-
Notifications
You must be signed in to change notification settings - Fork 178
Use certwatcher to support mounting cert-manager certificates. #134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
nckturner
merged 9 commits into
aws:master
from
kanopy-platform:add_certwatcher_support
Jan 22, 2022
Merged
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
60dfbea
Add certwatcher support
colinhoglund 87b5b63
fix flag parsing
colinhoglund 573bcc9
use signals pkg
colinhoglund da8ef9f
add comments
colinhoglund 7ad6d0e
update to go 1.17, go mod vendor
colinhoglund 3c3a438
go mod tidy
colinhoglund 50c3736
update github actions
colinhoglund 6b279e0
remove vendor
colinhoglund d71ef18
go mod vendor
colinhoglund File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,21 +1,57 @@ | ||
| module github.com/aws/amazon-eks-pod-identity-webhook | ||
|
|
||
| go 1.13 | ||
| go 1.17 | ||
|
|
||
| require ( | ||
| github.com/evanphx/json-patch v4.4.0+incompatible // indirect | ||
| github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef // indirect | ||
| github.com/google/go-cmp v0.5.2 // indirect | ||
| github.com/googleapis/gnostic v0.2.0 // indirect | ||
| github.com/imdario/mergo v0.3.7 // indirect | ||
| github.com/pkg/errors v0.8.1 | ||
| github.com/prometheus/client_golang v0.9.3 | ||
| github.com/pkg/errors v0.9.1 | ||
| github.com/prometheus/client_golang v1.11.0 | ||
| github.com/spf13/pflag v1.0.5 | ||
| github.com/stretchr/testify v1.4.0 | ||
| github.com/stretchr/testify v1.7.0 | ||
| gopkg.in/square/go-jose.v2 v2.5.1 | ||
| k8s.io/api v0.18.8 | ||
| k8s.io/apimachinery v0.18.9-rc.0 | ||
| k8s.io/client-go v0.18.8 | ||
| k8s.io/api v0.23.0 | ||
| k8s.io/apimachinery v0.23.0 | ||
| k8s.io/client-go v0.23.0 | ||
| k8s.io/klog v1.0.0 | ||
| sigs.k8s.io/yaml v1.2.0 | ||
| sigs.k8s.io/controller-runtime v0.11.0 | ||
| sigs.k8s.io/yaml v1.3.0 | ||
| ) | ||
|
|
||
| require ( | ||
| github.com/beorn7/perks v1.0.1 // indirect | ||
| github.com/cespare/xxhash/v2 v2.1.1 // indirect | ||
| github.com/davecgh/go-spew v1.1.1 // indirect | ||
| github.com/evanphx/json-patch v4.12.0+incompatible // indirect | ||
| github.com/fsnotify/fsnotify v1.5.1 // indirect | ||
| github.com/go-logr/logr v1.2.0 // indirect | ||
| github.com/gogo/protobuf v1.3.2 // indirect | ||
| github.com/golang/protobuf v1.5.2 // indirect | ||
| github.com/google/go-cmp v0.5.5 // indirect | ||
| github.com/google/gofuzz v1.1.0 // indirect | ||
| github.com/googleapis/gnostic v0.5.5 // indirect | ||
| github.com/imdario/mergo v0.3.12 // indirect | ||
| github.com/json-iterator/go v1.1.12 // indirect | ||
| github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect | ||
| github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect | ||
| github.com/modern-go/reflect2 v1.0.2 // indirect | ||
| github.com/pmezard/go-difflib v1.0.0 // indirect | ||
| github.com/prometheus/client_model v0.2.0 // indirect | ||
| github.com/prometheus/common v0.28.0 // indirect | ||
| github.com/prometheus/procfs v0.6.0 // indirect | ||
| golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect | ||
| golang.org/x/net v0.0.0-20210825183410-e898025ed96a // indirect | ||
| golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect | ||
| golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8 // indirect | ||
| golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect | ||
| golang.org/x/text v0.3.7 // indirect | ||
| golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect | ||
| google.golang.org/appengine v1.6.7 // indirect | ||
| google.golang.org/protobuf v1.27.1 // indirect | ||
| gopkg.in/inf.v0 v0.9.1 // indirect | ||
| gopkg.in/yaml.v2 v2.4.0 // indirect | ||
| gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect | ||
| k8s.io/klog/v2 v2.30.0 // indirect | ||
| k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect | ||
| k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect | ||
| sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect | ||
| sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect | ||
| ) |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
8 changes: 8 additions & 0 deletions
8
vendor/github.com/cespare/xxhash/v2/.travis.yml
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
22 changes: 22 additions & 0 deletions
22
vendor/github.com/cespare/xxhash/v2/LICENSE.txt
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
67 changes: 67 additions & 0 deletions
67
vendor/github.com/cespare/xxhash/v2/README.md
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's not just unavailable, it's not allowed: https://github.com/kubernetes/kubernetes/blob/48da959dbff18bfef6e801bd8c8ab3c88b7a7650/pkg/apis/certificates/validation/validation.go#L202
I think we will need to deprecate in-cluster flag + print a clear error + exit gracefully if the kubernetes server version is 1.22 AND
in-clusteris true. Instead of trying and failing to create invalid CSR. However, doing all that is out of scope of your PR. So I would like to accept the other changes and drop these changes topkg/cert/request.go, if possible.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the feedback @wongma7, and it totally makes sense to separate these. The only reason I changed
pkg/cert/request.gois because of dependencies.certwatcheris only exported in a newer version of thecontroller-runtime, which resulted in an upgrade ofk8s.io/client-gotov0.23.0, which is turn changed the underlying Config type forKeyUsagetocertficates/v1.I'm not entirely sure if there is a way to avoid these dependency updates for now, but would be open to any suggesstions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, thx for the explanation. Then I agree with merging this part as well, I don't see a way to avoid it either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note for self and others interested in the
in-cluster=truecase:Given that this PR basically solves the
in-cluster=falsecase since now webhook actually reload certs when they are renewed...My plan for
in-cluster=trueis...in-cluster=trueworks for k8s <=1.21 but doesn't for >1.21. We have discussed this at length and there seems to be no way to make it work in >1.21* (without mis/abusing the CSR api) so we need to deprecate it ASAP (as 1.22 has been out for months now).in-cluster=truewon't work for ANY k8s version. Users who rely on it will need to make sure they use an older revision when building pod-identity-webhook.in-cluster=truewith a note in README and major version release so it is clear & obvious that it won't work for ANY k8s versionThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It probably makes sense to tag a release before merging this since the latest release is a bit old. Then once the followup work is done, a new release can be cut that introduces
certwatcherand deprecates the--in-clusterflag at the same time.