add static resource controller #185
Conversation
openshift-ci-robot
requested review from
deads2k,
derekwaynecarr,
dgoodwin,
joelddiaz and
marun
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sjenning The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Still have some RBAC work to do. |
openshift-ci-robot
added
the
do-not-merge/hold
sjenning
force-pushed
the
add-pod-identity-assets-controller
branch
from
5bd7c8a
to
6626553
Compare
|
/retest |
|
@sjenning Is the |
|
@marun yes, the service-ca-signer is the CA that signs |
sjenning
force-pushed
the
add-pod-identity-assets-controller
branch
from
6626553
to
aca1181
Compare
|
/hold cancel no point since master is locked |
openshift-ci-robot
removed
the
do-not-merge/hold
|
Updates:
|
sjenning
force-pushed
the
add-pod-identity-assets-controller
branch
from
aca1181
to
7616916
Compare
| } | ||
|
|
||
| // ApplyMutatingWebhookConfiguration merges objectmeta, does not worry about anything else | ||
| func ApplyMutatingWebhookConfiguration(client admissionregistrationclientv1beta1.MutatingWebhookConfigurationsGetter, recorder events.Recorder, required *admissionregistrationv1beta1.MutatingWebhookConfiguration) (*admissionregistrationv1beta1.MutatingWebhookConfiguration, bool, error) { |
There was a problem hiding this comment.
As written, modification of the webhook config spec (e.g the url) by other actors will not prompt action by the operator. Is this intentional?
There was a problem hiding this comment.
Yes, this is true. It currently just ensures that the resource exists basically.
Since an outside controller injects the service-ca, we really can't use Generation as Deployments do to detect changes as external changes are expected.
I would like to check more here. I'll add a TODO.
There was a problem hiding this comment.
Please review the documentation for Apply{DaemonSet,Deployment}:
I think it makes sense to set the input spec hash as an annotation to enable detection of changes across operator releases.
Regarding the use of generation to detect changes made by other actors, you're right that it can't be used in the same manner as other apply methods due to the CA field being managed by service ca. Since this behavior depends on the service ca injection annotation, it should be possible to detect when to retain the CA field of the existing resource to avoid racing. At worst this implies a second operator-initiated update when the CA is changed by service ca (to pick up the generation). I think that's a small price to pay to ensure that the operator can maintain the intended spec.
cc: @deads2k
|
trying to explain why the |
sjenning
force-pushed
the
add-pod-identity-assets-controller
branch
from
7616916
to
8055a27
Compare
|
Weird, installed a new cluster and now I'm not seeing it. Added a proper fatal error to capture it though. |
sjenning
force-pushed
the
add-pod-identity-assets-controller
branch
from
8055a27
to
d097e71
Compare
|
flake https://bugzilla.redhat.com/show_bug.cgi?id=1817588 /test e2e-aws-upgrade |
|
ok, all tests are green. I've deployed a cluster with the release image from this PR and everything looks good. I'm going to lock this in and move on to adding the |
| err := r.ReconcileResources() | ||
| if err != nil { | ||
| r.logger.Errorf("reconciliation failed, retrying in %s", retryInterval.String()) | ||
| return reconcile.Result{RequeueAfter: retryInterval}, err |
There was a problem hiding this comment.
Why a static retry schedule instead of using the built-in exponential back-off?
| requestedDeployment := resourceread.ReadDeploymentV1OrDie(v410_00_assets.MustAsset("v4.1.0/aws-pod-identity-webhook/deployment.yaml")) | ||
| requestedDeployment.Spec.Template.Spec.Containers[0].Image = r.imagePullSpec | ||
| resultDeployment, modified, err := resourceapply.ApplyDeployment(r.clientset.AppsV1(), r.eventRecorder, requestedDeployment, r.deploymentGeneration, false) | ||
| r.deploymentGeneration = resultDeployment.Generation |
There was a problem hiding this comment.
Should we read and store the Generation field before checking whether an error ocorred?
|
changes carried on in #187 And linking back to unaddressed review #187 (comment) |
|
reopening as the new head of current development and to get a CI release image with these changes |
|
/test e2e-aws |
|
these CI release images get reclaimed quickly! /test e2e-aws |
|
@sjenning: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Begins implementing openshift/enhancements#260
This controller deploys the static and templated resources required for the AWS pod identity webhook.
The image pull spec is templated into the
Deploymentusing the envvar injected into the operator by the CVO and theservice-cais templated into theMutatingWebhookConfiguration.The controller reconciles the assets if they are changed and updates the
MutatingWebhookConfigurationand does a forced rollout of theDeploymentif theservice-carotates./cc @dgoodwin @joelddiaz @derekwaynecarr @marun @deads2k