label all Cilium resources with "app.kubernetes.io/part-of: cilium" #20213
I'm not sure if I need to label resources of the type |
Thanks for the PR. Overall I think you got the relevant resources, though I don't think we should also make it part of e.g. the service selectors.
Is the idea here to eventually deprecate the |
I don't think so. |
Yes but if we begin following the "recommended" labels, |
@gandro and @cyclinder Given that this moves us to one of the recommended k8s labels, I'd also be pretty happy if we moved |
Is there a reason those might be excluded? |
We use |
install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
Thanks for the review! I totally agree. We shouldn't remove |
Since I see no labels for these resources at the moment |
On whether or not to deprecate the So if we decide to remove them, then we need to figure out a migration strategy for |
@gandro and @cyclinder I do agree. We do not want to deprecate Ideally, we can do something like:
Tho, I'm not sure if s/name/component or not? |
Update:
|
I think both are OK; I would prefer name :) |
I like this proposal. I'm happy with @cyclinder Would you be willing to change this PR to reflect that? |
Changes lgtm, I am still a bit concerned over changing the immutable matchLabels. For example, if I try to do a helm upgrade with this branch I get:
Not sure what the best solution for this is, perhaps to have a way to specify custom matchLabel selectors in values.yaml. |
This looks good to me, contingent on dealing with the existing feedback. Thanks for adding to the scope of this PR.
I'm sorry for not responding for a long time, since I was busy with work these days.
Hi @gandro, if my understanding is right, the current PR already reflects these changes, right? |
Thanks! Good catch! I'll test it on my local machine and find the best solution for this. |
Update: As before, I added two labels to each Cilium resource. We set the default value of |
/test
Job 'Cilium-PR-K8s-GKE' failed:
If it is a flake and a GitHub issue doesn't already exist to track it, comment |
install/kubernetes/cilium/templates/etcd-operator/poddisruptionbudget.yaml
install/kubernetes/cilium/templates/cilium-operator/poddisruptionbudget.yaml
LGTM, thank you!
Thanks. Given the discussion, the well-known identity change can be simplified again. Let's not add the additional identities.
Thanks. This should be good to go from my side I think. Let's run CI again.
@cyclinder It seems like your
It's missing the |
Signed-off-by: cyclinder <qifeng.guo@daocloud.io>
@gandro Thank you very much for your help! |
/test |
I have no idea about this CI failure (gke-stable). Can this CI job be retested? |
/test-gke Yeah, looks like a provisioning issue (no k8s1 label node). GKE is currently known to be flaky and not required to merge a PR at the moment. I restarted the test anyways. |
Thanks. Does this PR require a review? This is my first contribution to Cilium :) Can you tell me about the requirements for a PR to be merged? |
I prefer to have another code review from the policy CODEOWNERs (e.g. Chris), to ensure the well-known identity change is valid. |
LGTM for well-known identities. Given that the security identity value will not change (just the labels that map to the identity value), then this makes it safe for upgrading / downgrading. I've added the upgrade-impact label just in case we need to review any PRs in the future regarding any changes on upgrade.
Marking this ready to merge. The GKE failure is unrelated. |
Signed-off-by: cyclinder qifeng.guo@daocloud.io
Please ensure your pull request adheres to the following guidelines:
description and a Fixes: #XXX line if the commit addresses a particular GitHub issue.
Fixes: #20088