Change names for certificate keys in secret

[aneurinprice]

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #8460

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Key names in the generated `vpa-tls-certs` are different. Now cert-manager compatible.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

Welcome @aneurinprice!

It looks like this is your first PR to kubernetes/autoscaler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/autoscaler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @aneurinprice. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aneurinprice
Once this PR has been reviewed and has the lgtm label, please assign voelzmo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• vertical-pod-autoscaler/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[adrianmoisey]

Changing these defaults is a backwards incompatible change, so we can't do it.

[aneurinprice]

I understand the concern, how do you think we should approach this? I feel very strongly that we should aim to use the tls secret type key names.

[adrianmoisey]

I agree with you that that would be ideal, but what problem are you trying to fix here?

[aneurinprice]

The problem I'm trying to fix is that I cannot use cert-manager to manage the webhook secret without doing some rather nasty kustomize. I'm trying to avoid having unmanaged certificates and deploying them via shell script.

My current workaround is as follows:

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vpa-admission-controller
  namespace: kube-system
spec:
  isCA: false
  commonName: vpa-webhook
  secretName: vpa-tls-certs
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-clusterissuer
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
    - vpa-webhook.kube-system.svc
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: vertical-pod-autoscaler
  namespace: flux-system
spec:
  interval: 10m
  targetNamespace: kube-system
  sourceRef:
    kind: GitRepository
    name: kubernetes-autoscaler
  path: "./vertical-pod-autoscaler/deploy"
  prune: true
  timeout: 1m
  patches:
    - patch: |
        - op: replace
          path: /spec/template/spec/volumes
          value:
            - name: tls-certs
              secret:
                secretName: vpa-tls-certs
                items:
                  - key: tls.crt
                    path: serverCert.pem
                  - key: tls.key
                    path: serverKey.pem
                  - key: ca.crt
                    path: caCert.pem
      target:
        kind: Deployment
        name: vpa-admission-controller
        namespace: kube-system

My initial thought was to try and bypass this at the cert-manager level but they seemingly have no interest in allowing custom key names in the secret.

It was then I realised that VPA was not using a TLS secret or the associated key names. I decided that the fix should probably be here instead.

[adrianmoisey]

I'm not too familiar with how flux works, but is this using the manifests from https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/deploy/ ?
If so, I'd highly recommend not using them. We don't do a good job at communicating this, but I don't consider those production ready.

[aneurinprice]

but is this using the manifests from ...

You are correct, that is where I am deploying from.

We don't do a good job at communicating this, but I don't consider those production ready.

Ah. I see.

Not to be ungrateful, but the deployment mechanism via bash scripts is.... painfully outdated. Is there not a better way to get these manifests? Perhaps naively of me, but I would have assumed that anything in main would have been good to go.

[adrianmoisey]

Ah. I see.

Not to be ungrateful, but the deployment mechanism via bash scripts is.... painfully outdated. Is there not a better way to get these manifests? Perhaps naively of me, but I would have assumed that anything in main would have been good to go.

You're 100% correct here. My ideal would be to have an official helm chart that we build and maintain, but at the moment there aren't many contributors to the project, so that hasn't happened yet.

[aneurinprice]

Okay cool, I'd quite like the opportunity to contribute so perhaps thats something I can do.

In the meantime, do you think I'm good to keep my existing kustomize but point it at vertical-pod-autoscaler-1.4.1 tag?

[adrianmoisey]

I don't necessary see a problem with that. We're not likely to change the deploy files in a backwards incompatible way. However, it means that if you want to change anything from what's set in those manifests, you'll need to do patches, which isn't great.

[omerap12]

You're 100% correct here. My ideal would be to have an official helm chart that we build and maintain, but at the moment there aren't many contributors to the project, so that hasn't happened yet.

We talked about this before and decided not to do it. Maybe we should talk about it again?