remove not required insecureSkipTLSVerify #564

eumel8 · 2023-11-15T22:23:58Z

As mentioned here and discussed here the setting of insecureSkipTLSVerify in apiservice.apiregistration.k8s.io will disturb CI/CD pipelines like ArgoCD or, just in our case, Fleet. The adding of caBundle will remove insecureSkipTLSVerify automatically in the cluster. Fleet will state in "modified" instead of "active". Removing this field in Helm solves the issue.

Checklist

I have verified that my change is according to the deprecations & breaking changes policy
Commits are signed with Developer Certificate of Origin (DCO - learn more)
README is updated with new configuration values (if applicable) learn more
A PR is opened to update KEDA core (repo) (if applicable, ie. when deployment manifests are modified)

Fixes kedacore/keda#4732

hint: Helm has also this genCa function to generate certificate

Signed-off-by: Frank Kloeker <f.kloeker@telekom.de>

JorTurFer · 2023-11-21T11:26:58Z

Hello,
We have to merge this in next versions, but currently the reason for having the field is to enforce the false value because cert-controller doesn't remove it when it sets the caBundle and it conflicts

JorTurFer · 2023-11-21T11:51:51Z

I think that we can merge this for next version if we can include this PR in KEDA code: open-policy-agent/cert-controller#160

BojanZelic · 2023-12-05T00:46:08Z

You can work around this in argocd by ignoring the field in the Application or ApplicationSet

example:

syncPolicy:
  syncOptions:
    - RespectIgnoreDifferences=true
ignoreDifferences:
  - group: apiregistration.k8s.io
    kind: APIService
    jqPathExpressions:
      - .spec.insecureSkipTLSVerify

JorTurFer · 2024-01-17T21:03:00Z

I think that it's time to merge this 😄
Thanks for your contribution! ❤️

Signed-off-by: Frank Kloeker <f.kloeker@telekom.de> Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

…uing KEDA TLS certificates (#530) * feat(keda): ✨ Allow providing own cert-manager issuer in TLS certificate Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * docs(keda): 📝 Generate Helm docs Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix(keda): 🐛 Inject CA from cert-manager Certificate when providing own Issuer Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * refactor(keda): ♻️ Refactor values format Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * revert(keda): ⏪ Revert unnecessary auto-formatting Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore: Improve the CI on PRs to be more efficient (#540) Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix(http-add-on): Refactor the chart for next version (#523) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat(add-on): Supporting streamInterval configuration (#541) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore(add-on): Ship Release 0.6.0 (#543) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore: update versions in README.md (#546) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat: update crd to allow vault secret to handle write operation (#548) Signed-off-by: Loïs Postula <lois@postu.la> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix the svc name of webhook to avoid breaking istio (#551) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Show only logs with a severity level of ERROR or higher in the stderr (#506) Signed-off-by: Adarsh-verma-14 <t_adarsh.verma@india.nec.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Support profiling for keda components (#549) Signed-off-by: yuval weber <yuval199985@gmail.com> Signed-off-by: unknown <yuval199985@gmail.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix TriggerAuthentication - added configuration for validation webhook (#553) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: Declare missing port in KEDA operator (#552) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Allow image registry override for all keda components (#557) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * docs: Clarify that contributors do not have to ship Helm chart (#573) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * add disable-compression arg for both operator and metrics-server (#554) Signed-off-by: Adarsh-verma-14 <t_adarsh.verma@india.nec.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat: Introduce CloudEventSources CRD and adding ClusterName parameter (#572) * Add CloudEventSources Crd and ClustetName Parameter Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update keda/values.yaml Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Fix Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> * Revert unnecessary update Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> --------- Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * store 2.12.1 package at `main` (#577) Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: restore http-add-on chart 0.6.0 indexing (#579) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix(add-on): Use 'main' tag for KEDA installation during CI (#582) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * set securityContext for http-add-on chart (#561) Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix http-add-on operator resources (#567) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix http-add-on verbosity configuration (#568) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore: Adjust RBAC with code (#585) * chore: Adjust RBAC with code Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> * fix typo Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> --------- Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: Don't recreate CA with 8 months until it expires (#586) Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * feat(ClusterRole): Add RBAC rule to allow access to `LimitRange` (#588) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * remove not required insecureSkipTLSVerify (#564) Signed-off-by: Frank Kloeker <f.kloeker@telekom.de> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Update templates/webhooks deployment (#590) Align deployment for extraVolumes and extraVolumesMount for fix problem Error: YAML parse error on keda/templates/webhooks/deployment.yaml: error converting YAML to JSON: yaml: line 96: did not find expected key Signed-off-by: ferndem <39851927+ferndem@users.noreply.github.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix Prometheus metrics handling for the operator. (#555) The current state of the Helm chart is slightly confusing, because: - There's no easy way to really disable prometheus metrics -- `--enable-prometheus-metrics` defaults to true anthe current code either emits `--enable-prometheus-metrics=true` or nothing at all (making it `true` once again). - The `http` container port is actually a `metrics` port (by convention from .e.g. webhook), but is present regardless of whether Prometheus metrics are enabled or not. To make it less confusing, this PR proposes renaming it. Signed-off-by: Milan Plzik <milan.plzik@grafana.com> Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Fix Remove app.kubernetes.io/instance label in crd (#556) Signed-off-by: choisungwook <kgg1959@naver.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Support crd-specific annotations (#584) * support crd-specific annotations Signed-off-by: Adam Walford <adamw@speechmatics.com> * update readme Signed-off-by: Adam Walford <adamw@speechmatics.com> * update docs using helm-docs Signed-off-by: Adam Walford <adamw@speechmatics.com> --------- Signed-off-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Add ciliumnetworkpolicies (#558) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Add tlsConfig for ServiceMonitor (#591) Co-authored-by: guicholeo <leo.sanchez@resideo.com> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * Release 2.13.0 (#593) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * fix: Ship v2.13.1 with missing RoleBinding (#595) Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore(add-on): Apply HTTP Add-on changes on Helm chart (#598) Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * chore(add-on): Release v0.7.0 (#599) Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> * refactor: Unify cert-manager annotations Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> --------- Signed-off-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es> Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl> Signed-off-by: Loïs Postula <lois@postu.la> Signed-off-by: Adarsh-verma-14 <t_adarsh.verma@india.nec.com> Signed-off-by: yuval weber <yuval199985@gmail.com> Signed-off-by: unknown <yuval199985@gmail.com> Signed-off-by: SpiritZhou <iammrzhouzhenghan@gmail.com> Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com> Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Signed-off-by: Frank Kloeker <f.kloeker@telekom.de> Signed-off-by: ferndem <39851927+ferndem@users.noreply.github.com> Signed-off-by: Milan Plzik <milan.plzik@grafana.com> Signed-off-by: choisungwook <kgg1959@naver.com> Signed-off-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: Dmytro Kovalenko <zerodayyy@zerodayyy.xyz> Co-authored-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es> Co-authored-by: Loïs Postula <lois@postu.la> Co-authored-by: Roy Gao <137811914+congzhegao@users.noreply.github.com> Co-authored-by: Adarsh Verma <113962919+Adarsh-verma-14@users.noreply.github.com> Co-authored-by: yuval weber <yuval199985@gmail.com> Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com> Co-authored-by: Radek Fojtik <68660951+radekfojtik@users.noreply.github.com> Co-authored-by: Quentin Bisson <quentin.bisson@gmail.com> Co-authored-by: SpiritZhou <iammrzhouzhenghan@gmail.com> Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com> Co-authored-by: Frank Kloeker <eumel@arcor.de> Co-authored-by: Andrew <35912177+aballman@users.noreply.github.com> Co-authored-by: Bhargav Ravuri <bhargav.ravuri@infracloud.io> Co-authored-by: ferndem <39851927+ferndem@users.noreply.github.com> Co-authored-by: Milan Plžík <4592597+mplzik@users.noreply.github.com> Co-authored-by: choisungwook <sungwook0724@lguplus.co.kr> Co-authored-by: Adam Walford <34867732+awalford16@users.noreply.github.com> Co-authored-by: Adam Walford <adamw@speechmatics.com> Co-authored-by: guicholeo <leo.sanchez@resideo.com> Co-authored-by: Jan Wozniak <wozniak.jan@gmail.com>

remove not required insecureSkipTLSVerify

ec1196e

Signed-off-by: Frank Kloeker <f.kloeker@telekom.de>

eumel8 requested a review from a team as a code owner November 15, 2023 22:23

MonolithProjects mentioned this pull request Dec 14, 2023

feat: add ignore differences lablabs/terraform-aws-eks-keda#3

Closed

7 tasks

JorTurFer enabled auto-merge (squash) January 17, 2024 21:03

JorTurFer approved these changes Jan 17, 2024

View reviewed changes

JorTurFer merged commit 641f2b0 into kedacore:main Jan 17, 2024
37 checks passed

JorTurFer pushed a commit to guicholeo/keda that referenced this pull request Jan 18, 2024

remove not required insecureSkipTLSVerify (kedacore#564)

1e0a782

Signed-off-by: Frank Kloeker <f.kloeker@telekom.de> Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

JorTurFer mentioned this pull request Feb 7, 2024

fix: Ensure that insecureSkipTLSVerify is false before setting caBundle on APIService open-policy-agent/cert-controller#160

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

remove not required insecureSkipTLSVerify #564

remove not required insecureSkipTLSVerify #564

eumel8 commented Nov 15, 2023

JorTurFer commented Nov 21, 2023

JorTurFer commented Nov 21, 2023

BojanZelic commented Dec 5, 2023

JorTurFer commented Jan 17, 2024 •

edited

Loading

remove not required insecureSkipTLSVerify #564

remove not required insecureSkipTLSVerify #564

Conversation

eumel8 commented Nov 15, 2023

Checklist

JorTurFer commented Nov 21, 2023

JorTurFer commented Nov 21, 2023

BojanZelic commented Dec 5, 2023

JorTurFer commented Jan 17, 2024 • edited Loading

JorTurFer commented Jan 17, 2024 •

edited

Loading