✨ Registration-agent supports multiple bootstrapkubeconfigs.

[xuezhaojun]

Summary

Klusterlet supports configure multiple bootstrapkubeconfigs and switch when hub doesn't accpet it or failed to connect to a hub.

Special Notes:

• The feature is depends on the auto-approve enabled and configured.
• Currently, you can't rebootstrap or restart a agent by change the items in bootstrapkubeconfigs.
• The bootstrapkubeconfigs should use long-term credentials.

[qiujian16]

can we split this to two PRs. the first one only update the registration part.

[xuezhaojun]

can we split this to two PRs. the first one only update the registration part.

Yes, I have split the PR and now it only contains registration part.

[codecov]

Codecov Report

Attention: Patch coverage is 44.88189% with 140 lines in your changes missing coverage. Please review.

Project coverage is 62.12%. Comparing base (add5d45) to head (19f1f5c).
Report is 9 commits behind head on main.

Files	Patch %	Lines
pkg/registration/spoke/bootstrapkubeconfigs.go	0.00%	60 Missing ⚠️
pkg/registration/spoke/spokeagent.go	8.33%	44 Missing ⚠️
...ation/spoke/registration/hub_timeout_controller.go	40.74%	13 Missing and 3 partials ⚠️
...ration/spoke/registration/hub_accept_controller.go	26.31%	12 Missing and 2 partials ⚠️
pkg/registration/spoke/options.go	61.53%	5 Missing ⚠️
pkg/common/helpers/ssar.go	98.80%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #443      +/-   ##
==========================================
- Coverage   62.71%   62.12%   -0.59%     
==========================================
  Files         136      140       +4     
  Lines       11578    11728     +150     
==========================================
+ Hits         7261     7286      +25     
- Misses       3549     3670     +121     
- Partials      768      772       +4     

Flag	Coverage Δ
unit	62.12% <44.88%> (-0.59%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[qiujian16]

/approve

2 nit comment on test, but should not block merge. This is a good start. Great work!

[qiujian16]

do we have an existing assert that already cover this ?

[qiujian16]

do we have an existing helper that already did this?

[xuezhaojun]

I think you mean this function?

ocm/test/integration/registration/spokeagent_rebootstrap_test.go

Line 104 in add5d45

assertSuccessClusterBootstrap := func(testNamespace, managedClusterName, hubKubeconfigSecret string,

It's a closure function, and do multiple jobs in one function. The approveAndAcceptManagedCluster and assertManagedClusterSuccessfullyJoined is first and second parts from this function.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16, xuezhaojun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [qiujian16]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xuezhaojun]

/assign @zhujian7

[zhujian7]

Suggested change

	// 2. BootstrapKubeconfigSecret is the secret, a eventhandler will watch it, if the secret is changed, threbootstrap.
	// 2. BootstrapKubeconfigSecret is the secret, an event handler will watch it, if the secret is changed, then rebootstrap.

?

[xuezhaojun]

Good catch, fixed.

[zhujian7]

should we return the error here?

[xuezhaojun]

The controller will reconcile every minute, it could be a timer actually. whether reconcile again on the error case doesn't matter, we have a TODO to implement the timeout feature in leaseController later on.

[zhujian7]

@xuezhaojun great work!
/lgtm
/hold for other reviewers

[xuezhaojun]

@xuezhaojun great work! /lgtm /hold for other reviewers

@zhujian7 Thanks for the review! Code updated according to the comments, also need a /lgtm again.

[xuezhaojun]

/hold

[zhujian7]

I think we should have more UTs to cover #443 (comment)

[xuezhaojun]

I think we should have more UTs to cover #443 (comment)

The score doesn't perfectly reflect the coverage, we have many lines of uncovered code are imports or construction functions like:

func GetBootstrapSSARs() []authorizationv1.SelfSubjectAccessReview {
	var reviews []authorizationv1.SelfSubjectAccessReview
	clusterResource := authorizationv1.ResourceAttributes{
		Group:    "cluster.open-cluster-management.io",
		Resource: "managedclusters",
		// TODO: add the resourceName @xuezhaojun https://github.com/open-cluster-management-io/ocm/pull/443#discussion_r1609202000
	}
	reviews = append(reviews, generateSelfSubjectAccessReviews(clusterResource, "create", "get")...)

	certResource := authorizationv1.ResourceAttributes{
		Group:    "certificates.k8s.io",
		Resource: "certificatesigningrequests",
	}
	return append(reviews, generateSelfSubjectAccessReviews(certResource, "create", "get", "list", "watch")...)
}

And intergration-test also covers some logic of the controller at the high level.

[qiujian16]

/lgtm

[xuezhaojun]

/unhold