cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Production readiness Helm chart tweaks #309

Closed wallrj closed 4 months ago

wallrj commented 4 months ago

Warnings

```
$ helm upgrade trust-manager bin/chart/trust-manager-v1.14.1.tgz --install --create-namespace --namespace venafi --values values.yaml
Release "trust-manager" has been upgraded. Happy Helming!
NAME: trust-manager
LAST DEPLOYED: Wed Feb 28 17:15:33 2024
NAMESPACE: venafi
STATUS: deployed
REVISION: 3
TEST SUITE: None
NOTES:
⚠️  WARNING: Consider increasing the Helm value `replicaCount` to 2 if you require high availability.
⚠️  WARNING: Consider setting the Helm value `podDisruptionBudget.enabled` to true if you require high availability.

trust-manager v1.14.1 has been deployed successfully!
Your installation includes a default CA package, using the following
default CA package image:

quay.io/jetstack/cert-manager-package-debian:20210119.0

It's imperative that you keep the default CA package image up to date.
To find out more about securely running trust-manager and to get started
with creating your first bundle, check out the documentation on the
cert-manager website:

https://cert-manager.io/docs/projects/trust-manager/
```

Testing

Given a 3-node cluster with two "platform" nodes with cert-manager and trust-manager deployed with PDBs, I was able to drain node 1 and see node 1 Pods rescheduled to node 2.

```
$ kubectl drain kind-worker --ignore-daemonsets --delete-emptydir-data
node/kind-worker cordoned
Warning: ignoring DaemonSet-managed Pods: kube-system/kindnet-7hdl6, kube-system/kube-proxy-t8s8h
evicting pod venafi/trust-manager-54dbf9c6c-9p5ns
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-6rfjw
evicting pod venafi/cert-manager-7d8db8dc5d-wff2z
evicting pod venafi/cert-manager-webhook-b5f7b7977-n7p7j
pod/cert-manager-7d8db8dc5d-wff2z evicted
pod/trust-manager-54dbf9c6c-9p5ns evicted
pod/cert-manager-cainjector-7d77c9dbb9-6rfjw evicted
pod/cert-manager-webhook-b5f7b7977-n7p7j evicted
node/kind-worker drained
```

Then I attempted to drain node 2 and saw that it was blocked until I uncordoned node 1.

```
$ kubectl drain kind-worker2 --ignore-daemonsets --delete-emptydir-data
node/kind-worker2 cordoned
Warning: ignoring DaemonSet-managed Pods: kube-system/kindnet-7tcnd, kube-system/kube-proxy-6w9n2
evicting pod venafi/cert-manager-7d8db8dc5d-c8rvp
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-2fc9j
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
evicting pod venafi/trust-manager-54dbf9c6c-5pngb
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
evicting pod venafi/cert-manager-webhook-b5f7b7977-cwmz6
evicting pod venafi/cert-manager-webhook-b5f7b7977-dljlg
error when evicting pods/"cert-manager-cainjector-7d77c9dbb9-fwkfm" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-7d8db8dc5d-56vvt" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
pod/cert-manager-webhook-b5f7b7977-cwmz6 evicted
pod/cert-manager-cainjector-7d77c9dbb9-2fc9j evicted
pod/cert-manager-7d8db8dc5d-c8rvp evicted
pod/trust-manager-54dbf9c6c-5pngb evicted
pod/cert-manager-webhook-b5f7b7977-dljlg evicted
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
error when evicting pods/"cert-manager-cainjector-7d77c9dbb9-fwkfm" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
error when evicting pods/"cert-manager-7d8db8dc5d-56vvt" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
error when evicting pods/"cert-manager-cainjector-7d77c9dbb9-fwkfm" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"cert-manager-7d8db8dc5d-56vvt" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-cainjector-7d77c9dbb9-fwkfm
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/cert-manager-7d8db8dc5d-56vvt
error when evicting pods/"cert-manager-webhook-b5f7b7977-xmhzk" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
error when evicting pods/"trust-manager-54dbf9c6c-zvggr" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
pod/cert-manager-cainjector-7d77c9dbb9-fwkfm evicted
pod/cert-manager-7d8db8dc5d-56vvt evicted
evicting pod venafi/cert-manager-webhook-b5f7b7977-xmhzk
evicting pod venafi/trust-manager-54dbf9c6c-zvggr
pod/cert-manager-webhook-b5f7b7977-xmhzk evicted
pod/trust-manager-54dbf9c6c-zvggr evicted
node/kind-worker2 drained
```
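As an added illustration, not code from this PR or from trust-manager, here is a small Python model of the rule the two drains above exercise: the Eviction API refuses a request when an app's ready pods would drop below the PDB's `minAvailable`, and a replacement pod only counts as ready once it lands on an uncordoned node. The node names, the two trust-manager replicas and a `minAvailable` of 1 are assumptions chosen to match the test described in the PR.

```python
"""Toy model of how a PodDisruptionBudget gates the evictions `kubectl drain` issues."""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

_seq = count(1)  # constructed pod names, e.g. pod-1


@dataclass
class Pod:
    app: str
    node: Optional[str]  # None means Pending: not yet placed on any node
    name: str = field(default_factory=lambda: f"pod-{next(_seq)}")

    @property
    def ready(self) -> bool:
        return self.node is not None


class Cluster:
    def __init__(self, nodes, min_available):
        self.cordoned = {n: False for n in nodes}
        self.min_available = min_available  # the PDB's minAvailable (assumed 1 here)
        self.pods: list = []

    def healthy(self, app) -> int:
        return sum(p.app == app and p.ready for p in self.pods)

    def _schedule(self):
        # Stand-in scheduler: a Pending pod lands on the first uncordoned node, if any.
        free = [n for n, c in self.cordoned.items() if not c]
        for p in self.pods:
            if p.node is None and free:
                p.node = free[0]

    def evict(self, pod) -> bool:
        # Eviction API rule: refuse if the app's ready pods would drop below minAvailable.
        if self.healthy(pod.app) - 1 < self.min_available:
            return False
        self.pods.remove(pod)
        self.pods.append(Pod(pod.app, None))  # the Deployment creates a replacement
        self._schedule()
        return True

    def drain(self, node) -> list:
        """Cordon the node and try to evict each pod on it; return the names the PDB blocked."""
        self.cordoned[node] = True
        return [p.name for p in list(self.pods) if p.node == node and not self.evict(p)]

    def uncordon(self, node):
        self.cordoned[node] = False
        self._schedule()  # Pending replacements can now be placed
```

The model ignores termination grace periods and the 5s retries `kubectl drain` performs; it only shows why the second drain stalls with one trust-manager pod evicted and the other held, and why uncordoning node 1 unblocks it.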
jetstack-bot commented 4 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/cert-manager/trust-manager/blob/main/OWNERS)~~ [SgtCoDFish]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.