45 changes: 39 additions & 6 deletions pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
@@ -12,6 +12,7 @@ import (
"github.com/openshift/library-go/pkg/operator/encryption/kms"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
@@ -148,9 +149,17 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
VolumeMounts: []corev1.VolumeMount{socketMount},
},
{
Name: "vault-kms-plugin-555",
Image: "quay.io/test/vault:v1",
Args: sidecarArgs,
Name: "vault-kms-plugin-555",
Image: "quay.io/test/vault:v1",
Args: sidecarArgs,
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
VolumeMounts: []corev1.VolumeMount{socketMount},
},
},
@@ -185,6 +194,14 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
"-vault-namespace=other-namespace",
"-transit-mount=transit2",
},
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
VolumeMounts: []corev1.VolumeMount{socketMount},
},
{
@@ -199,6 +216,14 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
"-vault-namespace=my-namespace",
"-transit-mount=transit",
},
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
VolumeMounts: []corev1.VolumeMount{socketMount},
},
},
@@ -397,9 +422,17 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
VolumeMounts: []corev1.VolumeMount{socketMount},
},
{
Name: "vault-kms-plugin-555",
Image: "quay.io/test/vault:v1",
Args: sidecarArgs,
Name: "vault-kms-plugin-555",
Image: "quay.io/test/vault:v1",
Args: sidecarArgs,
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
VolumeMounts: []corev1.VolumeMount{socketMount},
},
},
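Review bot: The expected `ImagePullPolicy`, `TerminationMessagePolicy` and `Resources` values are written out as the same literal in all four expected containers of TestAddKMSPluginSidecarToPodSpec, and the identical block appears three more times in vault_test.go, so the next change to these defaults means seven edits that can drift apart. A small test helper that returns the expected requests would keep the values in one place while still stating them independently of the production code, so an accidental change in BuildSidecarContainer is still caught. The test function starts and ends outside these hunks.

```go
// expectedSidecarResources returns the resource requests every KMS plugin
// sidecar is expected to carry.
func expectedSidecarResources() corev1.ResourceRequirements {
	return corev1.ResourceRequirements{
		Requests: corev1.ResourceList{
			corev1.ResourceMemory: resource.MustParse("50Mi"),
			corev1.ResourceCPU:    resource.MustParse("5m"),
		},
	}
}

// … unchanged: Name, Image, Args, policies of each expected container …
Resources: expectedSidecarResources(),
```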
18 changes: 15 additions & 3 deletions pkg/operator/encryption/kms/pluginlifecycle/vault.go
@@ -5,6 +5,7 @@ import (

configv1 "github.com/openshift/api/config/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
)

// newVaultSidecarProvider creates a Vault sidecar provider from the given KMS plugin configuration.
@@ -54,8 +55,19 @@ func (v *vault) BuildSidecarContainer() (corev1.Container, error) {
}

return corev1.Container{
Name: v.Name(),
Image: v.config.KMSPluginImage,
Args: args,
Name: v.Name(),
Image: v.config.KMSPluginImage,
Args: args,
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
// TODO(bertinatto): the plugin sidecar needs to be measure under heavy load to figure out good defaults.
// For now follow what most sidecars in the kube-apiserver pod do. xref:
// https://github.com/openshift/cluster-kube-apiserver-operator/commit/e15a19cd2474c8b60ce17ac16dd8f422c729847a
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
}, nil
}
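Review bot: `ImagePullPolicy: corev1.PullIfNotPresent` in the returned container means a node that already has `v.config.KMSPluginImage` cached never re-resolves the reference, so if that value may be a mutable tag (the tests use `quay.io/test/vault:v1`), nodes can run different contents under the same name. Because this sidecar sits in the KMS encryption path, it is worth confirming that whatever validates the plugin configuration (not visible in this hunk) requires a digest reference. A comment above the field would record the assumption, e.g. `// KMSPluginImage is expected to be digest-pinned; IfNotPresent will not re-pull a moved tag.` Separately, the TODO reads "needs to be measure" where "measured" is meant. BuildSidecarContainer's body starts outside the hunk.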
25 changes: 25 additions & 0 deletions pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
@@ -6,6 +6,7 @@ import (
configv1 "github.com/openshift/api/config/v1"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
)

func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
@@ -49,6 +50,14 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
"-vault-namespace=my-namespace",
"-transit-mount=transit",
},
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
},
},
},
@@ -94,6 +103,14 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
"-vault-namespace=my-namespace",
"-transit-mount=transit",
},
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
},
},
},
@@ -129,6 +146,14 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
// "-vault-namespace=",
// "-transit-mount=",
},
ImagePullPolicy: corev1.PullIfNotPresent,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceMemory: resource.MustParse("50Mi"),
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
},
},
},