Refactor controller initialization (part 2)

[mfojtik]

This is a follow up what started in #13996 and is tracked here: https://trello.com/c/ZtOfFpFz/907-5-use-kubernetes-controller-roles

In a nutshell:

• We are switching to upstream RBAC roles for upstream controllers (should be already done)
• We are switching to new initialization of origin controllers (this PR)

[mfojtik]

@enj @sttts attempt to fix the serviceaccount controllers... basically I created "pre" group for them and start them before we run kubernetes controllers. To make it work, I added RootClientBuilder into ControllerContext only for the pre-initialization (actually only serviceaccount-tokens controllers use it). For other origin controllers I erase that field so they don't accidentialy use it.

@deads2k if we go this path, I think we should move the loop where we start the controllers (initFn) into controllers.go as we duplicate the code between pre-initialization and initialization ;-)

[mfojtik]

@deads2k copied from kube, i guess this will make better experience for people writing the rules? ;-)

[sttts]

Aren't that accessible constants in kube? If not, maybe they should be public.

[mfojtik]

they are but i was going to avoid importing the upstream bootstrap package just to get them.

[sttts]

We need the same for auditing. So we probably make them available in k8s.io/apiserver/pkg/endpoints/request

[mfojtik]

@sttts i will go with TODO for now and once we have stable location we can import

[deads2k]

Also, we don't use the ReadWrite or Read variables in controller policy.

[mfojtik]

@deads2k wonder if we want/need this... this controller will use the RootClientBuilder which means privileged client will be used.

[mfojtik]

nuked this.

[mfojtik]

maybe deserve a better name?

[deads2k]

only the SA token controller needs to run first, right?

[mfojtik]

yeah, not sure about the serviceaccount controller (and pullsecrets/etc.) they ran first in old world.

[mfojtik]

@deads2k @sttts still valid comment?

[sttts]

Not sure. What does a blame say? Last rebase or ages ago?

[mfojtik]

@ncdc addded this in Nov/2016... if this refers to args options then maybe the comment is still valid.

[ncdc]

That was a comment that I was reacting to changes made between kube 1.4 and 1.5. It can be deleted.

[mfojtik]

@deads2k want confirm that returning true and error here is ok.

[sttts]

A godoc wouldn't harm. It's not obvious what the bool means.

[mfojtik]

will come soon

[mfojtik]

ignore this pathetic attempt to imitate kube messages ;-)

[sttts]

lower case errors

[sttts]

twice the same import?

[deads2k]

We don't use these in the controller_policy upstream. Mutation is rarely uniform in the controllers and the powers are subtly different. Update can require knowledge of resourceversion, patch doesn't. Delete requires knowledge of names, deletecollection does not.

[mfojtik]

@deads2k i knew you will not like it... i realized that those rules are too broad for controllers where we know what controllers can/cannot do.

[deads2k]

this one ought not require pre-init

[deads2k]

this one doesn't need to be pre-init

[deads2k]

I would try to wire this down separately into the init function when you create the struct the init function lives on. It's not a preferred means of creating the init function (makes it harder to read), but we really don't want this escaping

[mfojtik]

i can wire this from MasterConfig I believe and pass it in the struct.

[deads2k]

if we have nothing in here, don't have the struct. Just a bare function.

[deads2k]

return false, nil. returning an error will fatal the process.

[mfojtik]

so use glog?

[deads2k]

so use glog?

You can if you like. The caller actually drops a message in the log saying its skipping it.

[deads2k]

Running only one worker is a little weird.

[deads2k]

I like this. Much cleaner than what we had before.

[deads2k]

return false, nil. The bool indicates that this controller was enabled, the error means we couldn't start the controller when we were supposed to. So returning false without an error means "skipped" and return an error means, "couldn't fullfill intent, crashloop."

[deads2k]

I see this as outstanding.

[deads2k]

this one is correct.

[deads2k]

Only the CA file contents please. []byte

[deads2k]

Only the CA file contents please. []byte

Reasoning: This should be a runtime optimized config, so content instead of file reference (which is easier for a user) and this controller only needs to know the non-secret information. If we ever separate out these controllers, it doesn't need the full config.

[deads2k]

I see this as still outstanding.

[deads2k]

no options, no struct.

[deads2k]

I think we can more or less hard code this one first, then start it directly. The others simply flow from it.

[deads2k]

why did this move?

[deads2k]

@mfojtik want to clean up what you have so far and merge it rather than growing bigger?

[mfojtik]

@deads2k just cleaning up and addressing comments... yeah I would prefer to add this in iteration to prevent rebasing hell.

[mfojtik]

@deads2k this was interrupted by #14321 (merge conflict)

@pweil- @jupierce @smarterclayton i would really like to merge this otherwise this will be a rebase hell once the dcut opens. This is improving security of the controllers (well previously there was no security...). Also I would like QA to spend time on running on this to capture bugs associated with new controller privileges.

[mfojtik]

flake is: #14208

[test]

[mfojtik]

flake : #14353

[mfojtik]

[test]

[mfojtik]

@smarterclayton seems like this is not broken after I rebased against the shared informers stuff... the serviceaccount-token controller is not creating tokens (seems like the informer is stuck or not started).

[smarterclayton]

Once the two controllers are started, we need to start the subset of Kube informers that control secrets and service accounts. See the old code, there's a massive comment right after the controller start

[mfojtik]

Once the two controllers are started, we need to start the subset of Kube informers that control secrets and service accounts. See the old code, there's a massive comment right after the controller start

@smarterclayton I saw that comment and I made sure we do start the kube informers right after the controller (serviceaccount-token) is started. That controller indeed starts and origin runs and I even see some tokens creates but there are no SA/secrets for new projects...

[mfojtik]

@smarterclayton hrm... this has to be a goroutine now.... a cost I pay for rebasing this without coffe.

[openshift-bot]

Evaluated for origin testextended up to f0d6e70

[mfojtik]

flake: #14122

[test]

[openshift-bot]

continuous-integration/openshift-jenkins/testextended FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/528/) (Base Commit: 375c727) (Extended Tests: core(builds))

[mfojtik]

[test] again

[mfojtik]

dockerhub flake (pulling centos...)

[test]

[openshift-bot]

Evaluated for origin test up to f0d6e70

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1889/) (Base Commit: 1bf8a17)

[mfojtik]

[merge] (lets see if the merge is open now ;-)

[mfojtik]

re- [merge]

[openshift-bot]

Evaluated for origin merge up to f0d6e70

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/892/) (Base Commit: 90592c5) (Image: devenv-rhel7_6300)