Upgrade JetStack Cert-Manager to v0.15.2 #6414

Merged 3 commits, Aug 6, 2020

bmelbourne
Contributor

What type of PR is this?
/kind feature

What this PR does / why we need it:

This PR upgrades the deployment of JetStack Cert-Manager to v0.15.2.

Which issue(s) this PR fixes:
Fixes #5946

Special notes for your reviewer:
For additional information, refer to roles\kubernetes-apps\ingress_controller\cert_manager\README.md.

Does this PR introduce a user-facing change?:

Action required: Refer to roles\kubernetes-apps\ingress_controller\cert_manager\README.md prior to upgrading JetStack Cert-Manager in your existing Kubernetes cluster.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 16, 2020
@k8s-ci-robot
Contributor

Hi @bmelbourne. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 16, 2020
@k8s-ci-robot k8s-ci-robot requested review from bozzo and EppO July 16, 2020 21:07
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 16, 2020
@bmelbourne
Contributor Author

bmelbourne commented Jul 17, 2020

There appears to be an underlying issue with k8s dns/service resolution when deployed on CentOS7 only.

TASK [kubernetes-apps/ingress_controller/cert_manager : Cert Manager | Apply ClusterIssuer manifest] ***
fatal: [k8s-1]: FAILED! => {"changed": false, "msg": "error running kubectl (/usr/local/bin/kubectl apply --force --filename=/etc/kubernetes/addons/cert_manager/clusterissuer-cert-manager.yml) command (rc=1), out='', err='Error from server (InternalError): error when creating \"/etc/kubernetes/addons/cert_manager/clusterissuer-cert-manager.yml\": Internal error occurred: failed calling webhook \"webhook.cert-manager.io\": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)\n'"}

If I install busybox and look up the service DNS for cert-manager-webhook.cert-manager.svc, it fails for CentOS7 whereas for Ubuntu 18.04 it passes.

CentOS 7

$ k run busybox --image=busybox:1.28 --command -- sleep 3600
$ POD_NAME=$(k get pods -l run=busybox -o jsonpath="{.items[0].metadata.name}")
$ k exec -ti $POD_NAME -- nslookup kubernetes.default.svc
Server:         169.254.25.10
Address:        169.254.25.10:53

** server can't find kubernetes.default.svc: NXDOMAIN

*** Can't find kubernetes.default.svc: No answer

command terminated with exit code 1

$ k exec -ti $POD_NAME -- nslookup cert-manager-webhook.cert-manager.svc
Server:         169.254.25.10
Address:        169.254.25.10:53

** server can't find cert-manager-webhook.cert-manager.svc: NXDOMAIN

*** Can't find cert-manager-webhook.cert-manager.svc: No answer

command terminated with exit code 1

Ubuntu 18.04

$ k exec -ti $POD_NAME -- nslookup kubernetes.default.svc
Server:    169.254.25.10
Address 1: 169.254.25.10

Name:      kubernetes.default.svc
Address 1: 10.233.0.1 kubernetes.default.svc.cluster.local

$ k exec -ti $POD_NAME -- nslookup cert-manager-webhook.cert-manager.svc
Server:    169.254.25.10
Address 1: 169.254.25.10

Name:      cert-manager-webhook.cert-manager.svc
Address 1: 10.233.62.186 cert-manager-webhook.cert-manager.svc.cluster.local

Does anyone know if there is an outstanding issue with CentOS7, Flannel CNI and K8s DNS?
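
As an added example (not part of this PR or of Kubespray), the comparison in the comment above can be made scriptable: the function below reads nslookup output and prints the answer address, or fails on NXDOMAIN. The function and sample names are hypothetical; the sample text is copied from the two transcripts above.

```shell
#!/bin/sh
# Added example: classify nslookup output captured from a pod.
# Function and sample names are hypothetical; the sample text is copied
# from the two transcripts in the comment above.

# Read nslookup output on stdin; print each answer address, one per line.
# Exit status 1 when the server returned NXDOMAIN or no answer section.
nslookup_answer() {
    awk '
        /NXDOMAIN|[Cc]an.t find/ { failed = 1 }
        # Address lines before "Name:" describe the resolver, not the answer.
        /^Name:/                 { in_answer = 1; next }
        in_answer && /^Address/  {
            sub(/^Address[ 0-9]*:[ \t]*/, "")  # handles "Address:" and "Address 1:"
            print $1                            # IP only, drop the trailing FQDN
            found = 1
        }
        END { exit ((failed || !found) ? 1 : 0) }
    '
}

sample_centos7() {
    cat <<'EOF'
Server:         169.254.25.10
Address:        169.254.25.10:53

** server can't find cert-manager-webhook.cert-manager.svc: NXDOMAIN

*** Can't find cert-manager-webhook.cert-manager.svc: No answer
EOF
}

sample_ubuntu1804() {
    cat <<'EOF'
Server:    169.254.25.10
Address 1: 169.254.25.10

Name:      cert-manager-webhook.cert-manager.svc
Address 1: 10.233.62.186 cert-manager-webhook.cert-manager.svc.cluster.local
EOF
}

for sample in sample_centos7 sample_ubuntu1804; do
    if addr=$("$sample" | nslookup_answer); then
        echo "$sample: resolves to $addr"
    else
        echo "$sample: name does not resolve"
    fi
done
# Live use: kubectl exec "$POD_NAME" -- nslookup <name> | nslookup_answer
```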

@bmelbourne
Contributor Author

/assign @woopstar

@floryut
Copy link
Member

floryut commented Jul 20, 2020

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 20, 2020
@floryut
Member

floryut commented Jul 30, 2020

@bmelbourne Could you try another CI test then? If it doesn't work only on Centos7 we could warn users and still roll this out.

@bmelbourne
Contributor Author

bmelbourne commented Aug 1, 2020

> @bmelbourne Could you try another CI test then? If it doesn't work only on Centos7 we could warn users and still roll this out.

@floryut I've merged in the latest master commits yesterday and the issue appears to have been resolved. Looking through the commit history, the only likely possible fix is the K8s upgrade to v1.18.6, otherwise nothing else stands out.

All CI tests are now passing which is great news to move this PR forward.

@floryut
Member

floryut commented Aug 3, 2020

> > @bmelbourne Could you try another CI test then? If it doesn't work only on Centos7 we could warn users and still roll this out.
>
> @floryut I've merged in the latest master commits yesterday and the issue appears to have been resolved. Looking through the commit history, the only likely possible fix is the K8s upgrade to v1.18.6, otherwise nothing else stands out.
>
> All CI tests are now passing which is great news to move this PR forward.

That's great work man, I'm very pleased if we can ship this in master, will try to take a look at all changes.
WDYT @Miouge1 ?

This would require a big note in release note (as written in the PR) but I think we need to move away from a 2y/o version

@Miouge1
Contributor

Miouge1 commented Aug 4, 2020

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bmelbourne, Miouge1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 4, 2020
@k8s-ci-robot
Contributor

@bmelbourne: you cannot LGTM your own PR.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@floryut
Member

floryut commented Aug 6, 2020

Ok let's roll and fix issues in other PR if need be, we need to move forward with this :)
Good job @bmelbourne
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 6, 2020
@k8s-ci-robot k8s-ci-robot merged commit 9cc70e9 into kubernetes-sigs:master Aug 6, 2020
@bmelbourne
Contributor Author

> Ok let's roll and fix issues in other PR if need be, we need to move forward with this :)
> Good job @bmelbourne
> /lgtm

@floryut As this was my first PR in Kubespray, thanks for your patience on this one.
Hopefully, the community will find the latest Cert Manager version useful, particularly the auto-renewal feature.

@bmelbourne bmelbourne deleted the cert-manager-0.15.2-upgrade branch August 6, 2020 07:55
erulabs added a commit to kubesail/kubespray that referenced this pull request Aug 6, 2020
* 'master' of https://github.com/kubernetes-sigs/kubespray: (30 commits)
  Minor Ambassador docs updates (kubernetes-sigs#6503)
  Fix cilium strict kube proxy replacement in HA (kubernetes-sigs#6473)
  Upgrade JetStack Cert-Manager to v0.15.2 (kubernetes-sigs#6414)
  Fix E306 in tests/ (kubernetes-sigs#6495)
  Fix E306 in roles/kubernetes (kubernetes-sigs#6500)
  Allows tls verify skip on webhook auth url (kubernetes-sigs#6472)
  Fix E306 in scripts/ (kubernetes-sigs#6496)
  Correct sample inventory to pass yamllint (kubernetes-sigs#6499)
  Option for MetalLB to talk BGP (kubernetes-sigs#6383)
  bootstrap-os for remove-node (kubernetes-sigs#6154)
  Quoted type constraints are deprecated (kubernetes-sigs#6497)
  Update base image to v2.13.3 (kubernetes-sigs#6494)
  Fix Flexvolume mount in Openstack Controller (kubernetes-sigs#6480)
  Remove hvac dependency (kubernetes-sigs#6476)
  Create a PodDisruptionBudget for the Cinder CSI controllerplugin (kubernetes-sigs#6385)
  Upgrade molecule to v3 (kubernetes-sigs#6468)
  Remove workaround for kubeadm upgrade (kubernetes-sigs#6478)
  Update kube-router to 1.0.1 and kube-ovn to 1.3.0 (kubernetes-sigs#6479)
  fix src for audit webhook config yaml (kubernetes-sigs#6470)
  crio: align template crio.conf with upstream (kubernetes-sigs#6432)
  ...
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Jan 10, 2021
* Upgrade JetStack Cert-Manager to v0.15.2

* Add README.md table of contents
Successfully merging this pull request may close these issues.

Cert manager version doesnt match the documentation