Comments (7)
It would be nice to have an option to provide your own CA/cert for the admission webhook to prevent this unnecessary Kong restart.
This was possible before and it should be possible to provide your own cert/key. If not, that is a bug.
This is more or less the same as our issue with the Postgres password secret. The cert is randomly generated, and Helm generates random resources every time the template is rendered. We do need to replace the pods when this occurs, as otherwise they'll try to unsuccessfully use the old cert.
Historically, using a pre-install hook to generate the cert Secret was the only workaround for this, but that comes with the caveat that the Secret is no longer part of the release and doesn't get cleaned up if the release is deleted. The proposed solution is to add functionality that ignores resource changes if the resource has some annotation, but there's no work in progress for that: helm/helm#5290 (comment)
https://github.com/helm/charts/issues/5167#issuecomment-619137759 indicates that Helm 3.1's lookup function provides a means to work around this, but using this would break Helm 2.x compatibility. We do plan to drop support for Helm 2.x, but don't yet have a planned timeline (probably some time this year, but it depends on when other Kong releases come out).
@hbagdi you can specify your own certificate, but the chart will always add the checksum annotation regardless. We could add a check to see if the certificate environment variables are present once controller 0.9 is out, though that seems a bit hacky, and adds some extra user work. I recommend we wait until we remove Helm 2.x support and then implement the lookup workaround (which, granted, is also a bit hacky): this is annoying, but not critical to fix. Does that sound reasonable?
you can specify your own certificate, but the chart will always add the checksum annotation regardless.
In that case, the cert/key will not change every release and this will not result in any change in the checksum, meaning the pods will not roll. Is my understanding correct?
helm/charts#5167 (comment) indicates that Helm 3.1's lookup function provides a means to work around this, but using this would break Helm 2.x compatibility.
Yes, we can adopt this later on.
Meta comment:
Regarding the new label "2.0", can we change it to "Chart 2.0"?
There are two upgrades coming in, the Helm 3 upgrade and Chart 2.0, and it is important to differentiate them.
How do you specify your own cert/key for the admission controller? The template for the admission webhook config seems to unconditionally generate a random one.
https://github.com/Kong/charts/blob/master/charts/kong/templates/admission-webhook.yaml#L2-L4
In that case, the cert/key will not change every release and this will not result in any change in the checksum, meaning the pods will not roll. Is my understanding correct?
Not quite: the checksum is based off the certificate installed at the default location, which is the random certificate. The volume mount uses the random certificate and can't be configured to use your own secret, so it's always rotated.
We can make that configurable, but it will need to take the environment-based certificate handling from 0.9 into account. That has a secondary issue where generating a checksum would also require the 3.x lookup function, though we could disable the annotation if it's present and trust users to restart their own pods when it changes.
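The two mechanisms discussed above (the Helm 3.1 `lookup` workaround from the earlier maintainer reply, and the checksum annotation that currently hashes a freshly generated certificate) can be combined in one template. The following is an added example written for this thread, not a file from the Kong chart: it prefers a user-supplied keypair, otherwise reuses the Secret already in the cluster, and only generates a new self-signed keypair on first install, so the pod checksum annotation changes only when the certificate really changes. The values keys `admissionWebhook.cert` / `admissionWebhook.key`, the Secret and Service names, and the minimal Deployment are assumptions made for illustration; it requires Helm 3.1 or newer because `lookup` does not exist in Helm 2.x.

```yaml
{{/*
  Added example, not part of the Kong chart.
  Assumptions (not taken from the chart):
    - values.yaml defines  admissionWebhook: {cert: "", key: ""}
      so a PEM keypair can be supplied and both keys always exist;
    - the Secret is named <release>-admission-webhook-keypair and the
      webhook Service <release>-validation-webhook;
    - Helm >= 3.1, because `lookup` is unavailable in Helm 2.x.
*/}}
{{- $secretName := printf "%s-admission-webhook-keypair" .Release.Name -}}
{{- $svcName := printf "%s-validation-webhook" .Release.Name -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
{{- $cert := "" -}}
{{- $key := "" -}}
{{- if .Values.admissionWebhook.cert -}}
  {{/* 1. User-supplied keypair: renders identically on every release. */}}
  {{- $cert = .Values.admissionWebhook.cert | b64enc -}}
  {{- $key = .Values.admissionWebhook.key | b64enc -}}
{{- else if $existing -}}
  {{/* 2. Upgrade: reuse the keypair already in the cluster.
        Values under .data are already base64-encoded. */}}
  {{- $cert = index $existing.data "tls.crt" -}}
  {{- $key = index $existing.data "tls.key" -}}
{{- else -}}
  {{/* 3. First install: generate a self-signed keypair exactly once. */}}
  {{- $dns := list (printf "%s.%s.svc" $svcName .Release.Namespace) -}}
  {{- $pair := genSelfSignedCert (first $dns) (list) $dns 365 -}}
  {{- $cert = $pair.Cert | b64enc -}}
  {{- $key = $pair.Key | b64enc -}}
{{- end -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
  tls.crt: {{ $cert }}
  tls.key: {{ $key }}
---
{{/* Minimal Deployment (assumed) showing the annotation: hashing $cert
     rather than a freshly generated value means the pods roll only when
     the keypair actually changes. The same $cert is what the
     ValidatingWebhookConfiguration's caBundle should carry. */}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-kong
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-kong
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-kong
      annotations:
        checksum/admission-webhook-cert: {{ $cert | sha256sum }}
    spec:
      containers:
        - name: kong
          image: kong:2.0   # assumed tag, for illustration only
          volumeMounts:
            - name: webhook-cert
              mountPath: /admission-webhook
              readOnly: true
      volumes:
        - name: webhook-cert
          secret:
            secretName: {{ $secretName }}
```

Two caveats a practitioner should know before relying on this: `lookup` returns an empty map during `helm template` and `--dry-run`, so those render a fresh keypair even when one exists in the cluster, and only a real `helm install`/`helm upgrade` takes the reuse branch. A user-supplied PEM pair is most easily passed with `--set-file admissionWebhook.cert=tls.crt --set-file admissionWebhook.key=tls.key`. Unlike the pre-install hook workaround, the Secret here stays part of the release and is removed with it.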
https://github.com/Kong/charts/blob/master/charts/kong/templates/admission-webhook.yaml#L2-L4
We need to fix this. It should be possible for the user to supply certs.
We can make that configurable, but it will need to take the environment-based certificate handling from 0.9 into account.
though we could disable the annotation if it's present and trust users to restart their own pods when it changes.
Not ideal but that's totally acceptable.
I understand that:
- if the user provides a custom webhook cert, then the annotation changes causing an unnecessary rolling restart of pods. Filed #252 to handle this.
- if the user provides no webhook cert, auto-generation should happen only once. Filed #253
I understand that these are two independent issues that should be handled separately. Closing this issue to allow more focused execution on those two. Thanks @agaffney for reporting this.