@weng271190436 weng271190436 commented Dec 5, 2025

Description of your changes

Currently the in-memory 10-year self-signed cert cannot be shared among replicas of hub agents, so only the leader has a valid cert registered with the API server.

Using cert manager decouples cert management and hub agent core functionality. It also does cert rotation.

Trying to partially address Azure/fleet#1224

Fixes #

I have:

  • Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Special notes for your reviewer
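
An added example (not code from this PR or from the project) of the failure the description refers to: when every replica generates its own in-memory self-signed certificate, a client that trusts only the registered one rejects the others. The DNS name and the `selfSigned` and `trusts` helpers are hypothetical, and the client is modelled as a CA pool holding a single certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const svc = "hub-webhook.example.svc" // constructed DNS name, not taken from the PR

// selfSigned mimics one replica generating its own in-memory serving cert at startup.
func selfSigned(serial int64) *x509.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: svc}, DNSNames: []string{svc},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // template is its own issuer
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// trusts reports whether a client whose CA pool holds only registered accepts serving.
func trusts(registered, serving *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(registered)
	_, err := serving.Verify(x509.VerifyOptions{Roots: pool, DNSName: svc})
	return err == nil
}

func main() {
	leader, follower := selfSigned(1), selfSigned(2) // same code path, different random keys
	fmt.Println("leader cert against registered cert:  ", trusts(leader, leader))
	fmt.Println("follower cert against registered cert:", trusts(leader, follower))
}
```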

// Add webhook readiness check AFTER controllers are set up (when ResourceInformer is initialized)
// This prevents webhook from accepting requests before discovery cache is populated
if opts.EnableWebhook {
if err := mgr.AddReadyzCheck("webhook-cache", webhook.ResourceInformerReadinessChecker(validator.ResourceInformer)); err != nil {
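Review bot: the comment on the first two lines says this check "prevents webhook from accepting requests before discovery cache is populated", but mgr.AddReadyzCheck only registers a check with the manager's readiness endpoint and the webhook server itself keeps listening. Requests are held back only if the pod's readiness probe targets that endpoint, so consider rewording the comment to say the replica reports not-ready until the cache is populated, and name the probe that depends on the "webhook-cache" check. The err != nil branch is cut off in this view; please confirm it fails startup rather than only logging.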
Collaborator Author


This PR stacks on top of an informer readiness check change because, now that I have multiple replicas of webhook servers, it becomes likely that some webhook servers might start serving requests before the cache is synced.

@weng271190436 weng271190436 force-pushed the weiweng/enable-ha-hub-agents branch 3 times, most recently from 7850aa5 to 177d5a7 Compare December 5, 2025 21:53

codecov bot commented Dec 5, 2025

Codecov Report

❌ Patch coverage is 69.81132% with 16 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
pkg/webhook/webhook.go 46.66% 12 Missing and 4 partials ⚠️


Wei Weng added 5 commits December 8, 2025 15:27
Signed-off-by: Wei Weng <Wei.Weng@microsoft.com>
Signed-off-by: Wei Weng <Wei.Weng@microsoft.com>
Signed-off-by: Wei Weng <Wei.Weng@microsoft.com>
Signed-off-by: Wei Weng <Wei.Weng@microsoft.com>
Signed-off-by: Wei Weng <Wei.Weng@microsoft.com>
@weng271190436 weng271190436 force-pushed the weiweng/enable-ha-hub-agents branch from 177d5a7 to 69ab42b Compare December 8, 2025 15:58