cert provisioner #22
cert provisioner #22
Conversation
k8s-ci-robot
added
size/XL
| limitations under the License. | ||
| */ | ||
|
|
||
| package certoutput |
mengqiy
force-pushed
the
webhook
branch
2 times, most recently
from
cd79900 to
62cad9b
Compare
|
PTAL |
pkg/admission/doc.go
Outdated
| The package will write self-signed certificates to secrets. | ||
|
|
||
| // Build a CertProvisioner with empty options | ||
| cp := &CertProvisioner{Client: getClientOrDie(), Options: Options{}} |
There was a problem hiding this comment.
They shouldn't have to specify Options. I don't think the getClientOrDie() function is correct. Use the one from the config package
pkg/admission/doc.go
Outdated
| // handler error | ||
| } | ||
|
|
||
| If the above mutatingWebhookConfiguration is processed, the cert provisioner will provision |
There was a problem hiding this comment.
mutatingWebhookConfiguration
cap?
pkg/admission/doc.go
Outdated
|
|
||
| If the above mutatingWebhookConfiguration is processed, the cert provisioner will provision | ||
| the certificate and create an secret named "secret-foo" in namespace "namespace-bar" for webhook "webhook-1". | ||
| Similarly, it will create an secret named "secret-baz" in namespace "default" for webhook "webhook-2". |
There was a problem hiding this comment.
Also mention that it will write the CA back to the WebhookConfiguration
| ServerCertName = "cert.pem" | ||
| ) | ||
|
|
||
| // Options are options for configure a CertOutput. |
|
|
||
| // Options are options for configure a CertOutput. | ||
| type Options struct { | ||
| Type *Type |
pkg/admission/controller.go
Outdated
| } | ||
|
|
||
| // getClientOrDie get the default client for the CertProvisioner. | ||
| func getClientOrDie() client.Client { |
There was a problem hiding this comment.
This already exists in the config package
There was a problem hiding this comment.
I can't find it.
There is no method returning client.Client in https://godoc.org/github.com/kubernetes-sigs/controller-runtime/pkg/client/config
The only relevant thing I can find is client.New() method at https://godoc.org/github.com/kubernetes-sigs/controller-runtime/pkg/client#New
pkg/admission/controller.go
Outdated
|
|
||
| func (bc *CertProvisioner) init() { | ||
| if bc.Client == nil { | ||
| bc.Client = getClientOrDie() |
There was a problem hiding this comment.
We probably want to return an error from the calling method instead of panic-ing.
pkg/admission/controller.go
Outdated
| "github.com/kubernetes-sigs/controller-runtime/pkg/client/config" | ||
| ) | ||
|
|
||
| // CertProvisioner provisions certificates for webhook configurations. |
There was a problem hiding this comment.
and writes them to an output destination - such as a Secret or local file. CertProvisioner can update the CA field of
certain resources with the CA of the certs.
| } | ||
|
|
||
| // New builds a new CertsOutput instance for the provided webhook configuration. | ||
| func New(webhookConfig runtime.Object, client client.Client, cp certinput.CertInput, op Options) (CertsOutput, error) { |
There was a problem hiding this comment.
can the Input be an option tool? Can we default it to selfsigned?
| } | ||
|
|
||
| // New builds a new CertsOutput instance for the provided webhook configuration. | ||
| func New(webhookConfig runtime.Object, client client.Client, cp certinput.CertInput, op Options) (CertsOutput, error) { |
There was a problem hiding this comment.
For client, WDYT of injecting it?
There was a problem hiding this comment.
What will it look like? Some pseudo code will be helpful.
mengqiy
force-pushed
the
webhook
branch
2 times, most recently
from
fa1ac99 to
952db43
Compare
|
PTAL |
pkg/admission/certgenerator/doc.go
Outdated
|
|
||
| Create a implementation instance of certprovisioner. | ||
| Create a implementation instance of certgenerator. |
There was a problem hiding this comment.
Create an instance of CertGenerator ?
pkg/admission/certgenerator/doc.go
Outdated
| cp := SelfSignedCertProvisioner{ | ||
| CommonName: "foo.bar.com" | ||
| } | ||
| cp := SelfSignedCertGenerator{} |
pkg/admission/certgenerator/doc.go
Outdated
| cp := SelfSignedCertProvisioner{ | ||
| CommonName: "foo.bar.com" | ||
| } | ||
| cp := SelfSignedCertGenerator{} | ||
|
|
||
| Provision the certificates. |
| @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and | |||
| limitations under the License. | |||
| */ | |||
|
|
|||
| package certprovisioner | |||
| package certgenerator | |||
There was a problem hiding this comment.
Want to throw it out there from caller's code readability perspective:
We can probably have a package name cert under admission
caller's code will look like
cg, err := cert.Generator()
cw, err := cert.Writer()| @@ -24,8 +24,8 @@ type Certs struct { | |||
| CACert []byte | |||
| } | |||
There was a problem hiding this comment.
Certs is giving an impression of multiple certificates and it is not.
some options.Cert or Certificate or CertArtifacts or CertContents
| // CertWriter provides method to handle webhooks. | ||
| type CertWriter interface { | ||
| // Create a new CertWriter with the given runtime.Object | ||
| New(runtime.Object) (CertWriter, error) |
There was a problem hiding this comment.
Are we sure this method belongs in this interface ? its more like a constructor for CertWriter itself ?
| // Create a new CertWriter with the given runtime.Object | ||
| New(runtime.Object) (CertWriter, error) | ||
| // Handle ensures that the webhooks it manages have the right certificates. | ||
| Handle() error |
There was a problem hiding this comment.
Should this be called WriteCert or EnsureCert or ManageCert or PopulateCert ?
| } | ||
|
|
||
| // certio provides methods for handling certificates for webhook. | ||
| type certio interface { |
There was a problem hiding this comment.
certReaderWriter is probably better name ?
pkg/admission/controller.go
Outdated
| if err != nil { | ||
| return err | ||
| } | ||
| } |
There was a problem hiding this comment.
This doesn't appear to be thread-safe ?
Also, once cp.CertWriter is assigned and webhookConfiguration changes, cp.CertWriter won't get updated .. right..? wouldn't that be a problem ?
mengqiy
force-pushed
the
webhook
branch
2 times, most recently
from
8d0492b to
2994c60
Compare
k8s-ci-robot
added
size/XXL
This comment has been minimized.
This comment has been minimized.
| EnsureCert() error | ||
| } | ||
|
|
||
| func handleCommon(webhook *admissionregistrationv1beta1.Webhook, ch certReadWriter) error { |
| var _ = BeforeSuite(func(done Done) { | ||
| logf.SetLogger(logf.ZapLogger(false)) | ||
|
|
||
| testenv = &test.Environment{} |
There was a problem hiding this comment.
Don't we need to start the te if we are going to use it?
pkg/admission/certwriter/provider.go
Outdated
| } | ||
|
|
||
| // New builds a new CertWriter for the provided webhook configuration. | ||
| func NewProvider(ops Options) (CertWriterProvider, error) { |
There was a problem hiding this comment.
This writes to both locations? What does this do by default?
pkg/admission/certwriter/multiple.go
Outdated
| "k8s.io/apimachinery/pkg/runtime" | ||
| ) | ||
|
|
||
| // MultiCertWriterProvider composes a slice of CertWriterProviders. |
There was a problem hiding this comment.
Add a comment about what use cases this is good for.
|
PTAL |
|
Coverage report: |
| Client: ops.Client, | ||
| CertGenerator: ops.CertGenerator, | ||
| } | ||
| //f := &FSCertWriter{ |
There was a problem hiding this comment.
Why is this commented out?
There was a problem hiding this comment.
It has not been implemented ans tested completely :)
| } | ||
|
|
||
| // NewCertWriter builds a new CertWriter using the provided options. | ||
| // By default, it builds a MultiCertWriter that is composed of a SecretCertWriter and a FSCertWriter. |
There was a problem hiding this comment.
This document is not correct, it doesn't do the file writer
There was a problem hiding this comment.
This will happen in one week.
I can remove it for now.
|
|
||
| package writer | ||
|
|
||
| //import ( |
There was a problem hiding this comment.
Can you remove this file from the PR?
| // Due to | ||
| // https://github.com/kubernetes/kubernetes/blob/5da925ad4fd070e687dc5255c177d5e7d542edd7/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/controller_ref.go#L35 | ||
| isController := true | ||
| ownerRef := metav1.OwnerReference{ |
There was a problem hiding this comment.
| *generator.Artifacts, error) { | ||
| v := s.webhookMap[webhookName] | ||
|
|
||
| webhook := v.webhook |
There was a problem hiding this comment.
Most of this code is duplicated in write(). Please pull it out into a function.
|
|
||
| func certsToSecret(certs *generator.Artifacts, sec apitypes.NamespacedName) *corev1.Secret { | ||
| return &corev1.Secret{ | ||
| TypeMeta: metav1.TypeMeta{ |
There was a problem hiding this comment.
FYI: you shouldn't need to fill in the TypeMeta.
There was a problem hiding this comment.
Why?
Does it mean the client.Client will set the TypeMeta fields for me if I pass it a *corev1.Secret?
|
|
||
| import ( | ||
| "reflect" | ||
| "sync" |
| return nil | ||
| } | ||
|
|
||
| var _ = Describe("MultipleCertWriterProvider", func() { |
There was a problem hiding this comment.
I think this has been renamed.
| Provision the certificates using the CertWriter. | ||
|
|
||
| // writer can be either one of the CertWriters created above | ||
| err = writer.EnsureCerts(webhookConfiguration) // webhookConfiguration is an existing runtime.Object |
There was a problem hiding this comment.
How does this get the certs out? Add an example of actually starting an http server.
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: "test-mwc", | ||
| Namespace: "test-ns", | ||
| UID: types.UID("123456"), |
There was a problem hiding this comment.
I think you can just use a string.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
pwittrock
added
the
approved
address the remaining comments from #22
cert provisioner
address the remaining comments from kubernetes-sigs#22
This PR is migrating from mengqiy/WebhookCertManager#1
GoDoc: http://35.192.136.38:12346/pkg/sigs.k8s.io/controller-runtime/pkg/admission/