
feat: migrate CA secret to new namespace #476

Merged
merged 12 commits into from
Jul 22, 2024

Conversation

dervoeti
Member

Description

Fixes #453 by creating a one-time job that copies the secret over to the new namespace if it does not exist there yet.


@dervoeti dervoeti force-pushed the feat/migrate-secret-to-new-namespace branch from 56ed99b to 08b6614 Compare July 22, 2024 12:07
@dervoeti dervoeti force-pushed the feat/migrate-secret-to-new-namespace branch from 08b6614 to bf66f2c Compare July 22, 2024 12:26
NickLarsenNZ previously approved these changes Jul 22, 2024
Member

@NickLarsenNZ NickLarsenNZ left a comment


Approved based on the shellcheck pass, and the described testing (in the team call).

@dervoeti
Member Author

dervoeti commented Jul 22, 2024

I now created separate RBAC rules for the Job instead of using the ones from secret-operator.

Reasoning (besides better security):
The Job should run before secret-op starts and the SecretClass is created, because otherwise a race condition might occur where secret-op is already started but the Job did not finish yet, hence the Secret is not yet copied over to the new namespace and secret-op might create a new CA (if a Pod requests a cert). Since the Job needs a ServiceAccount to view/edit Secrets and that ServiceAccount needs to be created before the installation of secret-op as well, the ServiceAccount and other RBAC resources have been created and also annotated with the Hook annotations for Helm.
I set the hook-delete-policy to hook-succeeded so all the resources from this one-time job will automatically be deleted if it succeeds. The hook-weight annotations make sure the RBAC resources are created before the Job.

Just retested it a couple of times, works as expected.
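For readers who want to see the ordering described in this comment as a Helm template, here is an added example; it is not the operator's own chart, and the resource names, the `migration.oldNamespace` value, the Secret name `secret-provisioner-tls-ca` and the container image are assumptions. It goes slightly beyond the comment by adding `before-hook-creation` to the delete policy, by confining the ClusterRole with RoleBindings in just the two namespaces involved, and by stripping owner references so the copied Secret is not garbage-collected in its new namespace.

```yaml
{{- define "camig.hooks" -}}
{"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": {{ . | quote }}, "helm.sh/hook-delete-policy": "hook-succeeded,before-hook-creation"}
{{- end }}
# Added example, not the operator's chart; names, values and the image are assumptions.
# Weights order the hooks: RBAC at -10/-5 exists before the Job at 0 starts. The delete
# policy removes everything after success but keeps a failed Job around for debugging,
# replacing it on the next attempt instead of colliding with the leftover resources.
apiVersion: v1
kind: ServiceAccount
metadata: {name: ca-migration, namespace: {{ .Release.Namespace }}, annotations: {{ include "camig.hooks" "-10" }}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: ca-migration, annotations: {{ include "camig.hooks" "-10" }}}
rules:   # get is limited to the one CA Secret; RBAC cannot scope create by resource name
  - {apiGroups: [""], resources: [secrets], resourceNames: [secret-provisioner-tls-ca], verbs: [get]}
  - {apiGroups: [""], resources: [secrets], verbs: [create]}
{{- range list .Values.migration.oldNamespace .Release.Namespace }}
---
# RoleBindings (not a ClusterRoleBinding) confine the permissions to the two namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: ca-migration, namespace: {{ . }}, annotations: {{ include "camig.hooks" "-5" }}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: ca-migration}
subjects: [{kind: ServiceAccount, name: ca-migration, namespace: {{ $.Release.Namespace }}}]
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata: {name: ca-migration, namespace: {{ .Release.Namespace }}, annotations: {{ include "camig.hooks" "0" }}}
spec:
  backoffLimit: 3
  template:
    spec:
      serviceAccountName: ca-migration
      restartPolicy: OnFailure
      containers:
        - name: copy
          image: registry.example/kubectl-jq:latest   # assumed: any image shipping kubectl and jq
          command: ["/bin/sh", "-ec"]
          args:
            - |
              OLD_NS={{ .Values.migration.oldNamespace | quote }}; NEW_NS={{ .Release.Namespace | quote }}
              # idempotent: a CA already present in the new namespace is never overwritten
              kubectl -n "$NEW_NS" get secret secret-provisioner-tls-ca 2>/dev/null && exit 0
              # drop server-managed fields and owner refs, which would be invalid across namespaces
              kubectl -n "$OLD_NS" get secret secret-provisioner-tls-ca -o json \
                | jq 'del(.metadata.namespace, .metadata.uid, .metadata.resourceVersion,
                          .metadata.creationTimestamp, .metadata.managedFields, .metadata.ownerReferences)' \
                | kubectl -n "$NEW_NS" create -f -
```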

Member

@labrenbe labrenbe left a comment


lgtm

@dervoeti dervoeti added this pull request to the merge queue Jul 22, 2024
Merged via the queue into main with commit b034d99 Jul 22, 2024
31 checks passed
@dervoeti dervoeti deleted the feat/migrate-secret-to-new-namespace branch July 22, 2024 15:33

Successfully merging this pull request may close these issues.

Reuse an existing TLS CA from a previous installation
6 participants