-
Notifications
You must be signed in to change notification settings - Fork 498
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using admission server in e2e test instead of applying webhook.yaml
#1377
Conversation
/run-e2e-in-kind |
/run-e2e-in-kind |
/run-e2e-in-kind |
webhook.yaml
tests/webhook.go
Outdated
} | ||
klog.Infof("success to execute helm operator upgrade") | ||
|
||
//// ensure pods unchanged when upgrading operator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, Upgrade Operator from disable webhook
to enable webhook
would only create a new deployment
admission webhook. After we add webhook-enabled
switch in tidb-controller-manager
, it would be necessary to check whether upgrading Operator would cause tidbcluster
restarted as tidb-controller-manager
would restart.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why should the check be commented out?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For now, upgrading Operator from disable admission
to enable admission
won't restart the tidb-controller-manager
so it is not necessary to check the tidbcluster
.
After we add admission-webhook switch in tidb-controller-manager
, the checking would be necessary.
/run-e2e-in-kind |
/run-e2e-in-kind |
tests/webhook.go
Outdated
cmd := fmt.Sprintf(`helm upgrade %s %s --set-string %s `, | ||
info.ReleaseName, | ||
oa.operatorChartPath(info.Tag), | ||
setString) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add webhook settings in OperatorCfg and use UpgradeOperator
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it possible to configure caBundle
via --set-string
? if it is, we can configure caBundle
in OperatorConfig and update OperatorConfig.OperatorHelmSetString
to use it if it exists, e.g.
- configure webhook configurations in OperatorConfig
- (if < 1.13) get caBundle from
kube-system.extension-apiserver-authentication
- (if < 1.13) configure caBundle in OperatorConfig
- UpgradeOperator(OperatorConfig)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I set cabundle by --set-string
at first and encounter a multi-line problem as the cabundle content is multi-line. I used -f
to avoid this problem.
Now, I add these webhook enable switch
into OperatorConfig
and UpgradeOperator
would call SwitchAdmissionWebhook
to update the admission webhook .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can fix the multi-line problem by escaping the value of the --set-string
flag.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current code is fragile because it does not escape the shell arguments. another way is pass command and its arguments to exec.Command
(don't use sh
, then no need to escape shell arguments).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated, for now, the switch of each hook and admission server and the cabundle if managed by OperatorConfig
.
charts/tidb-operator/values.yaml
Outdated
statefulSets: false | ||
## pods hook would check requests for creating and deleting tidbcluster's pods | ||
## if enabled it, the pods of tidbcluster would safely created or deleted by webhook instead of controller | ||
pods: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
because we will always deploy webhook eventually because many features must be implemented in webhook (defaulting & validating, etc). Maybe we can have only one gate hooksEnabled
?
cc @aylei
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am ok with these fine-grained control, but I think the default value is better to be true
. The UX I expect is that when I enable webhook by setting admission.create=true
, I get all the admissions out-of-box, and could disable some of them based on my customized requirement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated, the podsWebhook
is true
in default while the stsWebhook
is false
as stsWebhook
is a special feature.
@@ -1,4 +1,4 @@ | |||
{{- if eq .Values.admissionWebhook.create true }} | |||
{{- if .Values.admissionWebhook.create }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why we have to change the criteria
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cause {{- if eq .Values.admissionWebhook.create true }}
didn't work well when I configure the setting by helm upgrade <name> <path> --set-string key=value
which would casue a comparing type error, so I use {{- if .Values.admissionWebhook.create }}
to avoid it.
By the way, {{- if .Values.key.create }}
is more common used in our templates. It is better to unify the compare style.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is should be our helm BP
charts/tidb-operator/values.yaml
Outdated
statefulSets: false | ||
## pods hook would check requests for creating and deleting tidbcluster's pods | ||
## if enabled it, the pods of tidbcluster would safely created or deleted by webhook instead of controller | ||
pods: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am ok with these fine-grained control, but I think the default value is better to be true
. The UX I expect is that when I enable webhook by setting admission.create=true
, I get all the admissions out-of-box, and could disable some of them based on my customized requirement.
tests/webhook.go
Outdated
} | ||
} | ||
|
||
klog.Info(cmd) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This log helps to print the command we would execute, so it didn't need any extra info except itself.
tests/webhook.go
Outdated
} | ||
klog.Infof("success to execute helm operator upgrade") | ||
|
||
//// ensure pods unchanged when upgrading operator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why should the check be commented out?
/run-e2e-in-test |
/run-e2e-test |
This comment has been minimized.
This comment has been minimized.
/run-e2e-in-kind |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@@ -1,4 +1,4 @@ | |||
{{- if eq .Values.admissionWebhook.create true }} | |||
{{- if .Values.admissionWebhook.create }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is should be our helm BP
/run-e2e-in-kind |
What problem does this PR solve?
Using the admission webhook server in e2e instead of applying
manifests/webhook.yaml
.fix some admission webhook template bugs and add update statefulset webhook configuration in admission webhook template.
Upgrading Operator from
disable webhook
toenable webhook
wouldn't restarttidb-controller-manager
until we add webhook switch in it.moving statefulset webhook configuration into
admission webhook template
and add a switch for each hook.What is changed?