✨ Networking config for default mode webhooks #379
base: main
Signed-off-by: Ben Perry <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: bhperry
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
// Metrics may be disabled by setting a value of "0" or "". | ||
// +optional | ||
// +kubebuilder:default=":8080" | ||
MetricsBindAddress string `json:"metricsBindAddress"` |
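Review bot: on MetricsBindAddress, the `+kubebuilder:default=":8080"` marker gives a default with no host part, so the metrics listener binds on every interface; with host networking enabled, as discussed in this PR, that puts it on the node's own addresses. Suggest stating in the field comment that a host may be given to keep the listener local (for example "127.0.0.1:8080"), and spelling out how an omitted field (defaulted to ":8080") differs from an explicit "" (disabled), since the field is marked `+optional` but the JSON tag carries no `omitempty`.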
This and the health check are commonly the same address and port with different paths.
I don't think controller-runtime supports that
I see, but do we need different addresses? Could we update the existing webhookConfiguration struct by adding healthinessPort and metricsPort into it?
I opted to use *BindAddress because:
- This is the format expected by controller-runtime. Kubebuilder generates CLI args in this same format as well.
- When HostNetwork: true is set, it may be desirable to bind healthcheck or metrics to localhost in order to prevent exposing those listeners externally
I did also consider simply adding new fields to WebhookConfiguration, but they don't apply to Hosted options so I did not think it made sense to have extra fields in the public-facing API that can only be used in some cases.
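The localhost-binding point in the comment above, as an added example (not code from this PR or from OCM): a check that classifies each bind address and reports which listeners end up on the node's addresses when hostNetwork is on. The `listener` type, the function names and the sample addresses are assumptions; treating "0" and "" as disabled follows the field comment quoted earlier, and hostnames other than `localhost` are rejected in this sketch.

```go
package main

import (
	"fmt"
	"net"
)

type listener struct{ Name, Addr string } // hypothetical name/bind-address pair

// exposure returns "disabled", "loopback", "pod-network", "node-exposed" or "invalid".
func exposure(addr string, hostNetwork bool) string {
	if addr == "" || addr == "0" { // disabled values, per the field comment
		return "disabled"
	}
	host, port, err := net.SplitHostPort(addr)
	if err != nil || port == "" {
		return "invalid"
	}
	loopback := host == "localhost"
	if host != "" && !loopback {
		ip := net.ParseIP(host)
		if ip == nil {
			return "invalid" // assumption: only IP literals and localhost accepted
		}
		loopback = ip.IsLoopback()
	}
	switch {
	case loopback:
		return "loopback"
	case hostNetwork: // pod shares the node's network namespace
		return "node-exposed"
	}
	return "pod-network"
}

// nodeExposed lists the listeners reachable on the node's own addresses.
func nodeExposed(hostNetwork bool, ls []listener) []string {
	var out []string
	for _, l := range ls {
		if exposure(l.Addr, hostNetwork) == "node-exposed" {
			out = append(out, l.Name)
		}
	}
	return out
}

func main() {
	// Constructed sample: hostNetwork on, metrics at ":8080", health probe on loopback.
	fmt.Println(nodeExposed(true, []listener{{"metrics", ":8080"}, {"healthProbe", "127.0.0.1:8000"}}))
}
```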
Hrm, I think it might. It is to expose the address so another apiserver could access it. In some cases, hostnetwork might be needed. Actually hosted mode is not quite used anyway; I just feel we do not need another configuration for the webhook.
My understanding of hosted mode was that it's a remote webhook not directly controlled by OCM. And the webhook configuration is just an address/port to reach it. So while metrics/health/hostNet might be used in that remote location, they would not be controlled by this API config.
Is that not correct?
It is not quite correct; the address/port is still the setting on the webhook server to be exposed. The hosted mode means the controller/webhook server is running in cluster1, while the hub cluster is cluster2. So the hub cluster needs to wire to the webhook server in cluster1 with an accessible address/port.
Summary
API changes to support customizing webhook ports and hostNetwork in Default installation mode
Related issue(s)
open-cluster-management-io/ocm#1035