akuity / kargo

Application lifecycle orchestration
https://kargo.akuity.io/
Apache License 2.0

Simple helm chart fix #2367

Closed austinflowspace closed 1 month ago

austinflowspace commented 1 month ago

Inside the webhook-server chart/kargo. If you disable TLS the webhook-server sits in initialization because it can't find the cert that won't be created.


I'll paste my PR below

austinflowspace commented 1 month ago

Actually, jk, I can't one second:

        {{- if .Values.webhooksServer.tls.selfSignedCert }}
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
        {{- end }}
        {{- if .Values.kubeconfigSecrets.kargo }}
        - mountPath: /etc/kargo/kubeconfigs
          name: kubeconfigs
          readOnly: true
        {{- end }}
        {{- with .Values.webhooksServer.securityContext | default .Values.global.securityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        resources:
          {{- toYaml .Values.webhooksServer.resources | nindent 10 }}
      volumes:
      {{- if .Values.webhooksServer.tls.selfSignedCert }}
      - name: cert
        secret:
          defaultMode: 0644
          secretName: kargo-webhooks-server-cert
      {{- end }}

austinflowspace commented 1 month ago

Here is the line: https://github.com/akuity/kargo/blob/main/charts/kargo/templates/webhooks-server/deployment.yaml#L76

austinflowspace commented 1 month ago

I actually see this now:

    time="2024-07-30T02:23:47Z" level=info msg="Starting Kargo Webhooks Server" commit=fc64b2fe2eab04d6177c73755d02f6bab6b75a1c version=v0.8.1
    time="2024-07-30T02:23:47Z" level=info msg="Registering a mutating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Freight\"}" logger=controller-runtime.builder path=/mutate-kargo-akuity-io-v1alpha1-freight
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/mutate-kargo-akuity-io-v1alpha1-freight
    time="2024-07-30T02:23:47Z" level=info msg="Registering a validating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Freight\"}" logger=controller-runtime.builder path=/validate-kargo-akuity-io-v1alpha1-freight
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/validate-kargo-akuity-io-v1alpha1-freight
    time="2024-07-30T02:23:47Z" level=info msg="skip registering a mutating webhook, object does not implement admission.Defaulter or WithDefaulter wasn't called" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Project\"}" logger=controller-runtime.builder
    time="2024-07-30T02:23:47Z" level=info msg="Registering a validating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Project\"}" logger=controller-runtime.builder path=/validate-kargo-akuity-io-v1alpha1-project
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/validate-kargo-akuity-io-v1alpha1-project
    time="2024-07-30T02:23:47Z" level=info msg="Registering a mutating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Promotion\"}" logger=controller-runtime.builder path=/mutate-kargo-akuity-io-v1alpha1-promotion
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/mutate-kargo-akuity-io-v1alpha1-promotion
    time="2024-07-30T02:23:47Z" level=info msg="Registering a validating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Promotion\"}" logger=controller-runtime.builder path=/validate-kargo-akuity-io-v1alpha1-promotion
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/validate-kargo-akuity-io-v1alpha1-promotion
    time="2024-07-30T02:23:47Z" level=info msg="Registering a mutating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Stage\"}" logger=controller-runtime.builder path=/mutate-kargo-akuity-io-v1alpha1-stage
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/mutate-kargo-akuity-io-v1alpha1-stage
    time="2024-07-30T02:23:47Z" level=info msg="Registering a validating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Stage\"}" logger=controller-runtime.builder path=/validate-kargo-akuity-io-v1alpha1-stage
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/validate-kargo-akuity-io-v1alpha1-stage
    time="2024-07-30T02:23:47Z" level=info msg="Registering a mutating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Warehouse\"}" logger=controller-runtime.builder path=/mutate-kargo-akuity-io-v1alpha1-warehouse
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/mutate-kargo-akuity-io-v1alpha1-warehouse
    time="2024-07-30T02:23:47Z" level=info msg="Registering a validating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Warehouse\"}" logger=controller-runtime.builder path=/validate-kargo-akuity-io-v1alpha1-warehouse
    time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/validate-kargo-akuity-io-v1alpha1-warehouse
    time="2024-07-30T02:23:47Z" level=info msg="Starting webhook server" logger=controller-runtime.webhook
    time="2024-07-30T02:23:47Z" level=info msg="Stopping and waiting for non leader election runnables"
    time="2024-07-30T02:23:47Z" level=info msg="Stopping and waiting for leader election runnables"
    time="2024-07-30T02:23:47Z" level=info msg="Stopping and waiting for caches"
    time="2024-07-30T02:23:47Z" level=info msg="Stopping and waiting for webhooks"
    time="2024-07-30T02:23:47Z" level=info msg="Stopping and waiting for HTTP servers"
    time="2024-07-30T02:23:47Z" level=info msg="Wait completed, proceeding to shutdown the manager"
    time="2024-07-30T02:23:47Z" level=error error="start Kargo webhook manager: open /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory"
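To read a run like the one above mechanically, here is an added example (not Kargo's code) that parses the logfmt lines the webhook server emits, lists which webhook paths were actually registered, recovers the Kind from the JSON-encoded GVK field, and pulls the missing-file path out of the final error; the sample lines are constructed from the output quoted above, and the hint text is my own mapping back to the chart's selfSignedCert conditional.

```python
import json
import re

# Constructed sample in the shape of the webhook server output quoted above
# (not a real capture; trimmed to a few representative lines).
SAMPLE_LOG = r'''time="2024-07-30T02:23:47Z" level=info msg="Starting Kargo Webhooks Server" version=v0.8.1
time="2024-07-30T02:23:47Z" level=info msg="Registering a mutating webhook" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Freight\"}" logger=controller-runtime.builder path=/mutate-kargo-akuity-io-v1alpha1-freight
time="2024-07-30T02:23:47Z" level=info msg="Registering webhook" logger=controller-runtime.webhook path=/mutate-kargo-akuity-io-v1alpha1-freight
time="2024-07-30T02:23:47Z" level=info msg="skip registering a mutating webhook, object does not implement admission.Defaulter or WithDefaulter wasn't called" GVK="{\"Group\":\"kargo.akuity.io\",\"Version\":\"v1alpha1\",\"Kind\":\"Project\"}" logger=controller-runtime.builder
time="2024-07-30T02:23:47Z" level=error error="start Kargo webhook manager: open /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory"'''

# One key=value token; quoted values may contain backslash-escaped quotes (as the GVK field does).
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Mount path used by the chart's "cert" volume (from the template above).
SERVING_CERT_DIR = "/tmp/k8s-webhook-server/serving-certs/"


def parse_logfmt(line):
    """Split one logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        fields[key] = raw
    return fields


def triage(log_text):
    """Summarise which webhooks were registered and why the manager stopped."""
    registered, kinds, missing = [], {}, []
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        if f.get("logger") == "controller-runtime.webhook" and f.get("msg") == "Registering webhook":
            registered.append(f["path"])
        if f.get("logger") == "controller-runtime.builder" and "GVK" in f:
            # GVK is embedded JSON once the logfmt escaping is removed.
            kinds.setdefault(json.loads(f["GVK"])["Kind"], []).append(f["msg"])
        if f.get("level") == "error":
            m = re.search(r"open (\S+): no such file or directory", f.get("error", ""))
            if m:
                missing.append(m.group(1))
    hint = None
    if any(p.startswith(SERVING_CERT_DIR) for p in missing):
        # Assumption from the template above: the cert Secret is only mounted when
        # webhooksServer.tls.selfSignedCert is set, so a missing tls.crt is a values problem.
        hint = "serving cert not mounted; check webhooksServer.tls.selfSignedCert or supply the Secret yourself"
    return {"registered": registered, "kinds": kinds, "missing_files": missing, "hint": hint}
```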

krancour commented 1 month ago

If you disable TLS the webhook-server sits in initialization because it can't find the cert that won't be created.

@austinflowspace how are you disabling TLS on the webhook server? That is deliberately not an option in the chart since, to the best of my knowledge, the k8s API server will only communicate with secure webhook servers.

austinflowspace commented 1 month ago

Turning off TLS on all values in the chart. Imo, I think it blocks more devs from spinning this up locally if we have to have a certificate up. You could just turn off webhook-server (not entirely sure how that will affect kargo).

I kinda disagree with that "the k8s API server will only communicate with secure webhook servers." It could very well be true but a bare bones k8s cluster doesn't have encryption to allow people to develop quickly.

Again, imo, I think there are even fewer people who are doing k8s "correctly" (cert-manager, OPA, etc.), and forcing people to have to have those configured out of the gate to use your tool makes the barrier for entry harder. cc: @krancour

hiddeco commented 1 month ago

What is your precise desire to run Kargo (locally) against a bare-bones cluster? As I can only imagine this being for development purposes, for which we have all sorts of tooling to facilitate the further dependencies (be it Tilt, or one of the many make targets).

krancour commented 1 month ago

I presume "bare bones cluster" to basically mean local, development-grade cluster.

To elaborate on what @hiddeco mentioned, if you intend to run Kargo from source and hack on it, you can install cert-manager (required if you want the chart to furnish the cert for you), Argo CD (not required, but highly recommended), and Argo Rollouts (also not required, but highly recommended) with a single command: make hack-install-prereqs. tilt up will build and deploy Kargo from source.

If you don't want to hack and just bang the tires -- again, on a local cluster -- the scripts used by our quickstart similarly take care of pre-installing all required and recommended dependencies.

Lastly, in a production scenario, a self-signed cert generated by cert-manager should, in nearly all cases, be sufficient because it is only the k8s API server that needs to trust that cert and the webhook registration will ensure the CA used for signing that cert is provided to the k8s API server.

You have the option to bring-your-own cert as well. Just populate the correct secret via whatever means you like. I have yet to encounter any compelling reason to do so.

austinflowspace commented 1 month ago

I get what you are saying, I think it just causes more time for someone to look into your tool. I know engineers (including myself) have deemed a tool unusable because we didn't want to do the initialization steps. Ik it would be a big ask to have a "development" mode that would allow for TLS and any other feature making it production ready to be turned off. Honestly would be happy to help with that personally.

I think Kargo has the potential of filling a huge gap that Argo makes when staging deployments. @krancour @hiddeco

krancour commented 1 month ago

@austinflowspace we have already gone very far out of our way to ensure this was trivial to set up both for the scenario of contributing and for trying it out. Installing for production is barely harder than any of those. We have yet to hear one other person claim getting started was difficult so your argument that this is too hard just isn't resonating.