Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add helm values for annotations #214

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

thesuperzapper
Copy link

closes #175

This PR adds two new values to the helm chart:

  • app.deploymentAnnotations: annotations to be applied to the trust-manager Deployment resource
  • app.certificateAnnotations: annotations to be applied to the Certificate and Issuer resources

This is primarily so that users can create a combined chart with cert-manager, and use ArgoCD to prevent race conditions.

For example, here are the values I am using in deployKF for this purpose:

app:
  certificateAnnotations:
    ## we must sync cert-manager resources after cert-manager itself
    argocd.argoproj.io/sync-wave: "10"

  deploymentAnnotations:
    ## we must sync the trust-manager deployment after its certificate is ready
    argocd.argoproj.io/sync-wave: "20"

@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 26, 2023
@jetstack-bot
Copy link
Contributor

Hi @thesuperzapper. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Oct 26, 2023
@thesuperzapper
Copy link
Author

@inteon I would appreciate a quick look at this small change to the helm chart, as it will let me stop forking the trust-manager helm chart for use in deployKF.

@erikgb
Copy link
Contributor

erikgb commented Oct 28, 2023

@thesuperzapper Have you seen #157? Being able to cut the dependency to cert-manager from trust-manager makes a lot of sense.

We should probably include the feature of adding annotations anyway, but do you really need to annotate the trust-manager deployment to solve your use case? Since the deployment mount the certificate secret as a volume mount, I don't think the pods will be scheduled before the secret is created by cert-manager.

I am also a bit torn regarding the proposed app.certificateAnnotations value. The certificate is more related to the webhook IMO, and we have a webhook hierarchy in the Helm chart (mess) also. WDYT?

/ok-to-test
/lgtm
/cc @inteon @SgtCoDFish

@jetstack-bot jetstack-bot added ok-to-test lgtm Indicates that a PR is ready to be merged. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 28, 2023
@erikgb
Copy link
Contributor

erikgb commented Oct 28, 2023

Please run 'make -s update-helm-docs'

To fix CI

@SgtCoDFish
Copy link
Member

Could you provide a little more detail on why you want this? We discussed it a bit and we guessed that with a combined chart you're running into issues with the CRDs not being installed when the trust-manager Certificate is created?

@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 30, 2023
@jetstack-bot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wallrj for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@thesuperzapper
Copy link
Author

Could you provide a little more detail on why you want this? We discussed it a bit and we guessed that with a combined chart you're running into issues with the CRDs not being installed when the trust-manager Certificate is created?

@SgtCoDFish the issue is not about the CRDs themselves being installed, it's about race conditions between the four "phases" of a combined cert-manager + trust-manager chart:

  1. cert-manager
  2. Cert Manager Certificates (depend on cert-manager webhook)
  3. trust-manager (mounts certificate secrets, for its webhook)
  4. Trust Manager Bundles (depend on trust-manager webhook)

ArgoCD supports the idea of "sync waves" which allows us to resolve this race condition by appropriately annotating the resources that depend on each other into separate waves.

Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for explaining! I've gotta say I'm kinda uneasy about merging this for what feels like such a specific Argo thing - but I think that's probably because I'm just generally kinda uneasy about Helm 😂

I've left a comment - do you think you could make that change?

(Note I'm finishing for the day now, so I might not be able to re-review until tomorrow)

Comment on lines +114 to +115
# -- Annotations for the Certificate/Issuer resources created by trust-manager
certificateAnnotations: {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: Looking to the future I'd like to remove the dependency on cert-manager that trust-manager currently has. Having app.certificateAnnotations doesn't really fit with a future chart where we donn't have any certificates or issuers.

Could we move this under app.webhook.tls.certManager.annotations? That way it's clear that it's for all certManager resources (certs + issuers) and it's moved to a more specific area of the chart.

@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 30, 2023
@jetstack-bot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cert-manager-prow
Copy link
Contributor

@thesuperzapper: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-trust-manager-test ddfc6a6 link true /test pull-trust-manager-test
pull-trust-manager-integration ddfc6a6 link true /test pull-trust-manager-integration

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@cert-manager-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 6, 2024
@cert-manager-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

@cert-manager-prow cert-manager-prow bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 6, 2024
@thesuperzapper
Copy link
Author

I think this issue is still important, and is causing me to run a forked version of the chart.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

support extra annotations on resoures in helm chart
5 participants