-
Notifications
You must be signed in to change notification settings - Fork 498
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Webhook for PD upgrader #1040
Webhook for PD upgrader #1040
Conversation
This comment has been minimized.
This comment has been minimized.
add10a2
to
c1d1bd5
Compare
790c92f
to
563054c
Compare
/run-e2e-test |
5623ac0
to
8ad32bf
Compare
2ec236a
to
404ede4
Compare
/run-e2e-in-kind |
cpu: 80m | ||
memory: 50Mi | ||
## Interval Hour to Refresh CA Cert | ||
certRefreshIntervalHour: 336 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AdmissionController will refresh CA cert before certRefreshIntervalHour
hour on its expireDate.
} | ||
|
||
/* | ||
* currently we only use one replica for admission-controller-webhook |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently we just set replica as 1 for admissioncontroller so we don't have lease lock from apiServer as we are using Lister here.
pkg/util/certUtil.go
Outdated
return hex.EncodeToString(out) | ||
} | ||
|
||
func GenerateRSAKeyPair(namespace, serviceName string) ([]byte, []byte, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CertUtil help us generate CA Cert for a certain service with ten years default validity period
} | ||
} | ||
|
||
func (pc *PodAdmissionControl) AdmitPods(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AdmitPods will only check AdmissionReview with Delete Operation.
|
||
if l.IsPD() { | ||
pdClient := pc.pdControl.GetPDClient(pdapi.Namespace(namespace), tcName, tc.Spec.EnableTLSCluster) | ||
return pc.admitDeletePdPods(pod, ownerStatefulSet, tc, pdClient) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently we only check Delete AdmissionReview For PD Pod.
@@ -89,9 +89,14 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) { | |||
responseAdmissionReview.Response.UID = requestedAdmissionReview.Request.UID | |||
|
|||
marshalAndWrite(responseAdmissionReview, w) | |||
webhookHandler.RefreshCertPEMExpirationHandler(RefreshJobConfig) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WebHook Server will check whether CA cert would be expired at each serving request.
@@ -133,7 +128,6 @@ func main() { | |||
oa.CheckTidbClusterStatusOrDie(cluster) | |||
|
|||
// upgrade | |||
oa.RegisterWebHookAndServiceOrDie(certCtx, ocfg) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove e2e webhook.
9529337
to
cde02ab
Compare
…-operator into Yisaer-pd_delete_pods_webhook
Can we divide the whole process into several steps? implement the webhook controller and can use the webhook in tidb-operator optionally
in this step, we focus on webhook logic deploy/configure webhook controllerrequest/sign/configure/renew cert for webhook controller in this step, we focus on webhook deployment and management use the webhook controller by defaultwhen it's stable, we can switch to use webhook controller by default but have an option to switch back production-readywhen it's production-ready, we can remove the old logic in the controller and require the webhook to exist in our deployment In each step, we introduce small changes to our code. It's easier to review and we can have enough tests before enabling the new feature by default. |
/run-e2e-in-kind |
spec: | ||
groups: | ||
- system:authenticated | ||
request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
base64 | tr -d '\n'
can be base64 -w0
kubectl get csr ${csrName} | ||
if [ "$?" -eq 0 ]; then | ||
break | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be better to sleep a while here?
} | ||
|
||
server.Spec.Template.Annotations = map[string]string{ | ||
"checksum/config": certUtils.Checksum(secret.Data["cert.pem"]), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"checksum/config": certUtils.Checksum(secret.Data["cert.pem"]), | |
"checksum/cert": certUtils.Checksum(secret.Data["cert.pem"]), |
BTW, no need to preserve other annotations?
Co-Authored-By: DanielZhangQD <36026334+DanielZhangQD@users.noreply.github.com>
Is this PR still needed after #1101 is merged? |
This request is no more needed now. |
What problem does this PR solve?
#992
What is changed and how does it work?
Tidb-Operator will only need to edit statefulset spec during pd upgrading and to edit replicas during pd scale-in. The webhook server will ensure that each pd pod will be safely deleted.
And I also add one more component as an init job to auto-create CA cert and csr for webhook configuration which would be much user-friendly.
Currently I package
tidb-operator-initializer
in the same docker image as others and installopenssl
andkubectl
intidb-operator
image whichinitializer
use these in the script to manage CA cert.Packaging all necessary process into 2 images would need us to change some e2e test script which would have huge influence for other e2e test.
After we moved our e2e CI script into code repo instead of jenkins server, I would pakcage
tidb-operator-initializer
in a different image so that other e2e test won't be influenced.Check List
Tests
Code changes
Side effects
N/A
Related changes