Switch to use fileca in e2e tests #309
@@ -52,6 +52,9 @@ spec: | |
volumeMounts: | ||
- name: fulcio-config | ||
mountPath: /etc/fulcio-config | ||
- name: fulcio-secret | ||
mountPath: /etc/fulcio-secret | ||
readOnly: true | ||
- name: oidc-info | ||
mountPath: /var/run/fulcio | ||
resources: | ||
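Review bot: the new `fulcio-secret` mount is correctly `readOnly: true`, but nothing in this hunk wires `/etc/fulcio-secret` into the fulcio process; the container args are outside the visible lines, so confirm they point the fileca backend at the cert and key files under `/etc/fulcio-secret`, otherwise the mount is inert and the e2e run still exercises the previous CA backend. Because the backing Secret is `optional: true` in the volumes hunk below, a missing Secret leaves this directory empty instead of failing the pod, so the e2e test should assert that the expected files exist at that path before treating a green run as proof that fileca was used.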
@@ -62,6 +65,10 @@ spec: | |
- name: fulcio-config | ||
configMap: | ||
name: fulcio-config | ||
- name: fulcio-secret | ||
secret: | ||
secretName: fulcio-secret | ||
optional: true | ||
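Review bot: `optional: true` makes a wrong `secretName`, or a Secret created in another namespace, fail silently: the pod starts with an empty `/etc/fulcio-secret` and fulcio only errors later when it reads the files, which is harder to spot than a pod stuck in ContainerCreating. Add a YAML comment above `optional: true` stating why the Secret may be absent (the thread indicates production does not create it), and consider setting `defaultMode` on this secret volume to something tighter than the 0644 Kubernetes applies by default, matched to the uid/fsGroup the container runs as, so the CA private key is not readable by every user inside the container.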
^^ @mattmoor

That should make it so that it doesn't block starting it. The one interesting bit is what happens if you do want to specify the secret and it is not there yet but you'd like it to actually block. IIRC though, we watch that mount point, so I think it will pick it up once it becomes available. @nsmith5 check me out :)

Looks like

I don't think I know what Kubernetes would do in this case. My hope would be a pod crashloop until the secret mounts, but I don't know the

The watch behaviour is also pretty paranoid about putting the server in a state where it can't serve requests, so it looks for updates, but if, for instance, the cert doesn't match the key or the key can't be decrypted with the password, it will just keep using the existing certs and ignore the updates from the filesystem.

Ran Matt's suggestion, and things appear to work as we expect:

yay?

Nope, looks good from me! Good work @jdolitsky :D

Thanks for checking in with Dr. Empirical 😆

No. I think it might behoove us to file an issue in k8s to document the behaviour in case they reserve the right to change this behaviour, or at least make sure that other folks don't have to ponder what the behaviour is. But I'm happy with the change for sure.
- name: oidc-info | ||
projected: | ||
sources: | ||
I believe this will cause production to break, but I believe you can make it optional (and then it won't).

Does the `optional` field added in the `volumes` section below accomplish this?

I think so. Tried adding optional in another branch and got yelled at: