HOSTEDCP-1090: Use statically configured haproxy for router #2778
Conversation
@csrwng: This pull request references HOSTEDCP-1090 which is a valid jira issue.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Skipping CI for Draft Pull Request.
/test verify
/test e2e-aws
2 similar comments
}

sa := ignitionserver.ProxyServiceAccount(controlPlaneNamespace)
if result, err := createOrUpdate(ctx, c, sa, func() error {
Why is this going away?
Because the ignition proxy does not need any special permissions on the management cluster. There's no point in having a dedicated service account with role/rolebinding. This was here because we were granting the service account permission to use the host network SCC. We really don't need that. Everything now runs as restricted.
{{ $ns := .Namespace }}
{{- range .Backends }}
backend {{ .Name }}
server {{ .Name }} {{ .DestinationService }}.{{ $ns }}.svc.cluster.local:{{.DestinationPort}} check resolvers coredns init-addr last,libc,none
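Review bot: the `server` line references a `resolvers coredns` section that is not visible in this snippet; haproxy treats a server line that names an undefined resolvers section as a fatal configuration error, so please confirm the generated config defines `resolvers coredns` with the in-cluster DNS address before this is rendered. A short template comment explaining `init-addr last,libc,none` would also help future readers: it lets haproxy start even when a backend Service name does not resolve yet, so a missing Service degrades to a down backend rather than a router pod that fails to start.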
Do we need the ns and .cluster.local?
Couldn't we just use the name?
If so couldn't this actually be a static hardcoded list?
We don't need either, but that's the full DNS name without relying on a search suffix, which I think is less error-prone.
I didn't use a static list because we don't always use routes for all services, so I wanted to build the list of things we route to based on existing route resources and rely on the logic that creates routes to tell me which things I should route to here.
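The reply above describes two choices: address each Service by its fully qualified in-cluster name, and derive the backend list from the route resources that actually exist rather than a hardcoded list. The following Go program is an added example, not HyperShift's own code, that renders the template fragment discussed in this thread from a constructed route list. The `Route` and `Backend` types, the sample route names and ports, and the `clusters-example` namespace are assumptions made for the example; it also re-validates every name that is interpolated into the config and sorts the backends so the rendered file is stable across reconciles.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"text/template"
)

// Route is a minimal stand-in for the OpenShift Route objects the controller
// reads; constructed for this example, not HyperShift's own type.
type Route struct {
	Name        string // route name, becomes the haproxy backend name
	ServiceName string // Service the route targets
	Port        int    // target port on that Service
}

// Backend is one entry rendered into the haproxy template.
type Backend struct {
	Name               string
	DestinationService string
	DestinationPort    int
}

// backendsTmpl mirrors the backend section of the template discussed above:
// every backend targets the Service's fully qualified in-cluster name, so the
// lookup does not depend on the resolver's search suffix.
const backendsTmpl = `{{ $ns := .Namespace }}
{{- range .Backends }}
backend {{ .Name }}
  server {{ .Name }} {{ .DestinationService }}.{{ $ns }}.svc.cluster.local:{{ .DestinationPort }} check resolvers coredns init-addr last,libc,none
{{- end }}
`

// dnsLabel is the DNS-1123 label shape Kubernetes already enforces for names.
// Re-checking it here guarantees nothing containing whitespace or newlines can
// ever be interpolated into the haproxy configuration.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// BackendsFromRoutes derives the backend list from the routes that exist and
// validates each entry before it reaches the template.
func BackendsFromRoutes(routes []Route) ([]Backend, error) {
	out := make([]Backend, 0, len(routes))
	for _, r := range routes {
		if !dnsLabel.MatchString(r.Name) || !dnsLabel.MatchString(r.ServiceName) {
			return nil, fmt.Errorf("route %q: name and service must be DNS-1123 labels", r.Name)
		}
		if r.Port < 1 || r.Port > 65535 {
			return nil, fmt.Errorf("route %q: port %d out of range", r.Name, r.Port)
		}
		out = append(out, Backend{Name: r.Name, DestinationService: r.ServiceName, DestinationPort: r.Port})
	}
	// Deterministic ordering keeps the rendered config stable across reconciles.
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// RenderBackends renders the backend section for one control plane namespace.
func RenderBackends(namespace string, routes []Route) (string, error) {
	if !dnsLabel.MatchString(namespace) {
		return "", fmt.Errorf("namespace %q is not a DNS-1123 label", namespace)
	}
	backends, err := BackendsFromRoutes(routes)
	if err != nil {
		return "", err
	}
	tmpl, err := template.New("haproxy").Parse(backendsTmpl)
	if err != nil {
		return "", err
	}
	data := struct {
		Namespace string
		Backends  []Backend
	}{namespace, backends}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

func main() {
	// Constructed sample routes; the names and ports are illustrative only.
	routes := []Route{
		{Name: "oauth", ServiceName: "oauth-openshift", Port: 6443},
		{Name: "kube-apiserver", ServiceName: "kube-apiserver", Port: 6443},
	}
	cfg, err := RenderBackends("clusters-example", routes)
	if err != nil {
		panic(err)
	}
	fmt.Println(cfg)
}
```

The validation is belt-and-braces: the API server already rejects names that are not DNS-1123 labels, but the template has no escaping of its own, so checking again at the point where untrusted-looking strings become config text costs nothing and removes a whole class of config-injection bugs if the input source ever changes.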
/hold
✅ Deploy Preview for hypershift-docs ready!
/hold cancel
bryan-cox
left a comment
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: bryan-cox, csrwng. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Already tagged but lgtm as well 👍
manifests.KubeAPIServerExternalPublicRoute("").Name,
manifests.KubeAPIServerExternalPrivateRoute("").Name:
	p.HasKubeAPI = true
	continue
Why do we need continue here?
Just curious, otherwise lgtm.
We don't need it :)
I had that there before that section was inside the case stmt but forgot to remove it. It doesn't hurt, but I will remove it in a follow-up.
@csrwng: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Need to consult with IBM Cloud team to determine whether an override for the PSA labels is needed before backporting
Introduces an annotation to override the pod security admission label for hosted control plane namespaces. This is a follow up to openshift#2778 where the default PSA is now changed to 'Restricted'. For some consumers like IBM, this label may be too restrictive for other workloads they may want to run in the control plane namespace.
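Two parts of this thread concern the same thing: the earlier reply that the ignition proxy no longer needs a dedicated service account or the host network SCC because everything now runs as restricted, and the follow-up described above that lets a namespace's pod security admission label be overridden where "restricted" is too tight. The Go program below is an added example, not HyperShift's or Kubernetes' code. It checks a pod spec against a subset of the restricted Pod Security Standard (host namespaces, privilege escalation, capabilities, non-root, seccomp; volume, hostPort and sysctl rules are left out) and picks the enforce level for a namespace from an annotation. The `PodSpec` and `Container` types are minimal stand-ins, the two sample specs are constructed, and the annotation key `example.invalid/pod-security-enforce` is a hypothetical placeholder since the real name is not given on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Container and PodSpec are deliberately minimal stand-ins for the fields the
// restricted Pod Security Standard inspects; constructed for this example.
type Container struct {
	Name                     string
	Privileged               bool
	RunAsNonRoot             *bool // nil means "inherit from the pod"
	AllowPrivilegeEscalation *bool // restricted requires an explicit false
	AddCapabilities          []string
	DropCapabilities         []string
	SeccompProfileType       string // "" means "inherit from the pod"
}

type PodSpec struct {
	HostNetwork        bool
	HostPID            bool
	HostIPC            bool
	RunAsNonRoot       *bool
	SeccompProfileType string
	Containers         []Container
}

func boolPtr(b bool) *bool { return &b }

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// RestrictedViolations returns the reasons a pod would be rejected in a
// namespace labelled pod-security.kubernetes.io/enforce=restricted.
func RestrictedViolations(p PodSpec) []string {
	var v []string
	if p.HostNetwork {
		v = append(v, "hostNetwork must be false")
	}
	if p.HostPID {
		v = append(v, "hostPID must be false")
	}
	if p.HostIPC {
		v = append(v, "hostIPC must be false")
	}
	for _, c := range p.Containers {
		if c.Privileged {
			v = append(v, c.Name+": privileged must be false")
		}
		if c.AllowPrivilegeEscalation == nil || *c.AllowPrivilegeEscalation {
			v = append(v, c.Name+": allowPrivilegeEscalation must be set to false")
		}
		if !contains(c.DropCapabilities, "ALL") {
			v = append(v, c.Name+": capabilities must drop ALL")
		}
		for _, added := range c.AddCapabilities {
			if added != "NET_BIND_SERVICE" {
				v = append(v, fmt.Sprintf("%s: capability %s may not be added", c.Name, added))
			}
		}
		// Container-level settings win; otherwise fall back to the pod level.
		nonRoot := c.RunAsNonRoot
		if nonRoot == nil {
			nonRoot = p.RunAsNonRoot
		}
		if nonRoot == nil || !*nonRoot {
			v = append(v, c.Name+": runAsNonRoot must be true")
		}
		seccomp := c.SeccompProfileType
		if seccomp == "" {
			seccomp = p.SeccompProfileType
		}
		if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
			v = append(v, c.Name+": seccompProfile must be RuntimeDefault or Localhost")
		}
	}
	return v
}

// HostNetworkProxySpec is a constructed stand-in for the pre-change shape: a
// proxy on the host network, which is why an SCC grant used to be needed.
func HostNetworkProxySpec() PodSpec {
	return PodSpec{HostNetwork: true, Containers: []Container{{Name: "proxy"}}}
}

// RestrictedProxySpec is the same workload expressed so that it passes the
// restricted profile with no dedicated service account or SCC grant at all.
func RestrictedProxySpec() PodSpec {
	return PodSpec{
		RunAsNonRoot:       boolPtr(true),
		SeccompProfileType: "RuntimeDefault",
		Containers: []Container{{
			Name:                     "proxy",
			AllowPrivilegeEscalation: boolPtr(false),
			DropCapabilities:         []string{"ALL"},
		}},
	}
}

// overrideAnnotation is a hypothetical key standing in for the annotation the
// follow-up PR introduces; the real name is not given on this page.
const overrideAnnotation = "example.invalid/pod-security-enforce"

// EnforceLevelFor returns the enforce level to label a control plane namespace
// with: "restricted" by default, or a recognised override from the annotation.
func EnforceLevelFor(annotations map[string]string) string {
	switch annotations[overrideAnnotation] {
	case "privileged", "baseline", "restricted":
		return annotations[overrideAnnotation]
	}
	return "restricted"
}

func main() {
	for name, spec := range map[string]PodSpec{"host-network": HostNetworkProxySpec(), "restricted": RestrictedProxySpec()} {
		if v := RestrictedViolations(spec); len(v) > 0 {
			fmt.Printf("%s: rejected\n  %s\n", name, strings.Join(v, "\n  "))
		} else {
			fmt.Printf("%s: admitted\n", name)
		}
	}
	fmt.Println("default enforce level:", EnforceLevelFor(nil))
}
```

Running it shows why the old shape needed extra privileges: the host-network spec collects five violations, while the restricted spec is admitted with nothing beyond its own securityContext. Unknown override values fall back to "restricted", so a typo in the annotation can only ever tighten, never loosen, what the namespace enforces.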
What this PR does / why we need it:
Replace the internal router deployment with a statically configured instance of haproxy. Remove any additional privileges required by control plane workloads.
Which issue(s) this PR fixes:
Fixes #HOSTEDCP-1090