openziti / helm-charts

various helm charts for openziti-test-kitchen projects
https://openziti.io/helm-charts/
Apache License 2.0

configmap "ziti-controller-ctrl-plane-cas" not found in ziti-controller-0.2.6 #95

Closed sa-ChristianAnton closed 1 year ago

sa-ChristianAnton commented 1 year ago

After upgrading ziti-controller from 0.2.4 to 0.2.6, the ziti-controller pod did not start up:

  Warning  FailedMount  32s (x8 over 95s)  kubelet            MountVolume.SetUp failed for volume "ziti-controller-ctrl-plane-cas" : configmap "ziti-controller-ctrl-plane-cas" not found

Reason was that the "Bundle" object created with trust-manager had the following "target" configuration:

  target:
    configMap:
      key: ctrl-plane-cas.crt
    namespaceSelector:
      matchLabels:
        openziti.io/namespace: enabled

...when no namespace was labeled with this label/value pair. As a workaround, I manually did this:

kubectl label ns openziti openziti.io/namespace=enabled

Then the configmap was created immediately, and ziti-router started just fine.

As a solution for this, should the values.yaml be changed to contain something like this?

trust-manager:
  # -- install the trust-manager subchart to provide CRD Bundle
  enabled: false
  app:
    trust:
      # -- trust-manager needs to be configured to trust the namespace in which
      # the controller is deployed so that it will create the Bundle resource
      # for the ctrl plane trust bundle
      namespaceSelector:
        kubernetes.io/metadata.name: openziti

and template this into the currently hardcoded section of templates/ca-bundle.yaml? Currently, in ca-bundle.yaml there is the label selector hardcoded, and the values' trust-manager.app.trust.namespace is not being used anywhere in the templates. Seems it has been left over in one of the latest commits.
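One way to template the selector so the controller's own namespace is always selected, as an added example that is not the chart's own code: the Bundle below reads a hypothetical top-level values key `trustBundle.namespaceSelector` (an assumed name, deliberately kept outside the trust-manager subchart values) and, when that key is unset, falls back to matching the release namespace through the `kubernetes.io/metadata.name` label that the Kubernetes API server sets on every Namespace, so no manual `kubectl label ns` step is needed for the ConfigMap to appear. The helper name and the source secret are placeholders; the chart's real names are not shown in this issue.

```yaml
# Added example for templates/ca-bundle.yaml (not the chart's own template).
# Assumed values key: trustBundle.namespaceSelector (optional). If it is set,
# it is rendered verbatim as the selector; otherwise the Bundle is synced
# only into the namespace the chart is released to.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: {{ include "ziti-controller.fullname" . }}-ctrl-plane-cas   # placeholder helper name
spec:
  sources:
    # placeholder: the chart's actual source Secret/ConfigMap is not shown here
    - secret:
        name: PLACEHOLDER-ctrl-plane-root-secret
        key: ca.crt
  target:
    configMap:
      key: ctrl-plane-cas.crt
    namespaceSelector:
      {{- with .Values.trustBundle.namespaceSelector }}
      {{- toYaml . | nindent 6 }}
      {{- else }}
      # kubernetes.io/metadata.name is set automatically on every Namespace,
      # so the release namespace is matched without any operator action
      matchLabels:
        kubernetes.io/metadata.name: {{ .Release.Namespace }}
      {{- end }}
```

With this default, `helm upgrade` into the `openziti` namespace renders `kubernetes.io/metadata.name: openziti` and trust-manager creates the `ctrl-plane-cas` ConfigMap there immediately; an operator who wants the bundle synced into additional namespaces sets the optional key instead of labelling namespaces by hand. A quick check after rendering is `helm template . | grep -A3 namespaceSelector` to confirm the selector matches the intended namespace before the pod tries to mount the volume.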

qrkourier commented 1 year ago

Thanks for starting a conversation about this. I regret that I overlooked creating a situation where the controller's own namespace is not automatically selected!

There are two namespace-related variables here.

  1. Trust Manager's trusted namespace (trust-manager.app.trust.namespace): TM will only source certs from ConfigMaps and Secrets in the trusted namespace. Tangentially, there's a thread here with the maintainers about the possibility of having multiple trusted namespaces, which would allow multiple instances of Ziti in the same cluster in separate namespaces.
  2. The namespaces where a particular Bundle resource should be sync'd (each Bundle's namespaceSelector)

The values under trust-manager are generally consumed by the subchart according to its own values scheme. I like your solution of an optional namespace selector, both because I prefer to minimize commingling the parent chart and subchart values and because this namespace-related property has a different purpose from app.trust.

Will you please look over the attached PR?