Add options for internal cert management to component config

[tenzen-y]

Signed-off-by: tenzen-y yuki.iwai.tz@gmail.com

What type of PR is this?

/kind documentation
/kind feature
/kind api-change

What this PR does / why we need it:

I added options for internal cert management to component config and I have tested the operations in the below commands:

• For default internal cert management options

kubectl apply -k github.com/tenzen-y/kueue/config/default?ref=add-cert-options-to-component-config-default-cert-opts

• For customize namespace, serviceName and secretName

kubectl apply -k github.com/tenzen-y/kueue/config/default?ref=add-cert-options-to-component-config-customize-cert-opts

Also, I fixed Makefile and added a changelog.

Which issue(s) this PR fixes:

Fixes #270

Special notes for your reviewer:

[k8s-ci-robot]

Welcome @tenzen-y!

It looks like this is your first PR to kubernetes-sigs/kueue 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kueue has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @tenzen-y. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tenzen-y]

Previously, main_test.go could not be tested.

[kerthcet]

Good catch.

[alculquicondor]

would -e /test work?

[tenzen-y]

Yes, It works fine.
Do you prefer to use go list ./... | grep -v -e '/test'?

[tenzen-y]

We need to specify CPU architecture to run tests on Apple Silicon machines since envtest only provides k8s components for amd64 binaries.

[tenzen-y]

/assign @alculquicondor @kerthcet

[alculquicondor]

/ok-to-test

I'll let @kerthcet do the first pass

[tenzen-y]

@kerthcet I have addressed your comments. Please take another look.

[tenzen-y]

Also, it might be better to move setOptionDefaults(opt *ctrl.Options) to SetDefaults_Configuration(cfg *Configuration) same as InternalCertManagement in another PR.

What do you think?

[kerthcet]

Also, it might be better to move setOptionDefaults(opt *ctrl.Options) to SetDefaults_Configuration(cfg *Configuration) same as InternalCertManagement in another PR.

What do you think?

Actually, it was designed on purpose before, we want to apply defaults after loading the config file. The advantage I can think of is that we apply AndFrom above, it will also set defaults, but it's out of our control since it's an imported package, applying defaults after gives us more confident. But I'm open with this.

[tenzen-y]

Also, it might be better to move setOptionDefaults(opt *ctrl.Options) to SetDefaults_Configuration(cfg *Configuration) same as InternalCertManagement in another PR.
What do you think?

Actually, it was designed on purpose before, we want to apply defaults after loading the config file. The advantage I can think of is that we apply AndFrom above, it will also set defaults, but it's out of our control since it's an imported package, applying defaults after gives us more confident. But I'm open with this.

Thanks for clarifying! @kerthcet

It seems strange that the different how to set defaults (use the SetDefaults function or apply defaults after loading config) for both InternalCertManagement and other parameters. So, it might be better to do the same logic.

In my opinion, it might be better to set all default parameters to Configuration using the SetDefaults function.

What do you think about the current logic that uses different logic for InternalCertManagement and other parameters?

[kerthcet]

Since this is optional, maybe *string will be better.

[kerthcet]

Besides, have you tried this, I have no time to test it up to now.

[tenzen-y]

Since this is optional, maybe *string will be better.

SGTM.

[tenzen-y]

Besides, have you tried this, I have no time to test it up to now.

Yes, I have tested using the below command:

kubectl apply -k github.com/tenzen-y/kueue/config/default?ref=add-cert-options-to-component-config-customize-cert-opts

The above manifests are customized namespace, serviceName, and secretName.

Detail of Configuration: https://github.com/tenzen-y/kueue/blob/add-cert-options-to-component-config-customize-cert-opts/config/components/manager/controller_manager_config.yaml

[tenzen-y]

Done.

[alculquicondor]

*string is necessary when the empty string is a valid value. But this is not the case for these fields. Empty means not-set, and we can set the default.

[kerthcet]

It seems strange that the different how to set defaults (use the SetDefaults function or apply defaults after loading config) for both InternalCertManagement and other parameters. So, it might be better to do the same logic.

In my opinion, it might be better to set all default parameters to Configuration using the SetDefaults function.

What do you think about the current logic that uses different logic for InternalCertManagement and other parameters?

I'm ok with this if we can add enough tests to improve our confidence. But we can leave it a follow up as you said.

[tenzen-y]

I'm ok with this if we can add enough tests to improve our confidence. But we can leave it a follow up as you said.

I agree with you.
I will not work on it in this PR.

[alculquicondor]

I would put it inside the internalCertManagement struct

[kerthcet]

Forget to comment here, at the very beginning I was tricked by the annotation, actually we should name this serviceNamespace. What's more, I think just modify the api is not enough, I'm making some experiments right now, I think we should also update the kustomize configuration.

[tenzen-y]

Forget to comment here, at the very beginning I was cheated by the annotation,

I don't mind, thanks for your detailed review! @kerthcet

actually we should name this serviceNamespace.

That makes sense. I will rename Namespace to ServiceNamespace and move to struct InternalCertManagement.

What's more, I think just modify the api is not enough, I'm making some experiments right now, I think we should also update the kustomize configuration.

Which kustomize configurations should we modify? namePrefix? @kerthcet

[kerthcet]

Maybe you can try with a different service rather than webhook-service, and apply an unqualified object. Then you will get an error, maybe like failed to call webhook: Post "https://webhook-service.kueue-system.svc:443/mutate-kueue-x-k8s-io-v1alpha2-resourceflavor?timeout=10s": service "webhook-service" not found.

[kerthcet]

Because we still need to update the manifests.yaml. IIUC.

[alculquicondor]

This conversation has derailed in ways I don't understand :)

I don't think it's a primary use case to change the namespace name or service name, so I think we can leave it out of the documentation. IMO, it suffices to leave the hooks in the configuration to let users change the parameters without having to rebuild the image, if they really need to.

[tenzen-y]

I don't think it's a primary use case to change the namespace name or service name, so I think we can leave it out of the documentation. IMO, it suffices to leave the hooks in the configuration to let users change the parameters without having to rebuild the image, if they really need to.

@alculquicondor That makes sense.
I will move these configurations to comments.

[tenzen-y]

Done.

[alculquicondor]

The initial conclusion of this thread was to move Namespace into InternalCertManagement as WebhookServiceNamespace

[tenzen-y]

@alculquicondor
As described in this comment by @kerthcet, I and @kerthcet updated the conclusion that we should include the namespace in struct Configuration because it represents the namespace where kueue components are deployed.

Actually the namespace helps to control where to deploy the kueue components, besides configure this field, we should also update the config/default/kustomization.yaml, to change the value of namespace.

So I think we can leave it outside the internalCertManagement

[tenzen-y]

Thank you very much for your detailed review many times! @kerthcet

[tenzen-y]

@alculquicondor I have addressed your suggestions. PTAL

[alculquicondor]

I think we can avoid the pointers.

If the field is empty len(field)==0, you can set the default.

[tenzen-y]

As described in this by @kerthcet, I changed it to *string since this field is optional. Should I change it to string?

Since this is optional, maybe *string will be better.

[kerthcet]

Still think pointer is a better choice since this is optional, if we set to string, len(field) == 0 means both unset or misconfiguration of empty string. We can't tell the difference.

[kerthcet]

Do we have any obviously disadvantages by using pointer?

[tenzen-y]

@alculquicondor

[alculquicondor]

empty string is not a valid value, so we can override it during defaulting. Using pointer just adds extra code that we can avoid. But I'm ok with it, if you feel strongly about it.

[tenzen-y]

I agree with @kerthcet. So, I'd like to use *string.
Do you have any concerns? @kerthcet

[alculquicondor]

sg, please squash.

[tenzen-y]

I have squashed.

[tenzen-y]

@kerthcet What is your opinion about #362 (comment)?

*string is necessary when the empty string is a valid value. But this is not the case for these fields. Empty means not-set, and we can set the default.

[tenzen-y]

Probably, we need to merge #379 first.

[tenzen-y]

/test pull-kueue-build-image-main

[tenzen-y]

Probably, this PR is ready to merge.

[tenzen-y]

Once this PR is merged, I will work on this.

Also, it might be better to move setOptionDefaults(opt *ctrl.Options) to SetDefaults_Configuration(cfg *Configuration) same as InternalCertManagement in another PR.

[alculquicondor]

And please squash :)

[tenzen-y]

And please squash :)

I have already squashed.

https://github.com/kubernetes-sigs/kueue/pull/362/commits

[tenzen-y]

You mean git sqush, right?

[alculquicondor]

Awesome

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alculquicondor, tenzen-y

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [alculquicondor]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tenzen-y]

@alculquicondor
Hmm..? This PR seems to be merged before I apply your suggestion.

I will create another PR to apply your suggestion.

[alculquicondor]

oh yeah... I should have checked

[kerthcet]

Thanks @tenzen-y

[tenzen-y]

Thanks @tenzen-y

@kerthcet Thanks for your review!