feat!: Add working conversion webhook with cert rotation #1066
Conversation
sbernauer
changed the title
| pub const WEBHOOK_CA_LIFETIME: Duration = Duration::from_minutes_unchecked(3); | ||
| pub const WEBHOOK_CERTIFICATE_LIFETIME: Duration = Duration::from_minutes_unchecked(2); | ||
| pub const WEBHOOK_CERTIFICATE_ROTATION_INTERVAL: Duration = Duration::from_minutes_unchecked(1); |
There was a problem hiding this comment.
reminder to bump these before merging. Currently they are so low for easy testing
sbernauer
moved this from Development: In Progress
to Development: In Review
in Stackable Engineering
sbernauer
moved this from Development: In Review
to Development: Waiting for Review
in Stackable Engineering
Techassi
moved this from Development: Waiting for Review
to Development: In Review
in Stackable Engineering
Techassi
changed the title
Co-authored-by: Techassi <[email protected]>
There was a problem hiding this comment.
I left a bunch of comments.
I encountered the ConversionWebhookServer which is missing the changes we talked about a few weeks back. As such, it doesn't make a whole lot of sense to continue the review before these changes are implemented. I've sent you an appropriate patch as a private message which should be a good starting point for the changes we discussed.
crates/stackable-operator/src/cli.rs
Outdated
| "--operator-namespace", | ||
| "stackable-operators", | ||
| "--operator-service-name", | ||
| "foo-operator", |
There was a problem hiding this comment.
note: I still feel like all these CLI unit tests are pretty much useless and should be removed to speed up the testing runs.
There was a problem hiding this comment.
I don't think they have a noticeable effect on the test runtime. Compare to the really slow doc tests, those take 1000x longer (not joking ^^)
I think the maintenance effort is a valid point, removed the CLI parsing tests in 5e41bf1
| use kube::{ | ||
| Api, Client, ResourceExt, | ||
| api::{Patch, PatchParams}, | ||
| }; | ||
| use snafu::{OptionExt, ResultExt, Snafu}; | ||
| use stackable_operator::cli::OperatorEnvironmentOptions; | ||
| use tokio::{sync::mpsc, try_join}; | ||
| use tracing::instrument; | ||
| use x509_cert::{ | ||
| Certificate, | ||
| der::{EncodePem, pem::LineEnding}, | ||
| }; |
There was a problem hiding this comment.
note: Please combine these imports with the others above.
There was a problem hiding this comment.
hmm, what imports exactly can be combined? rustfmt groups them like this
There was a problem hiding this comment.
Yeah this is sub-optimal formatting sadly. You need to manually move them to the top imports above line 11.
There was a problem hiding this comment.
I'm too stupid, can you please provide a patch that "survives" cargo fmt? 🤦♂️
| /// The environment the operator is running in, notably the namespace and service name it is | ||
| /// reachable at. | ||
| pub operator_environment: OperatorEnvironmentOptions, |
There was a problem hiding this comment.
note: Let's avoid pulling in a type from stackable_operator here. Instead, split it into two separate fields.
| /// The environment the operator is running in, notably the namespace and service name it is | |
| /// reachable at. | |
| pub operator_environment: OperatorEnvironmentOptions, | |
| pub namespace: String, | |
| pub service_name: String, |
There was a problem hiding this comment.
Hmm, I intentionally sticked with the struct that describes the k8s env. I understand your concerns, but I also really don't like too many function arguments when there is a perfectly fine struct for what we want as "information about the environment of the operator".
Maybe tomorrow we need the k8s version or if we are on OpenShift or whatnot
There was a problem hiding this comment.
The comment of the field perfectly sums this up:
The environment the operator is running in, notably the namespace and service name it is reachable at.
Currently, we only need the namespace and the service name. That's it. Why are we optimizing for something which might or might not come in the future? Regarding how the crates are currently structured, I would like to avoid more entanglement between those.
As discussed multiple times already, this needs better structure in the long run, which I can hopefully pick up soon.
I also really don't like too many function arguments
There is only a single parameter: ConversionWebhookOptions. Everything is contained in there. And having two fields instead of one, doesn't really justify mixing even more types between crates (which are not designed for that currently).
| @@ -2,4 +2,5 @@ | |||
| //! purposes. | |||
| mod conversion; | |||
|
|
|||
| pub use conversion::*; | |||
| pub use conversion::{ConversionWebhookError, ConversionWebhookOptions, ConversionWebhookServer}; | |||
| pub use kube::core::conversion::ConversionReview; | |||
There was a problem hiding this comment.
note: This is already re-exported via stackable_webhook::servers::conversion::ConversionReview. As such, please remove it from here again.
There was a problem hiding this comment.
Correct, removed in 8dc1235
| let (cert, certified_key) = Self::generate_new_cert(subject_alterative_dns_names.clone()) | ||
| .await | ||
| .context(GenerateNewCertificateSnafu)?; | ||
|
|
||
| cert_tx | ||
| .send(cert) | ||
| .await | ||
| .map_err(|_err| CertificateResolverError::SendCertificateToChannel)?; |
There was a problem hiding this comment.
note: I feel like this can be moved into its own function, because we repeat the exact same code below.
There was a problem hiding this comment.
Any reason why you didn't include the certificate generation in that function as well? That's basically also the same code across two functions.
| Also, `TlsServer::new` now returns an additional `mpsc::Receiver<Certificate>`, so that the caller | ||
| can get notified about certificate rotations happening ([#1066]). |
There was a problem hiding this comment.
note: (Addition to the comment above) This would be the perfect trigger for the operator (the caller of this function) to reconcile the CRDs.
Co-authored-by: Techassi <[email protected]>
Co-authored-by: Techassi <[email protected]>
Co-authored-by: Techassi <[email protected]>
Description
Part of stackabletech/issues#642
An working example usage can be found in stackabletech/zookeeper-operator#958 (mainly look at
rust/operator-binary/src/main.rs)Definition of Done Checklist
Author
Reviewer
Acceptance