-
Notifications
You must be signed in to change notification settings - Fork 463
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update cloud credentials even for unwanted machine deployments. #3224
Update cloud credentials even for unwanted machine deployments. #3224
Conversation
A sample implementation in a provider extension looks like gardener/gardener-extension-provider-aws#223 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't a more "lightweight" and cleaner approach be if we split the DeployMachineClasses
function into DeployMachineClassSecrets
and DeployMachineClasses
. Then DeployMachineClassSecrets
can always crupdate all machine class secrets, including those still in the system but meanwhile potentially unwanted, and DeployMachineClasses
can handle the machine classes without crupdating the secrets. This is more adaptation effort in the extensions, but probably has a cleaner flow and a cleaner WorkerDelegate
interface. What is your opinion?
57631d6
to
869569b
Compare
Actually, I wanted to move the cloud credential into dedicated single secret and mount it into the machine-controller-manager deployment, just how it is done for the cloud-controller-manager, however MCM does not support such option at the moment. I changed the PR to patch all machine class secrets, for those that are up-to-date, this should be an empty patch. |
869569b
to
3a00016
Compare
In a discussion with @vpnachev and @timuthy we talked about an option for easier handling in the future: If the machine classes would support to read the infrastructure credentials from a different secret than the user-data then we don't need all this special logic. We could just reuse the already existing The MCM maintainers @hardikdr @prashanth26 @AxiomSamarth wanted to discuss internally. Assuming that we agree on this, we'd like to merge this PR as is, despite the fact that it "uglyfies" the /assign @vpnachev @timuthy @hardikdr @prashanth26 @AxiomSamarth |
The MCM maintainers accepted the proposal, so we can |
Frankly, I didn't expect an implementation in MCM this quick (thanks @rfranzke 🚀). Does it then still even make sense to proceed with this PR instead of waiting for the next MCM release? |
For backwards compatibility reasons we should proceed, I think. Some provider extension might want/need to stick to a certain MCM version for whatever reasons, so let's get this fix in or for a couple of releases. WDYT? |
Okay, makes sense. Thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
How to categorize this PR?
/area robustness
/kind bug
/priority normal
What this PR does / why we need it:
The worker controller will now update the cloud credentials also for machine deployments that are not referenced by the worker resource, e.g. they are in deletion.
Which issue(s) this PR fixes:
Part of #3023
Special notes for your reviewer:
Release note: