Skip to content

CORE-18638 Add permission for ingress controller to read IngressClass #5268

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 15, 2023
Merged

CORE-18638 Add permission for ingress controller to read IngressClass #5268

merged 2 commits into from
Dec 15, 2023

Conversation

davidcurrie
Copy link
Contributor

Without permission to read cluster-scoped IngressClass resources, the ingress-nginx controller processes updates to all Ingress resources in the target namespace, regardless of whether or not they are associated with the ingress class it is configured with. (Reported in kubernetes/ingress-nginx#9662.) This results in the controller updating any Ingress resources defined for the REST API or P2P Gateway and consequent loss of connectivity until the rightful controller updates the resources again. The status flip-flops between the two controllers.

This change gives the controller permission to view IngressClass resources, which it does not really need (it uses the annotation-based approach to defining the ingress class) but causes it to check the ingress class name correctly.

@corda-jenkins-ci02
Copy link
Contributor

corda-jenkins-ci02 bot commented Dec 14, 2023
edited
Loading

Jenkins build for PR 5268 build 3

Build Successful:
Jar artifact version produced by this PR: 5.2.0.0-alpha-1702653947933
Helm chart version produced by this PR: 5.2.0-alpha.1702653947933
Helm chart pushed to: oci://corda-os-docker-dev.software.r3.com/helm-charts/pr-5268/corda

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@davidcurrie
Copy link
Contributor Author

Verified in https://ci02.dev.r3.com/job/Corda5/job/corda-simulations/job/release%2F5.2/50/ that the corda-rest-worker ingress is now untouched by the token selection worker ingress controller.

@davidcurrie davidcurrie marked this pull request as ready for review December 15, 2023 17:14
jujoramos
jujoramos approved these changes Dec 15, 2023
View reviewed changes
Copy link
Contributor

@jujoramos jujoramos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@davidcurrie davidcurrie merged commit b02a4e4 into corda:release/os/5.2 Dec 15, 2023
@davidcurrie davidcurrie deleted the CORE-18638 branch December 15, 2023 17:38
emilybowe pushed a commit that referenced this pull request Dec 18, 2023
@davidcurrie @emilybowe
CORE-18638 Add permission for ingress controller to read IngressClass (
78c75fa 
…#5268)
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@jujoramos jujoramos jujoramos approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@davidcurrie @jujoramos