Helm chart support for webhook sidecar #3966
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cc @Raffo |
johngmyers
force-pushed
the
webhook-chart
branch
3 times, most recently
from
427869c
to
51e3b34
Compare
| securityContext: | ||
| {{- toYaml . | nindent 12 }} | ||
| {{- end }} | ||
| image: {{ .Values.webhook.image . }} |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| {{- toYaml .Values.webhook.livenessProbe | nindent 12 }} | ||
| readinessProbe: | ||
| {{- toYaml .Values.webhook.readinessProbe | nindent 12 }} | ||
| {{- if or .Values.webhook.secretConfiguration.enabled .Values.webhook.extraVolumeMounts }} |
There was a problem hiding this comment.
.Values.webhook.secretConfiguration.enabled is not in the values.yaml
There was a problem hiding this comment.
Changed to use mountPath instead of enabled, to match the external-dns container and the condition two lines below.
This does mean that setting either mountPath without also setting enabled will result in mounting a nonexistent volume. We could make the condition for the volume definition be an or of the two mountPath, leaving enabled to just control creating the Secret.
| {{- toYaml . | nindent 12 }} | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- if or .Values.secretConfiguration.enabled .Values.webhook.secretConfiguration.enabled .Values.extraVolumes }} | ||
| volumes: | ||
| {{- if .Values.secretConfiguration.enabled }} |
There was a problem hiding this comment.
| {{- if .Values.secretConfiguration.enabled }} | |
| {{- if or .Values.secretConfiguration.enabled .Values.webhook.secretConfiguration.enabled }} |
There was a problem hiding this comment.
I had decided against having a .Values.webhook.secretConfiguration.enabled. The .Values.secretConfiguration.enabled setting defines the creation of the Secret, whereas each of the containers has its own mountPath setting. It is most likely that any secret will only be needed by the webhook (to authenticate to the provider's API).
|
@johngmyers With my 3 suggested changes and this values files: webhook:
image: "myhook:v1.2"
args: ["-c","-v"]
env:
- name: TEST
value: "TESTVAL"
extraVolumeMounts: []
resources:
requests:
cpu: 10m
memory: 50Mi
secretConfiguration:
enabled: true
mountPath: "/etc/mysecret"It produced the expected output, with secret mounted on sidecar and not on main container. |
There was a problem hiding this comment.
I think this PR works in general but I don't think using .Values.webhook.image as the flag to enable this behaviour is a good API. Initially I was thinking that there should be .Values.webhook.enabled but this still leave the behaviour of .Values.provider as ambiguous.
I think that this PR should use eq .Values.provider "webhook" as the flag for this behaviour as it's consistent with the current API.
|
@stevehipwell to enable the webhook provider you need to provide an image and there's no purpose to providing an image except to enable the webhook provider. So providing an image is equivalent to enabling the webhook provider. So a |
|
@johngmyers I agree with @stevehipwell. The code would be more clear and consistent using For misconfiguration, it's possible to use fail when user has set webhook provider without a webhook image. See for instance how it's done on this HPA template when it's been enabled without the required maxReplicas. As an alternative, there is also the required function. |
|
Keying off of Keying off of |
johngmyers
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
johngmyers
force-pushed
the
webhook-chart
branch
from
a772c35
to
badc6c3
Compare
|
Following the use of secretConfiguration:
data:
credentials: |
[default]
my_secret_access = $MY_SECRET_KEY
webhook:
image: "myhook:v1.2"
args: ["-c","-v"]
env:
- name: TEST
value: "TRUC"
resources:
requests:
cpu: 10m
memory: 50Mi
secretConfiguration:
mountPath: "/etc/mysecret"Generated yaml is missing the annotation |
|
If I do think it would be useful for the chart to support |
|
Yes, that's the issue. And even if the user provides it externally, it won't be smooth : one will have to restart manually the pod each time the secret is updated. With the current state of the PR,
Following this idea to enable it with |
|
@johngmyers the primary behaviour for this chart is controlled by |
|
@mloiseleur I agree that there's no benefit to having A theoretical feature to support |
|
We do not have agreement with this. I strongly disagree with @stevehipwell 's stance on this. The stance is not even logical: the entire point of the webhook provider is to change how providers are specifed, so how built-in providers used to be specified is not relevant to how external providers should be specified. Users configuring an external provider should not be surprised by external-dns using the AWS provider because they failed to specify something that the chart could easily have figured out itself. |
johngmyers
force-pushed
the
webhook-chart
branch
from
d5b5948
to
007d2e4
Compare
|
@Raffo there is no consensus between @johngmyers and myself. I stand by my review and am very much opposed to breaking the existing chart API; I can't see any benefit while I can see a significant number of downsides. I'm happy to provide a PR to add webhook support within the existing chart API; we can support single container, sidecar and external service patterns. |
|
This change does not break the existing chart API. All preexisting use cases continue to work with no change to config. From a user experience perspective, this change has all benefit and no downside. There is no reason or benefit for a user of a sidecar provider to configure the The argument against this change is nonsensical. That it changes a previous configuration model that did not allow for the feature being added is unavoidable. |
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
added
the
needs-rebase
|
I think it would be confusing and inconsistent if the chart works different to what is described here: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/webhook-provider.md. The documentation says there is a new provider |
johngmyers
force-pushed
the
webhook-chart
branch
from
d4adb0c
to
b61bb65
Compare
k8s-ci-robot
removed
the
needs-rebase
johngmyers
force-pushed
the
webhook-chart
branch
3 times, most recently
from
dac9319
to
90b69ea
Compare
johngmyers
force-pushed
the
webhook-chart
branch
from
90b69ea
to
cc1c5f5
Compare
|
Moved all the settings under |
| ports: | ||
| - name: provider-metrics | ||
| protocol: TCP | ||
| containerPort: 8080 |
There was a problem hiding this comment.
Is this port expected on all webhook providers ?
FTM, I have seen they are using one port (8888) by default, to serve provider methods and probes.
There was a problem hiding this comment.
That is my proposal. We'll want them to have a separate port for metrics because security depends on the provider methods not being accessible outside of the pod. I don't see any benefit in letting webhook providers choose different metrics ports.
|
@johngmyers @mloiseleur what is the situation with this PR and #4032? |
|
The situation between this and #4032 is that we have not yet converged. |
| @@ -22,32 +22,34 @@ spec: | |||
| matchLabels: | |||
| {{- include "external-dns.selectorLabels" . | nindent 6 }} | |||
| endpoints: | |||
| - port: http | |||
| {{- range (list "http" "provider-metrics" }} | |||
There was a problem hiding this comment.
I need to make the "provider-metrics" part of this conditional on there being a provider sidecar.
k8s-ci-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@johngmyers: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@mloiseleur: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Description
Adds support to the Helm chart for running a webhook provider as a sidecar
Checklist