make TSB run separately in oc cluster up #15677
Conversation
openshift-merge-robot
added
the
size/XL
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
approved
openshift-merge-robot
removed
the
needs-rebase
| examples/service-catalog/... \ | ||
| pkg/image/admission/imagepolicy/api/v1/... | ||
| pkg/image/admission/imagepolicy/api/v1/... \ | ||
| test/testdata/templateservicebroker/... |
There was a problem hiding this comment.
wonder whether this should be examples/templateservicebroker
There was a problem hiding this comment.
wonder whether this should be examples/templateservicebroker
We're going to need it to update the e2e tests to create based on the template.
There was a problem hiding this comment.
hack/update-generated-bindata.sh already pulls from many locations in examples for extended tests, a new one would need to be added, that's all
| } | ||
|
|
||
| // Wait for the apiserver endpoint to become available | ||
| err = wait.Poll(5*time.Second, 600*time.Second, func() (bool, error) { |
There was a problem hiding this comment.
@csrwng ptal - wonder if we should wait here or whether this should go in oc cluster status? Also whether a /healthz should be used instead, if it exists, that is
There was a problem hiding this comment.
Also whether a /healthz should be used instead, if it exists, that is
You're not guaranteed to have access to the service network, right? If we get the healthcheck right (TODO in the template I guess), then this does what we want.
There was a problem hiding this comment.
true; I think that for better or worse, in general oc cluster up doesn't wait for things to be ready before returning. I think the API aggregator may be the single exception
There was a problem hiding this comment.
@jim-minter @deads2k if the web console is unusable before this starts then yes, I agree, it makes sense to wait here.
There was a problem hiding this comment.
@jim-minter @deads2k if the web console is unusable before this starts then yes, I agree, it makes sense to wait here.
@csrwng it looks to be a pre-existing problem. oc cluster up doesn't wait for the broker.servicecatalog/status to be ready before finishing. For some reason, that takes quite a while (long after the TSB is running).
There was a problem hiding this comment.
oc cluster up (today) waits for the SC api to be available because it has to register the TSB with the SC before it can proceed. If you're saying that the api becomes available before the service catalog actually considers itself ready (and that the SC isn't ready until significantly later) that's news to me, i've never seen an issue doing oc cluster up and then going straight to the web console.
There was a problem hiding this comment.
If you're saying that the api becomes available before the service catalog actually considers itself ready (and that the SC isn't ready until significantly later) that's news to me, i've never seen an issue doing oc cluster up and then going straight to the web console.
Takes maybe 15 seconds. The service catalog is running, but the service catalog hasn't filled in any status (good or bad) on the broker resource.
There was a problem hiding this comment.
by broker resource you mean the TSB broker resource in particular? ie we've created the TSB broker resource object (registered the TSB w/ the SC) but the SC hasn't updated the status to indicate it has successfully imported the TSB's catalog?
If so my guess is we're in the following flow:
- SC has come up
- TSB is registered but auth is not dropped yet
- SC tries to call the TSB to get the catalog, can't (due to lack of auth)
- SC enters some sort of backoff/retry loop for (3) (no idea what the interval is)
- you drop auth
- SC eventually retries and gets the catalog
If so, i guess that would imply a couple things:
- once the SC supports auth the problem mostly goes away
- the SC should be updating the broker resource w/ some sort of status while its failing to reach the TSB due to auth errors
There was a problem hiding this comment.
If so my guess is we're in the following flow:
Sounds probable. I'm going to leave this as-is for now then.
There was a problem hiding this comment.
@pmorie should be able to 1) confirm my suspicions and 2) clarify what the retry interval is and why the status isn't updated while it's retrying.
pkg/oc/bootstrap/docker/up.go
Outdated
|
|
||
| // Install template service broker | ||
| c.addTask(conditionalTask("Installing template service broker", c.InstallTemplateServiceBroker, func() bool { | ||
| return c.ShouldInstallServiceCatalog |
There was a problem hiding this comment.
typo? is useTemplateServiceBroker used?
There was a problem hiding this comment.
typo? is useTemplateServiceBroker used?
I'll move it.
| parameters: | ||
| - name: IMAGE | ||
| value: openshift/origin:latest | ||
| - name: TSB_TEMPLATE_NAMESPACE |
There was a problem hiding this comment.
TSB_TEMPLATE_NAMESPACES plural?
There was a problem hiding this comment.
TSB_TEMPLATE_NAMESPACES plural?
It's a weird thing. I don't know how to plumb this through with a template to the arg. I'm going to talk with @sdodson about how we want to handle config long term. Can I carry it as-is for now knowing it won't survive contact with ansible?
| name: template-service-broker | ||
| parameters: | ||
| - name: IMAGE | ||
| value: openshift/origin:latest |
There was a problem hiding this comment.
worried about the how this gets productised (something I know nothing about) - is it down to ansible and oc cluster up to handle setting this according to the version and handling upgrade? presumably oc cluster up should be setting this then?
There was a problem hiding this comment.
worried about the how this gets productised (something I know nothing about) - is it down to ansible and oc cluster up to handle setting this according to the version and handling upgrade? presumably oc cluster up should be setting this then?
Yes, but I have to work with @sdodson on whether and how to handle the image bits.
| name: apiserver | ||
| labels: | ||
| apiserver: "true" | ||
| spec: |
There was a problem hiding this comment.
parameterised nodeselector needed?
There was a problem hiding this comment.
parameterised nodeselector needed?
I think I'd leave it to be controlled by the namespace annotations to avoid being prescriptive about deployment topology.
| } | ||
|
|
||
| // create the actual resources required | ||
| if err = instantiateTemplate(osClient, clientcmd.ResourceMapper(f), tsbNamespace, tsbTemplateName, tsbNamespace, nil, true); err != nil { |
There was a problem hiding this comment.
Think parameter IMAGE should be being set here
There was a problem hiding this comment.
Think parameter IMAGE should be being set here
Ok. I spoke with @bparees and he's ok with versioning gating all of service-catalog on 3.7 (no longer allow 3.6), so I think I can do that.
openshift-merge-robot
added
size/L
|
Comments addressed and rebased on the latest master. @jim-minter ptal |
| imageTemplate.Latest = false | ||
|
|
||
| if err = instantiateTemplate(osClient, clientcmd.ResourceMapper(f), tsbNamespace, tsbTemplateName, tsbNamespace, map[string]string{ | ||
| "IMAGE": imageTemplate.ExpandOrDie(""), |
There was a problem hiding this comment.
image format used here.
|
|
||
| // service catalog requires the TSB, which requires 3.7 | ||
| serverVersion, _ := c.OpenShiftHelper().ServerPrereleaseVersion() | ||
| if serverVersion.LT(openshiftVersion37) { |
There was a problem hiding this comment.
Does this prevent someone instantiating a 3.6 server + SC using a latest origin oc client? In theory the idea is that this should be possible.
There was a problem hiding this comment.
it does. After much discussion between @deads2k and I, this is the path of least resistance. It's not ideal but we're not going to lose too much sleep over it given the tech preview nature of the SC in 3.6.
If you're using the latest(3.7) oc client binary and you want to use the SC/TSB with cluster up, you will need to also use the latest (3.7) images.
| // special case for someone who is building a local image using commits based on 3.6.0.alpha2. They most likely | ||
| // have the necessary changes. | ||
| if serverVersion.EQ(openshiftVersion36alpha2) && (serverVersion.String() != openshiftVersion36alpha2.String()) { | ||
| if c.ImageVersion == "latest" { |
There was a problem hiding this comment.
I special cased --version=latest since that should be latest.
There was a problem hiding this comment.
we don't know what "openshift/origin:latest" is on their local machine so i think you still need to check the server version. passing "--version=latest" to oc cluster up does not enforce a pullalways behavior.
There was a problem hiding this comment.
we don't know what "openshift/origin:latest" is on their local machine so i think you still need to check the server version. passing "--version=latest" to oc cluster up does not enforce a pullalways behavior.
That would block this pull on a new tag to be able to better handle cases where someone built the latest oc from source, did not build the images, did not pull new images, and ran with --service-catalog=true. Would you rather block on on that edge or merge this (which will work for most sane cases against head) and take a TODO?
| } | ||
| // TODO we want to use this eventually, but until we have our own image for TSB, we have to hardcode this origin | ||
| //return c.OpenShiftHelper().InstallTemplateServiceBroker(f, c.imageFormat()) | ||
| return c.OpenShiftHelper().InstallTemplateServiceBroker(f, c.Image) |
There was a problem hiding this comment.
@jim-minter I had to hardcode the image format to be our base image. See the comment above.
|
/retest |
|
@bparees can you confirm lgtm-ness here |
|
lgtm (i am not /lgtm'ing any of these PRs because i don't know what order you're trying to merge things in) |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/retest |
|
/test end_to_end |
|
Rechecking the cluster up test. Nothing else I have conflicts. letting this in without retest. |
|
/test extended_conformance_install_update |
|
/retest |
|
Automatic merge from submit-queue |
5 participants
This combines several other pulls together to make the TSB run separately in cluster-up. I tested it locally via the admin console.