Unpack bundles#1215
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
openshift-ci-robot
added
the
size/XXL
njhale
force-pushed
the
unpack-bundles
branch
3 times, most recently
from
2fb8fc7 to
c5b3346
Compare
|
/retest |
2 similar comments
|
/retest |
|
/retest |
njhale
force-pushed
the
unpack-bundles
branch
2 times, most recently
from
84688ca to
fbeb16e
Compare
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
njhale
force-pushed
the
unpack-bundles
branch
2 times, most recently
from
1d56c78 to
68fe005
Compare
| } | ||
|
|
||
| func (c *configmapUnpacker) ensureRoleBinding(roleNamespace string) (roleBinding *rbacv1.RoleBinding, err error) { | ||
| fresh := &rbacv1.RoleBinding{ |
There was a problem hiding this comment.
shouldn't these ensured resources have some reasonable ownerrefs?
There was a problem hiding this comment.
Okay. I'll add ownerrefs in the direction of Role/RoleBindings/Jobs -> ConfigMap.
The ConfigMap itself is a bit more tricky since there can exist InstallPlans that effectively reference it across several namespaces. The sensible thing to me is to add an ownerref in the direction of ConfigMap -> CatalogSource, and then propagate an error condition on the BundleLookup if it's not present when ensuring the ConfigMap.
There was a problem hiding this comment.
there can exist InstallPlans that effectively reference it across several namespaces
Can you describe the case where this happens? Won't everything be scoped to one namespace?
Also - ownerrefs may not be needed at all if OLM will perform the cleanup (which might be nice for the rbac; it's not really needed after the job runs)
| Rules: []rbacv1.PolicyRule{rule}, | ||
| } | ||
| fresh.SetNamespace(configmapNamespace) | ||
| fresh.SetName(c.rbacName) |
There was a problem hiding this comment.
since this uses the rbacName set for the bundle unpacker, won't this cause an issue for multiple bundle unpacks in the same namespace at the same time? Shouldn't the role name be based on the configmapName in some way (or generated with labels/ownerrefs?)
There was a problem hiding this comment.
Instead of generating a role per bundle, we can aggregate rules on a single role that gets updated. This should shake out to be eventually consistent in the event of contention between concurrent bundle. It's simple enough to switch it over -- I'll do that.
There was a problem hiding this comment.
Just to clarify:
ResourceNames: []string{
configmapName,
},
with
fresh.SetName(c.rbacName)
and above, c.rbacName is set:
rbacName: "olm-bundle-unpacker",
won't this mean that the ResourceNames will be stomped over for this one Role if multiple bundles are unpacked in the same namespace?
just clarifying because I don't think the aggregation is really needed, I think we just need a role per configmap/job
There was a problem hiding this comment.
It should end up being a separate PolicyRule in the same Role.
|
|
||
| cond := result.GetCondition(operatorsv1alpha1.BundleLookupPending) | ||
| now := c.now() | ||
| if job == nil || len(job.Status.Conditions) == 0 || len(job.Status.Conditions) > 0 && job.Status.Conditions[0].Type != batchv1.JobComplete { |
There was a problem hiding this comment.
non-blocking: there may be some nice ways to clean this up a bit, e.g. job.Status.ConditionMatches(operatorsv1alpha1.BundleLookupPending, func(Condition) bool { } )
| } | ||
|
|
||
| func (c *configmapUnpacker) ensureRoleBinding(roleNamespace string) (roleBinding *rbacv1.RoleBinding, err error) { | ||
| fresh := &rbacv1.RoleBinding{ |
There was a problem hiding this comment.
there can exist InstallPlans that effectively reference it across several namespaces
Can you describe the case where this happens? Won't everything be scoped to one namespace?
Also - ownerrefs may not be needed at all if OLM will perform the cleanup (which might be nice for the rbac; it's not really needed after the job runs)
| } | ||
|
|
||
| func (g *NamespaceGeneration) AddPendingOperator(l LaunchBundleImageInfo) { | ||
| g.pendingOperators[l] = struct{}{} |
There was a problem hiding this comment.
Unless I'm missing it - this isn't adjusting the provided/required apis for the current generation?
| requiredAPIs: EmptyAPIMultiOwnerSet(), | ||
| uncheckedAPIs: EmptyAPISet(), | ||
| missingAPIs: EmptyAPIMultiOwnerSet(), | ||
| pendingOperators: BundleImageSet{}, |
There was a problem hiding this comment.
this file is missing tests for Add/Remove pending operators
| // add steps for any new bundle | ||
| if op.Bundle() != nil { | ||
| bundleSteps, err := NewStepResourceFromBundle(op.Bundle(), namespace, op.Replaces(), op.SourceInfo().Catalog.Name, op.SourceInfo().Catalog.Namespace) | ||
| if op.Bundle().BundlePath == "" { |
There was a problem hiding this comment.
double check - can op.Bundle() be nil?
| } | ||
| } | ||
|
|
||
| if op.Bundle().BundlePath != "" { |
There was a problem hiding this comment.
same - double check that op.Bundle() can't return nil
|
|
||
| // TODO: this may not actually be required if the requeue is done on the namespace rather than the installplan | ||
| // RequeueAfter requeues the resource in the set with the given name and namespace (just like Requeue), but only does so after duration has passed | ||
| func (r *ResourceQueueSet) RequeueAfter(namespace, name string, duration time.Duration) error { |
There was a problem hiding this comment.
I don't see this used anywhere?
| resolver := NewOperatorsV1alpha1Resolver(lister, clientFake, kClientFake) | ||
| querier := NewFakeSourceQuerier(map[CatalogKey][]*api.Bundle{catalog: tt.bundlesInCatalog}) | ||
| steps, subs, err := resolver.ResolveSteps(namespace, querier) | ||
| steps, _, subs, err := resolver.ResolveSteps(namespace, querier) |
There was a problem hiding this comment.
should have some tests that return bundle lookups, right?
|
/retest |
1 similar comment
|
/retest |
njhale
force-pushed
the
unpack-bundles
branch
3 times, most recently
from
75ef40c to
b4ec643
Compare
|
/retest |
| clientAttenuator *scoped.ClientAttenuator | ||
| serviceAccountQuerier *scoped.UserDefinedServiceAccountQuerier | ||
| bundleUnpacker bundle.Unpacker | ||
| configmapRegistryImage string |
There was a problem hiding this comment.
shouldn't this be "unpackerImage"?
| // fallback to csv parsing | ||
| if bundle.CsvJson == "" { | ||
| return nil, fmt.Errorf("couldn't parse bundle") | ||
| if bundle.GetBundlePath() != "" { |
There was a problem hiding this comment.
this doesn't seem like the right place - if we're falling back to CSV parsing, we don't care if there's a bundlepath at all.
There was a problem hiding this comment.
I'll admit it seems odd, but I think we still want to throw a specific error when a bundlepath isn't accompanied by the expected metadata. WDYT?
|
/retest |
4 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
Specifically, pulls in v1.5.5.
This extracts bundle data from an image and uses that data to populate the installplan. (The code here depends on later commits.)
WIP: this is currently using a local custom image.
Instead use image that is pullable from quay. Test data has been updated to include image building files.
The test data for generating this custom image uses a go script to generate and populate an operator registry database that references a bundle image.
openshift-ci-robot
added
the
needs-rebase
njhale
force-pushed
the
unpack-bundles
branch
from
2d03335 to
4cef16c
Compare
openshift-ci-robot
removed
the
needs-rebase
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ecordell, njhale The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
4 participants
Description of the change:
A refactor and continuation of #1081
Motivation for the change:
Simplification of InstallPlan updates and unpacking job management.
Reviewer Checklist
/docs