generate: correctly set CSV webhookDefinition deployment names
#3761
Conversation
We need to not mention the volume mount point of server certs/ports of the web server in the CSV (though this is optional). However, there is one other issue with the naming of certificates because of which #3762 and this are blocked.
Does this need a CHANGELOG fragment?
| csv.Spec.WebhookDefinitions = webhookDescriptions | ||
| } | ||
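Review bot: `csv.Spec.WebhookDefinitions = webhookDescriptions` replaces whatever the base CSV already declared under spec.webhookDefinitions instead of merging into it, so any hand-maintained entries (for example a sideEffects or containerPort value a user added by hand) are dropped on every regeneration. Either document that this field is entirely generator-owned, or merge by webhook name so user-set fields survive.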
| var defaultAdmissionReviewVersions = []string{"v1beta1"} |
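Review bot: `defaultAdmissionReviewVersions` has no doc comment saying where the value comes from, so a reader will assume it tracks the admissionregistration API version rather than the AdmissionReview version the controller-runtime webhook server actually serves. Suggest a comment such as `// v1beta1 is the AdmissionReview version served by controller-runtime's webhook server; bump when it serves v1.`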
This goes to v1 webhooks once we bump to controller-tools v0.4.0 right? Or rather plugins v3 I think.
This has to do with what version of admission reviews the webhook server serves, which is still v1beta1 on controller-runtime's master.
Ah okay that's not linked to webhooks v1 then, although I imagine we'll want to bump that to v1 as well soon.
| sel := dep.Spec.Template.GetLabels() | ||
| // A null label selector matches no objects. | ||
| if sel == nil { | ||
| continue | ||
| } | ||
| // An empty label selector matches all objects. | ||
| if len(sel) == 0 { | ||
| depName = dep.GetName() | ||
| break | ||
| } |
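Review bot: the `len(sel) == 0` branch records the first Deployment whose pod template carries no labels as the match and breaks out of the loop, which inverts the semantics: a pod template with no labels cannot be selected by any Service selector, so it should be skipped exactly like the nil case. The variable holds pod template labels, not a selector, so both `sel` and the two comments are misleading; rename it to `podLabels`, `continue` on both the nil and the empty case, and match by checking that the webhook Service's spec.selector is a subset of `podLabels`.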
Are you looking at the deployment's selector, which is spec.Selector, or the pod labels here?
If it's just the pod labels the var should be renamed to reflect that: sel := dep.Spec.Template.GetLabels() to podLabels := dep.Spec.Template.GetLabels()
Also the comments saying "label selector".
Plus what does "An empty label selector matches all objects" mean here?
The label selector can't be empty. It's a required field. But even if it is, what does that signify here?
Originally I was using the dep's selector, but that proved unnecessary (and much more difficult) because the webhook service already has a selector. Therefore the variable name and empty selector check are irrelevant, will change/remove.
Additionally the label comparison needs to check if service.Spec.Selector is a subset of dep.Spec.Template.GetLabels(), since the service provides the label constraint here.
That makes more sense, thanks for clarifying.
Branch force-pushed from 4965a8f to b44edf5.
hasbro17 left a comment:
LGTM
| if len(description.AdmissionReviewVersions) == 0 { | ||
| description.AdmissionReviewVersions = defaultAdmissionReviewVersions | ||
| } | ||
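Review bot: assigning the package-level slice directly (`description.AdmissionReviewVersions = defaultAdmissionReviewVersions`) makes every defaulted description share one backing array, so an in-place write such as `description.AdmissionReviewVersions[0] = "v1"` on any one description would silently change the default for all of them. Copy it instead: `description.AdmissionReviewVersions = append([]string(nil), defaultAdmissionReviewVersions...)`.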
Can we have a check here to see if description.SideEffects is null, if so set it to SideEffectClassNone? Because having it null causes installplan to fail.
I’ll do this in a follow-up. Ideally I wouldn’t be modifying admission review versions in this PR either since they’re unrelated to the deployment name fix, so I’ll break that out too.
| if serviceRef := webhook.ClientConfig.Service; serviceRef != nil { | ||
| if serviceRef.Port != nil { | ||
| description.ContainerPort = *serviceRef.Port | ||
| } |
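Review bot: `*serviceRef.Port` is the Service port as written in the webhook's clientConfig, while description.ContainerPort names the port the webhook container listens on; the two differ whenever the Service maps its port to a different targetPort (443 on the Service to 9443 in the container is the common layout). Resolve the port through the matched Service's spec.ports entry and copy its targetPort rather than the service port, and document what ContainerPort holds when neither is set.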
Also, if serviceRef.Port == nil and description.ContainerPort is not set, can we default it to 9443 which is used in case of cert-manager. It is a required field which needs to be defined in WebhookDescription. Since 443 (which olm defaults to) is restricted to root user, I suppose setting it to 9443 is a better option?
Will do in a follow-up.
| if len(description.AdmissionReviewVersions) == 0 { | ||
| description.AdmissionReviewVersions = defaultAdmissionReviewVersions | ||
| } | ||
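Review bot: this block is a verbatim copy of the defaulting in the validating-webhook path, so the sideEffects and containerPort handling requested above has to be fixed in two places and the two can drift. Extract the defaulting into a single helper (for example `defaultWebhookDescription(&description)`) called from both paths.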
The same sideEffects and containerPort as in the validating WH need to be set here too.
| // findMatchingDeploymentAndServiceForWebhook matches a Service to a webhook's client config (if it uses a service) | ||
| // then matches that Service to a Deployment by comparing label selectors (if the Service uses label selectors). | ||
| // The names of both Service and Deployment are returned if found. | ||
| func findMatchingDeploymentAndServiceForWebhook(c *collector.Manifests, wcc admissionregv1.WebhookClientConfig) (depName, serviceName string) { |
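Review bot: the doc comment says the Service is matched to a Deployment "by comparing label selectors", but a Deployment's spec.selector and a Service's spec.selector are independent fields that need not agree; the relationship that actually exists is that the Service's selector selects the Deployment's pod template labels, and the comment should say that. The signature also returns two plain strings with no error or bool, so a caller cannot tell "no service referenced" from "service found but no deployment selected" from "several deployments selected"; document the empty-string contract for each case or return an error.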
I am not sure if this is in scope of this PR. But currently, if using Webhooks we need not specify volumeMounts and webhook server port in CSV. Could we have a check for that, and accordingly not append ContainerVolumeMounts in Deployment.
I think this will need discussion before changing. We can’t remove all volume mounts and/or ports since these will probably contain other values set by users; in general the generator should avoid modifying declarative manifests like that, which risks changing what they declare.
Instead we need to properly patch the deployment via kustomize before passing it to the generator. @joelanford had a thought or two on this.
Branch force-pushed from b44edf5 to f1b533a.
…yments selected by webhook services
Branch force-pushed from f1b533a to 71e21aa.
/cherry-pick v1.0.x

@joelanford: new pull request created: #3904
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Description of the change:
Motivation for the change: an element of a CSV's spec.webhookDefinitions's deployment name was being inferred from the webhook config's service reference name, which often does not match the deployment's name. Instead, we can look up what service a webhook is using, then use the service's label selector to look up the deployment via labels on the pods for which the service will proxy.
/cc @varshaprasad96
Checklist
If the pull request includes user-facing changes, extra documentation is required:
- changelog/fragments (see changelog/fragments/00-template.yaml)
- website/content/en/docs
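The lookup the PR description and the review thread describe (resolve the webhook's service reference to a Service, then pick the Deployment whose pod template labels satisfy that Service's selector, treating the selector as a subset of the pod labels) as an added, self-contained example. This is not operator-sdk's code: the `Service`, `Deployment` and `ServiceRef` structs are trimmed stand-ins for the corresponding Kubernetes types so the file runs without the k8s API dependencies, and the sample manifests are constructed for the example. It goes one step beyond the PR by reporting zero or several selected Deployments as errors instead of silently returning a guess.

```go
package main

import (
	"errors"
	"fmt"
)

// Service is a trimmed stand-in for corev1.Service carrying only the fields the
// lookup needs (constructed for this example, not the operator-sdk types).
type Service struct {
	Name      string
	Namespace string
	Selector  map[string]string // spec.selector
}

// Deployment is a trimmed stand-in for appsv1.Deployment.
type Deployment struct {
	Name      string
	Namespace string
	PodLabels map[string]string // spec.template.metadata.labels
}

// ServiceRef mirrors the name/namespace of a webhook's clientConfig.service.
type ServiceRef struct {
	Name      string
	Namespace string
}

var (
	ErrServiceNotFound = errors.New("webhook service not found in manifests")
	ErrNoDeployment    = errors.New("no deployment's pod template is selected by the webhook service")
	ErrAmbiguous       = errors.New("more than one deployment is selected by the webhook service")
)

// selectedBy reports whether a pod template with the given labels would be
// selected by sel, i.e. whether sel is a subset of labels. A nil or empty
// selector selects nothing: a Service without a selector has its endpoints
// managed by hand and therefore cannot identify a Deployment.
func selectedBy(sel, labels map[string]string) bool {
	if len(sel) == 0 {
		return false
	}
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// findMatchingDeploymentAndService resolves ref to a Service, then to the single
// Deployment in the same namespace whose pod template labels satisfy the
// Service's selector. Zero or several matches are errors rather than a silent
// first-wins choice, so a wrong deploymentName never reaches the CSV.
func findMatchingDeploymentAndService(ref ServiceRef, services []Service, deps []Deployment) (depName, serviceName string, err error) {
	var svc *Service
	for i := range services {
		if services[i].Name == ref.Name && services[i].Namespace == ref.Namespace {
			svc = &services[i]
			break
		}
	}
	if svc == nil {
		return "", "", fmt.Errorf("%w: %s/%s", ErrServiceNotFound, ref.Namespace, ref.Name)
	}

	var matches []string
	for _, d := range deps {
		if d.Namespace == svc.Namespace && selectedBy(svc.Selector, d.PodLabels) {
			matches = append(matches, d.Name)
		}
	}
	switch len(matches) {
	case 0:
		return "", svc.Name, ErrNoDeployment
	case 1:
		return matches[0], svc.Name, nil
	default:
		return "", svc.Name, fmt.Errorf("%w: %v", ErrAmbiguous, matches)
	}
}

// sampleManifests builds constructed input shaped like a kubebuilder project:
// the webhook Service is named differently from the Deployment it fronts, which
// is exactly the case the old name-based inference got wrong.
func sampleManifests() ([]Service, []Deployment) {
	services := []Service{
		{Name: "webhook-service", Namespace: "system",
			Selector: map[string]string{"control-plane": "controller-manager"}},
		{Name: "metrics-service", Namespace: "system", Selector: nil}, // no selector: endpoints managed manually
	}
	deps := []Deployment{
		{Name: "controller-manager", Namespace: "system",
			PodLabels: map[string]string{"control-plane": "controller-manager", "app.kubernetes.io/part-of": "demo"}},
		{Name: "other-worker", Namespace: "system",
			PodLabels: map[string]string{"app": "other"}},
	}
	return services, deps
}

func main() {
	services, deps := sampleManifests()
	for _, ref := range []ServiceRef{
		{Name: "webhook-service", Namespace: "system"},
		{Name: "metrics-service", Namespace: "system"},
		{Name: "missing", Namespace: "system"},
	} {
		dep, svc, err := findMatchingDeploymentAndService(ref, services, deps)
		fmt.Printf("ref=%s/%s -> deployment=%q service=%q err=%v\n", ref.Namespace, ref.Name, dep, svc, err)
	}
}
```

The subset check is deliberately one-directional: extra labels on the pod template (here `app.kubernetes.io/part-of`) do not prevent a match, while a single missing or mismatched key does. Returning sentinel errors lets a generator fail loudly on an ambiguous layout instead of emitting a CSV that OLM will accept but that points at the wrong Deployment.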