openshift / vertical-pod-autoscaler-operator

An Operator for running the Vertical Pod Autoscaler on OpenShift
Apache License 2.0

Auto-obtain TLS Key/Cert for Mutating Webhook Service (+ cleanup) #9

Closed joelsmith closed 4 years ago

joelsmith commented 4 years ago

This PR contains several updates in separate commits:

  1. Update RBAC to match latest operand
  2. Have OLM install VPA and VPA checkpoint CRDs
    • Also, make VPA controller CRD namespace instead of cluster scoped
    • Also, fix OLM manifest data, add default channel
  3. Use a unique "app" label for each of the three controllers
  4. Auto-obtain TLS Key/Cert for Mutating Webhook Service

    To avoid having the manual step of an admin having to generate a TLS key/cert pair for use by the Admission Controller's Mutating Webhook Service, we needed to re-arrange a lot of things:

    • Have the operator create the service, complete with annotations which the OpenShift service-ca controller sees so that it will generate the key/cert pair and make them available in a secret
    • Have the operator create an empty configmap, annotated so that the OpenShift service-ca controller will provide the CA cert used to create the service's key/cert pair
    • Update the admission controller pod so that it mounts the secret with the TLS key/cert pair and also the configmap with the CA cert.
    • Use admission controller args to use cert/key from the secret and configmap

    Additionally:

    • fix a small constant capitalization mistake
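
The wiring described in item 4, sketched as manifests. This is an added illustration, not the manifests from this PR: the object names, namespace, mount paths, port and image are hypothetical placeholders. The two annotations are the ones the OpenShift service-ca controller watches, and the three flags are the upstream VPA admission controller's TLS arguments.

```yaml
# Added illustration: names, namespace, paths, port and image are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: vpa-webhook
  namespace: example-vpa
  annotations:
    # service-ca issues a key/cert pair for vpa-webhook.example-vpa.svc and
    # stores it in this secret under the keys tls.crt and tls.key.
    service.beta.openshift.io/serving-cert-secret-name: vpa-tls-certs
spec:
  selector: {app: vpa-admission-controller}
  ports:
  - port: 443
    targetPort: 8000   # assumed admission controller listen port
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vpa-tls-ca
  namespace: example-vpa
  annotations:
    # Created empty; service-ca adds the key service-ca.crt with its CA bundle.
    service.beta.openshift.io/inject-cabundle: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: vpa-admission-controller, namespace: example-vpa}
spec:
  selector: {matchLabels: {app: vpa-admission-controller}}
  template:
    metadata: {labels: {app: vpa-admission-controller}}
    spec:
      containers:
      - name: admission-controller
        image: example.invalid/vpa-admission-controller:placeholder
        args:
        - --tls-cert-file=/data/tls-certs/tls.crt
        - --tls-private-key=/data/tls-certs/tls.key
        - --client-ca-file=/data/tls-ca/service-ca.crt
        volumeMounts:
        - {name: tls-certs, mountPath: /data/tls-certs, readOnly: true}
        - {name: tls-ca, mountPath: /data/tls-ca, readOnly: true}
      volumes:
      - name: tls-certs
        secret: {secretName: vpa-tls-certs}
      - name: tls-ca
        configMap: {name: vpa-tls-ca}
```

The private key exists only in the secret, so read access to that secret in the operand namespace is what needs to be restricted; the CA bundle in the configmap is public material.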

joelsmith commented 4 years ago

@rphillips I'll sync with you tomorrow, but could you PTAL? /assign @rphillips

rphillips commented 4 years ago

/lgtm /retest

rphillips commented 4 years ago

/lgtm

openshift-ci-robot commented 4 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joelsmith, rphillips

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/vertical-pod-autoscaler-operator/blob/master/OWNERS)~~ [joelsmith]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment

joelsmith commented 4 years ago

/retest

openshift-bot commented 4 years ago

/retest

Please review the full test history for this PR and help us cut down flakes.