mirror of
https://github.com/outbackdingo/cozystack.git
synced 2026-01-27 18:18:41 +00:00
5acf62824a
## What this PR does Since 0.37, many requests to the k8s API now go through a mutating webhook (lineage-controller-webhook). Since the lineage webhook makes multiple requests to the k8s API and, indirectly, to the Cozystack API server, each request for, e.g., creating a secret now causes a lot of chatter between the webhook, the k8s API, and the Cozystack API. When this happens cross-node or, worse yet, cross-zone, this can blow up the latency for simple requests. ### BREAKING CHANGES This patch changes the Cozystack API to a DaemonSet targetting controlplane nodes, configures its service for an `Local` internal traffic policy and adds environment variables indicating that the k8s API server is to be found at \<hostIP\>:6443, **not only for the Cozystack API, but also for the lineage-controller-webhook.** This is a valid configuration in most scenarios, including the default installation method on top of Talos Linux in Cozystack, however, if this is not valid in your environment, you must now set the values `.lineageControllerWebhook.localK8sAPIEndpoint.enabled` and `.cozystackAPI.localK8sAPIEndpoint.enabled` to `false` in the respective system Helm releases. ### Release note ```release-note [api,lineage] Configure all chatter between the Lineage webhook, the Cozystack API server and the Kubernetes API server to be confined to a single controlplane node, improving k8s API latency. ``` <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Optional local Kubernetes API endpoint mode with configurable topology (DaemonSet vs Deployment), replica setting, service behavior, and node scheduling. * Certificate lifecycle managed via cert-manager with namespace-scoped issuers and certificates; secret-backed TLS assets with restricted permissions. * Controller runtime flag to select API workload kind; webhook can optionally target local API host/port. * **Security** * Enforced TLS verification using cert-manager CA injection; removed insecure TLS-skip behavior. * **Permissions** * Controller role expanded to allow daemonset management. <!-- end of auto-generated comment: release notes by coderabbit.ai -->