Mlo 133 create admission controller #906
Conversation
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
parikls
force-pushed
the
MLO-133-create-admission-controller
branch
from
e7451fe to
2767261
Compare
MLO-133: charts
| LABEL_APOLO_ORG_NAME = "platform.apolo.us/org" | ||
| LABEL_APOLO_PROJECT_NAME = "platform.apolo.us/project" | ||
| LABEL_APOLO_STORAGE_MOUNT_PATH = "platform.apolo.us/storage.mountPath" | ||
| LABEL_APOLO_STORAGE_HOST_PATH = "platform.apolo.us/storage.hostPath" |
There was a problem hiding this comment.
@zubenkoivan two questions here:
- since this will be a single label of a JSON type, I think we can support multiple mounts?
- WDYT about a name
platform.apolo.us/injectStorage? orplatform.apolo.us/storage.Inject?
There was a problem hiding this comment.
let's use platform.apolo.us/inject-storage
- add label selector for admission controller - use new secrets - refactoring of a webhook and an admission controller
| subjects: | ||
| - kind: ServiceAccount | ||
| name: {{ .Values.admissionController.app_name}} | ||
| namespace: platform |
There was a problem hiding this comment.
| namespace: platform | |
| namespace: {{ .Release.Namespace }} |
| subjects: | ||
| - kind: ServiceAccount | ||
| name: {{ .Values.admissionController.app_name }} | ||
| namespace: platform |
There was a problem hiding this comment.
| namespace: platform | |
| namespace: {{ .Release.Namespace }} |
|
|
||
| context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) | ||
|
|
||
| crt_file = tempfile.NamedTemporaryFile(mode="w", delete=False, suffix='.crt') |
There was a problem hiding this comment.
You can use it also as a context manager instead and pass delete=True, delete_on_close=False
| value=[] | ||
| ) | ||
|
|
||
| for mount_path, storage_path in injection_spec.items(): |
There was a problem hiding this comment.
We should also support volume mount modes (readonly, readwrite). We support them in cli
| future_volume_name = create_injection_volume_name() | ||
|
|
||
| # add a volume host path | ||
| admission_review.add_patch( |
There was a problem hiding this comment.
There can be multiple volumes. For example user wants to mount storages of different orgs and copy data between them.
| kind: Deployment | ||
| metadata: | ||
| name: {{ .Values.admissionController.app_name }} | ||
| namespace: platform |
There was a problem hiding this comment.
let's not define namespace, helm by default installs resources in the namespace where helm release is created
| kind: Service | ||
| metadata: | ||
| name: {{ .Values.admissionController.app_name }}-svc | ||
| namespace: platform |
There was a problem hiding this comment.
let's remove namespace
|
|
||
|
|
||
| admissionController: | ||
| app_name: "storage-admission-controller" |
There was a problem hiding this comment.
let's remove it and use generated name
| labels.get("app") == LABEL_PLATFORM_STORAGE_POD and | ||
| labels.get("service") == LABEL_PLATFORM_STORAGE_POD | ||
| ): | ||
| return await self._handle_new_platform_storage_pod( |
There was a problem hiding this comment.
I was thinking that we could mount all volumes to admission controller. In this case we won't need to listen to changes in platform storage pods, it will have the latest available volumes. We will only need to load volumes of the pod hosting this service during startup. wdyt?
| failurePolicy: Fail | ||
| objectSelector: | ||
| matchLabels: | ||
| platform.apolo.us/storage-injection-webhook: "enabled" |
There was a problem hiding this comment.
| platform.apolo.us/storage-injection-webhook: "enabled" | |
| platform.apolo.us/inject-storage: "true" |
wdyt?
No description provided.