siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

With JSON patching, cannot remove/add/replace anything under `.cluster.apiServer` #7792

Closed stavros-k closed 1 year ago

stavros-k commented 1 year ago

Bug Report

Problems with JSON patching on .cluster.apiServer while generating config.

Description

file: patch.yaml

- op: remove
  path: /cluster/apiServer/admissionControl

Execute:

talosctl gen config "$CLUSTER_NAME" "$ENDPOINT" \
  --config-patch @patch.yaml \
  --with-examples=false \
  --with-docs=false

Output:

failed to generate config bundle: error patching configs: failure applying rfc6902 patches to talos machine config: remove operation does not apply: doc is missing path: "/cluster/apiServer/admissionControl": missing value

However, omitting the patch ends up with admissionControl being present. Note that my actual scenario is to patch admissionControl to add stuff, but the same thing happens. I just simplified the test case here.

Using the following makes the command execution succeed:

- op: add
  path: /cluster/apiServer
  value: {}
- op: add
  path: /cluster/apiServer/admissionControl
  value: {}

But now the resulting files, under .cluster.apiServer, contain only admissionControl. So image: ... and disablePodSecurityPolicy: true are missing.


Using strategic patching, trying to override the whole admissionControl (using the same name) ends up with duplicate namespaces (kube-system). I won't expand on this, as it probably needs a new bug report (let me know).

Logs

Environment

frezbo commented 1 year ago

this is the recommended approach https://www.talos.dev/v1.5/learn-more/knowledge-base/#disable-admissioncontrol-on-control-plane-nodes

stavros-k commented 1 year ago

Aha, I see, yes that seems to work. I suppose the --config-patch-control-plane executes after the default config is generated?

Thanks, probably this should be closed?

frezbo commented 1 year ago

> I suppose the --config-patch-control-plane executes after the default config is generated?

it applies to the generated config

> Thanks, probably this should be closed?

yes, if the issue is resolved :+1:
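The three outcomes in this thread (the failing `remove`, the `add`/`add` workaround that wipes `image` and `disablePodSecurityPolicy`, and the maintainer's suggestion of patching the generated control-plane document) follow from plain RFC 6902 semantics. The script below is an added illustration, not Talos code: it uses a hypothetical minimal patch applier and constructed stand-in documents (`BASE_DOC`, `CONTROLPLANE_DOC`), not the real Talos machine config or its patch library.

```python
import copy

# Constructed stand-in for the generated control-plane document (not a real Talos config).
CONTROLPLANE_DOC = {"cluster": {"apiServer": {
    "image": "registry.k8s.io/kube-apiserver:v1.28.0",
    "disablePodSecurityPolicy": True,
    "admissionControl": [{"name": "PodSecurity", "configuration": {}}],
}}}
# Constructed stand-in for a document in which .cluster.apiServer does not exist yet.
BASE_DOC = {"cluster": {}}

REMOVE_PATCH = [{"op": "remove", "path": "/cluster/apiServer/admissionControl"}]
ADD_PATCH = [{"op": "add", "path": "/cluster/apiServer", "value": {}},
             {"op": "add", "path": "/cluster/apiServer/admissionControl", "value": {}}]


def apply_rfc6902(doc, patch):
    """Hypothetical minimal RFC 6902 applier (add/remove/replace on nested dicts)."""
    doc = copy.deepcopy(doc)
    for op in patch:
        *parents, leaf = op["path"].lstrip("/").split("/")
        node = doc
        for key in parents:
            if not isinstance(node, dict) or key not in node:
                raise ValueError(f"{op['op']} operation does not apply: doc is missing path: {op['path']}")
            node = node[key]
        if op["op"] in ("remove", "replace") and leaf not in node:
            raise ValueError(f"{op['op']} operation does not apply: doc is missing path: {op['path']}")
        if op["op"] == "remove":
            del node[leaf]
        else:
            # RFC 6902 "add" on an existing object member replaces that member wholesale,
            # so adding {} at /cluster/apiServer discards image and disablePodSecurityPolicy.
            node[leaf] = copy.deepcopy(op["value"])
    return doc


def remove_against_base():
    """First attempt in the report: remove applied where apiServer is absent -> error text."""
    try:
        apply_rfc6902(BASE_DOC, REMOVE_PATCH)
        return None
    except ValueError as err:
        return str(err)


def add_then_add():
    """The add/add workaround: succeeds, but only admissionControl survives under apiServer."""
    return apply_rfc6902(CONTROLPLANE_DOC, ADD_PATCH)["cluster"]["apiServer"]


def remove_against_controlplane():
    """Same remove applied to the generated control-plane document: siblings are kept."""
    return apply_rfc6902(CONTROLPLANE_DOC, REMOVE_PATCH)["cluster"]["apiServer"]
```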