Bug 1764704: Sync router-ca to the console namespace #328
Conversation
|
@jhadvig: This pull request references Bugzilla bug 1764704, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/valid-bug
| { | ||
| name: api.RouterCAConfigMapName, | ||
| readOnly: true, | ||
| path: "/var/router-ca", |
There was a problem hiding this comment.
We need to set this as the oauthEndpointCAFile in the console config map.
There was a problem hiding this comment.
Should we conditionally fall back to the previous CA (not add this volume) if the router-ca does not exist for some reason?
There was a problem hiding this comment.
Like, if we hit FailedGet or MissingRouterCABundle on the RouterCAValidation check, can we still roll out a usable console.
|
@benjaminapetersen @spadgett comments addressed |
|
/retest |
1 similar comment
|
/retest |
/retest |
jhadvig
force-pushed
the
bz1764704
branch
2 times, most recently
from
f3bf5cf to
cb632ca
Compare
|
@benjaminapetersen updated the PR, with couple of nits I've found... PTAL |
| recorder events.Recorder | ||
| } | ||
|
|
||
| func NewResourceSyncController( |
There was a problem hiding this comment.
I may be inclined to use the previous name, or come up with something that isn't so similar to the resourcesynccontroller.NewResourceSyncController() in starter.go. This might get confusing later.
resourcesynccontroller.NewResourceSyncController() is responsible for grabbing source files from other namespaces and syncing them to destination files in our namespace.
This ctrl is currently tasked with maintaining these resources (delete mostly) based in management state.
|
|
||
| switch operatorConfig.Spec.ManagementState { | ||
| case operatorsv1.Managed: | ||
| klog.V(4).Infoln("console is in a managed state: syncing secrets and configmaps") |
There was a problem hiding this comment.
For now, we are only syncing the one, router-ca. Lets update the comment to this to ensure the logs are accurate. Perhaps we can comment on ResourceSyncController struct above indicating the future intent, that this ctrl could maintain all the boring resources like configmaps/secrets that just need to exist/not exist based on ManagementState.
| return okToMount, reason, err | ||
| } | ||
|
|
||
| func (c *consoleOperator) ValidateRouterCAConfigMap() (routerCA *corev1.ConfigMap, reason string, err error) { |
There was a problem hiding this comment.
Pondering if this can live in the new controller instead of adding it here.
There was a problem hiding this comment.
Ah, probably not now yet, as the actualDeployment, depChanged, depErrReason, depErr := co.SyncDeployment(set.Operator, cm, serviceCAConfigMap, routerCAConfigMap, trustedCAConfigMap, sec, rt, set.Proxy, customLogoCanMount) needs it. Future TODO: break that down into smaller bits.
pkg/console/starter/starter.go
Outdated
|
|
||
| // resourceSyncController contains additional locig for all the secrets and | ||
| // configmaps that we resourceSyncer is taking care of | ||
| resourceSyncController := resourcesync.NewResourceSyncController( |
There was a problem hiding this comment.
NIT: I still think we should pair up client-informer for related resources:
// operatorconfig
operatorConfigClient.OperatorV1().Consoles(),
operatorConfigInformers.Operator().V1().Consoles(),
// configmap
kubeClient.CoreV1(),
kubeInformersNamespaced.Core().V1().ConfigMaps(), There was a problem hiding this comment.
Dont have any any strong feelings against. Done it this way cause the controllers we started to create have the arguments structured in this way - clients | informers | ...
There was a problem hiding this comment.
I updated this recently:
https://github.com/openshift/console-operator/blob/master/pkg/console/starter/starter.go#L149 in #310.
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
@benjaminapetersen updated the PR with additional commit that is adding the fallback to the |
| // If the `router-ca` configmap in `openshift-console` exist we should mount that to the console container, | ||
| // otherwise default to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` | ||
| _, rcaErr := co.configMapClient.ConfigMaps(api.OpenShiftConsoleNamespace).Get(api.RouterCAConfigMapName, metav1.GetOptions{}) | ||
| if rcaErr != nil && apierrors.IsNotFound(rcaErr) { |
There was a problem hiding this comment.
what about other errors? this only covers 404.
There was a problem hiding this comment.
is there anything else that would matter?
There was a problem hiding this comment.
was thinking about it and wasn't really sure if any other errors should matter in this context... saying that not really sure what should be the reason and type of the created condition, if there will be other error type... also if it makes sense to even create one in this case...
There was a problem hiding this comment.
Maybe we should just add a log and call it good:
if rcaErr != nil {
klog.V(4).Infof("router-ca GET error: %s",rcaErr)
}Agree with you, probably doesn't matter, unless there is some funny state we aren't thinking about. But a 4+ log level dumping some detail may be helpful.
| clientSecretFilePath = "/var/oauth-config/clientSecret" | ||
| oauthEndpointCAFilePath = "/var/router-ca/ca-bundle.crt" | ||
| clientSecretFilePath = "/var/oauth-config/clientSecret" | ||
| oauthEndpointCAFilePath = "/var/router-ca/ca-bundle.crt" |
There was a problem hiding this comment.
Lets fix the name here as well, routerCAFIlePath vs oauthEndpointCAFilePath.
oauthEndpointCAFilePath and defaultOAuthEndpointCAFilePath sound like the same thing.
There was a problem hiding this comment.
yeah, probably it will be better to give the true names with an additional comment
| statusPageID string | ||
| customProductName string | ||
| customLogoFile string | ||
| routerCA string |
There was a problem hiding this comment.
This property should prob be generically CAFile, as it may be the router-CA, or it may not. The if check below decides which.
jhadvig
left a comment
jhadvig
left a comment
There was a problem hiding this comment.
@benjaminapetersen comments addressed.
Wasn't really sure if it make sense to have report and condition here since if there is not the router-ca than we have a valid fallback...
PTAL
| "github.com/openshift/console-operator/pkg/console/operator" | ||
| "github.com/openshift/console-operator/pkg/console/starter" | ||
| "github.com/openshift/console-operator/pkg/console/subresource/configmap" | ||
| "github.com/openshift/console-operator/pkg/console/subresource/consoleserver" |
There was a problem hiding this comment.
It appears we have been missing this pkg in our unit tests
There was a problem hiding this comment.
Not ideal to have to manually add these eh? Prob should update this script to loop the directory instead, but looks good for now.
|
|
||
| func (b *ConsoleServerCLIConfigBuilder) authServer() Auth { | ||
| // we need this fallback due to the way our unit test are structured, | ||
| // where the ConsoleServerCLIConfigBuilder object is being instantiated empty |
There was a problem hiding this comment.
not a bad thing I thing... It's good to have a fallback here...
There was a problem hiding this comment.
It can't function correctly without one or the other, correct? Is it just because of unit test structure, or is the config broken without an entry?
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
| clientID: console | ||
| clientSecretFile: /var/oauth-config/clientSecret | ||
| oauthEndpointCAFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | ||
| oauthEndpointCAFile: /var/router-ca/ca-bundle.crt |
There was a problem hiding this comment.
I think we may want to add 2 new tests here:
name: "Test configmap with router-ca",
name: "Test configmap without router-ca",
Probably can duplicate the test name: "Test default configmap, no customization", and just swap the bool & output. This would make it explicit.
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: benjaminapetersen, jhadvig The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest |
|
@jhadvig: All pull requests linked via external trackers have merged. Bugzilla bug 1764704 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
5 participants
Syncing the
router-cafromopenshift-config-managednamespace toopenshift-consolenamespace and pasing to theconsoledeployment.Will update the unit tests after the first round of review to avoid unnecessary rewrites.
/assign @benjaminapetersen