Closed tmshort closed 1 week ago
Name | Link |
---|---|
Latest commit | 3ca71ba867f727fd33e6f2ade490af902ca95664 |
Latest deploy log | https://app.netlify.com/sites/olmv1/deploys/6679b799478a640008286750 |
Deploy Preview | https://deploy-preview-960--olmv1.netlify.app |
Attention: Patch coverage is 70.00000% with 12 lines in your changes missing coverage. Please review.
Project coverage is 79.28%. Comparing base (58b4363) to head (3ca71ba). Report is 4 commits behind head on main.
Files | Patch % | Lines |
---|---|---|
internal/httputil/httputil.go | 66.66% | 5 Missing and 5 partials :warning: |
...nternal/controllers/clusterextension_controller.go | 71.42% | 1 Missing and 1 partial :warning: |
To consolidate `catalogd`'s certificate would require modifying catalogd; it would also allow catalogd to be placed back into its own namespace.
I can't get kustomize to use a different directory, so I'm applying the yaml for the certificates directly from a file, which also means I can apply them for Tilt from the same source.
TL;DR: The challenge I've run into w/ adding the certificates is being able to put them into the cert-manager namespace for the `ClusterIssuer`. I tried various `kustomize` options and transformations and none of them seemed to work. I would love to get rid of the HEREDOC and yaml used to create the certificates. If anyone has any ideas, I'm all ears.
A number of my comments in this PR were based on the understanding that this is only about making our E2E setup work with TLS. After chatting with @joelanford and @tmshort I got more context.
The primary objective of the PR is to get rid of `InsecureSkipTLSVerify` and use TLS in E2E, but it also prepares the ground for using a single `ClusterIssuer` for all OLMv1 components. E.g. we can use it for catalogd too.
Explanation from @joelanford:
- create a single ClusterIssuer in the standard install
- any OLMv1 component that needs a certificate gets it from there, no matter which namespace that component is in.
- any OLMv1 component that needs a CA can create a certificate (if it doesn't already have one), and that cert secret will contain the CA.
That setup would mean that we could move catalogd back to its own namespace if we wanted to, and it would mean that the e2e registry would be automatically trusted by the standard setup because operator-controller would already have the CA.
Three follow-ons to this PR:
1. `kustomization` of operator-controller to create the `ClusterIssuer` and required resources in the `cert-manager` namespace (rather than via HEREDOC and separate YAML), for use by operator-controller, and eventually `catalogd`. The challenge here is the multiple namespaces. This may require an RFC or other documentation.
2. `ClusterIssuer` for certificates.
2a. Possibly move catalogd back into its own namespace, especially if the `olmv1-system` namespace security parameters are overwritten
Follow ups should be captured by this epic: https://github.com/operator-framework/operator-controller/issues/967
The changes themselves look fine to me, but I noticed the e2es are failing. Any insights as to why?
I made a change that passed due to caching issues... I had to fix it up and it should be ok now.
Fixes: #921
Remove the InsecureSkipTLSVerify annotations.