k8s
Copy labels onto the resources created by the request-cert process
It'd be easier to clean up all the resources created by us if we were to put labels on the CSRs and Secrets when we create them. Currently our docs have to instruct users to clean those up separately from everything else because they don't have the expected labels.
It should be easy enough to use the Kubernetes downward API to get the pod's labels from within the request-cert init container, then copy all of them verbatim into all CSRs and Secrets we create.
This would make a good starter task for anyone interested in playing around with Kubernetes.
cc @mberhault @bobvawter
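The approach proposed above, as an added example that is not code from the cockroachdb/k8s repository: it parses the file a downwardAPI volume writes for `metadata.labels` (one `key="value"` pair per line, value Go-quoted) and merges the result into the label map of a CSR or Secret before it is created. The function names, the sample labels and the choice to keep an object's own label on a key conflict are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ParseDownwardLabels reads a downwardAPI labels file: one key="value"
// pair per line, with the value written as a Go-quoted string.
func ParseDownwardLabels(r io.Reader) (map[string]string, error) {
	labels := map[string]string{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		key, quoted, ok := strings.Cut(sc.Text(), "=")
		if !ok || key == "" {
			return nil, fmt.Errorf("line %d: expected key=\"value\"", n)
		}
		val, err := strconv.Unquote(quoted)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad value for %q: %w", n, key, err)
		}
		labels[key] = val
	}
	return labels, sc.Err()
}

// CopyLabels returns the labels for an object about to be created (CSR or
// Secret): all pod labels, plus the object's own, which win on conflict.
func CopyLabels(obj, pod map[string]string) map[string]string {
	out := make(map[string]string, len(obj)+len(pod))
	for k, v := range pod {
		out[k] = v
	}
	for k, v := range obj {
		out[k] = v
	}
	return out
}

// Constructed sample of the mounted labels file; not taken from a real pod.
const sampleLabels = "app=\"cockroachdb\"\nstatefulset.kubernetes.io/pod-name=\"cockroachdb-0\"\n"

func main() {
	pod, err := ParseDownwardLabels(strings.NewReader(sampleLabels))
	fmt.Println(CopyLabels(map[string]string{"created-by": "request-cert"}, pod), err)
}
```

With the labels in place, the CSRs and Secrets can be selected and deleted with the same label selector as the rest of the deployment.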
I would like to contribute to this issue. @a-robinson @petermattis @danhhz is this still relevant? Thank you.
Hi! I'm an SRE at CRL. The SRE team does lots of k8s stuff. If you want to do this, I can review the PR.
Are you doing it because you want to solve this specific problem? Or are you doing it because you are more generally interested in contributing to CRDB k8s stuff?
I ask because we may move away from this approach. If you are interested more generally in contributing, there might be better ways to help.
Hi @joshimhoff, I'm doing this out of general interest. Let me know how we can make this better; it would be awesome if I can help!
I also noticed a few things about this repo itself.
1. Hasn't got any vendor files. Example: go.mod, go.sum, etc.
2. When I vendored the code I quickly noticed that the api versions in use are outdated. One example is for instance Core() is now CoreV1(): https://github.com/cockroachdb/k8s/blob/master/request-cert/k8s_certificates.go#L193
3. Missing tests.
Thought it would be worth mentioning. On the other hand, there might be reasons for doing this, which I may not have context on.
1, 2, and 3 would all be great improvements. I think they are all higher priority than the issue mentioned here. Especially tests.
@joshimhoff should I create separate issues under the cockroachdb/k8s to fix them?
Also,
> I ask because we may move away from this approach.

Would be interested in knowing more about that 😊.
Thank you.
> should I create separate issues under the cockroachdb/k8s to fix them?

Yes! Thank you.
> Would be interested in knowing more about that

Nothing specific at all. We are beginning work on a k8s operator (https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) for CRDB, which we hope will become the main way to run CRDB on k8s. This doesn't imply retiring request-cert; probably at first the operator will depend on request-cert instead. But I also wonder if we'll rethink our approach as part of the operator work. No specific plans though, just a musing!
@vladdy can tell you more about the operator. It's not yet open source but it would be a great place to eventually contribute, if you are interested.