Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use pre-install helm hook to prepare rancher for turtles #192

Merged
merged 1 commit into from
Oct 6, 2023
Merged

fix: use pre-install helm hook to prepare rancher for turtles #192

merged 1 commit into from
Oct 6, 2023

Conversation

salasberryfin
Copy link
Contributor

What this PR does / why we need it:

Currently, installing Rancher Turtles in an existing Rancher Manager after disabling embedded CAPI, results in validating/mutating webhooks being left behind after the feature is disabled. If you try and apply a CAPI manifest you will get an error:

time="2023-10-03T14:18:36Z" level=error msg="error syncing 'cluster-fleet-local-local-1a3d67d0a899/clusters-clusters': handler bundle-deploy: failed to create  │
│ resource: Internal error occurred: failed calling webhook \"default.cluster.cluster.x-k8s.io\": failed to call webhook: Post \"https://capi-webhook-service.cat/ │
│ tle-provisioning-capi-system.svc:443/mutate-cluster-x-k8s-io-v1beta1-cluster?timeout=10s\": service \"capi-webhook-service\" not found, requeuing"

To avoid having to manually delete these webhooks and disable the feature flag, this PR adds a pre-install Helm hook that:

  1. Disables embedded CAPI.
  2. Deletes mutating/validating webhooks (creating a Service Account, Cluster Role and Cluster Role Binding).

This is not the fanciest of solutions but it allows to install Rancher Turtles just using helm install in an existing Rancher Manager. We can later change Rancher and remove this hook if we find a more robust option.

Which issue(s) this PR fixes:
Fixes #185

Special notes for your reviewer:

When this gets merged, we'll need to update the docs accordingly.

Checklist:

  • squashed commits into logical changes
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

@salasberryfin salasberryfin added the kind/bug Something isn't working label Oct 4, 2023
@salasberryfin salasberryfin requested a review from a team as a code owner October 4, 2023 16:31
@salasberryfin salasberryfin mentioned this pull request Oct 4, 2023
Closed
3 tasks
Danil-Grigorev
Danil-Grigorev previously approved these changes Oct 5, 2023
View reviewed changes
@salasberryfin
Copy link
Contributor Author

We may need to install Rancher before Rancher Turtles in the E2E environment for the Feature kind to be available. Looks like this is triggering CI failures.

@salasberryfin salasberryfin force-pushed the add-helm-pre-install-hook branch 7 times, most recently from cd29889 to cd5b194 Compare October 5, 2023 09:57
Danil-Grigorev
Danil-Grigorev previously approved these changes Oct 5, 2023
View reviewed changes
@Danil-Grigorev
Copy link
Contributor

E2e tests are passing with this change, so failure here could be ignored.

@salasberryfin
Copy link
Contributor Author

Thanks @Danil-Grigorev. Should we consider this PR superseded by yours #190 and close it?

@Danil-Grigorev
Copy link
Contributor

I don’t know. Can go both ways, you can cherry pick the commit #190 and the other one could be closed. Or this PR could be merged without e2e tests passing, and followed by #190 separately.

@salasberryfin
Copy link
Contributor Author

Let's merge this first and then #190 and keep them as independent PRs.

richardcase
richardcase reviewed Oct 5, 2023
View reviewed changes
Copy link
Contributor

@richardcase richardcase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my head i was thinking of something actually in the Rancher Turtles binary but this is an interesting approach.

charts/rancher-turtles/templates/pre-install-job.yaml Show resolved Hide resolved
charts/rancher-turtles/templates/pre-install-job.yaml Outdated Show resolved Hide resolved
charts/rancher-turtles/templates/pre-install-job.yaml Outdated Show resolved Hide resolved
@salasberryfin
Copy link
Contributor Author

salasberryfin commented Oct 5, 2023
edited
Loading

I added flags for disabling embedded capi and deleting rancher webhooks:

rancherTurtles:
  ...
  features:
    disable-embedded-capi:
      enabled: true
    cleanup-rancher-webhook:
      enabled: true
      image: rancher/kubectl

Also, changed the deleting webhook Job to use rancher/kubectl image. This has to now be separated into two different jobs: one for each webhook deletion (mutating/validating).

richardcase
richardcase previously approved these changes Oct 6, 2023
View reviewed changes
Copy link
Contributor

@richardcase richardcase left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks for adding the flags in the values.

Although there is a chart linrt failure.

@salasberryfin salasberryfin force-pushed the add-helm-pre-install-hook branch 2 times, most recently from d719cd3 to e888cce Compare October 6, 2023 09:56
Danil-Grigorev
Danil-Grigorev previously approved these changes Oct 6, 2023
View reviewed changes
Copy link
Contributor

@Danil-Grigorev Danil-Grigorev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor suggestions, but LGTM as is.

charts/rancher-turtles/values.yaml Outdated Show resolved Hide resolved
charts/rancher-turtles/values.yaml Outdated Show resolved Hide resolved
.github/workflows/test_chart.yaml

- name: Install Rancher
run: helm install rancher rancher-stable/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=rancheradmin --set replicas=1 --set hostname="e2e.dev.rancher" --set 'extraEnv[0].name=CATTLE_FEATURES' --set global.cattle.psp.enabled=false --version ${{ env.RANCHER_VERSION }} --wait

- name: Run chart-testing (install)
run: helm install rancher-turtles out/charts/rancher-turtles/ -n rancher-turtles-system --create-namespace --wait --set cluster-api-operator.cluster-api.enabled=false --set cluster-api-operator.enabled=false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
run: helm install rancher-turtles out/charts/rancher-turtles/ -n rancher-turtles-system --create-namespace --wait --set cluster-api-operator.cluster-api.enabled=false --set cluster-api-operator.enabled=false
run: helm install rancher-turtles out/charts/rancher-turtles/ -n rancher-turtles-system --create-namespace --wait --set cluster-api-operator.cluster-api.enabled=false --set cluster-api-operator.enabled=false --set features. disable-embedded-capi.enabled=false --set features.cleanup-rancher-webhook.enabled=false

As this workflow represents the default flow of installing rancher-turtles in a fresh cluster, we might not need to bring rancher with it. Just making sure the chart is installable.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand your point but I would say, considering these flags are enable by default, we should test them as well to validate the chart.

Danil-Grigorev
Danil-Grigorev reviewed Oct 6, 2023
View reviewed changes
.github/workflows/test_chart.yaml
Comment on lines +64 to +75
- name: Add cert-manager chart repo
run: helm repo add jetstack https://charts.jetstack.io

- name: Add rancher chart repo
run: helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

- name: Install cert-manager
run: helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version ${{ env.CERT_MANAGER_VERSION }} --set installCRDs=true --wait

- name: Install Rancher
run: helm install rancher rancher-stable/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=rancheradmin --set replicas=1 --set hostname="e2e.dev.rancher" --set 'extraEnv[0].name=CATTLE_FEATURES' --set global.cattle.psp.enabled=false --version ${{ env.RANCHER_VERSION }} --wait

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- name: Add cert-manager chart repo
run: helm repo add jetstack https://charts.jetstack.io
- name: Add rancher chart repo
run: helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
- name: Install cert-manager
run: helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version ${{ env.CERT_MANAGER_VERSION }} --set installCRDs=true --wait
- name: Install Rancher
run: helm install rancher rancher-stable/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=rancheradmin --set replicas=1 --set hostname="e2e.dev.rancher" --set 'extraEnv[0].name=CATTLE_FEATURES' --set global.cattle.psp.enabled=false --version ${{ env.RANCHER_VERSION }} --wait

In addition to https://github.com/rancher-sandbox/rancher-turtles/pull/192/files#r1348559835

@salasberryfin salasberryfin merged commit f9cf357 into rancher:main Oct 6, 2023
7 of 8 checks passed
This was referenced Oct 6, 2023
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Danil-Grigorev Danil-Grigorev Danil-Grigorev approved these changes

@richardcase richardcase richardcase approved these changes

Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add option to delete old Rancher webhooks
3 participants
@salasberryfin @Danil-Grigorev @richardcase