console OCPBUGS-15827: Use sigs.k8s.io certwatcher for console serving certs

Use CertWatcher to update console serving certificates at runtime.

Dec 18 '23 20:12 TheRealJon

@TheRealJon: This pull request references Jira Issue OCPBUGS-15827, which is invalid:

expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Use CertWatcher to update console serving certificates at runtime.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Dec 19 '23 15:12 openshift-ci-robot

/jira refresh

Dec 19 '23 15:12 TheRealJon

@TheRealJon: This pull request references Jira Issue OCPBUGS-15827, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.16.0) matches configured target version for branch (4.16.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @juzhao

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Dec 19 '23 15:12 openshift-ci-robot

/retest

Jan 03 '24 21:01 TheRealJon

Please try to minimize any use of controller-runtime, they are known to do things the weird way which oftentimes results in weird bugs.

Have a look at how actual kubernetes does this for its binaries - in https://github.com/kubernetes/kubernetes/blob/246d363ea4bab2ac99a938d0cee73d72fc44de45/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go#L107-L145

Jan 04 '24 15:01 stlaz

/hold based on the above comment

Jan 04 '24 15:01 stlaz

@stlaz https://github.com/openshift/console-operator/pull/822 includes a similar change. Should we create a follow-on story to move the console webhook server away from controller-runtime as well?

Also, we use controller-runtime Client in our OperandsListHandler. Client and CertWatcher are all we use from that package, and they both seem to be pretty stable in the current version we are using. Is it worth rolling a new solution to move away from this package? I'm okay with doing that if it's worthwhile but just wanted to push back a little since this does seem to work fine for us as it is.

Jan 04 '24 17:01 TheRealJon

For any new code such as this, I'd suggest checking the core Kube code first. Consider the Kube serving logic for the webhook too, to be consistent among your binaries. Note that this serving logic is already baked in to your operator for its metrics endpoint. It would be great if the whole console was capable of eventually moving towards the standard upstream options system that uses this automatically.

Jan 05 '24 08:01 stlaz

/retest

Feb 12 '24 17:02 jhadvig

@jhadvig Should we close this PR and use the k8s.io/apiserver package instead? I can open a new story for this since technically this bug was fixed by https://github.com/openshift/console-operator/pull/822 and https://github.com/openshift/console-operator/pull/833

Feb 21 '24 13:02 TheRealJon

/label tide/merge-method-squash

Feb 26 '24 17:02 TheRealJon

/hold cancel

Feb 26 '24 17:02 TheRealJon

@jhadvig This PR has been rebased and comments have been addressed. PTAL!

Feb 26 '24 17:02 TheRealJon

/retest-required

Remaining retests: 0 against base HEAD d6e2e1eb612c4f841f5ed1b11d7a5fab2e584672 and 2 for PR HEAD 805b9a485ecdf7a4a6fb80c8bcf69a2140b36c13 in total

Mar 04 '24 21:03 openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD f968847514463e0e1eed2bc068d191c4be59462f and 1 for PR HEAD 805b9a485ecdf7a4a6fb80c8bcf69a2140b36c13 in total

Mar 05 '24 17:03 openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD b3a6cdc5c456655b7c158e665cf88e8f87e66f32 and 0 for PR HEAD 805b9a485ecdf7a4a6fb80c8bcf69a2140b36c13 in total

Mar 06 '24 08:03 openshift-ci-robot

/hold

Revision 805b9a485ecdf7a4a6fb80c8bcf69a2140b36c13 was retested 3 times: holding

Mar 06 '24 13:03 openshift-ci-robot

/retest

Mar 06 '24 17:03 TheRealJon

/retest

Mar 12 '24 16:03 TheRealJon

/retest

Mar 12 '24 19:03 TheRealJon

/retest

Mar 22 '24 14:03 TheRealJon

/retest

Apr 01 '24 20:04 TheRealJon

/retest

Apr 02 '24 20:04 TheRealJon

/retest

Apr 08 '24 13:04 TheRealJon

/retest

Apr 09 '24 18:04 TheRealJon

@jhadvig Had to rebase, do you mind tagging again?

Apr 17 '24 17:04 TheRealJon

/unhold

Apr 17 '24 17:04 TheRealJon

/retest

Apr 18 '24 15:04 TheRealJon

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [TheRealJon,jhadvig]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

May 30 '24 12:05 openshift-ci[bot]

/retest-required

Remaining retests: 0 against base HEAD 03d0d6dfac3eee51ddfee013bf8d02ef1cd463da and 2 for PR HEAD 2c11c1a0f8bb9a3dd9efd5f45694e9b1ce73e669 in total

May 30 '24 13:05 openshift-ci-robot