🐛 webhook: clarify CertDir default and wrap serving-cert load error#3500
alliasgher wants to merge 2 commits into
Conversation
/ok-to-test |
/retest |
The CertDir default — <temp-dir>/k8s-webhook-server/serving-certs — is driven by os.TempDir(), which on non-Linux systems (and Linux systems with TMPDIR set) is not /tmp. When a user misplaces the serving cert, certwatcher.New returns a bare "no such file or directory" error with no hint that the path is webhook-specific and no pointer to the option they need to set.

- Expand the CertDir doc comment to describe the defaulting behavior and recommend operators set it explicitly (typically to the path of a mounted Secret) rather than rely on the temp-dir default.
- Wrap the certwatcher.New error so the resulting message names the paths that were attempted, includes the CertDir / CertName / KeyName values, and points at webhook.Server.Options.CertDir as the place to fix things.

Fixes kubernetes-sigs#900

Signed-off-by: alliasgher <alliasgher123@gmail.com>
e31aa60 to 0f33ec9
Looks like this needs some test fixes, PTAL |
The builder webhook tests tolerate a missing serving cert when starting the server via os.IsNotExist(err). Now that Start wraps the cert-load failure with fmt.Errorf(...: %w), os.IsNotExist no longer matches (it does not unwrap). Switch the checks to errors.Is(err, fs.ErrNotExist), which unwraps the chain and still matches the underlying os.PathError.

Signed-off-by: alliasgher <alliasgher123@gmail.com>

Thanks @sbueringer. Fixed in 0e057fb — the builder webhook tests gate on
So this PR would break folks that are using os.IsNotExist. I'm not really sure if that change in error message is worth it. I don't think a lot of folks are using os.IsNotExist, but I also don't think that the current error reporting is a real problem that folks have. @alvaroaleman WDYT? |
Yeah I wouldn't change it |
Summary
Addresses the two small, agreed-upon asks from #900:
Before
```
open /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory
```
After
```
failed to load serving cert from "/tmp/k8s-webhook-server/serving-certs/tls.crt" / "/tmp/k8s-webhook-server/serving-certs/tls.key" — did you mount the certificate files at webhook.Server.Options.CertDir? (CertDir="/tmp/k8s-webhook-server/serving-certs", CertName="tls.crt", KeyName="tls.key"): open /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory
```
Fixes #900
Tests
`go build ./pkg/webhook/...` and `go vet ./pkg/webhook/...` pass. No behavior change except the added context on the error path.
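The compatibility point sbueringer raises, shown in runnable form as an added example that is not part of this PR or of controller-runtime: wrapping the cert-load error with `fmt.Errorf(...: %w)` makes `os.IsNotExist` stop matching (it only looks through `*fs.PathError`, `*os.LinkError` and `*os.SyscallError`, not fmt's wrapper), while `errors.Is(err, fs.ErrNotExist)` walks the whole `Unwrap` chain and still matches. The `Options` type, `DefaultCertDir`, `loadCert`, `StartBare`, `StartWrapped`, `MissingCertOld`, `MissingCertNew` and `OffendingPath` are hypothetical stand-ins for the webhook server and certwatcher code the thread refers to; `loadCert` just stats the files instead of building a watcher.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Options is a hypothetical stand-in for the CertDir/CertName/KeyName fields
// the PR discusses; it is not controller-runtime's webhook.Server.Options.
type Options struct {
	CertDir  string
	CertName string
	KeyName  string
}

// DefaultCertDir mirrors the temp-dir-derived default the PR documents:
// it follows os.TempDir(), so it is only /tmp/... when TMPDIR is unset on Linux.
func DefaultCertDir() string {
	return filepath.Join(os.TempDir(), "k8s-webhook-server", "serving-certs")
}

// loadCert stands in for certwatcher.New: it stats both files and returns the
// first *fs.PathError it hits, which is the same error shape os.Open produces.
func loadCert(certPath, keyPath string) error {
	for _, p := range []string{certPath, keyPath} {
		if _, err := os.Stat(p); err != nil {
			return err
		}
	}
	return nil
}

// resolve applies the default when CertDir is empty and returns the two paths.
func (o Options) resolve() (dir, certPath, keyPath string) {
	dir = o.CertDir
	if dir == "" {
		dir = DefaultCertDir()
	}
	return dir, filepath.Join(dir, o.CertName), filepath.Join(dir, o.KeyName)
}

// StartBare is the "before" behaviour: the cert-load error is returned as-is.
func StartBare(o Options) error {
	_, c, k := o.resolve()
	return loadCert(c, k)
}

// StartWrapped is the "after" behaviour: the error is wrapped with %w so the
// message names the paths and options while the chain stays inspectable.
func StartWrapped(o Options) error {
	dir, c, k := o.resolve()
	if err := loadCert(c, k); err != nil {
		return fmt.Errorf("failed to load serving cert from %q / %q "+
			"(CertDir=%q, CertName=%q, KeyName=%q): %w",
			c, k, dir, o.CertName, o.KeyName, err)
	}
	return nil
}

// MissingCertOld is the check the builder tests used before this PR.
func MissingCertOld(err error) bool { return os.IsNotExist(err) }

// MissingCertNew is the replacement: errors.Is walks every Unwrap hop.
func MissingCertNew(err error) bool { return errors.Is(err, fs.ErrNotExist) }

// OffendingPath recovers the path from the *fs.PathError buried in the chain,
// which a test can still do after wrapping because errors.As unwraps too.
func OffendingPath(err error) string {
	var pe *fs.PathError
	if errors.As(err, &pe) {
		return pe.Path
	}
	return ""
}

func main() {
	// Constructed input: a fresh temp dir that holds no tls.crt or tls.key.
	dir, err := os.MkdirTemp("", "serving-certs-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	o := Options{CertDir: dir, CertName: "tls.crt", KeyName: "tls.key"}

	bare, wrapped := StartBare(o), StartWrapped(o)
	fmt.Printf("bare:    os.IsNotExist=%v errors.Is=%v\n", MissingCertOld(bare), MissingCertNew(bare))
	fmt.Printf("wrapped: os.IsNotExist=%v errors.Is=%v\n", MissingCertOld(wrapped), MissingCertNew(wrapped))
	fmt.Println(wrapped)
}
```

Running it prints `true true` for the bare error and `false true` for the wrapped one, which is exactly why any caller still gating on `os.IsNotExist` would start failing after the wrap; `errors.Is` is the check that survives either form.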