k8snetworkplumbingwg / net-attach-def-admission-controller

An admission controller to check resources as defined by the NPWG spec
Apache License 2.0

Make installer idempotent #12

Open dougbtv opened 5 years ago

dougbtv commented 5 years ago

I've run into some issues before where I've got to remove the CSR to let it regen everything. There's probably a number of these we can fix up in the installer.

Feedback from @dcbw

At the very least, if the secret exists, bail. E.g. if we have a secret already, then we don't need to do any of the CSR stuff. It should perhaps still reconcile (and recreate) the webhook config and service, if they don't exist.

dougbtv commented 5 years ago

More information:

[zshi@192 openshift-aws]$ oc logs install-net-attach-def-admission-controller-7558f8f477-gnfrg -n multus
I0114 06:16:20.805426       1 main.go:28] starting webhook installation
I0114 06:16:20.807821       1 installer.go:41] generating Certificate Signing Request
2019/01/14 06:16:20 [INFO] received CSR
2019/01/14 06:16:20 [INFO] generating key: rsa-2048
2019/01/14 06:16:21 [INFO] encoded CSR
I0114 06:16:21.603198       1 installer.go:308] raw CSR and private key successfully created
I0114 06:16:21.634796       1 installer.go:58] CSR net-attach-def-admission-controller-csr already exists, trying to reuse it
I0114 06:16:21.634814       1 installer.go:78] using already issued certificate for CSR net-attach-def-admission-controller-csr
I0114 06:16:21.634822       1 installer.go:315] signed certificate successfully obtained
I0114 06:16:21.644833       1 installer.go:280] secret net-attach-def-admission-controller-secret already exists, removing it first
I0114 06:16:21.667687       1 installer.go:285] secret net-attach-def-admission-controller-secret removed
I0114 06:16:21.690156       1 installer.go:322] secret successfully created
I0114 06:16:21.697318       1 installer.go:256] validating webhook net-attach-def-admission-controller-validating-config already exists, removing it first
I0114 06:16:21.710655       1 installer.go:261] validating webhook configuration net-attach-def-admission-controller-validating-config removed
I0114 06:16:21.722235       1 installer.go:329] validating webhook configuration successfully created
I0114 06:16:21.735874       1 installer.go:256] validating webhook net-attach-def-admission-controller-isolating-config already exists, removing it first
I0114 06:16:21.750037       1 installer.go:261] validating webhook configuration net-attach-def-admission-controller-isolating-config removed
I0114 06:16:21.756337       1 installer.go:335] Isolating webhook configuration successfully created
I0114 06:16:21.763667       1 installer.go:244] service net-attach-def-admission-controller-service already exists, removing it first
I0114 06:16:21.844900       1 installer.go:249] service net-attach-def-admission-controller-service removed
I0114 06:16:21.869995       1 installer.go:342] service successfully created
I0114 06:16:21.870012       1 installer.go:344] all resources created successfully

and...

[zshi@192 openshift-aws]$ oc logs net-attach-def-admission-controller-server-5b5d4cbc7d-zmkr2 -n multus
I0114 06:18:24.810735       1 main.go:34] starting net-attach-def-admission-controller webhook server
F0114 06:18:24.813449       1 main.go:46] error starting web server: tls: private key does not match public key
goroutine 1 [running]:
github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog.stacks(0xc420362800, 0xc420368000, 0x70, 0xbb)
    /go/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/gopath/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog/glog.go:766 +0xcf
github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog.(*loggingT).output(0x19bf320, 0xc400000003, 0xc4200f4840, 0x1932413, 0x7, 0x2e, 0x0)
    /go/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/gopath/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog/glog.go:717 +0x30f
github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog.(*loggingT).printf(0x19bf320, 0xc400000003, 0x1110fd9, 0x1d, 0xc420159f48, 0x1, 0x1)
    /go/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/gopath/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog/glog.go:655 +0x14b
github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog.Fatalf(0x1110fd9, 0x1d, 0xc420159f48, 0x1, 0x1)
    /go/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/gopath/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/vendor/github.com/golang/glog/glog.go:1145 +0x67
main.main()
    /go/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/gopath/src/github.com/K8sNetworkPlumbingWG/net-attach-def-admission-controller/cmd/webhook/main.go:46 +0x38c

dougbtv commented 5 years ago

Best practices example for admission controller installation procedure: https://github.com/openshift/library-go/blob/master/pkg/operator/resource/resourceapply/apiregistration.go#L14