-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add network policy for RKE2 Ingress Nginx #4300
base: dev-v2.10
Are you sure you want to change the base?
Conversation
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
I have honestly got no clue about why there are so many lines modified in this PR. Steps I followed are below: $ export PACKAGE=rancher-monitoring/rancher-monitoring
$ make prepare
// made changes
$ make patch
$ make charts Did I do something wrong here? 🤔 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rancher monitoring version needs to be bumped to 104.1.1-rc1
. Recommend separating make patch
into a separate commit from make charts
for exactly this scenario, where you would to do something like rebase with drop.
Need to remove packages/rancher-monitoring/rancher-monitoring/generated-changes/overlay/crds
as a bug in charts-build-scripts includes these by accident.
...nitoring/rancher-monitoring/generated-changes/overlay/crds/crds/crd-alertmanagerconfigs.yaml
Outdated
Show resolved
Hide resolved
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
@joshmeranda @alexandreLamarre thanks for your feedback, guys! I have modified as per your recommendations. Can you PTAL again? Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking better, but git history could use some housekeeping. Can you update the commits to look closer to the steps outline here? Generally this will look like this:
export PACKAGE=rancher-monitoring/rancher-monitoring
make prepare
- Make the changes you need to the prepare chart, in this case adding the network policy
make patch
- Commit the changes to
packages/rancher-monitoring/rancher-monitoring/generated-changes
(don't forget to removegenerated-changes/overlay/crds
introduced by the bug) - Update the version in
package.yaml
- Commit changes to
package.yaml
make charts
- Commit changes made by
make charts
- Update and commit
release.yaml
with new version of chart
Following these steps will make it a good bit easier for the reviewer to see what was changed and why. Also make each commit smaller and prevents new chart versions from stalling our browsers when trying to load 100+ new files. Thanks!
@joshmeranda I referred to the Making Changes To Packages section which mentions making version related changes first. In context of your comment, I followed steps 6-9 first and 1-5 after that. If I follow the steps you suggested, it'd make changes to 104.1.0. And, AFAIK, 104.1.0 has already released, right? Correct me if I'm wrong because there's a good chance I am. :) |
@dharmit You're right that we don't want to make changes to I keep forgetting that the docs recommend you update the version first. That's fine as long as its a separate commit. Generally I'll update |
index.yaml
Outdated
- name: Chart Source | ||
url: https://github.com/prometheus-community/helm-charts | ||
- name: Upstream Project | ||
url: https://github.com/prometheus-operator/kube-prometheus |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's an extra space before url:
. Strictly speaking it's not a yaml error, as this block is a string, but it looks like it's intended to be input for some other yaml process, and therefore should be conforming yaml code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something in this process is generating broken yaml.
I see your point. However, what I have done is again just as per the docs recommendation. It recommends updating the version in I can totally do what you're recommending if that's the general practice followed by O&B team. Let me know. |
@dharmit Yeah that's totally fine to do it that way, its just less familiar. It makes it easier to ensure that the changes you made were brought into the generated chart. Feel free to continue! But you'll still want to have separate commits for updating
I get that this feels somewhat nitpicky, but because of the sheer amount of files that are updated in charts PRs it makes it much easier for reviewers to give a review. |
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
No, it doesn't sound nitpicky at all, TBH. Thanks a tonne for laying down the steps. I'll update the PR accordingly. 👍🏽 |
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
release.yaml
Outdated
fleet: | ||
- 104.0.1+up0.10.1-rc.1 | ||
fleet-agent: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should avoid adding references to charts that weren't updated in this PR. Remove the fleet-agent
and rancher-vsphere-csi
fields please. Otherwise LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, those changes are based on make check-release-yaml
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see release.yaml
comments above
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
I don't think you need my review here -- reviews from Josh and Alexandre are sufficient. |
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
@joshmeranda @alexandreLamarre I have cherry-picked commits to be added on top of dev-v2.10 branch. Can you PTAL? I think the CI needs to be re-triggered to be run against 2.10 branch. |
Seeing this upon install:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not quite working out the box for me when I set to enabled. In the rancher installed apps section it thinks that it has network policies, but they 404 when I click their links.
annotations: | ||
np.rke2.io/ingress: resolved | ||
name: rke2-ingress-network-policy | ||
namespace: {{ .Values.rke2IngressNginx.namespaceOverride }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like this doesn't actually have a default value. Is there supposed to be some sort of helper or lookup with this as an override when set? Or is this required? If required, we should add it as an empty (null) value and put a note that it should be set or something.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's there in values.yaml
.
charts/charts/rancher-monitoring/104.1.0+up57.0.3/values.yaml
Lines 335 to 347 in 4411cc0
rke2IngressNginx: | |
enabled: false | |
metricsPort: 10254 | |
component: ingress-nginx | |
# in the RKE2 cluster, the ingress-nginx-controller is deployed | |
# as a non-hostNetwork workload starting at the following versions | |
# - >= v1.22.12+rke2r1 < 1.23.0-0 | |
# - >= v1.23.9+rke2r1 < 1.24.0-0 | |
# - >= v1.24.3+rke2r1 < 1.25.0-0 | |
# - >= v1.25.0+rke2r1 | |
# As a result we do not need clients and proxies as we can directly create | |
# a service that targets the workload with the given app name | |
namespaceOverride: kube-system |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I think looking at other similar situations to this one, what we actually want to do here is:
- define a new item in
_helpers.tpl
for this, - Call that helper here to reference that instead,
- Allow the
values.yaml
to have thenamespaceOverride
value default be empty.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So in this file we would replicate:
https://github.com/dharmit/rancher-charts/blob/aa9a6b007735706c311588752309cda89139982f/charts/rancher-monitoring/104.1.1-rc1%2Bup57.0.3/charts/prometheus-node-exporter/templates/daemonset.yaml#L5C26-L5C60
But call it: "rke2-ingress-nginx.namespace"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And in the helpers file, I think we would mimic something like:
https://github.com/dharmit/rancher-charts/blob/aa9a6b007735706c311588752309cda89139982f/charts/rancher-monitoring/104.1.1-rc1%2Bup57.0.3/templates/_helpers.tpl#L301-L310
Since we know the default value should generally be kube-system
, similar to how the default there is kube-state-metrics
.
packages/rancher-monitoring/rancher-monitoring/generated-changes/patch/values.yaml.patch
Outdated
Show resolved
Hide resolved
@ericpromislow - I think that because you left a "Requested Changes" review you must provide an "Approved" review before this PR will be passable. Ignore mine since I added them today intentionally for changes I suggested. But notice your's and alex...I think big picture we need a new PR even after mine and yours are approved since Alex can review currently. |
@mallardduck This one is coming from upstream: https://github.com/grafana/helm-charts/blob/main/charts/grafana/templates/_pod.tpl#L1016-L1021 |
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
@mallardduck IIUC (which is based on description in rancher/rancher#45603), you have to open Prometheus Targets from the Monitoring view and check if $ cat /etc/rancher/rke2/config.yaml
cni: calico
write-kubeconfig-mode: "0644"
profile: cis
pod-security-admission-config-file: /etc/rancher/rke2/rke2-custom-pss.yaml
$ cat /etc/rancher/rke2/rke2-custom-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
enforce: "restricted"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces: [kube-system, cis-operator-system, tigera-operator, cattle-system, cattle-fleet-system, cattle-fleet-local-system, cattle-monitoring-system] |
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
1 similar comment
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Signed-off-by: Dharmit Shah <dharmit.shah@suse.com>
Signed-off-by: Dharmit Shah <dharmit.shah@suse.com>
8944a71
to
1b30c2d
Compare
Validation steps
Ex:- longhorn-controller: repository: rancher/hardened-sriov-cni tag: v2.6.3-build20230913
|
Issue:
Addresses issue raised in rancher/rancher#45603.
Problem
Prometheus target failing to come up
Solution
Using the modified chart in this PR enables the target to come up
Testing
serviceMonitor/kube-system/rancher-monitoring-ingress-nginx/0
. It should beUP
.Engineering Testing
Manual Testing
Automated Testing
QA Testing Considerations
Regressions Considerations
Backporting considerations