feat: default extra SANs for docker for a working cluster #20
Conversation
Missed when reorganising example kustomizations in previous PR.
- Defines a cluster-level variable for defining one or more users - Patches bootstrap templates for control plane and worker node pools with user configuration
Co-authored-by: Faiq <[email protected]> Signed-off-by: Deepak Muley <[email protected]>
Address review comments
Expand comments
Without this, defaults declared in the JSON schema are not included in validation steps, which can lead to invalid failures, while also not allowing for tests that target defaults.
Fix typo in lockPassword logic, and add unit test
feat: Add examples for Nutanix provider
Add unit test for empty hashed password
Change Sudo field from pointer to value The zero value (empty string) is not valid, so the field does not need to be a pointer.
Make username required
Explain why we do not validate hashed password input
Explain why we do not validate sudo input
Update type comments
Remove errant comment
Add users to the docs site
Manually wrap lines in doc
Also deploy infra provider versions that match the API.
CPI is a term unique to the vSphere CCM. Renaming to the more generic "CCM".
feat: add nutanix csi
faiq
force-pushed
the
faiq/docker-extra-sans
branch
2 times, most recently
from
9d6b755
to
c5aa24e
Compare
| if err := h.client.Get(ctx, clusterKey, cluster); err != nil { | ||
| return err | ||
| } | ||
| defaultAPICertSANs := getDefaultAPIServerSANs(cluster) |
There was a problem hiding this comment.
IIRC from the call last week, we wanted to also set defaults in the API either here (if we get the required info of what infra provider it is) or here, that way it shows up if the user doesn't set anything.
We also talked about adding the defaults in the handler as you have here so that the user doesn't need also worry about the defaults and break the cluster.
There was a problem hiding this comment.
I thought this would be a "add defaults in handler" scenario because the wrong settings or not including these could break the cluster, which would need to be done in the handler.
There was a problem hiding this comment.
I was thinking about this some more, I wonder if we are working around the limitation of not having a mutating webhook.
What we want is to show in the API what values are being set.
Setting it in openapi schema works for defaults, but then when a user overrides it we get these implicit defaults getting added in the handler then then doesn't show up in the Cluster object.
Should we finally work on adding the webhook? It would help with this work and other similar scenarios.
There was a problem hiding this comment.
Yes! this should definitely be a webhook, but I think that requires a bigger scope than this.
There was a problem hiding this comment.
Setting it in openapi schema works for defaults, but then when a user overrides it we get these implicit defaults getting added in the handler then then doesn't show up in the Cluster object
Can you please explain a bit further? what needed to show up in Cluster object ? Wont extra SANs will be updated in KubeadmControlPlaneTemplate when the mutator adds them?
There was a problem hiding this comment.
Thanks for talking with me and explaining how webhook could work.
* docs: use an env for KUBERNETES_VERSION * docs: use a more widely available Kubernetes version Makes the command more copy-paste friendly. Kubernetes v1.28.7 is supported here by Docker, AWS and CAPX.
* fix: added support for capx * refactor: reuse existing CAPX types * fix: set allowed enums for Nutanix resource types * fix: set required for Nutanix node type * fix: reuse resource.Quantity types * fix: set defaults and validation * fix: rename field to subnets * refactor: fix handlers after API changes * test: add new unit tests * refactor: bring back host instead of address * fix: examples with updated APIs * fix: using latest capx private brach to test kube-vip fix * fix: set namespace for credentialRef The patch failed with the following error: got failure response with message failed to apply JSON patches to input: replace operation does not apply: doc is missing key: /spec/template/spec/prismCentral/credentialRef/namespace: missing value. * docs: fix users example * docs: deploying Calico for Nutanix * fix: added basic docs for nutanix mutations * fix: lint related fixes * docs: minor changes --------- Co-authored-by: Dimitri Koshkin <[email protected]>
* refactor: use a string type for Nutanix's AdditionalTrustBundle Use a string instead of a ConfigMap reference to make it easier for both the handlers to use, and the clients to set in the API. * fix: force insecure: false with additionalTrustBundle
|
WDYT of creating new separate patch for extraAPIServerCertSANsPatch for dockerExtraAPIServerCertSANsPatch |
* test: unit test for individual patch generator * test: package level unit test for HTTPProxy * test: fix data race between multiple unit test that use envtest * test: make patchgenerator generic function * fix: linting errors after rebase from main
* test: unit test for individual patch generator * test: package level unit test for HTTPProxy * test: move region and httpproxy patch generator unit test invocation * fix: linting errors * test: move all AWS patch unit tests to their own packages (#24) * test: move instanceprofile tests to its own package * test: move instancetype unit tests to its own package * test: move ami unit tests to its own package * test: move aws network tests to its own package * test: move controlplaneloadbalancer unit tests to its own package * test: move aws cni unit tests to its own package * test: fix linting errors * test: unit tests for AWS security groups * test: move customimage unit tests to their own package (#30) * test: move all Nutanix patch handler unit tests (#32) * test: move controlplane endpoint unit tests * test: move PC endpoint unit tests * test: nove machinedetails unit tests * test: move generic patch unit tests to own packages (#31) * test: move audit policy tests to their own package * test: move etcd unit tests to their own package * test: move extra api server cert sans to its own package * test: move image registry unit tests to its own package * test: move kubernetes image repository unit tests * test: move mirror unit tests * test: move users unit tests * test: remove gereric unit tests from nutanix meta patch handler * test: cleaned up meta level unit test suites
* feat: Make containerd restart its own patch * fix: unit tests for kubeadmconfigtemplate with containerdrestart patch * fix: add comment for always add containerd patch * test: move unit test to their own package --------- Co-authored-by: Shalin Patel <[email protected]>
faiq
force-pushed
the
faiq/docker-extra-sans
branch
from
8365401
to
2866602
Compare
A bit more details: I think it would be cleaner to have provider specific logic in the provider's handler. i.e. |
I disagree. I think adding another handler that touches the same exact fields on objects can be more prone to errors and harder for a developer to discover what gets applied when |
No description provided.