CNTRLPLANE-343: certrotationcontroller: use minutes instead of days when FeatureShortCertRotation is enabled#817
Skipping CI for Draft Pull Request.
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
@vrutkovs: This pull request references CNTRLPLANE-343 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.19.0" version, but no target version was set.
/remove-lifecycle stale
/retest
/retest-required
| rotationDay = day | ||
| klog.Warningf("!!! UNSUPPORTED VALUE SET !!!") | ||
| klog.Warningf("Certificate rotation base set to %q", rotationDay) | ||
| monthPeriod := time.Hour * 24 * 30 |
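Review bot: `monthPeriod := time.Hour * 24 * 30` is a function-local literal that replaces the `rotationDay` base; with the `!!! UNSUPPORTED VALUE SET !!!` warning path gone, any remaining `rotationDay`/`defaultRotationDay` declarations are dead and should go in the same commit, and the 30-day value deserves a named constant so the validity and refresh settings read as periods rather than inline arithmetic.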
let's remove the defaultRotationDay constant if we do not need it anymore
| Validity: 30 * rotationDay, | ||
| Refresh: 15 * rotationDay, | ||
| Validity: monthPeriod, | ||
| Refresh: monthPeriod / 2, |
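Review bot: `Refresh: monthPeriod / 2` restates the 2:1 validity-to-refresh ratio of the old `30 * rotationDay` / `15 * rotationDay` pair inline; derive the refresh from the validity in one place (a helper or a second named value) so a later change to `Validity` cannot silently leave `Refresh` longer than the validity window.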
might be useful to have different variables for the CA and the signer
Right, in ckao we have "month", "tenMonth" and "year" periods - so we can combine those.
I think a single refresh period is okay for now, it can be extended later
| return nil, fmt.Errorf("unable to get FeatureGates: %w", err) | ||
| } | ||
|
|
||
| if featureGates.Enabled(features.FeatureShortCertRotation) { |
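Review bot: `featureGates.Enabled(features.FeatureShortCertRotation)` is evaluated once, in the same constructor that returns `nil, fmt.Errorf("unable to get FeatureGates: %w", err)`, so a gate toggled after startup has no effect until the controller is rebuilt; add a comment above the `if` saying that the gate is read at construction time and which deployments the short periods are intended for.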
I guess we do not support disabling the FG during runtime. Note: FeatureShortCertRotation is DevPreviewNoUpgrade currently and it seems the plan is to use it only for testing?
Maybe we could add a simple comment above to document the use case?
| // we need to establish some kind of delay or back pressure to prevent the rollout. This ensures we don't trigger kas restart | ||
| // during e2e tests for now. | ||
| certRotationScale*8, | ||
| featureGateAccessor, |
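Review bot: the comment block about "delay or back pressure to prevent the rollout" explains the hard-coded `certRotationScale*8` argument; once `featureGateAccessor` replaces the scale, the comment no longer describes anything in the call and should be dropped with it, otherwise a reader will look for an 8x multiplier that no longer exists.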
The Feature is the direct successor of the certRotationScale right?
Are these comments by David obsolete? I suppose it was tuned to work with a specific scale and specific hard-coded value of 8 before.
Can we run into a similar problem with 2h/1h rotation?
It's a replacement for cert rotation scale, yes.
The comments are obsolete - instead of tweaking scales in some operators we define a featuregate observed by every operator. The feature gate also makes your cluster unsupportable (unlike cert scale config via "secret" configmap). And also we run a test which ensures that no certs issued are longer than 8 hrs - so the config is platform wide.
Can we run into a similar problem with 2h/1h rotation?
It's possible - but we have e2e tests which ensure that rollouts happen without disruption
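The 8-hour ceiling mentioned in the comment above, as an added example that is not part of this PR or the operator's code: it mints a self-signed test certificate with a chosen validity and checks whether its lifetime exceeds the budget. The names `maxShortCertValidity`, `issueSelfSigned` and `validityExceeds` are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// maxShortCertValidity is the platform-wide ceiling described in the thread:
// with FeatureShortCertRotation on, no issued cert may outlive 8 hours.
const maxShortCertValidity = 8 * time.Hour

// issueSelfSigned mints a throwaway self-signed CA certificate with the
// given validity window (constructed test input, not operator code).
func issueSelfSigned(validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-signer"},
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parse the DER back so the check runs on what a consumer would see
	// (ASN.1 time has second precision; both ends are truncated alike).
	return x509.ParseCertificate(der)
}

// validityExceeds reports whether the NotBefore..NotAfter window is longer
// than max; an e2e test would run this over every certificate it finds.
func validityExceeds(cert *x509.Certificate, max time.Duration) bool {
	return cert.NotAfter.Sub(cert.NotBefore) > max
}
```

A 2h certificate (the short-rotation refresh in this PR) fits the budget, while a 30-day one (the default period) exceeds it.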
Ok, great to hear that we have it covered and can remove the scale+comment.
| required.Spec.Containers[i].Env = append(container.Env, corev1.EnvVar{ | ||
| Name: "OPERATOR_IMAGE_VERSION", | ||
| Value: operatorImageVersion, | ||
| }) |
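Review bot: `required.Spec.Containers[i].Env = append(container.Env, corev1.EnvVar{...})` appends `OPERATOR_IMAGE_VERSION` unconditionally; if the manifest already declares a variable of that name, the pod spec ends up with two entries and the last one wins silently. Either check for an existing entry by name before appending, or drop the variable if no operand container reads it.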
What do we need the OPERATOR_IMAGE_VERSION env var for?
Operands need the current operator version to make sure observed feature gates are from the expected version
Don't we pass the feature gates to operands directly? Or is this something planned? Or do you have a link where this is used?
NewFeatureGateAccessor needs desiredVersion, which is fetched by calling status.VersionForOperatorFromEnv(), which reads the env var value.
But this is used only for the operator command (RunOperator) and not for any of the operand containers as far as I can see.
I am not against adding the OPERATOR_IMAGE_VERSION env var if we plan to use it. But if not, I would prefer to keep the KCM pod cleaner/simpler.
Oh, right, we no longer need it (featuregates are now hardcoded in operand sidecar)
Ok, we can add the env later if we find the need.
|
|
||
| if featureGates.Enabled(features.FeatureShortCertRotation) { | ||
| refreshPeriod = time.Hour * 2 | ||
| klog.Infof("Setting monthPeriod to %v", refreshPeriod) |
| klog.Infof("Setting monthPeriod to %v", refreshPeriod) | |
| klog.Infof("Setting refreshPeriod to %v", refreshPeriod) |
As discussed in #817 (comment), it seems we can remove the whole last commit now: a746627
Thanks! /lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: atiratree, vrutkovs
/test e2e-aws-ovn
@vrutkovs: The following test failed.
Merged commit 4c58d4c into openshift:master
[ART PR BUILD NOTIFIER] Distgit: ose-cluster-kube-controller-manager-operator
No description provided.