Using admission server in e2e test instead of applying webhook.yaml
#1377
Conversation
|
/run-e2e-in-kind |
|
/run-e2e-in-kind |
|
/run-e2e-in-kind |
Yisaer
requested review from
cofyc,
weekface,
tennix,
aylei and
DanielZhangQD
Yisaer
changed the title
webhook.yaml
tests/webhook.go
Outdated
| } | ||
| klog.Infof("success to execute helm operator upgrade") | ||
|
|
||
| //// ensure pods unchanged when upgrading operator |
There was a problem hiding this comment.
Currently, Upgrade Operator from disable webhook to enable webhook would only create a new deployment admission webhook. After we add webhook-enabled switch in tidb-controller-manager, it would be necessary to check whether upgrading Operator would cause tidbcluster restarted as tidb-controller-manager would restart.
There was a problem hiding this comment.
why should the check be commented out?
There was a problem hiding this comment.
For now, upgrading Operator from disable admission to enable admission won't restart the tidb-controller-manager so it is not necessary to check the tidbcluster.
After we add admission-webhook switch in tidb-controller-manager, the checking would be necessary.
|
/run-e2e-in-kind |
|
/run-e2e-in-kind |
tests/webhook.go
Outdated
| cmd := fmt.Sprintf(`helm upgrade %s %s --set-string %s `, | ||
| info.ReleaseName, | ||
| oa.operatorChartPath(info.Tag), | ||
| setString) |
There was a problem hiding this comment.
add webhook settings in OperatorCfg and use UpgradeOperator?
There was a problem hiding this comment.
is it possible to configure caBundle via --set-string? if it is, we can configure caBundle in OperatorConfig and update OperatorConfig.OperatorHelmSetString to use it if it exists, e.g.
- configure webhook configurations in OperatorConfig
- (if < 1.13) get caBundle from
kube-system.extension-apiserver-authentication - (if < 1.13) configure caBundle in OperatorConfig
- UpgradeOperator(OperatorConfig)
There was a problem hiding this comment.
I set cabundle by --set-string at first and encounter a multi-line problem as the cabundle content is multi-line. I used -f to avoid this problem.
Now, I add these webhook enable switch into OperatorConfig and UpgradeOperator would call SwitchAdmissionWebhook to update the admission webhook .
There was a problem hiding this comment.
you can fix the multi-line problem by escaping the value of the --set-string flag.
There was a problem hiding this comment.
The current code is fragile because it does not escape the shell arguments. another way is pass command and its arguments to exec.Command (don't use sh, then no need to escape shell arguments).
There was a problem hiding this comment.
updated, for now, the switch of each hook and admission server and the cabundle if managed by OperatorConfig.
charts/tidb-operator/values.yaml
Outdated
| statefulSets: false | ||
| ## pods hook would check requests for creating and deleting tidbcluster's pods | ||
| ## if enabled it, the pods of tidbcluster would safely created or deleted by webhook instead of controller | ||
| pods: false |
There was a problem hiding this comment.
because we will always deploy webhook eventually because many features must be implemented in webhook (defaulting & validating, etc). Maybe we can have only one gate hooksEnabled?
cc @aylei
There was a problem hiding this comment.
I am ok with these fine-grained control, but I think the default value is better to be true. The UX I expect is that when I enable webhook by setting admission.create=true, I get all the admissions out-of-box, and could disable some of them based on my customized requirement.
There was a problem hiding this comment.
updated, the podsWebhook is true in default while the stsWebhook is false as stsWebhook is a special feature.
| @@ -1,4 +1,4 @@ | |||
| {{- if eq .Values.admissionWebhook.create true }} | |||
| {{- if .Values.admissionWebhook.create }} | |||
There was a problem hiding this comment.
why we have to change the criteria
There was a problem hiding this comment.
Cause {{- if eq .Values.admissionWebhook.create true }} didn't work well when I configure the setting by helm upgrade <name> <path> --set-string key=value which would casue a comparing type error, so I use {{- if .Values.admissionWebhook.create }} to avoid it.
By the way, {{- if .Values.key.create }} is more common used in our templates. It is better to unify the compare style.
There was a problem hiding this comment.
This is should be our helm BP
charts/tidb-operator/values.yaml
Outdated
| statefulSets: false | ||
| ## pods hook would check requests for creating and deleting tidbcluster's pods | ||
| ## if enabled it, the pods of tidbcluster would safely created or deleted by webhook instead of controller | ||
| pods: false |
There was a problem hiding this comment.
I am ok with these fine-grained control, but I think the default value is better to be true. The UX I expect is that when I enable webhook by setting admission.create=true, I get all the admissions out-of-box, and could disable some of them based on my customized requirement.
tests/webhook.go
Outdated
| } | ||
| } | ||
|
|
||
| klog.Info(cmd) |
There was a problem hiding this comment.
This log helps to print the command we would execute, so it didn't need any extra info except itself.
tests/webhook.go
Outdated
| } | ||
| klog.Infof("success to execute helm operator upgrade") | ||
|
|
||
| //// ensure pods unchanged when upgrading operator |
There was a problem hiding this comment.
why should the check be commented out?
|
/run-e2e-in-test |
|
/run-e2e-test |
This comment has been minimized.
This comment has been minimized.
|
/run-e2e-in-kind |
| @@ -1,4 +1,4 @@ | |||
| {{- if eq .Values.admissionWebhook.create true }} | |||
| {{- if .Values.admissionWebhook.create }} | |||
There was a problem hiding this comment.
This is should be our helm BP
|
/run-e2e-in-kind |
What problem does this PR solve?
Using the admission webhook server in e2e instead of applying
manifests/webhook.yaml.fix some admission webhook template bugs and add update statefulset webhook configuration in admission webhook template.
Upgrading Operator from
disable webhooktoenable webhookwouldn't restarttidb-controller-manageruntil we add webhook switch in it.moving statefulset webhook configuration into
admission webhook templateand add a switch for each hook.What is changed?