Finish WIP from previous commits: agent pods created in install namespace

This commit is contained in:
Ryan Richard 2020-09-21 17:15:36 -07:00
parent 820f1e977e
commit 526be79b11
7 changed files with 42 additions and 32 deletions


@ -70,7 +70,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels)
agentPods, err := c.agentPodInformer.
Lister().
Pods(ControllerManagerNamespace).
Pods(c.agentInfo.Template.Namespace).
List(agentSelector)
if err != nil {
return fmt.Errorf("informer cannot list agent pods: %w", err)
@ -91,6 +91,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
if err := c.maybeUpdateAgentPod(
ctx.Context,
agentPod.Name,
agentPod.Namespace,
certPath,
certPathOK,
keyPath,
@ -106,13 +107,14 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
func (c *annotaterController) maybeUpdateAgentPod(
ctx context.Context,
name string,
namespace string,
certPath string,
certPathOK bool,
keyPath string,
keyPathOK bool,
) error {
return retry.RetryOnConflict(retry.DefaultRetry, func() error {
agentPod, err := c.agentPodInformer.Lister().Pods(ControllerManagerNamespace).Get(name)
agentPod, err := c.agentPodInformer.Lister().Pods(namespace).Get(name)
if err != nil {
return err
}
@ -166,7 +168,7 @@ func (c *annotaterController) reallyUpdateAgentPod(
)
_, err := c.k8sClient.
CoreV1().
Pods(ControllerManagerNamespace).
Pods(agentPod.Namespace).
Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
return err
}
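Review bot: `Lister().Pods(c.agentInfo.Template.Namespace)` in Sync only returns pods if `c.agentPodInformer` itself watches that namespace (or all namespaces); the informer construction is not part of this commit, so if it is still scoped to kube-system the list silently comes back empty and the annotater never updates anything. Worth confirming where the informer is built, and a test that pairs a non-kube-system template namespace with a namespaced fake informer would pin it; a field comment such as `// agentPodInformer must watch the namespace named in agentInfo.Template.Namespace.` would record the contract. The deleter's Sync in this commit has the same dependency. Sync, maybeUpdateAgentPod and reallyUpdateAgentPod all continue outside the hunks.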


@ -50,6 +50,7 @@ func TestAnnotaterControllerFilter(t *testing.T) {
func TestAnnotaterControllerSync(t *testing.T) {
spec.Run(t, "AnnotaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
const kubeSystemNamespace = "kube-system"
const agentPodNamespace = "agent-pod-namespace"
const (
certPath = "some-cert-path"
@ -73,7 +74,8 @@ func TestAnnotaterControllerSync(t *testing.T) {
agentPodTemplate := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "some-agent-name-",
Name: "some-agent-name-",
Namespace: agentPodNamespace,
Labels: map[string]string{
"some-label-key": "some-label-value",
},
@ -134,7 +136,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
// fnv 32a hash of controller-manager uid
controllerManagerPodHash := "fbb0addd"
agentPod := agentPodTemplate.DeepCopy()
agentPod.Namespace = kubeSystemNamespace
agentPod.Namespace = agentPodNamespace
agentPod.Name += controllerManagerPodHash
agentPod.Annotations = map[string]string{
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
@ -235,7 +237,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewUpdateAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
updatedAgentPod,
),
},
@ -267,7 +269,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewUpdateAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
updatedAgentPod,
),
},
@ -318,7 +320,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewUpdateAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
updatedAgentPod,
),
},
@ -348,7 +350,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewUpdateAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
updatedAgentPod,
),
},
@ -442,7 +444,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewUpdateAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
updatedAgentPod,
),
},
@ -476,7 +478,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewUpdateAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
updatedAgentPod,
),
},
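Review bot: `agentPod.Namespace = agentPodNamespace` after `agentPodTemplate.DeepCopy()` is redundant now that the template's ObjectMeta already carries `Namespace: agentPodNamespace`; the copy has that value before the assignment. Dropping the line makes it clear the expected namespace derives from the template, which is what the controllers now rely on. The creater and deleter tests in this commit contain the same pattern. The enclosing spec closure continues outside the hunk.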


@ -50,6 +50,7 @@ func TestCreaterControllerFilter(t *testing.T) {
func TestCreaterControllerSync(t *testing.T) {
spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
const kubeSystemNamespace = "kube-system"
const agentPodNamespace = "agent-pod-namespace"
var r *require.Assertions
@ -65,7 +66,7 @@ func TestCreaterControllerSync(t *testing.T) {
agentPodTemplate := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Namespace: "some-agent-namespace",
Namespace: agentPodNamespace,
Name: "some-agent-name-",
Labels: map[string]string{
"some-label-key": "some-label-value",
@ -123,6 +124,7 @@ func TestCreaterControllerSync(t *testing.T) {
controllerManagerPodHash := "fbb0addd"
agentPod := agentPodTemplate.DeepCopy()
agentPod.Name += controllerManagerPodHash
agentPod.Namespace = agentPodNamespace
agentPod.Annotations = map[string]string{
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
"kube-cert-agent.pinniped.dev/controller-manager-uid": string(controllerManagerPod.UID),
@ -247,7 +249,7 @@ func TestCreaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewCreateAction(
podsGVR,
agentPod.Namespace,
agentPodNamespace,
agentPod,
),
},
@ -266,7 +268,7 @@ func TestCreaterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewCreateAction(
podsGVR,
agentPod.Namespace,
agentPodNamespace,
agentPod,
),
},


@ -64,7 +64,7 @@ func (c *deleterController) Sync(ctx controllerlib.Context) error {
agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels)
agentPods, err := c.agentPodInformer.
Lister().
Pods(ControllerManagerNamespace).
Pods(c.agentInfo.Template.Namespace).
List(agentSelector)
if err != nil {
return fmt.Errorf("informer cannot list agent pods: %w", err)
@ -80,7 +80,7 @@ func (c *deleterController) Sync(ctx controllerlib.Context) error {
klog.InfoS("deleting agent pod", "pod", klog.KObj(agentPod))
err := c.k8sClient.
CoreV1().
Pods(ControllerManagerNamespace).
Pods(agentPod.Namespace).
Delete(ctx.Context, agentPod.Name, metav1.DeleteOptions{})
if err != nil {
return fmt.Errorf("cannot delete agent pod: %w", err)


@ -50,6 +50,7 @@ func TestDeleterControllerFilter(t *testing.T) {
func TestDeleterControllerSync(t *testing.T) {
spec.Run(t, "DeleterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
const kubeSystemNamespace = "kube-system"
const agentPodNamespace = "agent-pod-namespace"
var r *require.Assertions
@ -65,7 +66,8 @@ func TestDeleterControllerSync(t *testing.T) {
agentPodTemplate := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "some-agent-name-",
Name: "some-agent-name-",
Namespace: agentPodNamespace,
Labels: map[string]string{
"some-label-key": "some-label-value",
},
@ -127,7 +129,7 @@ func TestDeleterControllerSync(t *testing.T) {
// fnv 32a hash of controller-manager uid
controllerManagerPodHash := "fbb0addd"
agentPod := agentPodTemplate.DeepCopy()
agentPod.Namespace = kubeSystemNamespace
agentPod.Namespace = agentPodNamespace
agentPod.Name += controllerManagerPodHash
agentPod.Annotations = map[string]string{
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
@ -236,7 +238,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -261,7 +263,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -290,7 +292,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -319,7 +321,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -346,7 +348,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -371,7 +373,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -400,7 +402,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -426,7 +428,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -451,7 +453,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},
@ -470,7 +472,7 @@ func TestDeleterControllerSync(t *testing.T) {
[]coretesting.Action{
coretesting.NewDeleteAction(
podsGVR,
kubeSystemNamespace,
agentPodNamespace,
agentPod.Name,
),
},


@ -146,7 +146,7 @@ func isAgentPodUpToDate(actualAgentPod, expectedAgentPod *corev1.Pod) bool {
func findControllerManagerPodForSpecificAgentPod(
agentPod *corev1.Pod,
informer corev1informers.PodInformer,
kubeSystemPodInformer corev1informers.PodInformer,
) (*corev1.Pod, error) {
name, ok := agentPod.Annotations[controllerManagerNameAnnotationKey]
if !ok {
@ -160,7 +160,7 @@ func findControllerManagerPodForSpecificAgentPod(
return nil, nil
}
maybeControllerManagerPod, err := informer.
maybeControllerManagerPod, err := kubeSystemPodInformer.
Lister().
Pods(ControllerManagerNamespace).
Get(name)


@ -133,6 +133,7 @@ func (a *App) runServer(ctx context.Context) error {
// Load the Kubernetes cluster signing CA.
kubeCertAgentTemplate, kubeCertAgentLabelSelector := createKubeCertAgentTemplate(
&cfg.KubeCertAgentConfig,
serverInstallationNamespace,
)
k8sClusterCA, shutdownCA, err := getClusterCASigner(
ctx,
@ -322,11 +323,12 @@ func getAggregatedAPIServerConfig(
return apiServerConfig, nil
}
func createKubeCertAgentTemplate(cfg *configapi.KubeCertAgentSpec) (*corev1.Pod, string) {
func createKubeCertAgentTemplate(cfg *configapi.KubeCertAgentSpec, serverInstallationNamespace string) (*corev1.Pod, string) {
terminateImmediately := int64(0)
pod := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: *cfg.NamePrefix,
Name: *cfg.NamePrefix,
Namespace: serverInstallationNamespace, // create the agent pods in the same namespace where Pinniped is installed
Labels: map[string]string{
kubeCertAgentLabelKey: "",
},
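Review bot: `createKubeCertAgentTemplate` writes `serverInstallationNamespace` straight into the template without checking it is non-empty. Where the value comes from is outside the hunk (runServer continues beyond it); if it can be empty, the controllers' listers would call `Pods("")`, which client-go treats as all namespaces, while the create would be rejected by the API server, so the failure would surface late and confusingly. An `if serverInstallationNamespace == ""` check in runServer that returns an error before the template is built, or a validation in the config loader, would fail fast with a clear message.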