Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Integration of certmanager for IntegrationSink #8385

Open
wants to merge 17 commits into
base: main
Choose a base branch
from

Conversation

matzew
Copy link
Member

@matzew matzew commented Dec 13, 2024

NOTE: this is not yet ready, and adds a raw support for cert-manager / TLS

Fixes #

Proposed Changes

Pre-review Checklist

  • At least 80% unit test coverage
  • E2E tests for any new behavior
  • Docs PR for any user-facing impact
  • Spec PR for any new API feature
  • Conformance test for any change to the spec

Release Note


Docs

@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 13, 2024
Copy link

knative-prow bot commented Dec 13, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: matzew

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Dec 13, 2024
@knative-prow knative-prow bot added the area/test-and-release Test infrastructure, tests or release label Dec 13, 2024
@matzew matzew force-pushed the integration_certmanager branch from a1209c6 to 3dd433f Compare December 13, 2024 09:12
Copy link

codecov bot commented Dec 13, 2024

Codecov Report

Attention: Patch coverage is 18.09524% with 86 lines in your changes missing coverage. Please review.

Project coverage is 64.03%. Comparing base (4087c3a) to head (1232c65).

Files with missing lines Patch % Lines
...conciler/integration/sink/resources/certificate.go 0.00% 44 Missing ⚠️
pkg/reconciler/integration/sink/integrationsink.go 6.25% 29 Missing and 1 partial ⚠️
pkg/reconciler/integration/sink/controller.go 0.00% 8 Missing ⚠️
cmd/controller/main.go 0.00% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8385      +/-   ##
==========================================
- Coverage   64.22%   64.03%   -0.19%     
==========================================
  Files         388      389       +1     
  Lines       23324    23413      +89     
==========================================
+ Hits        14979    14993      +14     
- Misses       7550     7624      +74     
- Partials      795      796       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@matzew matzew force-pushed the integration_certmanager branch 4 times, most recently from 80cb7ab to d3306df Compare December 17, 2024 14:40
featureStore = feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
featureFlags := value.(feature.Flags)
if !featureFlags.IsDisabledTransportEncryption() && featureStore != nil {
for _, inf := range []injection.InformerInjector{challenge.WithInformer, v1certificate.WithInformer, certificaterequest.WithInformer, clusterissuer.WithInformer, issuer.WithInformer} {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this does not work, when changing the feature cfg afterwards. In the controller.go of the integrationsink I am getting a nil pointer... when accessing the cmCertificateLister there.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it doesn't, we could start / stop the informer manually without injection based on the value

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could start / stop the informer manually without injection based on the value

you mean the "cert manager" informers, right? start / stop based on cfg change of the config-feature CM?

Any pointer to similar code for this?

Copy link
Member

@pierDipi pierDipi Dec 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here we start a "custom" configmap informer using the factory

// Manually create a ConfigMap informer for the env.GetNamespace() namespace to have it
// optionally created when needed.
infFactory := informers.NewSharedInformerFactoryWithOptions(
kubeclient.Get(ctx),
controller.GetResyncPeriod(ctx),
informers.WithNamespace(env.GetNamespace()),
informers.WithTweakListOptions(func(options *metav1.ListOptions) {
options.LabelSelector = eventingtls.TrustBundleLabelSelector
}),
)
go func() {
<-ctx.Done()
infFactory.Shutdown()
}()
inf := infFactory.Core().V1().ConfigMaps()
_ = inf.Informer() // Actually create informer
trustBundleConfigMapLister = inf.Lister().ConfigMaps(env.GetNamespace())
infFactory.Start(ctx.Done())
_ = infFactory.WaitForCacheSync(ctx.Done())

the "stop" is based on the passed context and there we can use the usual "context / cancel" pair

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

Copy link
Contributor

@skonto skonto Dec 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A bit of background info. We discussed a more dynamic approach in the past here. Serving requires for the controller pod to be restarted. In general making it dynamic here makes more sense as it reacts on some cm change and you can freely define your main stuff as in the adapter's main. For Serving once you disable encryption there will be downtime afaik and we wanted minimal changes back then to move with the internal encryption feature. cc @ReToCode if he has anything to add/correct me.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@skonto so you suggest going the route via knative/pkg#2989 ?

Copy link
Contributor

@skonto skonto Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It depends on the UX. If you dont want a pod restart you need the dynamic informer addition/removal. The flag just avoids generating by default the init code that registers an informer factory and the related informer. We don't want to register that immediately because the feature might be disabled. We cant do this dynamically without a restart because registration does not start the informer we have to wait for sharedmain to do this. So right now once sharedmain does start the controllers and the informers you can't start a new one but potentially we could extend sharedmain to do this.

matzew added 14 commits January 10, 2025 12:08
Basics for Cert-manager

Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
Signed-off-by: Matthias Wessendorf <[email protected]>
@matzew matzew force-pushed the integration_certmanager branch from ee95167 to 17f8e71 Compare January 10, 2025 11:08
Copy link

knative-prow bot commented Jan 10, 2025

@matzew: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
unit-tests_eventing_main 17f8e71 link true /test unit-tests
reconciler-tests_eventing_main 17f8e71 link true /test reconciler-tests

Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@@ -44,6 +44,13 @@ kube::codegen::gen_client \
--with-watch \
"${REPO_ROOT_DIR}/pkg/apis"

kube::codegen::gen_client \
Copy link
Contributor

@skonto skonto Jan 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matzew You can clean up this as in https://github.com/knative/serving/pull/15703/files#diff-149dfe7bb29d1191dceae3a52915e750e64b7f87257a5fb309c29d3056e2a95d. We are removing the generated clientsets in favor of the original ones

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/test-and-release Test infrastructure, tests or release do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants