djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cec9f3c4d7
ContainerImage.Pinniped/internal
History
Ryan Richard cec9f3c4d7 Improve the selectors of Deployments and Services 
Fixes #801. The solution is complicated by the fact that the Selector
field of Deployments is immutable. It would have been easy to just
make the Selectors of the main Concierge Deployment, the Kube cert agent
Deployment, and the various Services use more specific labels, but
that would break upgrades. Instead, we make the Pod template labels and
the Service selectors more specific, because those not immutable, and
then handle the Deployment selectors in a special way.

For the main Concierge and Supervisor Deployments, we cannot change
their selectors, so they remain "app: app_name", and we make other
changes to ensure that only the intended pods are selected. We keep the
original "app" label on those pods and remove the "app" label from the
pods of the Kube cert agent Deployment. By removing it from the Kube
cert agent pods, there is no longer any chance that they will
accidentally get selected by the main Concierge Deployment.

For the Kube cert agent Deployment, we can change the immutable selector
by deleting and recreating the Deployment. The new selector uses only
the unique label that has always been applied to the pods of that
deployment. Upon recreation, these pods no longer have the "app" label,
so they will not be selected by the main Concierge Deployment's
selector.

The selector of all Services have been updated to use new labels to
more specifically target the intended pods. For the Concierge Services,
this will prevent them from accidentally including the Kube cert agent
pods. For the Supervisor Services, we follow the same convention just
to be consistent and to help future-proof the Supervisor app in case it
ever has a second Deployment added to it.

The selector of the auto-created impersonation proxy Service was
also previously using the "app" label. There is no change to this
Service because that label will now select the correct pods, since
the Kube cert agent pods no longer have that label. It would be possible
to update that selector to use the new more specific label, but then we
would need to invent a way to pass that label into the controller, so
it seemed like more work than was justified.
2021-09-14 13:35:10 -07:00
..
apiserviceref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
authenticators More LDAP WIP: started controller and LDAP server connection code 2021-04-09 18:49:43 -07:00
certauthority go 1.17 bump: fix unit test failures 2021-08-27 09:46:58 -04:00
clusterhost Introduce clusterhost package to determine whether a cluster has control plane nodes 2021-02-09 11:16:01 -08:00
concierge Ensure concierge and supervisor gracefully exit 2021-08-30 20:29:52 -04:00
config Remove references to impersonationConfigMap. 2021-05-26 15:24:59 -05:00
constable Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
controller Improve the selectors of Deployments and Services 2021-09-14 13:35:10 -07:00
controllerinit Ensure concierge and supervisor gracefully exit 2021-08-30 20:29:52 -04:00
controllerlib test/integration: run parallel tests concurrently with serial tests 2021-08-26 12:59:52 -04:00
controllermanager Ensure concierge and supervisor gracefully exit 2021-08-30 20:29:52 -04:00
crud Supervisor storage garbage collection controller enabled in production 2020-12-11 15:21:34 -08:00
deploymentref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
downward internal/downward: add support for (optional) pod name 2020-12-11 11:49:27 -05:00
dynamiccert dynamiccert: prevent misuse of NewServingCert 2021-08-17 12:58:32 -04:00
endpointaddr Add endpointaddr pkg for parsing host+port inputs. 2021-05-25 16:17:26 -05:00
execcredcache Add CLI caching of cluster-specific credentials. 2021-04-08 14:12:34 -05:00
fositestorage Use a custom type for our static CLI client (smaller change). 2021-06-15 15:31:48 -05:00
fositestoragei More adjustments based on PR feedback 2021-04-27 16:54:26 -07:00
groupsuffix Remove unparam linter 2021-08-19 10:20:24 -07:00
here Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
httputil Adjust our securityheader pkg to support form_post. 2021-07-09 12:08:43 -05:00
issuer dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
kubeclient Add leader election middleware 2021-08-20 12:18:25 -04:00
leaderelection Ensure concierge and supervisor gracefully exit 2021-08-30 20:29:52 -04:00
localuserauthenticator Switch to a slimmer distroless base image. 2021-08-09 15:05:13 -04:00
mocks Optionally allow OIDC password grant for CLI-based login experience 2021-08-12 10:45:39 -07:00
oidc Merge pull request #695 from vmware-tanzu/active-directory-identity-provider 2021-08-27 08:39:12 -07:00
ownerref internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 2021-02-10 15:53:44 -05:00
plog WIP on new plog 2021-04-21 09:02:45 -07:00
registry credentialrequest: use safer approximation for ExpirationTimestamp 2021-06-23 11:07:00 -04:00
secret All controller unit tests should not cancel context until test is over 2021-03-04 17:26:01 -08:00
supervisor/server Ensure concierge and supervisor gracefully exit 2021-08-30 20:29:52 -04:00
testutil Improve the selectors of Deployments and Services 2021-09-14 13:35:10 -07:00
upstreamldap Review comments-- 2021-08-19 14:21:18 -07:00
upstreamoidc remove one nolint:unparam comment 2021-08-19 10:57:00 -07:00
valuelesscontext valuelesscontext: make unit tests more clear 2021-04-30 10:43:29 -04:00