add template for TSB #15673
add template for TSB #15673
Conversation
openshift-merge-robot
added
the
size/L
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
the
approved
|
/test integration |
|
/test extended_conformance_gce |
|
@bparees @jim-minter rather than try to make this template perfect now, I'd like to start with "not offensive" and work out from there. I'm happy to explain any args if they look weird. |
|
ah, ok - I ended up commenting on the template bits at #15677 before reading this. |
no problem. The comments are fair (I responded there). I can open issues if you're willing to take it as a valid starting point. |
|
think my only question is around location (test/testdata or examples) which can be changed easily, lgtm |
|
/test extended_conformance_install_update |
|
Automatic merge from submit-queue |
| examples/service-catalog/... \ | ||
| pkg/image/admission/imagepolicy/api/v1/... | ||
| pkg/image/admission/imagepolicy/api/v1/... \ | ||
| test/testdata/templateservicebroker/... |
There was a problem hiding this comment.
is testdata really the final home for this? is this just for testing? I was under the impression it was more fundamental.
There was a problem hiding this comment.
is testdata really the final home for this? is this just for testing? I was under the impression it was more fundamental.
I'm still working it out with @sdodson. The first use-case is test/initial cluster-up cases.
| objects: | ||
|
|
||
| # to create the tsb server | ||
| - apiVersion: extensions/v1beta1 |
There was a problem hiding this comment.
do we have other GA product features built on top of beta apis? are we comfortable w/ the migration implications?
There was a problem hiding this comment.
do we have other GA product features built on top of beta apis? are we comfortable w/ the migration implications?
I'm trying to get up with @smarterclayton about why service catalog is a daemonset. Seems wrong and @pmorie isn't sure. I'd choose a deploymentconfig.
| spec: | ||
| serviceAccountName: apiserver | ||
| containers: | ||
| - name: c |
There was a problem hiding this comment.
surely we can name this better :)
There was a problem hiding this comment.
surely we can name this better :)
If you wish.
| containers: | ||
| - name: c | ||
| image: ${IMAGE} | ||
| imagePullPolicy: Never |
There was a problem hiding this comment.
IfNotPresent?
once we have an image, I can switch it. For now, doing that breaks my local images.
There was a problem hiding this comment.
why/how? if you have a local origin image you've built it should just use that, right?
There was a problem hiding this comment.
why/how? if you have a local origin image you've built it should just use that, right?
If you use a tag of :latest, the pull policy is forced to always when running with some admission plugins. Since we now have images in latest that can work, I've updated it in #15707 for you.
There was a problem hiding this comment.
I thought that pull policy was only forced if it wasn't explicitly declared otherwise. Are you telling me it will only force it to always if the value is not set to "never"? that's insane.
| kind: ServiceAccount | ||
| metadata: | ||
| namespace: ${NAMESPACE} | ||
| name: apiserver |
There was a problem hiding this comment.
is there no ordering issue w/ creating the daemonset referencing the SA before the SA exists/has the right permissions?
There was a problem hiding this comment.
is there no ordering issue w/ creating the daemonset referencing the SA before the SA exists/has the right permissions?
correct.
| namespace: ${NAMESPACE} | ||
| name: apiserver | ||
| annotations: | ||
| service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert |
There was a problem hiding this comment.
relying on alpha features makes me even less happy than relying on beta features. sounds like a migration headache in the making. (unless this really is for testing purposes only, but i was under the impression this was the template cluster up and ansible will use to deploy the TSB)
There was a problem hiding this comment.
Using the service serving cert signer really seems like the right thing to do here. @smarterclayton how would you like to generate our serving cert for the TSB service?
There was a problem hiding this comment.
i don't disagree that it looks like the right solution for the immediate problem, but i'm trying to head off migration pain in the future so i want to make sure we have a (not horrible) path.
There was a problem hiding this comment.
i don't disagree that it looks like the right solution for the immediate problem, but i'm trying to head off migration pain in the future so i want to make sure we have a (not horrible) path.
Imagine the migration path. We introduce the beta annotation. Because this API appears largely right (there's just not that many ways to do it), the secret with the exact same name is generated. A later apply places both annotations on the service, the secret doesn't change in meaning (might get regenerated) and the pods never know the difference.
4 participants
Separate pull that uses a daemonset in a template to run the TSB.