craigcondit opened a new pull request #346:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/346


   - Admission controller now registers its own certificates and webhooks on 
startup
   - Added new example deployment files for admission controller
   - Removed admission controller bootstrap code from scheduler image
   
   ### What is this PR for?
   This PR splits the admission controller away from the scheduler and allows 
them to be deployed independently.
   
   The admission controller now manages its own TLS certificates. This allows 
for the rotation of certificates prior to expiration without downtime of the 
admission controller service (assuming replicas > 1). On startup:
   
   - On startup, a K8S secret "admission-controller-secrets" in the current 
namespace is queried for two CA certs (primary and secondary).
   - If either cert is missing or expired / expiring within 90 days, it is 
regenerated with a 1-year expiration.
   - If both certs are unavailable, one is created with a 6-month expiration, 
and the other with 1-year.
   - The updated certs (if any) are saved back to the K8S secret store.
   - In all cases, a new, ephemeral server certificate is signed with the CA 
cert having the latest expiration time. This cert is used for the webhook HTTPS 
server.
   
   The admission controller also registers its own webhooks on startup if they 
are not present or outdated. On startup:
   
   - The existing validating webhook (for configmaps) and mutating webhook (for 
pods) are queried.
   - If the webhooks do not exist, they are created. If they do exist, they are 
validated and updated if necessary.
   - The validation process checks the caBundle provided to ensure it contains 
both of the CA certificates either loaded or generated at startup.
   
   Health checks (startup probe and readiness probe) have been added to the 
admission controller to allow reliable usage of multiple admission controllers 
behind a load balancer. This will help facilitate upgrades and avoid downtime 
leading to pods not being mutated properly.
   
   Admission controller deployment scripts have been removed from the scheduler 
image. Updated deployment examples to reflect new usage.
   
   ### What type of PR is it?
   * [ ] - Bug Fix
   * [x] - Improvement
   * [ ] - Feature
   * [ ] - Documentation
   * [ ] - Hot Fix
   * [ ] - Refactoring
   
   ### Todos
   * [ ] - Task
   
   ### What is the Jira issue?
   https://issues.apache.org/jira/browse/YUNIKORN-941
   
   ### How should this be tested?
   Use the deployments in deployments/scheduler:
   
   - admission-controller-rbac.yaml
   - admission-controller-secrets.yaml
   - admission-controller.yaml
   
   ### Screenshots (if appropriate)
   <img width="1269" alt="admission-controller" 
src="https://user-images.githubusercontent.com/12699633/146619041-0305aa45-c7d8-41f6-98b4-4c60244a0025.png">
   
   ### Questions:
   * [ ] - The licenses files need update.
   * [ ] - There are breaking changes for older versions.
   * [ ] - It needs documentation.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

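The two startup procedures described in the PR (the CA rotation rules for the primary/secondary pair, the ephemeral server certificate signed by the CA that expires last, and the caBundle validation for the webhook registrations) as one worked example. This is added illustration code, not the PR's or the YuniKorn project's implementation: it uses only Go's standard crypto/x509 and leaves out the Kubernetes secret and webhook API calls. Assumed details that the description does not fix: the CA common names, "6 months" taken as 182 days, a 24-hour validity for the ephemeral serving certificate, and "both certs unavailable" read as both missing or both due for renewal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

const (
	renewWindow = 90 * 24 * time.Hour  // PR rule: regenerate a CA that expires within 90 days
	oneYear     = 365 * 24 * time.Hour // validity of a regenerated CA
	sixMonths   = 182 * 24 * time.Hour // shorter validity used when both CAs are missing (assumed 182 days)
)

type keyedCert struct { // a certificate with its private key; a nil *keyedCert is a missing CA slot
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func mint(tmpl *x509.Certificate, parent *keyedCert) (*keyedCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, any(key)
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyedCert{cert: cert, key: key}, nil
}

// newCA creates a self-signed CA; the common names passed in below are illustrative, not the project's.
func newCA(cn string, now time.Time, validity time.Duration) (*keyedCert, error) {
	return mint(&x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(validity), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// reconcileCAs applies the rotation rules; updated=true means the secret must be written back.
func reconcileCAs(primary, secondary *keyedCert, now time.Time) (*keyedCert, *keyedCert, bool, error) {
	// A slot needs renewal when it is missing, expired, or expiring inside the 90-day window.
	renew := func(c *keyedCert) bool { return c == nil || !now.Add(renewWindow).Before(c.cert.NotAfter) }
	renewP, renewS := renew(primary), renew(secondary)
	primaryValidity := oneYear
	if renewP && renewS {
		primaryValidity = sixMonths // both unavailable: stagger so the pair never rotates together
	}
	var err error
	if renewP {
		if primary, err = newCA("admission-ca-primary", now, primaryValidity); err != nil {
			return nil, nil, false, err
		}
	}
	if renewS {
		if secondary, err = newCA("admission-ca-secondary", now, oneYear); err != nil {
			return nil, nil, false, err
		}
	}
	return primary, secondary, renewP || renewS, nil
}

// issueServerCert: ephemeral serving cert signed by whichever CA expires last (24h validity is an assumption).
func issueServerCert(primary, secondary *keyedCert, dnsName string, now time.Time) (*keyedCert, error) {
	signer := primary
	if secondary.cert.NotAfter.After(primary.cert.NotAfter) {
		signer = secondary
	}
	return mint(&x509.Certificate{
		DNSNames: []string{dnsName}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, signer)
}

// bundleHasBoth is the webhook validation check: an existing PEM caBundle must carry both CAs.
func bundleHasBoth(bundle []byte, primary, secondary *keyedCert) bool {
	foundP, foundS := false, false
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		foundP = foundP || string(block.Bytes) == string(primary.cert.Raw)
		foundS = foundS || string(block.Bytes) == string(secondary.cert.Raw)
	}
	return foundP && foundS
}
```

The point of the staggered 6-month/1-year pair is visible in `reconcileCAs`: after a fresh bootstrap only the primary falls into the 90-day window first, so a later restart regenerates one CA while the other stays valid, and because every restart re-signs the serving certificate with the newest CA and requires both CAs in the webhook's caBundle, the apiserver keeps trusting the webhook across the rotation. Reading and writing the secret, and creating or patching the webhook configurations, are the parts this example leaves to the real controller.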