Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Integration of certmanager for IntegrationSink #8385

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

WIP: Integration of certmanager for IntegrationSink #8385

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
5f7e255
Adding cert-mananger bits
matzew Nov 15, 2024
ee13099
Adding create cert manifest function
matzew Nov 29, 2024
f9dedc8
Use the make cert
matzew Dec 9, 2024
ca17520
Reconcile Certificate manifest and add RBAC
matzew Dec 10, 2024
cf6993b
Add secret filter to controller
matzew Dec 10, 2024
61d3b03
Look up secrets/certs for sink
matzew Dec 10, 2024
df66e7b
Remove old/wrong Certificate manifest and reference
matzew Dec 10, 2024
1996086
Fix controller compile
matzew Dec 10, 2024
965be22
Formatting
matzew Dec 10, 2024
7eb11b1
change the reconcile of cert manifest, and run it only w/ some form o…
matzew Dec 11, 2024
b343e1c
using filtered informer
matzew Dec 11, 2024
a0d401e
Adding Rekt test for IntegrationSink TLS support
matzew Dec 13, 2024
3e1e2a7
adding a bit of https port for deployment/service of the IntegrationSink
matzew Dec 13, 2024
a01d2a7
Mounting secrets and setting quarkus env vars for TLS support
matzew Dec 16, 2024
a2f502d
Adding flags for different TLS levels resulting in diffeerent quarkus…
matzew Dec 17, 2024
838ac03
Add knobs for tls support on controllers
matzew Dec 17, 2024
17f8e71
Remove bad comment
matzew Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions cmd/controller/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,15 @@ import (
// Uncomment the following line to load the gcp plugin (only required to authenticate against GKE clusters).
// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"

"knative.dev/eventing/pkg/apis/feature"
"knative.dev/eventing/pkg/client/certmanager/injection/informers/acme/v1/challenge"
v1certificate "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
"knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificaterequest"
"knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/clusterissuer"
"knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/issuer"
"knative.dev/pkg/injection"
"knative.dev/pkg/injection/sharedmain"
"knative.dev/pkg/logging"

filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
"knative.dev/pkg/signals"
Expand Down Expand Up @@ -53,8 +61,19 @@ func main() {
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
sinks.JobSinkJobsLabelSelector,
"app.kubernetes.io/name",
)

var featureStore *feature.Store
featureStore = feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
featureFlags := value.(feature.Flags)
if !featureFlags.IsDisabledTransportEncryption() && featureStore != nil {
for _, inf := range []injection.InformerInjector{challenge.WithInformer, v1certificate.WithInformer, certificaterequest.WithInformer, clusterissuer.WithInformer, issuer.WithInformer} {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this does not work, when changing the feature cfg afterwards. In the controller.go of the integrationsink I am getting a nil pointer... when accessing the cmCertificateLister there.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it doesn't, we could start / stop the informer manually without injection based on the value

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could start / stop the informer manually without injection based on the value

you mean the "cert manager" informers, right? start / stop based on cfg change of the config-feature CM?

Any pointer to similar code for this?

Copy link
Member

@pierDipi pierDipi Dec 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here we start a "custom" configmap informer using the factory

eventing/pkg/adapter/v2/main.go

Lines 227 to 250 in b00da59

// Manually create a ConfigMap informer for the env.GetNamespace() namespace to have it
// optionally created when needed.
infFactory := informers.NewSharedInformerFactoryWithOptions(
kubeclient.Get(ctx),
controller.GetResyncPeriod(ctx),
informers.WithNamespace(env.GetNamespace()),
informers.WithTweakListOptions(func(options *metav1.ListOptions) {
options.LabelSelector = eventingtls.TrustBundleLabelSelector
}),
)
go func() {
<-ctx.Done()
infFactory.Shutdown()
}()
inf := infFactory.Core().V1().ConfigMaps()
_ = inf.Informer() // Actually create informer
trustBundleConfigMapLister = inf.Lister().ConfigMaps(env.GetNamespace())
infFactory.Start(ctx.Done())
_ = infFactory.WaitForCacheSync(ctx.Done())

the "stop" is based on the passed context and there we can use the usual "context / cancel" pair

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

Copy link
Contributor

@skonto skonto Dec 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A bit of background info. We discussed a more dynamic approach in the past here. Serving requires for the controller pod to be restarted. In general making it dynamic here makes more sense as it reacts on some cm change and you can freely define your main stuff as in the adapter's main. For Serving once you disable encryption there will be downtime afaik and we wanted minimal changes back then to move with the internal encryption feature. cc @ReToCode if he has anything to add/correct me.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@skonto so you suggest going the route via knative/pkg#2989 ?

Copy link
Contributor

@skonto skonto Jan 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It depends on the UX. If you dont want a pod restart you need the dynamic informer addition/removal. The flag just avoids generating by default the init code that registers an informer factory and the related informer. We don't want to register that immediately because the feature might be disabled. We cant do this dynamically without a restart because registration does not start the informer we have to wait for sharedmain to do this. So right now once sharedmain does start the controllers and the informers you can't start a new one but potentially we could extend sharedmain to do this.

injection.Default.RegisterInformer(inf)
}
}
})

sharedmain.MainWithContext(ctx, "controller",
// Messaging
channel.NewController,
Expand Down
48 changes: 0 additions & 48 deletions config/core-tls/integration-sink-tls-certificate.yaml
View file
Open in desktop

This file was deleted.

29 changes: 29 additions & 0 deletions config/core/roles/controller-clusterroles.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -221,3 +221,32 @@ rules:
- "delete"
- "patch"
- "watch"

- apiGroups:
- "cert-manager.io"
resources:
- "certificates"
- "clusterissuers"
- "certificaterequests"
- "issuers"
verbs:
- "get"
- "list"
- "create"
- "update"
- "delete"
- "patch"
- "watch"

- apiGroups:
- "acme.cert-manager.io"
resources:
- "challenges"
verbs:
- "get"
- "list"
- "create"
- "update"
- "delete"
- "patch"
- "watch"
6 changes: 4 additions & 2 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ go 1.22.7

require (
github.com/ahmetb/gen-crd-api-reference-docs v0.3.1-0.20210420163308-c1402a70e2f1
github.com/cert-manager/cert-manager v1.13.3
github.com/cloudevents/conformance v0.2.0
github.com/cloudevents/sdk-go/observability/opencensus/v2 v2.15.2
github.com/cloudevents/sdk-go/protocol/mqtt_paho/v2 v2.0.0-20240508060731-1ed9471c98bd
Expand Down Expand Up @@ -60,7 +61,7 @@ require (
github.com/blendle/zapdriver v1.3.1 // indirect
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.12.1 // indirect
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
Expand All @@ -84,7 +85,7 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_golang v1.19.1 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
Expand Down Expand Up @@ -119,6 +120,7 @@ require (
k8s.io/klog v1.0.0 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20240808142205-8e686545bdb8 // indirect
sigs.k8s.io/gateway-api v0.8.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)
10 changes: 8 additions & 2 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,8 @@ github.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
github.com/cert-manager/cert-manager v1.13.3 h1:3R4G0RI7K0OkTZhWlVOC5SGZMYa2NwqmQJoyKydrz/M=
github.com/cert-manager/cert-manager v1.13.3/go.mod h1:BM2+Pt/NmSv1Zr25/MHv6BgIEF9IUxA1xAjp80qkxgc=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
Expand Down Expand Up @@ -91,8 +93,9 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
Expand Down Expand Up @@ -327,8 +330,9 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
Expand Down Expand Up @@ -850,6 +854,8 @@ knative.dev/reconciler-test v0.0.0-20241223131247-96258bea6ce4/go.mod h1:zDapuiJ
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/gateway-api v0.8.0 h1:isQQ3Jx2qFP7vaA3ls0846F0Amp9Eq14P08xbSwVbQg=
sigs.k8s.io/gateway-api v0.8.0/go.mod h1:okOnjPNBFbIS/Rw9kAhuIUaIkLhTKEu+ARIuXk2dgaM=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
Expand Down
14 changes: 14 additions & 0 deletions hack/update-codegen.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,13 @@ kube::codegen::gen_client \
--with-watch \
"${REPO_ROOT_DIR}/pkg/apis"

kube::codegen::gen_client \
Copy link
Contributor

@skonto skonto Jan 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matzew You can clean up this as in https://github.com/knative/serving/pull/15703/files#diff-149dfe7bb29d1191dceae3a52915e750e64b7f87257a5fb309c29d3056e2a95d. We are removing the generated clientsets in favor of the original ones

--boilerplate "${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt" \
--output-dir "${REPO_ROOT_DIR}/pkg/client/certmanager" \
--output-pkg "knative.dev/eventing/pkg/client/certmanager" \
--with-watch \
"${REPO_ROOT_DIR}/vendor/github.com/cert-manager/cert-manager/pkg/apis"

group "Knative Codegen"

# Knative Injection
Expand All @@ -52,6 +59,13 @@ ${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
"sinks:v1alpha1 eventing:v1alpha1 eventing:v1beta1 eventing:v1beta2 eventing:v1beta3 eventing:v1 messaging:v1 flows:v1 sources:v1alpha1 sources:v1beta2 sources:v1 duck:v1beta1 duck:v1" \
--go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt

# Knative Injection (for cert-manager)
${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
knative.dev/eventing/pkg/client/certmanager github.com/cert-manager/cert-manager/pkg/apis \
"certmanager:v1 acme:v1" \
--disable-informer-init \
--go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt

group "Generating API reference docs"

${REPO_ROOT_DIR}/hack/update-reference-docs.sh
Expand Down
133 changes: 133 additions & 0 deletions pkg/client/certmanager/clientset/versioned/clientset.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading