Finish WIP from previous commits: agent pods created in install namespace
This commit is contained in:
parent
820f1e977e
commit
526be79b11
@ -70,7 +70,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
|
||||
agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels)
|
||||
agentPods, err := c.agentPodInformer.
|
||||
Lister().
|
||||
Pods(ControllerManagerNamespace).
|
||||
Pods(c.agentInfo.Template.Namespace).
|
||||
List(agentSelector)
|
||||
if err != nil {
|
||||
return fmt.Errorf("informer cannot list agent pods: %w", err)
|
||||
@ -91,6 +91,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
|
||||
if err := c.maybeUpdateAgentPod(
|
||||
ctx.Context,
|
||||
agentPod.Name,
|
||||
agentPod.Namespace,
|
||||
certPath,
|
||||
certPathOK,
|
||||
keyPath,
|
||||
@ -106,13 +107,14 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
|
||||
func (c *annotaterController) maybeUpdateAgentPod(
|
||||
ctx context.Context,
|
||||
name string,
|
||||
namespace string,
|
||||
certPath string,
|
||||
certPathOK bool,
|
||||
keyPath string,
|
||||
keyPathOK bool,
|
||||
) error {
|
||||
return retry.RetryOnConflict(retry.DefaultRetry, func() error {
|
||||
agentPod, err := c.agentPodInformer.Lister().Pods(ControllerManagerNamespace).Get(name)
|
||||
agentPod, err := c.agentPodInformer.Lister().Pods(namespace).Get(name)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -166,7 +168,7 @@ func (c *annotaterController) reallyUpdateAgentPod(
|
||||
)
|
||||
_, err := c.k8sClient.
|
||||
CoreV1().
|
||||
Pods(ControllerManagerNamespace).
|
||||
Pods(agentPod.Namespace).
|
||||
Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
|
||||
return err
|
||||
}
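Review bot: Both listers now read `Pods(c.agentInfo.Template.Namespace)` from `c.agentPodInformer` (here and in the deleter's `Sync`), but nothing in the hunk shows the informer's own namespace scope moving with it; if `agentPodInformer` is still constructed for kube-system, the lister returns an empty list with a nil error and the controllers silently stop annotating and cleaning up agent pods, so the informer factory wiring deserves a check. The template namespace is also the only value the lister filters on, so an empty `Template.Namespace` produces the same silent empty result; a guard such as `if c.agentInfo.Template.Namespace == "" { return fmt.Errorf("agent pod template has no namespace") }` before the list makes that misconfiguration visible instead. `Sync` continues outside the hunk on both sides.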
|
||||
|
@ -50,6 +50,7 @@ func TestAnnotaterControllerFilter(t *testing.T) {
|
||||
func TestAnnotaterControllerSync(t *testing.T) {
|
||||
spec.Run(t, "AnnotaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
|
||||
const kubeSystemNamespace = "kube-system"
|
||||
const agentPodNamespace = "agent-pod-namespace"
|
||||
|
||||
const (
|
||||
certPath = "some-cert-path"
|
||||
@ -74,6 +75,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
agentPodTemplate := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "some-agent-name-",
|
||||
Namespace: agentPodNamespace,
|
||||
Labels: map[string]string{
|
||||
"some-label-key": "some-label-value",
|
||||
},
|
||||
@ -134,7 +136,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
// fnv 32a hash of controller-manager uid
|
||||
controllerManagerPodHash := "fbb0addd"
|
||||
agentPod := agentPodTemplate.DeepCopy()
|
||||
agentPod.Namespace = kubeSystemNamespace
|
||||
agentPod.Namespace = agentPodNamespace
|
||||
agentPod.Name += controllerManagerPodHash
|
||||
agentPod.Annotations = map[string]string{
|
||||
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
|
||||
@ -235,7 +237,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewUpdateAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
updatedAgentPod,
|
||||
),
|
||||
},
|
||||
@ -267,7 +269,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewUpdateAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
updatedAgentPod,
|
||||
),
|
||||
},
|
||||
@ -318,7 +320,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewUpdateAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
updatedAgentPod,
|
||||
),
|
||||
},
|
||||
@ -348,7 +350,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewUpdateAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
updatedAgentPod,
|
||||
),
|
||||
},
|
||||
@ -442,7 +444,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewUpdateAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
updatedAgentPod,
|
||||
),
|
||||
},
|
||||
@ -476,7 +478,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewUpdateAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
updatedAgentPod,
|
||||
),
|
||||
},
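Review bot: The replacement line `agentPod.Namespace = agentPodNamespace` is redundant now that `agentPodTemplate` already sets `Namespace: agentPodNamespace` and `agentPod` is a `DeepCopy()` of it; the old line overrode the template, the new one merely repeats it. Dropping the assignment here, and the matching ones in the creater and deleter tests, keeps the fixture's namespace single-sourced in the template. Only part of `TestAnnotaterControllerSync` is visible in these hunks.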
|
||||
|
@ -50,6 +50,7 @@ func TestCreaterControllerFilter(t *testing.T) {
|
||||
func TestCreaterControllerSync(t *testing.T) {
|
||||
spec.Run(t, "CreaterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
|
||||
const kubeSystemNamespace = "kube-system"
|
||||
const agentPodNamespace = "agent-pod-namespace"
|
||||
|
||||
var r *require.Assertions
|
||||
|
||||
@ -65,7 +66,7 @@ func TestCreaterControllerSync(t *testing.T) {
|
||||
|
||||
agentPodTemplate := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: "some-agent-namespace",
|
||||
Namespace: agentPodNamespace,
|
||||
Name: "some-agent-name-",
|
||||
Labels: map[string]string{
|
||||
"some-label-key": "some-label-value",
|
||||
@ -123,6 +124,7 @@ func TestCreaterControllerSync(t *testing.T) {
|
||||
controllerManagerPodHash := "fbb0addd"
|
||||
agentPod := agentPodTemplate.DeepCopy()
|
||||
agentPod.Name += controllerManagerPodHash
|
||||
agentPod.Namespace = agentPodNamespace
|
||||
agentPod.Annotations = map[string]string{
|
||||
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
|
||||
"kube-cert-agent.pinniped.dev/controller-manager-uid": string(controllerManagerPod.UID),
|
||||
@ -247,7 +249,7 @@ func TestCreaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewCreateAction(
|
||||
podsGVR,
|
||||
agentPod.Namespace,
|
||||
agentPodNamespace,
|
||||
agentPod,
|
||||
),
|
||||
},
|
||||
@ -266,7 +268,7 @@ func TestCreaterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewCreateAction(
|
||||
podsGVR,
|
||||
agentPod.Namespace,
|
||||
agentPodNamespace,
|
||||
agentPod,
|
||||
),
|
||||
},
|
||||
|
@ -64,7 +64,7 @@ func (c *deleterController) Sync(ctx controllerlib.Context) error {
|
||||
agentSelector := labels.SelectorFromSet(c.agentInfo.Template.Labels)
|
||||
agentPods, err := c.agentPodInformer.
|
||||
Lister().
|
||||
Pods(ControllerManagerNamespace).
|
||||
Pods(c.agentInfo.Template.Namespace).
|
||||
List(agentSelector)
|
||||
if err != nil {
|
||||
return fmt.Errorf("informer cannot list agent pods: %w", err)
|
||||
@ -80,7 +80,7 @@ func (c *deleterController) Sync(ctx controllerlib.Context) error {
|
||||
klog.InfoS("deleting agent pod", "pod", klog.KObj(agentPod))
|
||||
err := c.k8sClient.
|
||||
CoreV1().
|
||||
Pods(ControllerManagerNamespace).
|
||||
Pods(agentPod.Namespace).
|
||||
Delete(ctx.Context, agentPod.Name, metav1.DeleteOptions{})
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot delete agent pod: %w", err)
|
||||
|
@ -50,6 +50,7 @@ func TestDeleterControllerFilter(t *testing.T) {
|
||||
func TestDeleterControllerSync(t *testing.T) {
|
||||
spec.Run(t, "DeleterControllerSync", func(t *testing.T, when spec.G, it spec.S) {
|
||||
const kubeSystemNamespace = "kube-system"
|
||||
const agentPodNamespace = "agent-pod-namespace"
|
||||
|
||||
var r *require.Assertions
|
||||
|
||||
@ -66,6 +67,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
agentPodTemplate := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "some-agent-name-",
|
||||
Namespace: agentPodNamespace,
|
||||
Labels: map[string]string{
|
||||
"some-label-key": "some-label-value",
|
||||
},
|
||||
@ -127,7 +129,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
// fnv 32a hash of controller-manager uid
|
||||
controllerManagerPodHash := "fbb0addd"
|
||||
agentPod := agentPodTemplate.DeepCopy()
|
||||
agentPod.Namespace = kubeSystemNamespace
|
||||
agentPod.Namespace = agentPodNamespace
|
||||
agentPod.Name += controllerManagerPodHash
|
||||
agentPod.Annotations = map[string]string{
|
||||
"kube-cert-agent.pinniped.dev/controller-manager-name": controllerManagerPod.Name,
|
||||
@ -236,7 +238,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -261,7 +263,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -290,7 +292,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -319,7 +321,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -346,7 +348,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -371,7 +373,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -400,7 +402,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -426,7 +428,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -451,7 +453,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
@ -470,7 +472,7 @@ func TestDeleterControllerSync(t *testing.T) {
|
||||
[]coretesting.Action{
|
||||
coretesting.NewDeleteAction(
|
||||
podsGVR,
|
||||
kubeSystemNamespace,
|
||||
agentPodNamespace,
|
||||
agentPod.Name,
|
||||
),
|
||||
},
|
||||
|
@ -146,7 +146,7 @@ func isAgentPodUpToDate(actualAgentPod, expectedAgentPod *corev1.Pod) bool {
|
||||
|
||||
func findControllerManagerPodForSpecificAgentPod(
|
||||
agentPod *corev1.Pod,
|
||||
informer corev1informers.PodInformer,
|
||||
kubeSystemPodInformer corev1informers.PodInformer,
|
||||
) (*corev1.Pod, error) {
|
||||
name, ok := agentPod.Annotations[controllerManagerNameAnnotationKey]
|
||||
if !ok {
|
||||
@ -160,7 +160,7 @@ func findControllerManagerPodForSpecificAgentPod(
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
maybeControllerManagerPod, err := informer.
|
||||
maybeControllerManagerPod, err := kubeSystemPodInformer.
|
||||
Lister().
|
||||
Pods(ControllerManagerNamespace).
|
||||
Get(name)
|
||||
|
@ -133,6 +133,7 @@ func (a *App) runServer(ctx context.Context) error {
|
||||
// Load the Kubernetes cluster signing CA.
|
||||
kubeCertAgentTemplate, kubeCertAgentLabelSelector := createKubeCertAgentTemplate(
|
||||
&cfg.KubeCertAgentConfig,
|
||||
serverInstallationNamespace,
|
||||
)
|
||||
k8sClusterCA, shutdownCA, err := getClusterCASigner(
|
||||
ctx,
|
||||
@ -322,11 +323,12 @@ func getAggregatedAPIServerConfig(
|
||||
return apiServerConfig, nil
|
||||
}
|
||||
|
||||
func createKubeCertAgentTemplate(cfg *configapi.KubeCertAgentSpec) (*corev1.Pod, string) {
|
||||
func createKubeCertAgentTemplate(cfg *configapi.KubeCertAgentSpec, serverInstallationNamespace string) (*corev1.Pod, string) {
|
||||
terminateImmediately := int64(0)
|
||||
pod := &corev1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: *cfg.NamePrefix,
|
||||
Namespace: serverInstallationNamespace, // create the agent pods in the same namespace where Pinniped is installed
|
||||
Labels: map[string]string{
|
||||
kubeCertAgentLabelKey: "",
|
||||
},
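Review bot: `createKubeCertAgentTemplate` copies `serverInstallationNamespace` straight into the template without checking it is non-empty, and nothing in the hunk shows `runServer` validating it before the call; an empty namespace here would leave every namespace-scoped list, update and delete in the agent controllers targeting nothing. The line above also dereferences `cfg.NamePrefix` unchecked, which is fine only if the config layer guarantees a default. A doc comment would make the new contract explicit, e.g. `// createKubeCertAgentTemplate builds the agent pod template; serverInstallationNamespace must be the namespace Pinniped runs in, because the agent controllers list and mutate agent pods there.` Both `runServer` and `createKubeCertAgentTemplate` extend beyond the hunk.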
|
||||
|