redpanda-operator icon indicating copy to clipboard operation
redpanda-operator copied to clipboard
verified publisher icon redpanda-data

Enable webhook conversion patch in kustomization

Open RafalKorepta opened this issue 1 year ago • 10 comments

https://github.com/redpanda-data/redpanda-operator/pull/143/commits/b4809a1be725d3910f5b805e6aaf5dbc3890567a

Enable webhook conversion patch in kustomization

Kustomization is not recommented in our official documentation, but those kustomization patch are neccessery for Redpanda conversion

https://github.com/redpanda-data/redpanda-operator/pull/143/commits/605ec3a016980c20d3109026007ee42c78ffb43e

Fix ApiVersion overwrite during conversion

During conversion webhook handler controller-runtime sets desire meta api version of the destination resource from the Kubernetes API server request. Round trip marshall and unmarshall is overwriting metadata.

Reference

https://github.com/kubernetes-sigs/controller-runtime/blob/f4ca78ebc00a4717ecd1c2daea1874d69ddd0137/pkg/webhook/conversion/conversion.go#L101

RafalKorepta avatar May 17 '24 14:05 RafalKorepta

I think we might need to make some changes to the rbac kustomization.yaml as well?

chrisseto avatar May 17 '24 19:05 chrisseto

Oh wait, I think I missed something.

So we don't need to register a Mutating or Validating webhook? We just need there to exist a webhook service?

chrisseto avatar May 17 '24 19:05 chrisseto

Dang and we'll need to rush out an update to the docs as installing the CRDs through kustomize isn't going to work any more .

The helm chart will need to override the webhook settings to ensure everything is configured appropriately. What a headache.

chrisseto avatar May 17 '24 19:05 chrisseto

Yes, but webhook would register handlers for validating and mutating requests. Currently there is no logic around that in Tedpanda custom resource.

RafalKorepta avatar May 17 '24 19:05 RafalKorepta

I don't understand why CRD installation will not work anymore. I can only imagine that there is dependency on certificate. Our operator helm chart could create the self sign cert and eventually cert manager injector would include ca bundle.

RafalKorepta avatar May 17 '24 19:05 RafalKorepta

The service name and namespace need to be configured in order for the CRD's to work.

For example, for the helm chart the conversion strategy gets set to:

  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: '{{ include "redpanda-operator.fullname" $ }}-webhook-service'
          namespace: '{{ $.Release.Namespace }}'
          path: /convert
      conversionReviewVersions:
      - v1

chrisseto avatar May 17 '24 19:05 chrisseto

You are right. To not break users we should move to operator helm chart for consistency. I wouldn't recommend kustomization (addidiontal layer) that would take inputs to correctly render CRD.

RafalKorepta avatar May 17 '24 19:05 RafalKorepta

Want to jump on a slack huddle so we can try to tie this up and let you get to sleep?

I think kustomize is actually fine but we'd have to support kustomize for installing the entire operator which isn't happening before the weekend.

chrisseto avatar May 17 '24 20:05 chrisseto

I moved PR to draft as #144 should fix our current broken deployment.

RafalKorepta avatar May 20 '24 16:05 RafalKorepta

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar May 20 '24 18:05 CLAassistant