-
Notifications
You must be signed in to change notification settings - Fork 16.8k
[stable/opa] add namespace selector to OPA webhook resource and bump … #13508
Conversation
…ersion Signed-off-by: Casey Lee <cplee@nektos.com>
Hi @cplee. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cplee I've got some questions/comments about this change. Let me know what you think!
Signed-off-by: Casey Lee <cplee@nektos.com>
@tsandall thanks for the feedback! please check this latest commit. |
@cplee this change looks OK in isolation however what I'm not sure about is how to ensure that it works as expected. I.e., users will have to make sure they label the namespace where OPA is deployed accordingly. Is there any precedent for this? Are there other cases where self-management becomes a problem? |
@tsandall I've been having some headaches with the OPA helm chart in which an update is creating a new cert that is out of sync with the cert the pod for OPA is using. This causes the webhook to fail for the other resources in the OPA helm chart...triggering a rollback. The rollback doesn't rollback cleanly since the webhook is now unable to run with inconsistent certs. At his point, the only workaround is to change the FailPolicy to Ignore. |
@cplee understood. I finally had time to test this out manually. I think since it's opt-out it's fine to have it on by default. We can recommend people label sensitive namespaces accordingly. |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cplee, tsandall The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/ok-to-test |
@tsandall: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
helm#13508) * stable/opa: add namespace selector to OPA webhook resource and bump version Signed-off-by: Casey Lee <cplee@nektos.com> * stable/opa: update namespace label to be 'opt-out' vs 'opt-in' Signed-off-by: Casey Lee <cplee@nektos.com>
helm#13508) * stable/opa: add namespace selector to OPA webhook resource and bump version Signed-off-by: Casey Lee <cplee@nektos.com> * stable/opa: update namespace label to be 'opt-out' vs 'opt-in' Signed-off-by: Casey Lee <cplee@nektos.com>
…version
Signed-off-by: Casey Lee cplee@nektos.com
What this PR does / why we need it:
@tsandall
When allowing the helm chart to manage the self-signed certs, it causes certs to be recreated on an upgrade and then the webhook restricts the opa chart for upgrading itself...resulting in deadlock.
Which issue this PR fixes
Special notes for your reviewer:
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
[stable/chart]