Webhook for PD upgrader #1040
Webhook for PD upgrader #1040
Conversation
This comment has been minimized.
This comment has been minimized.
Yisaer
force-pushed
the
pd_delete_pods_webhook
branch
from
add10a2
to
c1d1bd5
Compare
Yisaer
force-pushed
the
pd_delete_pods_webhook
branch
2 times, most recently
from
790c92f
to
563054c
Compare
|
/run-e2e-test |
Yisaer
force-pushed
the
pd_delete_pods_webhook
branch
from
5623ac0
to
8ad32bf
Compare
Yisaer
force-pushed
the
pd_delete_pods_webhook
branch
from
2ec236a
to
404ede4
Compare
|
/run-e2e-in-kind |
| cpu: 80m | ||
| memory: 50Mi | ||
| ## Interval Hour to Refresh CA Cert | ||
| certRefreshIntervalHour: 336 |
There was a problem hiding this comment.
AdmissionController will refresh CA cert before certRefreshIntervalHour hour on its expireDate.
| } | ||
|
|
||
| /* | ||
| * currently we only use one replica for admission-controller-webhook |
There was a problem hiding this comment.
Currently we just set replica as 1 for admissioncontroller so we don't have lease lock from apiServer as we are using Lister here.
pkg/util/certUtil.go
Outdated
| return hex.EncodeToString(out) | ||
| } | ||
|
|
||
| func GenerateRSAKeyPair(namespace, serviceName string) ([]byte, []byte, error) { |
There was a problem hiding this comment.
CertUtil help us generate CA Cert for a certain service with ten years default validity period
| } | ||
| } | ||
|
|
||
| func (pc *PodAdmissionControl) AdmitPods(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse { |
There was a problem hiding this comment.
AdmitPods will only check AdmissionReview with Delete Operation.
|
|
||
| if l.IsPD() { | ||
| pdClient := pc.pdControl.GetPDClient(pdapi.Namespace(namespace), tcName, tc.Spec.EnableTLSCluster) | ||
| return pc.admitDeletePdPods(pod, ownerStatefulSet, tc, pdClient) |
There was a problem hiding this comment.
Currently we only check Delete AdmissionReview For PD Pod.
| @@ -89,9 +89,14 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) { | |||
| responseAdmissionReview.Response.UID = requestedAdmissionReview.Request.UID | |||
|
|
|||
| marshalAndWrite(responseAdmissionReview, w) | |||
| webhookHandler.RefreshCertPEMExpirationHandler(RefreshJobConfig) | |||
There was a problem hiding this comment.
WebHook Server will check whether CA cert would be expired at each serving request.
| @@ -133,7 +128,6 @@ func main() { | |||
| oa.CheckTidbClusterStatusOrDie(cluster) | |||
|
|
|||
| // upgrade | |||
| oa.RegisterWebHookAndServiceOrDie(certCtx, ocfg) | |||
Yisaer
force-pushed
the
pd_delete_pods_webhook
branch
from
9529337
to
cde02ab
Compare
…-operator into Yisaer-pd_delete_pods_webhook
|
Can we divide the whole process into several steps? implement the webhook controller and can use the webhook in tidb-operator optionally
in this step, we focus on webhook logic deploy/configure webhook controllerrequest/sign/configure/renew cert for webhook controller in this step, we focus on webhook deployment and management use the webhook controller by defaultwhen it's stable, we can switch to use webhook controller by default but have an option to switch back production-readywhen it's production-ready, we can remove the old logic in the controller and require the webhook to exist in our deployment In each step, we introduce small changes to our code. It's easier to review and we can have enough tests before enabling the new feature by default. |
|
/run-e2e-in-kind |
| spec: | ||
| groups: | ||
| - system:authenticated | ||
| request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n') |
There was a problem hiding this comment.
base64 | tr -d '\n' can be base64 -w0
| kubectl get csr ${csrName} | ||
| if [ "$?" -eq 0 ]; then | ||
| break | ||
| fi |
There was a problem hiding this comment.
Would it be better to sleep a while here?
| } | ||
|
|
||
| server.Spec.Template.Annotations = map[string]string{ | ||
| "checksum/config": certUtils.Checksum(secret.Data["cert.pem"]), |
There was a problem hiding this comment.
| "checksum/config": certUtils.Checksum(secret.Data["cert.pem"]), | |
| "checksum/cert": certUtils.Checksum(secret.Data["cert.pem"]), |
BTW, no need to preserve other annotations?
Co-Authored-By: DanielZhangQD <36026334+DanielZhangQD@users.noreply.github.com>
|
Is this PR still needed after #1101 is merged? |
|
This request is no more needed now. |
What problem does this PR solve?
#992
What is changed and how does it work?
Tidb-Operator will only need to edit statefulset spec during pd upgrading and to edit replicas during pd scale-in. The webhook server will ensure that each pd pod will be safely deleted.
And I also add one more component as an init job to auto-create CA cert and csr for webhook configuration which would be much user-friendly.
Currently I package
tidb-operator-initializerin the same docker image as others and installopensslandkubectlintidb-operatorimage whichinitializeruse these in the script to manage CA cert.Packaging all necessary process into 2 images would need us to change some e2e test script which would have huge influence for other e2e test.
After we moved our e2e CI script into code repo instead of jenkins server, I would pakcage
tidb-operator-initializerin a different image so that other e2e test won't be influenced.Check List
Tests
Code changes
Side effects
N/A
Related changes