Added cert-controller for easy webhook cert generation #319
Conversation
p-strusiewiczsurmacki-mobica
force-pushed
the
add-cert-controller
branch
2 times, most recently
from
3b833ed to
fdc44ea
Compare
| @@ -46,6 +46,8 @@ spec: | |||
| command: ["coil-egress-controller"] | |||
| args: | |||
| - --zap-stacktrace-level=panic | |||
| # [CERTS] Following line should be uncommented if automatic cert generation is used. | |||
| # - --enable-cert-rotation=true | |||
There was a problem hiding this comment.
Do we have to comment on --enable-restart-on-cert-refresh?
And I would like to enable/disable this option with v2/kustomization.yaml like config/pod/compat_calico.yaml do.
Lines 18 to 20 in 52b38c6
There was a problem hiding this comment.
I've moved as much of the kustomization to separate patch files as possible, I think.
As for the --enable-restart-on-cert-refresh - I don-t think it is required here. This is mostly added for esthetic purposes - without restart cert-controller might emit some errors into the logs. The errors are recoverable so they don;t break anything, just don't look nice in the logs. I am currently trying to push a small PR to fix this.
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - secrets | ||
| verbs: | ||
| - get | ||
| - list | ||
| - update | ||
| - watch |
There was a problem hiding this comment.
I think this rule is only needed when cert-controller is enabled, so it is better to make it a separate file and patch it as needed using v2/kustomization.yaml.
There was a problem hiding this comment.
I've moved this to separate patch file. However, this is generated with kubebuilder so I also had to remove the check of this file (git diff) from make check-generate target. Contributors will also have to be careful to not commit the generated file.
There was a problem hiding this comment.
How about making a new role resource file for a cert-controller with controller-gen? And apply it (and its role-binding) when make enable-certs-generation is executed by using Kustomize's resource.
I think this way, we can check with git diff.
p-strusiewiczsurmacki-mobica
force-pushed
the
add-cert-controller
branch
7 times, most recently
from
1bb8127 to
9061c02
Compare
I've added a |
p-strusiewiczsurmacki-mobica
force-pushed
the
add-cert-controller
branch
3 times, most recently
from
2efc178 to
11e3afb
Compare
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - secrets | ||
| verbs: | ||
| - get | ||
| - list | ||
| - update | ||
| - watch |
There was a problem hiding this comment.
How about making a new role resource file for a cert-controller with controller-gen? And apply it (and its role-binding) when make enable-certs-generation is executed by using Kustomize's resource.
I think this way, we can check with git diff.
p-strusiewiczsurmacki-mobica
force-pushed
the
add-cert-controller
branch
2 times, most recently
from
7b08f0f to
336113a
Compare
Done :) Let me know what you think! |
Signed-off-by: Patryk Strusiewicz-Surmacki <[email protected]> Co-authored-by: Tomoki Sugiura <[email protected]>
p-strusiewiczsurmacki-mobica
force-pushed
the
add-cert-controller
branch
from
336113a to
7c7be30
Compare
This PR implements #318
Certificates can be now generated and injected automatically using open-policy-agent/cert-controller.