-
Notifications
You must be signed in to change notification settings - Fork 902
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Required patch policy aborts rendering of entire composite #2175
Comments
I think Crossplane should deploy the ones it can all the time, providing an eventual consistency without imposing an order requirement in the |
This thread points to some of the things we are seeing here I think, but it was focused on patching back to the composite resource and that motivated the fix. I imagine we could do a similar fix patching to managed resources but I need to look a little closer. |
Looks like if we fail to render any resources then we don't apply any of them:
// We want to ensure we can render all of our composed resources before we
// apply any of them. We prefer to avoid creating or updating any composed
// resources if we know we won't be able to create or update all of them.
refs := make([]corev1.ObjectReference, len(tas))
cds := make([]resource.Composed, len(tas))
for i, ta := range tas {
cd := composed.New(composed.FromReference(ta.Reference))
if err := r.composed.Render(ctx, cr, cd, ta.Template); err != nil {
log.Debug(errRenderCD, "error", err, "index", i)
r.record.Event(cr, event.Warning(reasonCompose, errors.Wrapf(err, errFmtRender, i)))
return reconcile.Result{RequeueAfter: shortWait}, nil
}
cds[i] = cd
refs[i] = *meta.ReferenceTo(cd, cd.GetObjectKind().GroupVersionKind())
} Guessing we need to skip on something like:
|
It seems like there's a couple of cases in which folks would want to use required patches:
If I follow correctly cases 1, 2, and 3 are working but 4 is not. I agree we should fix this to enable case 4, but I don't think we need to consider this a release blocker. We could address this in 1.2 or even in a 1.1.1 patch release. |
Yep, I think that's accurate, but depending on how case 4 is fixed it could also enable a 5th case by circumstance - where an optional field on the XR that is set |
Regarding discussion in Slack around the
Required
patch policy in combination with bidirectional patching.This appears to be intentional behaviour instead of an actual bug (and I suspect this is how Compositions have always behaved) but seems somewhat counter-intuitive to me when used with bi-directional patching and the
Required
policy.What happened?
I was attempting to use a bi-directional patch within a single composition so I could use the ARN of one base resource in the body of another base resource (
Bucket
ARN in anIAMPolicy
document).My belief was that I would be able to use the following XRD / Composition:
I thought what would happen here is that the patch on the
Bucket
would be a no-op because thefromField
doesn't exist, theBucket
resource would be created, and then the patch on thePolicy
would be rejected (and only the Policy resource would not be created) as thefromField
does not exist yet and is setRequired
.What actually happens is the error from the
Required
patch on thePolicy
(cannot render composed resource from resource template at index 1: cannot apply the patch at index 0: status: no such field
) causes the entire composition to be aborted and requeued, with no resources applied to the cluster - the Bucket is never created, so can never populate its'status
field for thePolicy
patch to work on.Removing the
Required
policy from the patch allows both resources to be created but until theBucket
is ready and its' value is patched back, thePolicy
resource is invalid (in this case, contains an empty format string placeholder from the string transform).If this invalid resource were rejected by the provider (e.g. there was a policy check before creation on the
provider-aws
side that threw an error) then I don't think it would be possible to bypass and the resources would never be created.How can we reproduce it?
Create a Composition and XRD based on the above code, and create an instance of it. Watch as the Composition never completes first reconciliation, instead aborting due to the patching failure of the
IAMPolicy
.What environment did it happen in?
Crossplane version: v1.2.0-rc.0.5.ge4491ffd
cc @negz @muvaf @mcavoyk
The text was updated successfully, but these errors were encountered: