cockroachdb / k8s

Images and utilities to run cockroach on kubernetes
Apache License 2.0

Copy labels onto the resources created by the request-cert process #11

Open a-robinson opened 6 years ago

a-robinson commented 6 years ago

It'd be easier to clean up all the resources created by us if we were to put labels on the CSRs and Secrets when we create them. Currently our docs have to instruct users to clean those up separately from everything else because they don't have the expected labels.

It should be easy enough to use the Kubernetes downward API to get the pod's labels from within the request-cert init container, then copy all of them verbatim into all CSRs and Secrets we create.

This would make a good starter task for anyone interested in playing around with kubernetes.

cc @mberhault @bobvawter
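
The approach proposed in the comment above, as an added example that is not code from this repository: it parses the file a downwardAPI volume exposes for `metadata.labels` (one `key="value"` line per label) and merges the result into the label map destined for each CSR and Secret. The function names are hypothetical and the sample file content is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// parseDownwardLabels reads the file a downwardAPI volume writes for
// metadata.labels: one key="value" pair per line, value quoted Go-style.
func parseDownwardLabels(r io.Reader) (map[string]string, error) {
	labels := map[string]string{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		key, quoted, ok := strings.Cut(line, "=")
		if !ok || key == "" {
			return nil, fmt.Errorf("line %d: expected key=\"value\", got %q", n, line)
		}
		val, err := strconv.Unquote(quoted)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad value for %q: %w", n, key, err)
		}
		labels[key] = val
	}
	return labels, sc.Err()
}

// mergeLabels returns the object's own labels plus every pod label; pod wins on conflict.
func mergeLabels(existing, pod map[string]string) map[string]string {
	out := make(map[string]string, len(existing)+len(pod))
	for k, v := range existing {
		out[k] = v
	}
	for k, v := range pod {
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample of the labels file contents.
	pod, err := parseDownwardLabels(strings.NewReader("app=\"cockroachdb\"\n"))
	fmt.Println(mergeLabels(nil, pod), err)
}
```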

bharatnc commented 4 years ago

I would like to contribute to this issue. @a-robinson @petermattis @danhhz is this still relevant? Thank you.

joshimhoff commented 4 years ago

Hi! I'm an SRE at CRL. The SRE team does lots of k8s stuff. If you want to do this, I can review the PR.

Are you doing it because you want to solve this specific problem? Or are you doing it because you are more generally interested in contributing to CRDB k8s stuff?

I ask because we may move away from this approach. If you are interested more generally in contributing, there might be better ways to help.

bharatnc commented 4 years ago

Hi @joshimhoff, I'm doing this out of general interest. Let me know how we can make this better; it would be awesome if I can help!

I also noticed a few things about this repo itself.

  1. Hasn't got any vendor files. Example: go.mod, go.sum etc.
  2. When I vendored the code I quickly noticed that the API versions in use are outdated. For instance, Core() is now CoreV1(): https://github.com/cockroachdb/k8s/blob/master/request-cert/k8s_certificates.go#L193
  3. Missing tests.

Thought it would be worth mentioning. On the other hand, there might be reasons for doing this, which I may not have context on.

joshimhoff commented 4 years ago

1, 2, and 3 would all be great improvements. I think they are all higher priority than the issue mentioned here. Especially tests.

bharatnc commented 4 years ago

@joshimhoff should I create separate issues under the cockroach/k8s to fix them? Also,

> I ask because we may move away from this approach.

Would be interested in knowing more about that 😊.

Thank you.

joshimhoff commented 4 years ago

> should I create separate issues under the cockroach/k8s to fix them?

Yes! Thank you.

> Would be interested in knowing more about that

Nothing specific at all. We are beginning work on a k8s operator (https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) for CRDB, which we hope will become the main way to run CRDB on k8s. This doesn't imply retiring request-cert; probably at first the operator will depend on request-cert instead. But I also wonder if we'll rethink our approach as part of the operator work. No specific plans though, just a musing!

@vladdy can tell you more about the operator. It's not yet open source but it would be a great place to eventually contribute, if you are interested.