Unable to use the mutation webhook method with kubernetes 1.21.5 and admissionregistration.k8s.io/v1 on GKE about berglas HOT 11 CLOSED

Some k8s tools upgraded to go 1.17 without a regard for backwards compat, which is making this impossible to deploy to Cloud Functions right now, since the latest available version there is 1.16.

• kubernetes-sigs/controller-tools#643
• kubernetes-sigs/json#8

#180 is the update PR. You can put it in a container and run it on Cloud Run, but there's no way to run it on Cloud Functions right now.

from berglas.

Right - you can do this without the webhook. The webhook just automates the steps you described above (although it uses a sidecar instead).

from berglas.

@peterldowns

if I understand correctly, the changes in #180 can be used with Cloud Run, as the Dockerfile/build can use the latest go (1.17) version?
Will try it also in few weeks/months also.

from berglas.

ping! No auto close please :-)

from berglas.

Also interested in the response here, I have never worked on kubernetes things before but we would like to upgrade our cluster to 1.22 (currently on 1.21) and the MutatingWebhookConfiguration beta api "will no longer be served". Happy users of Berglas, but not sure how to make this fix ourselves.

from berglas.

@sethvargo thank you for the explanation, and for having already fixed this and gotten it ready to go in your PR! I see that you are a member of Google Cloud Platform and work at Google -- is there anything I can do to help request that Cloud Functions add a go1.17/go1.18 runtime? I don't know if you're directly involved, but maybe there's a better place to ask than here? Thank you again for your time and for maintaining Berglas, it's been a wonderfully simple solution that's let us use the Google Cloud Secrets Manager for everything both inside k8s and outside.

from berglas.

I don't have any control over that, sorry.

from berglas.

No problem. We'll just deploy the Cloud Run container instead. Thank you again for your support.

from berglas.

Correct - you can use Cloud Run. I didn't want to switch to Cloud Run because it introduces complexity that folks who aren't familiar with Docker or containers might not want to take on.

from berglas.

After looking at the gcloud run samples, my current solution for "typical" kubernetes deployments without using the kubernetes webhook approach:

• Add this line in the Dockerfile to add the berglas binary: COPY --from=us-docker.pkg.dev/berglas/berglas/berglas:latest /bin/berglas /bin/berglas
• In the deployment container spec, set a command line (example with python): command: ["/bin/berglas", "exec", "--", "python", "server.py"]
• Ensure to have a proper kubernetes service account in the namespace.

The remaining thing is to make it work for helm charts, which do not have the /bin/berglas binary. Many helms allow to pass a command, so this part is fine. For the /bin/berglas binary, I guess you could inject it using an initContainer and mount a volume if the helm has initContainer parameters. But if it does not have initContainer parameters, not sure how it can be done. Any ideas?

from berglas.

This issue is stale because it has been open for 14 days with no
activity. It will automatically close after 7 more days of inactivity.

from berglas.