Updating the caBundle for the controller webhook #7022

Merged

Conversation

ytimocin (Contributor)

Description

Updating the caBundle for the controller webhook

Type of change

@ytimocin ytimocin requested review from a team as code owners January 11, 2024 22:07
@ytimocin ytimocin temporarily deployed to functional-tests January 11, 2024 22:09 — with GitHub Actions Inactive
@@ -32,7 +33,7 @@ webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert }}
caBundle: {{ $validatingWebhookCaBundle }}
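Review bot: `caBundle: {{ $validatingWebhookCaBundle }}` renders an empty value instead of failing when the variable is unset, for instance when the by-name selection from the webhook configurations array described in this thread finds no match; `clientConfig.caBundle` is optional to the API server, so an empty bundle installs cleanly and only surfaces on the first admission call as the x509 error this PR targets. Suggest `caBundle: {{ required "caBundle for the validating webhook not found" $validatingWebhookCaBundle }}` so a bad render fails at install time. Note also that the removed line encoded inline (`b64enc $ca.Cert`) while the new value is emitted as-is, so `$validatingWebhookCaBundle` must already hold base64 data, as a Secret `.data` value does, or the encoding has to happen where it is assigned.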

Review comment on the hunk above:

@ytimocin Can you please make the code consistent with how UCP does it? The UCP way is more intuitive.

ytimocin (Contributor Author):

In UCP's case, we don't need to select a caBundle from an array of webhook configurations: https://github.com/radius-project/radius/blob/main/deploy/Chart/templates/ucp/apiservice.yaml#L42.

The reason I did it this way is that we have a new webhook coming soon and that will also be added to the array of configs. We will need to map the right webhook configuration to the right caBundle.

The only thing that we will need to do for the next webhook is to call the function with the right webhook name.

Let me know if that makes sense @youngbupark.

youngbupark (Jan 11, 2024):

For the mutatingAdmissionController, we will use the existing controller service and share the same endpoint. Then I do not think we need an additional cert for the mutating controller. Please keep it simple and address what we need to solve.

radius-functional-tests bot commented Jan 11, 2024:

Radius functional test overview

Repository: ytimocin/radius
Commit ref: e9b47ff
Unique ID: e01baac88e
Image tag: pr-e01baac88e

Tools in the current test run:
  • gotestsum 1.10.0
  • KinD: v0.20.0
  • Dapr: 1.12.0
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.1.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/functional/shared/recipes/<name>:pr-e01baac88e
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-e01baac88e
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-e01baac88e
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-e01baac88e
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting samples functional tests...
⌛ Starting datastoresrp functional tests...
⌛ Starting shared functional tests...
⌛ Starting kubernetes functional tests...
⌛ Starting ucp functional tests...
⌛ Starting daprrp functional tests...
⌛ Starting msgrp functional tests...
✅ kubernetes functional tests succeeded
✅ samples functional tests succeeded
✅ msgrp functional tests succeeded
✅ datastoresrp functional tests succeeded
✅ ucp functional tests succeeded
✅ daprrp functional tests succeeded
✅ shared functional tests succeeded

@ytimocin ytimocin force-pushed the ytimocin/updateWebhookCaBundle branch 2 times, most recently from a9fbee4 to 2d1bf17 Compare January 11, 2024 23:11
@ytimocin ytimocin temporarily deployed to functional-tests January 11, 2024 23:15 — with GitHub Actions Inactive
radius-functional-tests bot commented Jan 11, 2024:

Radius functional test overview

Repository: ytimocin/radius
Commit ref: 2d1bf17
Unique ID: 95f2384de7
Image tag: pr-95f2384de7
Tools and image locations: as in the first run above, with image tag pr-95f2384de7

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting kubernetes functional tests...
⌛ Starting samples functional tests...
⌛ Starting datastoresrp functional tests...
⌛ Starting msgrp functional tests...
⌛ Starting daprrp functional tests...
⌛ Starting shared functional tests...
✅ msgrp functional tests succeeded
✅ samples functional tests succeeded
✅ kubernetes functional tests succeeded
✅ ucp functional tests succeeded
✅ datastoresrp functional tests succeeded
✅ shared functional tests succeeded

lakshmimsft previously approved these changes Jan 11, 2024
kachawla previously approved these changes Jan 11, 2024
youngbupark left a comment:

The controller-cert Secret should be created only if existingSecret is null; otherwise it shouldn't be created. Please add an if statement around the controller-cert manifest.

@ytimocin ytimocin dismissed stale reviews from kachawla and lakshmimsft via 243a308 January 12, 2024 19:44
@ytimocin ytimocin force-pushed the ytimocin/updateWebhookCaBundle branch from 2d1bf17 to 243a308 Compare January 12, 2024 19:44
@ytimocin ytimocin requested a review from youngbupark January 12, 2024 19:45
@ytimocin ytimocin force-pushed the ytimocin/updateWebhookCaBundle branch from 243a308 to 46d782c Compare January 12, 2024 19:47
{{ end }}
tls.crt: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "tls.crt" "defaultValue" $cert.Cert) }}
tls.key: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "tls.key" "defaultValue" $cert.Key) }}
ca.crt: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
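Review bot: the three lookups are independent per key, so an existing `controller-cert` Secret written by a chart version that stored only `tls.crt` and `tls.key` (the shape of the `{{ if $existingSecret }}` template shown later in this thread and of the suggested simplification) will reuse its `tls.crt` and `tls.key` but fall through to `$ca.Cert` for `ca.crt`, a freshly generated CA that did not sign the reused `tls.crt`. The `caBundle` built from that `ca.crt` then fails on an upgrade from such a release with exactly the error in the linked issue. Suggest treating the three keys as one unit: reuse all of them only when the existing Secret has all three, otherwise regenerate all three from the new `$ca` and `$cert`.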

Review comment:

Why do we need this? This is a dupe of tls.crt.

ytimocin (Contributor Author):

tls.crt uses $cert.Cert while ca.crt uses $ca.Cert. They are different.

ytimocin (Contributor Author):

ca.crt is also added here: https://github.com/bitnami/charts/blob/882140cfc5318420fdf563b77201f7ee5f67ca8f/bitnami/rabbitmq-cluster-operator/templates/messaging-topology-operator/validating-webhook-configuration.yaml#L29. That is what we use for the caBundle.

We need a way to access existing ca.crt to use it in the caBundle.

{{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
{{ else }}tls.key: {{ b64enc $cert.Key }}
{{ end }}
tls.crt: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "tls.crt" "defaultValue" $cert.Cert) }}
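Review bot: the removed branch kept the two encodings explicit: `index $existingSecret.data "tls.key"` is already base64 as stored in the Secret, while `b64enc $cert.Key` encodes fresh PEM. The replacement `secrets.lookup` call hides that distinction, so the helper must base64-encode `defaultValue` and pass an existing `.data` value through untouched; if it treats both the same way, one of the two paths writes an unusable key under `data:`. Please cover both paths (fresh install, and upgrade over an existing `controller-cert`) in the install and upgrade tests requested in this review, since, if the helper is built on Helm's `lookup`, the reuse path is never taken by `helm template` or `--dry-run` and cannot be seen in rendered output.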

Review comment:

We do not need to create the Secret if the secret exists, so we can simplify it like below.

{{- if not $existingSecret }} // ---> UPDATE THIS 
apiVersion: v1
kind: Secret
metadata:
  name: controller-cert
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/part-of: radius
data:
  tls.crt: {{ b64enc $cert.Cert }}
  tls.key: {{ b64enc $cert.Key }}
{{- end }}

ytimocin (Contributor Author):

The secrets.lookup function checks whether there is already a Secret and, if there is, uses the existing one. Like here.

secrets.lookup takes the secret name and the namespace that secret should be in, checks whether it exists and, if it does, returns the existing secret. If not, it returns the default value provided: in this case $cert.Cert, $cert.Key, and $ca.Cert.

ytimocin (Contributor Author):

If we do it this way ({{- if not $existingSecret }}), then the Secret gets deleted when we do --reinstall. In the --reinstall case, $existingSecret is not nil; that part is missing from the template. Let me know if that makes sense. Happy to sync offline.

And I did another test: when we do --reinstall, the Secret doesn't get recreated this way: https://github.com/radius-project/radius/pull/7022/files#diff-dacf6ba48c5b451f0a3a55b9978b57991a50fb27fc2da1c4785e09e52adc4b09R18-R20.
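The failure discussed across these comments, a caBundle that does not match the serving certificate actually in the cluster, can be reproduced offline. The Go program below is an added example, not code from the Radius chart or from this PR: it generates its own CA and serving certificates in process, models the chart's secrets.lookup rule with a stand-in function lookupKey, and uses constructed Secret contents. The Service host name controller.radius-system.svc is an assumption. It verifies the serving certificate the way the API server does when it calls the webhook, for three upgrade situations: the pre-PR template (fresh $ca.Cert as caBundle while tls.crt is reused), the new template against a Secret that carries ca.crt, and the new template against a Secret from an older release that has no ca.crt key, where a per-key lookup falls back to the fresh CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const webhookHost = "controller.radius-system.svc" // assumed DNS name of the controller webhook Service

// issue makes a PEM cert for cn: a self-signed CA (the chart's $ca) if parent is nil, else a serving cert signed by parent (the chart's $cert).
func issue(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// lookupKey stands in for the chart's secrets.lookup helper: reuse the existing Secret's key if present, else the fresh default, decided per key.
func lookupKey(existing map[string][]byte, key string, def []byte) []byte {
	if v, ok := existing[key]; ok && len(v) > 0 {
		return v
	}
	return def
}

// verifyWebhookCall mimics the API server on an admission call: trust only caBundle and verify the serving cert for host against it.
func verifyWebhookCall(caBundle, servingCert []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundle) {
		return errors.New("caBundle contains no certificate")
	}
	block, _ := pem.Decode(servingCert)
	if block == nil {
		return errors.New("serving certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenarios returns, per upgrade situation, the error the API server would see; CA1 signed the in-cluster Secret, CA2 is the $ca of a fresh render.
func Scenarios() map[string]error {
	ca1PEM, ca1, ca1Key := issue(1, "radius-ca", nil, nil)
	tlsPEM, _, _ := issue(2, webhookHost, ca1, ca1Key)
	ca2PEM, _, _ := issue(3, "radius-ca", nil, nil)
	legacy := map[string][]byte{"tls.crt": tlsPEM}                    // constructed: older release, no ca.crt key
	current := map[string][]byte{"tls.crt": tlsPEM, "ca.crt": ca1PEM} // constructed: release that stores ca.crt
	return map[string]error{
		// before the PR: caBundle was always the fresh b64enc $ca.Cert while tls.crt was reused
		"old template, reused tls.crt": verifyWebhookCall(ca2PEM, lookupKey(current, "tls.crt", nil), webhookHost),
		// after the PR, Secret has ca.crt: bundle and serving cert both come from the Secret
		"new template, secret has ca.crt": verifyWebhookCall(lookupKey(current, "ca.crt", ca2PEM), lookupKey(current, "tls.crt", nil), webhookHost),
		// after the PR, Secret predates ca.crt: the per-key lookup falls through to CA2 for the bundle only
		"new template, secret predates ca.crt": verifyWebhookCall(lookupKey(legacy, "ca.crt", ca2PEM), lookupKey(legacy, "tls.crt", nil), webhookHost),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-38s -> %v\n", name, err)
	}
}
```

Run it with go run: the first and third cases report "x509: certificate signed by unknown authority", the second reports nil. The third case is the one an upgrade test has to exercise: a lookup that reuses keys independently can pair an old serving certificate with a newly generated CA, which is indistinguishable from the original bug from the API server's point of view.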

@ytimocin ytimocin force-pushed the ytimocin/updateWebhookCaBundle branch 2 times, most recently from 066d0e2 to 4fa6441 Compare January 12, 2024 21:40
@ytimocin ytimocin temporarily deployed to functional-tests January 12, 2024 21:58 — with GitHub Actions Inactive
radius-functional-tests bot commented Jan 12, 2024:

Radius functional test overview

Repository: ytimocin/radius
Commit ref: 4fa6441
Unique ID: 8cf45496a1
Image tag: pr-8cf45496a1
Tools and image locations: as in the first run above, with image tag pr-8cf45496a1

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting msgrp functional tests...
⌛ Starting ucp functional tests...
⌛ Starting datastoresrp functional tests...
⌛ Starting shared functional tests...
⌛ Starting samples functional tests...
⌛ Starting daprrp functional tests...
⌛ Starting kubernetes functional tests...
✅ msgrp functional tests succeeded
✅ samples functional tests succeeded
✅ ucp functional tests succeeded
✅ daprrp functional tests succeeded
✅ datastoresrp functional tests succeeded
✅ kubernetes functional tests succeeded
✅ shared functional tests succeeded

Reuses the value from an existing secret, otherwise sets its value to a default value.

Usage:
{{ include "secrets.lookup" (dict "secret" "secret-name" "namespace" "ns-name" "key" "key-name" "defaultValue" "default-secret") }}
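Review bot: the usage comment should state the encoding contract, because callers write the result straight under `data:` in a Secret: an existing value comes back as stored in `.data` (base64), while `defaultValue` is plain PEM, so say whether the helper base64-encodes the default. It should also note that an existing Secret can only be found against a live cluster; `helm template` and `--dry-run` render the default every time. The placeholder `"default-secret"` also reads like a Secret name rather than a value; `"default-value"` is clearer.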
Review comment (Contributor):

nit: perhaps ...."defaultValue" "default-secretvalue") or ...."defaultValue" "default-value") is more accurate

@ytimocin ytimocin force-pushed the ytimocin/updateWebhookCaBundle branch from 4fa6441 to 7847b14 Compare January 13, 2024 23:20
youngbupark left a comment:

LGTM. Please ensure that we run the proper test for clean install and upgrade scenarios.

@ytimocin ytimocin temporarily deployed to functional-tests January 14, 2024 05:11 — with GitHub Actions Inactive
radius-functional-tests bot commented Jan 14, 2024:

Radius functional test overview

Repository: ytimocin/radius
Commit ref: 7847b14
Unique ID: 18f3a9f55f
Image tag: pr-18f3a9f55f
Tools and image locations: as in the first run above, with image tag pr-18f3a9f55f

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp functional tests...
⌛ Starting kubernetes functional tests...
⌛ Starting datastoresrp functional tests...
⌛ Starting samples functional tests...
⌛ Starting daprrp functional tests...
⌛ Starting msgrp functional tests...
⌛ Starting shared functional tests...
✅ kubernetes functional tests succeeded
✅ msgrp functional tests succeeded
✅ samples functional tests succeeded
✅ ucp functional tests succeeded
✅ daprrp functional tests succeeded
✅ datastoresrp functional tests succeeded
✅ shared functional tests succeeded

@ytimocin ytimocin merged commit d7cdbf2 into radius-project:main Jan 16, 2024
16 checks passed
willdavsmith pushed a commit to willdavsmith/radius that referenced this pull request Jan 17, 2024
# Description
Updating the caBundle for the controller webhook

## Type of change
- This pull request fixes a bug in Radius and has an approved issue
(issue link required).
Fixes: radius-project#6989

Signed-off-by: ytimocin <[email protected]>
Signed-off-by: willdavsmith <[email protected]>
Development

Successfully merging this pull request may close these issues.

"x509: certificate signed by unknown authority" error during webhook call
4 participants