-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add options for internal cert management to component config #362
Add options for internal cert management to component config #362
Conversation
Welcome @tenzen-y! |
Hi @tenzen-y. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Makefile
Outdated
@@ -118,11 +118,11 @@ vet: ## Run go vet against code. | |||
|
|||
.PHONY: test | |||
test: generate fmt vet ## Run tests. | |||
$(GO_CMD) test $(GO_TEST_FLAGS) ./pkg/... -coverprofile cover.out | |||
$(GO_CMD) test $(GO_TEST_FLAGS) $(shell go list ./... | grep -v -e test -e apis) -coverprofile cover.out |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Previously, main_test.go
could not be tested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would -e /test
work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, It works fine.
Do you prefer to use go list ./... | grep -v -e '/test'
?
|
||
.PHONY: test-integration | ||
test-integration: manifests generate fmt vet envtest ginkgo ## Run tests. | ||
KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" \ | ||
KUBEBUILDER_ASSETS="$(shell $(ENVTEST) --arch=amd64 use $(ENVTEST_K8S_VERSION) -p path)" \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to specify CPU architecture to run tests on Apple Silicon machines since envtest only provides k8s components for amd64 binaries.
/assign @alculquicondor @kerthcet |
/ok-to-test I'll let @kerthcet do the first pass |
@kerthcet I have addressed your comments. Please take another look. |
Also, it might be better to move What do you think? |
Actually, it was designed on purpose before, we want to apply defaults after loading the config file. The advantage I can think of is that we apply |
Thanks for clarifying! @kerthcet It seems strange that the different how to set defaults (use the SetDefaults function or apply defaults after loading config) for both InternalCertManagement and other parameters. So, it might be better to do the same logic. In my opinion, it might be better to set all default parameters to Configuration using the SetDefaults function. What do you think about the current logic that uses different logic for InternalCertManagement and other parameters? |
@@ -27,6 +27,10 @@ import ( | |||
type Configuration struct { | |||
metav1.TypeMeta `json:",inline"` | |||
|
|||
// Namespace is the namespace in which kueue is deployed and is also used as part of DNSName. | |||
// Defaults to kueue-system. | |||
Namespace string `json:"namespace,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is optional, maybe *string will be better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Besides, have you tried this, I have no time to test it up to now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is optional, maybe *string will be better.
SGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Besides, have you tried this, I have no time to test it up to now.
Yes, I have tested using the below command:
kubectl apply -k github.com/tenzen-y/kueue/config/default?ref=add-cert-options-to-component-config-customize-cert-opts
The above manifests are customized namespace, serviceName, and secretName.
Detail of Configuration: https://github.com/tenzen-y/kueue/blob/add-cert-options-to-component-config-customize-cert-opts/config/components/manager/controller_manager_config.yaml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
*string
is necessary when the empty string is a valid value. But this is not the case for these fields. Empty means not-set, and we can set the default.
I'm ok with this if we can add enough tests to improve our confidence. But we can leave it a follow up as you said. |
I agree with you. |
@@ -27,6 +27,10 @@ import ( | |||
type Configuration struct { | |||
metav1.TypeMeta `json:",inline"` | |||
|
|||
// Namespace is the namespace in which kueue is deployed and is also used as part of DNSName. | |||
// Defaults to kueue-system. | |||
Namespace *string `json:"namespace,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would put it inside the internalCertManagement struct
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Forget to comment here, at the very beginning I was tricked by the annotation, actually we should name this serviceNamespace. What's more, I think just modify the api is not enough, I'm making some experiments right now, I think we should also update the kustomize configuration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Forget to comment here, at the very beginning I was cheated by the annotation,
I don't mind, thanks for your detailed review! @kerthcet
actually we should name this serviceNamespace.
That makes sense. I will rename Namespace
to ServiceNamespace
and move to struct InternalCertManagement
.
What's more, I think just modify the api is not enough, I'm making some experiments right now, I think we should also update the kustomize configuration.
Which kustomize configurations should we modify? namePrefix
? @kerthcet
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe you can try with a different service rather than webhook-service
, and apply an unqualified object. Then you will get an error, maybe like failed to call webhook: Post "https://webhook-service.kueue-system.svc:443/mutate-kueue-x-k8s-io-v1alpha2-resourceflavor?timeout=10s": service "webhook-service" not found
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because we still need to update the manifests.yaml. IIUC.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This conversation has derailed in ways I don't understand :)
I don't think it's a primary use case to change the namespace name or service name, so I think we can leave it out of the documentation. IMO, it suffices to leave the hooks in the configuration to let users change the parameters without having to rebuild the image, if they really need to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it's a primary use case to change the namespace name or service name, so I think we can leave it out of the documentation. IMO, it suffices to leave the hooks in the configuration to let users change the parameters without having to rebuild the image, if they really need to.
@alculquicondor That makes sense.
I will move these configurations to comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The initial conclusion of this thread was to move Namespace into InternalCertManagement
as WebhookServiceNamespace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@alculquicondor
As described in this comment by @kerthcet, I and @kerthcet updated the conclusion that we should include the namespace in struct Configuration
because it represents the namespace where kueue components are deployed.
Actually the namespace helps to control where to deploy the kueue components, besides configure this field, we should also update the config/default/kustomization.yaml, to change the value of namespace.
So I think we can leave it outside the internalCertManagement
Thank you very much for your detailed review many times! @kerthcet |
@alculquicondor I have addressed your suggestions. PTAL |
@@ -27,6 +27,10 @@ import ( | |||
type Configuration struct { | |||
metav1.TypeMeta `json:",inline"` | |||
|
|||
// Namespace is the namespace in which kueue is deployed. It is used as part of DNSName of the webhook Service. | |||
// Defaults to kueue-system. | |||
Namespace *string `json:"namespace,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can avoid the pointers.
If the field is empty len(field)==0
, you can set the default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still think pointer is a better choice since this is optional, if we set to string, len(field) == 0
means both unset or misconfiguration of empty string. We can't tell the difference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have any obviously disadvantages by using pointer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
empty string is not a valid value, so we can override it during defaulting. Using pointer just adds extra code that we can avoid. But I'm ok with it, if you feel strongly about it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sg, please squash.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have squashed.
@kerthcet What is your opinion about #362 (comment)?
|
Signed-off-by: tenzen-y <yuki.iwai.tz@gmail.com> Co-authored-by: Aldo Culquicondor <1299064+alculquicondor@users.noreply.github.com>
db32a3b
to
33e0459
Compare
Probably, we need to merge #379 first. |
/test pull-kueue-build-image-main |
Probably, this PR is ready to merge. |
Once this PR is merged, I will work on this.
|
And please squash :) |
I have already squashed. https://github.com/kubernetes-sigs/kueue/pull/362/commits |
You mean git sqush, right? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alculquicondor, tenzen-y The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@alculquicondor I will create another PR to apply your suggestion. |
oh yeah... I should have checked |
Thanks @tenzen-y |
Signed-off-by: tenzen-y yuki.iwai.tz@gmail.com
What type of PR is this?
/kind documentation
/kind feature
/kind api-change
What this PR does / why we need it:
I added options for internal cert management to component config and I have tested the operations in the below commands:
kubectl apply -k github.com/tenzen-y/kueue/config/default?ref=add-cert-options-to-component-config-default-cert-opts
kubectl apply -k github.com/tenzen-y/kueue/config/default?ref=add-cert-options-to-component-config-customize-cert-opts
Also, I fixed Makefile and added a changelog.
Which issue(s) this PR fixes:
Fixes #270
Special notes for your reviewer: