
Bug 1765294: Use OwnerRefs to clean up SA pull secrets#61

Merged
openshift-merge-robot merged 1 commit into openshift:master from adambkaplan:pull-secret-use-ownerrefs
Feb 25, 2020

Conversation

@adambkaplan
Contributor

Update the service account pull secret controller to add owner
references to generated pull secrets. This ensures pull secrets are
deleted when the associated token is deleted.

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jan 29, 2020
@openshift-ci-robot
Contributor

@adambkaplan: This pull request references Bugzilla bug 1765294, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 29, 2020
@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan adambkaplan force-pushed the pull-secret-use-ownerrefs branch from 42b2649 to 3d24283 Compare January 30, 2020 14:05
@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan adambkaplan changed the title WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets Bug 1765294: Use OwnerRefs to clean up SA pull secrets Jan 30, 2020
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 30, 2020
@adambkaplan
Contributor Author

/assign @bparees

/cc @smarterclayton @dmage

```go
				Name: tokenSecret.Name,
				UID:  tokenSecret.UID,
			},
		})
```
Contributor


@deads2k are you aware of any reason we wouldn't want to have ownerrefs between the dockercfg secret and the token secret? I'm sure we didn't do it originally because ownerrefs didn't exist, but now that they do can we just lifecycle the dockercfg secret w/ the tokensecret? (modulo migration concerns)

Comment thread pkg/serviceaccounts/controllers/pull_secrets.go Outdated
Comment thread pkg/serviceaccounts/controllers/create_dockercfg_secrets.go Outdated
@bparees
Contributor

bparees commented Jan 30, 2020

lgtm assuming @deads2k doesn't have a reason why it's not ok to use GC here.

@adambkaplan adambkaplan force-pushed the pull-secret-use-ownerrefs branch from 7455a42 to 13b5462 Compare January 30, 2020 20:44
Comment thread pkg/serviceaccounts/controllers/pull_secrets.go Outdated
@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan
Contributor Author

/retest

@adambkaplan
Contributor Author

/retest

@adambkaplan
Contributor Author

/retest

I suspect the errors in e2e-aws-builds are real and need to be investigated further.

@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan adambkaplan force-pushed the pull-secret-use-ownerrefs branch from 5395f2b to 938624a Compare February 11, 2020 14:02
@adambkaplan
Contributor Author

@bparees @deads2k this is ready for final review

@bparees
Contributor

bparees commented Feb 11, 2020

my review stands:
lgtm assuming @deads2k doesn't have a reason why it's not ok to use GC here.

@adambkaplan
Contributor Author

/retest

ping @deads2k per #61 (comment)


```go
// hasOwnerReference checks if the given tokenSecret is the owner of the provided pullSecret
func hasOwnerReference(tokenSecret, pullSecret *v1.Secret) bool {
	for _, owner := range pullSecret.OwnerReferences {
```
Contributor


I think there is an upstream helper that does this in a generic way.

Contributor Author


@mfojtik I found the functions in https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/controller_ref.go. Works -ish - I need to set blockOwnerDeletion to false, otherwise I need additional RBAC permissions.

@adambkaplan adambkaplan changed the title Bug 1765294: Use OwnerRefs to clean up SA pull secrets WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets Feb 20, 2020
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 20, 2020
@adambkaplan
Contributor Author

/retest

Update the service account pull secret controller to add owner
references to generated pull secrets. This ensures pull secrets are
deleted when the associated token is deleted.
@adambkaplan adambkaplan force-pushed the pull-secret-use-ownerrefs branch from 1c3dff5 to 2d3371c Compare February 24, 2020 13:54
@adambkaplan adambkaplan changed the title WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets Bug 1765294: Use OwnerRefs to clean up SA pull secrets Feb 24, 2020
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 24, 2020
Contributor Author

@adambkaplan adambkaplan left a comment


@bparees @mfojtik updated to use the upstream ControllerRef methods.

I spoke with @deads2k last week on potential risks - no immediate red flags, though he did caution "if this breaks, you own it."
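The owner-reference lifecycle this PR relies on, as an added example that is not the PR's or apimachinery's code: the types and helpers below are minimal local stand-ins for metav1.OwnerReference, NewControllerRef and IsControlledBy, assumed to follow upstream's UID-based matching, and the garbage-collector pass is a simplified model.

```go
package main

// Added example, not the PR's code: minimal mirrors of the apimachinery types
// and helpers the review refers to (metav1.OwnerReference, NewControllerRef,
// IsControlledBy). The semantics are assumed to match upstream's UID matching.
type OwnerReference struct {
	APIVersion, Kind, Name, UID    string
	Controller, BlockOwnerDeletion *bool
}
type Secret struct {
	Name, UID       string
	OwnerReferences []OwnerReference
}

func boolPtr(b bool) *bool { return &b }

// newTokenOwnerRef is the reference the pull-secret controller attaches.
// BlockOwnerDeletion stays false: true requires update permission on the owner's
// finalizers subresource under OwnerReferencesPermissionEnforcement (the extra RBAC).
func newTokenOwnerRef(token *Secret) OwnerReference {
	return OwnerReference{APIVersion: "v1", Kind: "Secret",
		Name: token.Name, UID: token.UID,
		Controller: boolPtr(true), BlockOwnerDeletion: boolPtr(false)}
}

// isControlledBy mirrors metav1.IsControlledBy: the match is on UID, so a token
// secret recreated under the same name does not own the old pull secret.
func isControlledBy(obj, owner *Secret) bool {
	for _, ref := range obj.OwnerReferences {
		if ref.Controller != nil && *ref.Controller && ref.UID == owner.UID {
			return true
		}
	}
	return false
}

// collectOrphans models the garbage collector pass: a dependent whose owner UID
// is no longer live is removed. It returns the names of the removed secrets.
func collectOrphans(live map[string]*Secret) []string {
	var removed []string
	for uid, s := range live {
		for _, ref := range s.OwnerReferences {
			if _, ok := live[ref.UID]; !ok {
				removed = append(removed, s.Name)
				delete(live, uid)
				break
			}
		}
	}
	return removed
}
```

The secret names and UIDs used to exercise it are constructed sample values.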

@adambkaplan
Contributor Author

/retest

AWS rate limit issues

@bparees
Contributor

bparees commented Feb 25, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2020
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, bparees

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [adambkaplan,bparees]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 5306fa2 into openshift:master Feb 25, 2020
@openshift-ci-robot
Contributor

@adambkaplan: All pull requests linked via external trackers have merged. Bugzilla bug 1765294 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1765294: Use OwnerRefs to clean up SA pull secrets

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@adambkaplan
Contributor Author

/cherrypick release-4.4

/cherrypick release-4.3

@openshift-cherrypick-robot

@adambkaplan: new pull request created: #67

Details

In response to this:

/cherrypick release-4.4

/cherrypick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@adambkaplan
Contributor Author

/cherrypick release-4.3

@openshift-cherrypick-robot

@adambkaplan: new pull request created: #68

Details

In response to this:

/cherrypick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
