Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow config of http01 solver pod security context #5373

Merged
merged 7 commits into from
Aug 5, 2024
Merged

Allow config of http01 solver pod security context #5373

merged 7 commits into from
Aug 5, 2024

Conversation

aidy
Copy link
Contributor

@aidy aidy commented Aug 7, 2022
edited by maelvls
Loading

This allows configuration of the http01 solver PodSecurityContext as
part of the Issuer specification.

Pull Request Motivation

#5295

Kind

/kind feature

Release Note

You can now configure the pod security context of HTTP-01 solver pods.

@jetstack-bot jetstack-bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 7, 2022
@jetstack-bot
Copy link
Contributor

Hi @aidy. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/acme Indicates a PR directly modifies the ACME Issuer code area/acme/http01 Indicates a PR modifies ACME HTTP01 provider code labels Aug 7, 2022
@aidy
Copy link
Contributor Author

aidy commented Aug 7, 2022
edited
Loading

This is feels like a slightly clumsy way to allow this configuration, but I think it's the cleanest approach.

Other approaches involve radically altering the way in which the cm controller takes configuration, or providing configuration flags for all the possible PodSecurityContext options. I suspect that the default is fine for nearly all use-cases, and for the few cases where overriding the default is necessary, doing so as a native k8s construct is likely to be preferable.

If necessary, helm templates could be modified to enable more intuitive usage.

I couldn't spot any prior art in the e2e tests for http01 solvers, and it was a little beyond my available time to implement - but if I've just missed it, please do point me in the right direction.

@SgtCoDFish
Copy link
Member

/ok-to-test

Thanks for raising this! I probably won't be able to review but hopefully someone will!

@jetstack-bot jetstack-bot added ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. release-note-none Denotes a PR that doesn't merit a release note. labels Aug 9, 2022
@SgtCoDFish SgtCoDFish added kind/feature Categorizes issue or PR as related to a new feature. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Aug 9, 2022
@SgtCoDFish SgtCoDFish added this to the v1.10 milestone Aug 9, 2022
@irbekrm
Copy link
Contributor

irbekrm commented Aug 9, 2022
edited
Loading

We do already have one mechanism how to configure some pod spec values (for Ingress solvers only at the moment) via issuer.spec.acme.solvers.http01.ingress.podTemplate.spec.
Do we specifically want to make this a flag as opposed to adding another config field to the issuer pod template to make this a global config option?
I'm a little concerned that it could be confusing for users that there would be config options for pod spec in two different places.

@aidy
Copy link
Contributor Author

aidy commented Aug 9, 2022

I'm a little concerned that it could be confusing for users that there would be config options for pod spec in two different places.

Maybe this isn't the right approach, but - Isn't that already the case? The options from buildDefaultPod all come from extraArgs, I think.

@irbekrm
Copy link
Contributor

irbekrm commented Aug 9, 2022
edited
Loading

Maybe this isn't the right approach, but - Isn't that already the case? The options from buildDefaultPod all come from extraArgs, I think.

I think that the existing flags are an older approach of configuring the solver pod and the pod template was added later to avoid having to add more and more flags to configure various options, see #1097 but I will verify this, if that's the case, we probably want to document it somewhere

x-post https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1660041935692369

@aidy
Copy link
Contributor Author

aidy commented Aug 9, 2022

I've looked a bit harder, and I think I agree - setting via the issuer spec is a cleaner and more intuitive approach. I'll have a look at reworking this.

@irbekrm
Copy link
Contributor

irbekrm commented Aug 9, 2022

I've looked a bit harder, and I think I agree - setting via the issuer spec is a cleaner and more intuitive approach. I'll have a look at reworking this.

Thanks @aidy and thanks for the work you've done already!

@aidy aidy force-pushed the set-security-context branch from fd26335 to afa4b7b Compare August 9, 2022 15:53
@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Aug 9, 2022
@aidy aidy force-pushed the set-security-context branch from afa4b7b to f9a1550 Compare August 9, 2022 15:55
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Aug 9, 2022
@jetstack-bot
Copy link
Contributor

@aidy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-master-e2e-v1-27-upgrade b52c5e9 link true /test pull-cert-manager-master-e2e-v1-27-upgrade
pull-cert-manager-master-e2e-v1-27 b52c5e9 link true /test pull-cert-manager-master-e2e-v1-27
pull-cert-manager-master-make-test 91bf83a link true /test pull-cert-manager-master-make-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@gnd
Copy link

gnd commented Apr 4, 2024

hello, any progress on this ?

@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2024
@cert-manager-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

@cert-manager-prow
Copy link
Contributor

@cert-manager-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@phandox
Copy link

phandox commented Jun 19, 2024

Hi @aidy @maelvls it looks like it slip through cracks. Can we get this reopened / merged? So much work was already done and we would really appreciate to have it in the upstream!

/reopen
/remove-lifecycle rotten

@cert-manager-prow
Copy link
Contributor

@phandox: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

Hi @aidy @maelvls it looks like it slip through cracks. Can we get this reopened / merged? So much work was already done and we would really appreciate to have it in the upstream!

/reopen
/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jun 19, 2024
@maelvls maelvls reopened this Jun 20, 2024
@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@phandox
Copy link

phandox commented Jul 9, 2024

Bump @aidy any chance for fixing the merge conflict? It would be highly appreciated as the PR is already approved 🙏 Thank you!

@aidy
Copy link
Contributor Author

aidy commented Jul 15, 2024

Will try to have a look this week

@aidy
Allow config of http01 solver pod security context
3e98f55 
This allows configuration of the http01 solver PodSecurityContext as
part of the Issuer specification.

Signed-off-by: Adrian Lai <[email protected]>
@aidy aidy force-pushed the set-security-context branch from 91bf83a to 345453e Compare July 15, 2024 09:04
@cert-manager-prow cert-manager-prow bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 15, 2024
aidy and others added 6 commits July 15, 2024 10:28
@aidy
Generate CRDs / conversion functions
12e3233 
Signed-off-by: Adrian Lai <[email protected]>
@aidy
Add test for http01 PodSecurityContext config
96831b9 
Signed-off-by: Adrian Lai <[email protected]>
@aidy
Fix test
62bdee8 
Signed-off-by: Adrian Lai <[email protected]>
@aidy
Update/Fix tests for new test structure
8b68443 
Signed-off-by: Adrian Lai <[email protected]>
@aidy
Copy PodSecurityContext over, dropping windowsOptions
6dc80e5 
Signed-off-by: Adrian Lai <[email protected]>
@aidy
Remove protobuf annotations
bde1acd 
These were copy-pasted in from the parent definitions. We don't marshal
to protobuf (none of the other structs have equivalent annotations), so
remove them as they are unnecessary.

Signed-off-by: Adrian Lai <[email protected]>
@aidy aidy force-pushed the set-security-context branch from 345453e to bde1acd Compare July 15, 2024 10:01
@phandox
Copy link

phandox commented Aug 5, 2024

Hi @maelvls would you be able to give it LGTM label? conflicts seems to be fixed again by @aidy . Thank you! 🙏

@maelvls
Copy link
Member

maelvls commented Aug 5, 2024

Hey, sorry about the delay! The PR seems all good. Well done @aidy!

/lgtm

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 5, 2024
@phandox
Copy link

phandox commented Aug 5, 2024

Awesome @maelvls , only removing do-not-merge/hold label is missing from merging 🙏

@maelvls maelvls removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 5, 2024
@cert-manager-prow cert-manager-prow bot merged commit e65c363 into cert-manager:master Aug 5, 2024
6 checks passed
@wallrj
Copy link
Member

wallrj commented Sep 26, 2024

A beta-release is now available which contains the fix for this issue. Please test and feedback if you have time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maelvls maelvls maelvls left review comments

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme/http01 Indicates a PR modifies ACME HTTP01 provider code area/acme Indicates a PR directly modifies the ACME Issuer code area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.