support cert-manager for generating tls and ca #555
Conversation
var metricsAddr, namespace, configurationName string | ||
var goFlagSet goflag.FlagSet | ||
flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") | ||
flag.BoolVar(&enableSecretController, "enable-secret-controller", true, |
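Review bot: the help string of the new enable-secret-controller flag is cut off in this hunk, and it should spell out the contract the thread discusses: the default true keeps the built-in Secret reconciler, while false means the TLS and CA Secret must be provisioned externally (the cert-manager case), because with the reconciler disabled and no Secret present the Pod stays pending on the missing volume mount rather than failing with a clear error. Consider wording it along the lines of "Enable the built-in Secret controller; set to false when the TLS/CA Secret is managed externally, e.g. by cert-manager."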
Do we need this flag?
If we're missing the Secret since non-existing, the Pod will not be started until those are available for the mount.
We need to disable the built-in reconciler to be able to generate the secret using cert-manager. By default it is set to true, so nothing will change.
Ok, I'm getting the point, I was more pointing to another issue.
If I install Capsule with helm upgrade --install --set certManager.generateCertificates=true, I'll end up with Deployment, ServiceAccount, Service, Webhooks, and all the required resources except the Secret, with the additional ones managed by cert-manager, such as Certificate, Issuer and other custom resources.
Since we're mounting the Capsule TLS certificate in the Deployment, if this is missing, the Pod won't start due to the missing Volume.
With that said, I'm wondering if we truly need that flag, since Kubernetes already waits for the Secret to be created by cert-manager.
If you want to use cert-manager to generate tls\ca secrets, you will need to install the chart using helm upgrade --install --set manager.options.enableSecretController=false --set certManager.generateCertificates=true. This will disable the built-in secretController and enable the cert-manager certificate. The Secret with tls\ca will be generated before the start of the Capsule pod and will be mounted inside the deployment as before; webhooks will be patched with the generated caData. I've verified this locally and everything is working fine :)
I don't have any doubts about it, pretty sure it works. I'm just wondering why we should disable the secret reconciler since the CA and TLS would be created by cert-manager.
Capsule would just check if the Secret CA and TLS are there, and read their value. Pretty sure I'm missing something.
@MaxFedotov can't we use cert-manager's CA Injector?
We can, but we need to template the name of the certificate in cert-manager annotation:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
And templates and variables can't be used in crds :(
@MaxFedotov WDYT on moving the CRD definition from the crds folder to templates? Do you see any drawbacks to this?
We're already minor bumping upon any new CRD update; since we're informing users, I don't see any issue on this.
The only problem will be that resources in crds folder are not deleted with helm uninstall. If we move them to templates folder, they will be removed (and with the removing of crds all tenants and namespaces will be deleted as well). And one more thing to check is the ordering when applying resources. We have a capsuleConfiguration crd and capsuleConfiguration resource with default configuration, so we need to ensure that crd will be applied first
@prometherion let's do it the same way as in the cert-manager helm chart: put all crds in templates/crds.yaml
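As an added illustration of the wiring this thread describes (not code from the Capsule chart or from this PR), a Helm template placed under templates/ that gates a self-signed Issuer and a Certificate on certManager.generateCertificates and puts the templated inject-ca-from annotation on the webhook configuration. The resource names, the use of the capsule.fullname helper, the "-tls" Secret name, the webhook name, path and API group are assumptions or marked placeholders.

```yaml
{{- if .Values.certManager.generateCertificates }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ include "capsule.fullname" . }}-selfsigned
  namespace: {{ .Release.Namespace }}
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "capsule.fullname" . }}-webhook-cert
  namespace: {{ .Release.Namespace }}
spec:
  # Secret cert-manager writes; must be the one the Deployment mounts (assumed "-tls"),
  # otherwise the Pod stays pending on the missing volume.
  secretName: {{ include "capsule.fullname" . }}-tls
  dnsNames:
    - {{ include "capsule.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
  issuerRef:
    kind: Issuer
    name: {{ include "capsule.fullname" . }}-selfsigned
{{- end }}
---
# Lives in templates/, so the CA-injector annotation can carry the templated name;
# a conversion webhook in crds/ cannot, hence moving CRDs to templates/crds.yaml.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: {{ include "capsule.fullname" . }}-validating-webhook
  {{- if .Values.certManager.generateCertificates }}
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "capsule.fullname" . }}-webhook-cert
  {{- end }}
webhooks:
  - name: tenants.webhook.example   # placeholder webhook name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      # no caBundle here: the ca-injector populates it from the Certificate above
      service:
        name: {{ include "capsule.fullname" . }}-webhook-service
        namespace: {{ .Release.Namespace }}
        path: /validate-tenant   # placeholder path
    rules:
      - apiGroups: ["capsule.example"]   # placeholder API group
        apiVersions: ["v1alpha1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["tenants"]
```

With manager.options.enableSecretController=false the built-in reconciler no longer writes this Secret, so the Certificate's secretName is the only source of the mounted TLS material and must match the Deployment's volume exactly.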
Besides the ongoing discussion, I think we should change the logic here: actually, the code is not aware we have to ignore the secret since it is managed externally. Maybe I could address this in a different issue: WDYT @MaxFedotov?
Completely ok :) You make a separate PR or add a commit to this?
@MaxFedotov we can fix it later, let's get this merged.
closes #554
Added new flag to Capsule, enable-secret-controller, which enables or disables the secretcontroller reconcilers. Added 2 new options to the Capsule helm chart:
manager.options.enableSecretController - configures the enable-secret-controller flag
certManager.generateCertificates - enables the cert-manager certificates yaml and other stuff