-
Notifications
You must be signed in to change notification settings - Fork 595
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tweaks to get tests to work with private registry #1870
Conversation
Signed-off-by: Doug Davis <dug@us.ibm.com>
test/common/creation.go
Outdated
} | ||
|
||
// CreateClusterRoleOrFail creates the given ClusterRole or fail the test if there is an error. | ||
func (client *Client) CreateClusterRoleOrFail(cr *rbacv1.ClusterRole) { | ||
crs := client.Kube.Kube.RbacV1().ClusterRoles() | ||
if _, err := crs.Create(cr); err != nil { | ||
client.T.Fatalf("Failed to create cluster role %q: %v", cr.Name, err) | ||
if !strings.Contains(err.Error(), "already exists") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you change these to use:
"k8s.io/apimachinery/pkg/api/errors"
and in particular IsNotFound()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was looking for that - thanks!
test/common/test_runner.go
Outdated
|
||
testSecret, _ := defSecI.Get(TestPullSecretName, metav1.GetOptions{}) | ||
|
||
// Check again. I've seen cases where it lies and if we need it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this seems odd, and is there a reason why you don't check the err returned? I'm not sure what you mean by "It" lies, are you saying above line returns nil, but the one below returns true?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No I mean that the apiserver will return nil+err even though the secret does exist. I can't explain why or how, but I ran into it often enough that I decided to just ask again to be sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@vagababov Have you seen something like this before? Seems b0rk3n?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really. What is the actual error you're getting? If I were to guess you got either network problem error (connection refused, dial timeout) or overload error from API server.
Which leads me to the main problem I see here: "never ignore errors".
Also, I'd highly recommend to switch to informers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the err that's returned?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me change the code to show the error (if I even get one) to see what's up.. But to add more intrigue, I've also seen cases like this....
I had this code:
if testSecret != nil {
// Found the secret, so now make a copy in our new namespace
newSecret, err := nsSecI.Create(
&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: testSecret.ObjectMeta.Name,
},
Data: testSecret.Data,
Type: testSecret.Type,
})
if err != nil {
t.Fatalf("TestSetup: Error copying the secret: %s", err)
}
Notice I would use the "name" from "testSecret", which should never be empty. Yet I would get this error:
test_runner.go:82: namespace is : "test-default-broker-with-many-deprecated-triggers" test_runner.go:168:
TestSetup: Error copying the secret: Secret "" is invalid: metadata.name: Required value: name or
generateName is required
I never saw this on my local testing, or IKS, only using Prow.
test/common/test_runner.go
Outdated
testSecret, _ = defSecI.Get(TestPullSecretName, metav1.GetOptions{}) | ||
} | ||
|
||
if testSecret != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function seems similar in description, yet it's different and I'm trying to understand why? :) Can this be hoisted into a separate function and reused instead of having two versions of it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
they are similar but different. This one only deals with the "default" SA and knows it can blindly copy the secret. Th other one deals with a new SA (so not "default") and needs to check to see if the secret already exists so it doesn't try to duplicate it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They both have the check and re-check (which I must say is extremely worrying and seems extremely flaky and a bug in the k8s if that's the case).
I think having a method that deals with copying the secret into the namespace would be good to hoist out, then rejiggering the ServiceAccount secret could be the only difference between the two if I understand correctly?
e40f7ff
to
6844dad
Compare
/test pull-knative-eventing-integration-tests |
Signed-off-by: Doug Davis <dug@us.ibm.com>
@vaikas-google are you ok with the general direction I went for the pull secrets? if so, I'd like to update the docs as part of this PR before it gets merged. |
test/common/test_runner.go
Outdated
testSecret, _ = defSecI.Get(TestPullSecretName, metav1.GetOptions{}) | ||
} | ||
|
||
if testSecret != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reverse the flow to be more go-style
if tS == nil { fail/return/break}
// normal code goes here unindented
0cb93f7
to
8280bfd
Compare
/hold until I do more testing |
So from the test logs it's indeed failing with 'not found': Where is this secret created, is there a race there somewhere? |
those logs were old - it shouldn't print that "not found" error in Prow. That should be fixed now, but I'm testing locally, where I do have the secret created, to see if it does the copy correctly. |
Signed-off-by: Doug Davis <dug@us.ibm.com>
test/common/test_runner.go
Outdated
|
||
// Just double checking | ||
if srcSecret == nil { | ||
return nil, fmt.Errorf("Error copying secret, it's nil w/o error") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no formatting errors.New
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
// it. | ||
// It'll either return a pointer to the new Secret or and error indicating | ||
// why it couldn't do it. | ||
func CopySecret(client *Client, srcNS string, srcSecretName string, tgtNS string, svcAccount string) (*corev1.Secret, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The function is inconsistent. Sometimes it calls Fatalf
sometimes returns errors (should always do second, though).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yep missed that - fixed
3f0d474
to
4a5b5fc
Compare
Signed-off-by: Doug Davis <dug@us.ibm.com>
/approve leaving lgtm for @vagababov in case he had anything else. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: duglin, vaikas-google The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, since you asked for a real review, I'll leave some obligatory nits :-)
test/common/test_runner.go
Outdated
@@ -17,6 +17,7 @@ limitations under the License. | |||
package common | |||
|
|||
import ( | |||
goerrs "errors" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather we alias k8s package rather than built in, but 🤷♂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah I thought about that but decided to keep the amount of changes lower - but I'll do it
test/common/test_runner.go
Outdated
_, err = tgtNSSvcAccI.Patch(svcAccount, types.StrategicMergePatchType, | ||
[]byte(`{"imagePullSecrets":[{"name":"`+srcSecretName+`"}]}`)) | ||
if err != nil { | ||
return nil, fmt.Errorf("Patch failed on NS/SA (%s/%s): %s", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, fmt.Errorf("Patch failed on NS/SA (%s/%s): %s", | |
return nil, fmt.Errorf("patch failed on NS/SA (%s/%s): %s", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
test/common/test_runner.go
Outdated
// If the secret already exists then that's ok - some other test | ||
// must have created it | ||
if err != nil && !errors.IsAlreadyExists(err) { | ||
return nil, fmt.Errorf("Error copying the Secret: %s", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, fmt.Errorf("Error copying the Secret: %s", err) | |
return nil, fmt.Errorf("frror copying the Secret: %s", err) |
See: https://github.com/golang/go/wiki/CodeReviewComments#error-strings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'll go with error
instead of frror
:-)
test/common/test_runner.go
Outdated
|
||
// Just double checking | ||
if srcSecret == nil { | ||
return nil, goerrs.New("Error copying Secret, it's nil w/o error") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, goerrs.New("Error copying Secret, it's nil w/o error") | |
return nil, goerrs.New("error copying Secret, it's nil w/o error") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
test/common/test_runner.go
Outdated
// This is needed for cases where the images are in a private registry. | ||
_, err := CopySecret(client, "default", TestPullSecretName, namespace, "default") | ||
if err != nil && !errors.IsNotFound(err) { | ||
t.Fatalf("Error copying the secret into ns %q: %s", namespace, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
t.Fatalf("Error copying the secret into ns %q: %s", namespace, err) | |
t.Fatalf("error copying the secret into ns %q: %s", namespace, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
test/common/test_runner.go
Outdated
@@ -38,6 +40,8 @@ import ( | |||
_ "k8s.io/client-go/plugin/pkg/client/auth/oidc" | |||
) | |||
|
|||
var TestPullSecretName = "kn-eventing-test-pull-secret" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
var TestPullSecretName = "kn-eventing-test-pull-secret" | |
const TestPullSecretName = "kn-eventing-test-pull-secret" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Thanks.
Signed-off-by: Doug Davis <dug@us.ibm.com>
forgot to re-ping after my latest push. I think all comments are addressed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Not sure if you'll have to manually merge this change on master - #1898 /retest |
/retest |
1 similar comment
/retest |
Signed-off-by: Doug Davis dug@us.ibm.com
Proposed Changes
While trying to get the e2e tests to work with a private registry I had to make some "interesting"
choices. This PR isn't all of them, but they're most of the ones I can share at this time. They include:
default
namespace calledkn-eventing-test-pull-secret
when creating new namespaces and service accounts. Andif it exists, we will now inject that secret as an ImagePullSecret into the namespace's
default
service accounts, or the new service account.I'm not 100% sure these are the best solutions, but they at least worked for me. I'm open to
other ideas for how to get the PullSecret injected. If the PullSecret approach sounds out
I can then update the test docs to mention it.
Note - this does not get around #1862
Release Note