🐛 avoid cluster auto approve failed occasionally

[skeeey]

Summary

Remove the accept cluster logic from the CSR controller, and put them in the managed cluster controller

Related issue(s)

Fixes #386

[skeeey]

/assign @qiujian16

[codecov]

Codecov Report

Attention: Patch coverage is 93.33333% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 61.54%. Comparing base (22501d8) to head (5c823d4).
Report is 1 commits behind head on main.

Files	Patch %	Lines
pkg/registration/hub/managedcluster/controller.go	93.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #388      +/-   ##
==========================================
+ Coverage   61.48%   61.54%   +0.06%     
==========================================
  Files         133      133              
  Lines       14087    14078       -9     
==========================================
+ Hits         8662     8665       +3     
+ Misses       4672     4664       -8     
+ Partials      753      749       -4     

Flag	Coverage Δ
unit	61.54% <93.33%> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[nirs]

How can I test this fix?

[nirs]

Mixing typos fixes with a real change make it harder to review and make it hard to maintain the code later. If you revert this fix because it caused a regression, we will lose also the typo fixes.

[skeeey]

good suggestion, I will drop the typos fixes in this pr

[nirs]

So if we have a CSR but we cannot find the managed cluster we queue the request and will check again after some delay?

I expect that if this reconciler depends on a CSR and ManagedCluster, it will watch both resources. If the ManagedCluster is missing, you can do nothing, and once the ManagedCluster appears, you can approve the CSR.

[qiujian16]

I think we should have a separated controller to accept the cluster. All a separated controller to watch both csr and cluster. Requeue here may cause an infinite loop here, and may block the normal renew process.

[skeeey]

I will use a separated controller to handle cluster, and make this csr controller only handle the CSR , this will be more clear

[nirs]

This warning will be useful!

[nirs]

Another typo that should not be part of this fix.

[qiujian16]

why need to requeue here?

[qiujian16]

I think we should have a separated controller to accept the cluster. All a separated controller to watch both csr and cluster. Requeue here may cause an infinite loop here, and may block the normal renew process.

[skeeey]

How can I test this fix?

If you want to test with this pr, you can use my pr's repo to build your own images, then use clusteradm init --image-registry to specify the images

[nirs]

If I understand this change correctly, the only task the managedCluster controller need to do is to set hubAcceptsClient to true once?

The CSR approval is not related to this and will work correctly even if the CSR is found before the managed cluster is created?

[nirs]

The comment does is not clear about the purpose of the annotation.

Based on the new test, we want to approve the cluster once on the first time we discover it, so the cluster admin can deny the cluster. This should be explained in the comment.

[skeeey]

I will update this make it more clear

[nirs]

This works but hard to read and error prone. Maybe use a raw string literal to avoid the extra " escapes?

patch := fmt.Sprintf(`{"metadata":{"annotations":{"%s":""}},"spec":{"hubAcceptsClient":true}}`)

We don't have a value for the annotation so we use an empty string - maybe we can add a timestamp as the value to have more context? or the name of the controller adding this annotation? This can make it easier to debug issues.

[skeeey]

agree, I think a timestamp may be more help

[nirs]

Based on this test, it seems that the purpose of the annotation is to approve the cluster automatically only once, so if the cluster is denied manually it will not approved automatically again. So the annotation can be renamed to "automatically-approved".

[skeeey]

may be used this annotation
open-cluster-management.io/automaticlly-accpected-by-managedclusterctrl=<the accept time with RFC3339>

[nirs]

This comment is not needed, the comment above can explain the cases we want to handle.

[skeeey]

removed

[skeeey]

If I understand this change correctly, the only task the managedCluster controller need to do is to set hubAcceptsClient to true once?

you are correct, the managedCluster controller only set hubAcceptsClient to true once

The CSR approval is not related to this and will work correctly even if the CSR is found before the managed cluster is created?

yes, with this, the CSR approval process and managed cluster accept process will be independent

[nirs]

Looks good, but the annotation can be nicer, see comment.

I tested the previous version, the original issue is fixed.

I can do more testing when the PR is ready for merge.

[nirs]

I'm not sure "by-managedclusterctrl" is helpful, since I don't know which pod is hosting the managed cluster controller. Maybe this is better done by using "open-cluster-management.io/automatically-accepted-by" annotation, and use json value:

{"namespace":"open-cluster-management-hub","deploy":"cluster-manager-registration-controller","time":"2024-04-02 19:32:25+03:00"}

But I'm not sure about this json value, it is pretty ugly. Maybe it is better to use more annotations instead:

$ kubectl get managedcluster/dr1 -n dr1 --context hub -o yaml
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
  annotations:
    open-cluster-management.io/automatically-accepted-on: "2024-04-02 19:32:25+03:00"
    open-cluster-management.io/controlled-by: "cluster-manager-registration-controller"
  creationTimestamp: "2024-04-02T16:30:29Z"
  finalizers:
  - open-cluster-management.io/managedclusterrole
  - managedclusterinfo.finalizers.open-cluster-management.io
  - cluster.open-cluster-management.io/api-resource-cleanup
  generation: 4
  labels:
    cluster.open-cluster-management.io/clusterset: default
    feature.open-cluster-management.io/addon-application-manager: available
    feature.open-cluster-management.io/addon-config-policy-controller: available
    feature.open-cluster-management.io/addon-governance-policy-framework: available
    feature.open-cluster-management.io/addon-work-manager: available
    name: dr1
  name: dr1
  resourceVersion: "1539"
  uid: 4c0e2a55-7907-4118-b67b-a3189285984b
  ...

Anyway, for this PR I think we can go with "automatically-accepted-on" and timestamp, and think more later how we make it easier to find the relevant controller for resources.

[skeeey]

yeah, let's go with "automatically-accepted-on" and timestamp firstly

[openshift-ci]

@nirs: changing LGTM is restricted to collaborators

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nirs, skeeey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/registration/OWNERS [skeeey]
• test/OWNERS [skeeey]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qiujian16]

nit: add some comment indicating this is an internal annotation, it is not to expected to be removed.

[skeeey]

added

[nirs]

I tested the latest version, 250 deploys succeeded.

During this run, found another clusteradm join issue: open-cluster-management-io/clusteradm#410

[qiujian16]

/lgtm