kube-apiserver doesn't expose the healthcheck via a dedicated
endpoint, instead relying on anonyomous-access being enabled. That
has previously forced us to enable the unauthenticated endpoint on
127.0.0.1:8080.
Instead we now run a small sidecar container, which
proxies /healthz and /readyz requests (only) adding appropriate
authentication using a client certificate.
This will also enable better load balancer checks in future, as these
have previously been hampered by the custom CA certificate.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
hack/update-expected.sh should ignore KOPSCONTROLLER_IMAGE when
regenerating the golden test outputs, just as it ignores the local
DNSCONTROLLER_IMAGE override.
There are a few env vars which are frequently set in development, but
should not be reflected in the tests. Clear them before generated the
expected output.
Justin SB
Peter Rifel
tanjunchen