Rename root-certificate to brupop-selfsigned-ca #595

Status: Open. Wants to merge 1 commit into base: develop.
33 changes: 23 additions & 10 deletions bottlerocket-update-operator.yaml
@@ -196,6 +196,15 @@ spec:
subresources:
status: {}
---
# Source: bottlerocket-update-operator/templates/controller-priority-class.yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: brupop-controller-high-priority
namespace: brupop-bottlerocket-aws
preemptionPolicy: Never
value: 1000000
---
Comment on lines +199 to +207
Contributor:
When running `make manifest` this ends up at the end rather than here. We might just move this to the end of the file to avoid it creating a dirty tree when running it; functionally it works the same.

# Source: bottlerocket-update-operator/templates/agent-service-account.yaml
apiVersion: v1
kind: ServiceAccount
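Review bot: `PriorityClass` is cluster-scoped, so the `namespace: brupop-bottlerocket-aws` line at +204 is discarded by the API server on admission and only misleads readers of the manifest. Since the block is emitted from `templates/controller-priority-class.yaml` by `make manifest` (per the comment on +199 to +207), drop the namespace field in that template and regenerate, rather than hand-placing the block here, so the checked-in manifest matches the generator's output.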
@@ -470,6 +479,7 @@ spec:
ports:
- port: 80
targetPort: 8080
name: main
selector:
brupop.bottlerocket.aws/component: brupop-controller
---
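Review bot: naming the Service port `main` at +482 is unrelated to the rename in the PR title and has no visible counterpart in the chart templates in this diff. If it came from regenerating the manifest against a newer chart, say so in the commit message; otherwise move it to its own change so the certificate rename can be reviewed in isolation.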
@@ -653,6 +663,12 @@ spec:
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
volumeMounts:
- mountPath: /etc/brupop-tls-keys
name: bottlerocket-tls-keys
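Review bot: +666 to +671 caps this container at 256Mi with no CPU limit. A memory-only limit is a reasonable choice, but document where 256Mi comes from: if this is the apiserver container that serves the CRD conversion webhook (`/crdconvert`, referenced from the CRD in this same PR), an OOM-kill turns a resource tuning change into failed API requests for every `BottlerocketShadow` version conversion.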
@@ -721,7 +737,13 @@ spec:
value: "info"
image: public.ecr.aws/bottlerocket/bottlerocket-update-operator:v1.3.0
name: brupop
priorityClassName: brupop-controller-high-priority
resources:
limits:
memory: 256Mi
requests:
cpu: 10m
memory: 40Mi
priorityClassName: "brupop-controller-high-priority"

serviceAccountName: brupop-controller-service-account
---
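Review bot: the `priorityClassName` change in this hunk only adds quotes around `brupop-controller-high-priority` and moves the line below the new `resources` block, and the added blank line before `serviceAccountName` leaves a stray empty line inside the pod spec. Keep the original `priorityClassName` line untouched and drop the blank line so the diff shows only the real change (the `resources` block).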
@@ -804,12 +826,3 @@ metadata:
namespace: brupop-bottlerocket-aws
spec:
selfSigned: {}
---
# Source: bottlerocket-update-operator/templates/controller-priority-class.yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: brupop-controller-high-priority
namespace: brupop-bottlerocket-aws
preemptionPolicy: Never
value: 1000000
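Review bot: this removal, together with the identical block re-added at +199 to +207, is a pure move, and the comment on those lines says `make manifest` emits the `PriorityClass` at the end of the file. The next regeneration will therefore undo the move and produce a dirty tree, so either leave the block here or change the generator's ordering so the two agree.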
2 changes: 1 addition & 1 deletion deploy/tests/golden/custom-resource-definition.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: brupop-bottlerocket-aws/root-certificate
cert-manager.io/inject-ca-from: brupop-bottlerocket-aws/brupop-selfsigned-ca
name: bottlerocketshadows.brupop.bottlerocket.aws
spec:
conversion:
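Review bot: `cert-manager.io/inject-ca-from` must reference a cert-manager `Certificate` as `namespace/name`. The only cert-manager object visible in this diff is the one at -804 with `spec.selfSigned: {}`, which is an Issuer, so confirm that `brupop-selfsigned-ca` is the `metadata.name` of a `Certificate` in `brupop-bottlerocket-aws` and not the Issuer; if it is the Issuer, cainjector will not populate `caBundle` and the API server will be unable to verify the conversion webhook's certificate.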
193 changes: 193 additions & 0 deletions deploy/tests/snapshots/insta_tests__generated_crds.snap.new
@@ -0,0 +1,193 @@
---
Contributor:
Was this file autogenerated? I'm not sure where it came from?

source: deploy/tests/insta_tests.rs
assertion_line: 30
expression: crds
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: brupop-bottlerocket-aws/brupop-selfsigned-ca
name: bottlerocketshadows.brupop.bottlerocket.aws
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: brupop-apiserver
namespace: brupop-bottlerocket-aws
path: /crdconvert
port: 443
conversionReviewVersions:
- v2
- v1
group: brupop.bottlerocket.aws
names:
kind: BottlerocketShadow
plural: bottlerocketshadows
shortNames:
- brs
singular: bottlerocketshadow
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.current_state
name: State
type: string
- jsonPath: .status.current_version
name: Version
type: string
- jsonPath: .spec.state
name: Target State
type: string
- jsonPath: .spec.version
name: Target Version
type: string
- jsonPath: .status.crash_count
name: Crash Count
type: string
name: v2
schema:
openAPIV3Schema:
description: Auto-generated derived type for BottlerocketShadowSpec via `CustomResource`
properties:
spec:
description: The `BottlerocketShadowSpec` can be used to drive a node through the update state machine. A node linearly drives towards the desired state. The brupop controller updates the spec to specify a node's desired state, and the host agent drives state changes forward and updates the `BottlerocketShadowStatus`.
properties:
state:
description: Records the desired state of the `BottlerocketShadow`
enum:
- Idle
- StagedAndPerformedUpdate
- RebootedIntoUpdate
- MonitoringUpdate
- ErrorReset
type: string
state_transition_timestamp:
description: The time at which the most recent state was set as the desired state.
nullable: true
type: string
version:
description: The desired update version, if any.
nullable: true
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
type: string
required:
- state
type: object
status:
description: '`BottlerocketShadowStatus` surfaces the current state of a bottlerocket node. The status is updated by the host agent, while the spec is updated by the brupop controller.'
nullable: true
properties:
crash_count:
format: uint32
minimum: 0.0
type: integer
current_state:
description: BottlerocketShadowState represents a node's state in the update state machine.
enum:
- Idle
- StagedAndPerformedUpdate
- RebootedIntoUpdate
- MonitoringUpdate
- ErrorReset
type: string
current_version:
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
type: string
state_transition_failure_timestamp:
nullable: true
type: string
target_version:
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
type: string
required:
- crash_count
- current_state
- current_version
- target_version
type: object
required:
- spec
title: BottlerocketShadow
type: object
served: true
storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.current_state
name: State
type: string
- jsonPath: .status.current_version
name: Version
type: string
- jsonPath: .spec.state
name: Target State
type: string
- jsonPath: .spec.version
name: Target Version
type: string
name: v1
schema:
openAPIV3Schema:
description: Auto-generated derived type for BottlerocketShadowSpec via `CustomResource`
properties:
spec:
description: The `BottlerocketShadowSpec` can be used to drive a node through the update state machine. A node linearly drives towards the desired state. The brupop controller updates the spec to specify a node's desired state, and the host agent drives state changes forward and updates the `BottlerocketShadowStatus`.
properties:
state:
description: Records the desired state of the `BottlerocketShadow`
enum:
- Idle
- StagedUpdate
- PerformedUpdate
- RebootedIntoUpdate
- MonitoringUpdate
type: string
state_transition_timestamp:
description: The time at which the most recent state was set as the desired state.
nullable: true
type: string
version:
description: The desired update version, if any.
nullable: true
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
type: string
required:
- state
type: object
status:
description: '`BottlerocketShadowStatus` surfaces the current state of a bottlerocket node. The status is updated by the host agent, while the spec is updated by the brupop controller.'
nullable: true
properties:
current_state:
description: BottlerocketShadowState represents a node's state in the update state machine.
enum:
- Idle
- StagedUpdate
- PerformedUpdate
- RebootedIntoUpdate
- MonitoringUpdate
type: string
current_version:
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
type: string
target_version:
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
type: string
required:
- current_state
- current_version
- target_version
type: object
required:
- spec
title: BottlerocketShadow
type: object
served: true
storage: false
subresources:
status: {}
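Review bot: `insta_tests__generated_crds.snap.new` is insta's pending-snapshot file, written when the `crds` assertion at `deploy/tests/insta_tests.rs:30` (per the snapshot header) no longer matched the stored snapshot; it should not be committed. Run `cargo insta review` (or `cargo insta accept`) so the update lands in the corresponding `.snap` file, delete the `.snap.new`, and consider adding `*.snap.new` to `.gitignore` so this cannot recur.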

2 changes: 1 addition & 1 deletion models/src/constants.rs
@@ -39,7 +39,7 @@ pub const PUBLIC_KEY_NAME: &str = "tls.crt";
pub const PRIVATE_KEY_NAME: &str = "tls.key";
pub const TLS_KEY_MOUNT_PATH: &str = "/etc/brupop-tls-keys";
// Certificate object name
pub const ROOT_CERTIFICATE_NAME: &str = "root-certificate";
pub const ROOT_CERTIFICATE_NAME: &str = "brupop-selfsigned-ca";
Contributor:
I think this is probably safe, but I'm digging into how we use cert-manager under the hood to ensure we aren't going to break something else down the line. Do you happen to have links to what led you to this change?

Author:
I do not, unfortunately. I can just attest from what Jack mentions here that this resolved an issue on our end.

@v0lumehi, Dec 20, 2024:
Since it might help you: I just fixed this bug and set the value to `cert-manager.io/inject-ca-from: brupop-bottlerocket-aws/brupop-apiserver-certificate` in the CRD.

// Label keys
pub const LABEL_COMPONENT: &str = brupop_domain!("component");
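Review bot: the comment on `ROOT_CERTIFICATE_NAME` says it is the `Certificate` object name, and the golden CRD in this PR changes its `inject-ca-from` annotation in lockstep with it, so the value must equal `metadata.name` of the cert-manager `Certificate` in the chart. No file under `bottlerocket-update-operator/templates/` is touched in this diff, so either a `Certificate` named `brupop-selfsigned-ca` already exists in the chart (link it in the commit message, as asked above) or the template needs the matching rename in the same PR. A test that renders the chart and asserts the annotation's target exists as a `Certificate` would catch this kind of drift in future.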