⚠️ Remove the Secret's OwnerReferences before pivot #1411

Merged
merged 1 commit into from
Sep 12, 2019


tahsinrahman
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1404

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 10, 2019
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Sep 10, 2019
@tahsinrahman
Contributor Author

/cc @vincepri

@tahsinrahman tahsinrahman changed the title Remove the Secret's OwnerReferences before pivot ⚠️ Remove the Secret's OwnerReferences before pivot Sep 10, 2019
// Remove owner reference.
secret.SetOwnerReferences(nil)
// Remove owner reference only if they're part of our known APIGroup
for _, ownerRef := range secret.OwnerReferences {
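Review bot: On the `for _, ownerRef := range secret.OwnerReferences` loop, the comment says references are removed only when they belong to the known API group, so any reference outside that group is copied with the UID it had in the source cluster. That UID will not match an object in the target cluster, and the garbage collector there can treat the owner as missing. Either drop those references as well or state in the comment why keeping them is safe, and name the API group the check compares against.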
Member

If we remove the ownerReferences here, then the Secrets will be orphaned if the Cluster is deleted post pivot, since the Secrets are not adopted by the Cluster.

I'm wondering if we should also keep track of which secrets had ownerReferences, and set the proper ownerReferences after the Cluster has been migrated? @vincepri thoughts?

Member

Maybe we can do that instead, re-setting the owner references after being created, because I don't think they'll be actually reconciled after they're created. @tahsinrahman Do you think you could tackle that as part of the PR?

Contributor Author

Sure, I'll try!

Member

@vincepri vincepri left a comment

/approve
/assign @detiber

The last change seems to remove only UIDs; it should be OK to create the secrets with the same owners as before, given that these are pivoted last.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tahsinrahman, vincepri

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 12, 2019
@detiber
Member

detiber commented Sep 12, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 12, 2019
@k8s-ci-robot k8s-ci-robot merged commit 5cd7261 into kubernetes-sigs:master Sep 12, 2019
@jdef
Contributor

jdef commented Sep 19, 2019

This breaks pivot, which seemed to work just a few days ago:

F0919 14:52:43.716118   50979 alpha_phase_pivot.go:55] unable to pivot Cluster API Components: unable to pivot cluster API objects: Failed to move cluster: default/test1: failed to move Secrets for Cluster default/test1 to target cluster: failed to move Secret default/test1-ca: error copying Secret default/test1-ca to target cluster: error creating Secret default/test1-ca: Secret "test1-ca" is invalid: metadata.ownerReferences.uid: Invalid value: "": uid must not be empty
k --kubeconfig=/tmp/gcp-kubeconfig version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-09-03T18:55:44Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:05:50Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}

EDIT

in this case, the secret is owned by:

  - apiVersion: bootstrap.cluster.x-k8s.io/v1alpha2
    kind: KubeadmConfig
    name: test1-controlplane-0
    uid: 079cc1bc-7242-4dcc-8375-a401cc9ffa4d

which, in turn, is owned by the first control plane machine of the source cluster:

- apiVersion: bootstrap.cluster.x-k8s.io/v1alpha2
  kind: KubeadmConfig
  metadata:
    creationTimestamp: "2019-09-19T19:14:39Z"
    generation: 1
    name: test1-controlplane-0
    namespace: default
    ownerReferences:
    - apiVersion: cluster.x-k8s.io/v1alpha2
      kind: Machine
      name: test1-controlplane-0
      uid: e206438d-0dad-46d7-985d-2f940977ac05
    resourceVersion: "51174"
    selfLink: /apis/bootstrap.cluster.x-k8s.io/v1alpha2/namespaces/default/kubeadmconfigs/test1-controlplane-0
    uid: 079cc1bc-7242-4dcc-8375-a401cc9ffa4d

@ncdc
Contributor

ncdc commented Sep 19, 2019

@jdef would you mind filing an issue?

// Remove owner reference.
secret.SetOwnerReferences(nil)
// remove the UID from ownerReferences as it will be different across clusters
for i := 0; i < len(secret.OwnerReferences); i++ {
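Review bot: In the `for i := 0; i < len(secret.OwnerReferences); i++` loop, clearing the UID leaves an ownerReference that the API server rejects; the create fails with `metadata.ownerReferences.uid: Invalid value: "": uid must not be empty`. Look up each owner in the target cluster and set its new UID before creating the Secret, or drop the reference when the owner is not there yet and re-add it once the owner has been created.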
Member

@andrewsykim andrewsykim Sep 23, 2019

So I think this fails API validation here, because an ownerRef can't have an empty UID.
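
The approach raised earlier in this thread (re-setting owner references once the owners exist in the target cluster), sketched as an added Go example that is not the project's code. `OwnerRef`, `ownerKey` and `RemapOwnerRefs` are hypothetical names, and the target-cluster UID is a constructed value.

```go
package main

import "fmt"

// OwnerRef mirrors the four ownerReference fields shown in the thread.
type OwnerRef struct {
	APIVersion, Kind, Name, UID string
}

// ownerKey identifies an owner independently of its per-cluster UID.
type ownerKey struct{ APIVersion, Kind, Name string }

// RemapOwnerRefs rewrites refs for the target cluster. targetUIDs holds the
// UIDs of owners already created there. A reference whose owner is not in
// the target yet is returned in pending instead of being emitted with an
// empty UID, which the API server rejects ("uid must not be empty").
func RemapOwnerRefs(refs []OwnerRef, targetUIDs map[ownerKey]string) (remapped, pending []OwnerRef) {
	for _, ref := range refs {
		uid, ok := targetUIDs[ownerKey{ref.APIVersion, ref.Kind, ref.Name}]
		if !ok || uid == "" {
			pending = append(pending, ref)
			continue
		}
		ref.UID = uid // ref is a copy, so the source object is untouched
		remapped = append(remapped, ref)
	}
	return remapped, pending
}

func main() {
	// Constructed sample: the Secret's owner from the thread, plus a made-up
	// target-cluster UID for the same KubeadmConfig.
	src := []OwnerRef{{"bootstrap.cluster.x-k8s.io/v1alpha2", "KubeadmConfig",
		"test1-controlplane-0", "079cc1bc-7242-4dcc-8375-a401cc9ffa4d"}}
	target := map[ownerKey]string{
		{"bootstrap.cluster.x-k8s.io/v1alpha2", "KubeadmConfig", "test1-controlplane-0"}: "11111111-2222-3333-4444-555555555555",
	}
	remapped, pending := RemapOwnerRefs(src, target)
	fmt.Println("create with:", remapped, "retry later:", pending)

	_, pending = RemapOwnerRefs(src, nil) // owner not pivoted yet
	fmt.Println("retry later:", pending)
}
```
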

Successfully merging this pull request may close these issues.

Clusterctl should remove the Secret's OwnerReferences before pivot