cli: uninstall command #725
Conversation
ndhanushkodi
requested review from
a team,
ishustava,
sadjamz and
kschoche
and removed request for
a team
ndhanushkodi
force-pushed
the
cli-uninstall
branch
from
92a202b
to
ac3a4fb
Compare
cli/README.md
Outdated
| -skip-wipe-data | ||
| Skip deleting all PVCs, Secrets, and Service Accounts associated with | ||
| Consul Helm installation without prompting for approval to delete. The | ||
| default is false. | ||
|
|
||
| -wipe-data | ||
| Delete all PVCs, Secrets, and Service Accounts associated with Consul | ||
| Helm installation without prompting for approval to delete. Only use | ||
| this when persisted data from previous installations is no longer | ||
| necessary. The default is false. |
There was a problem hiding this comment.
If skip-wipe-data is defaulted false (meaning wipe the data) and wipe-data is defaulted false (meaning dont wipe the data) what is the actual default behaviour? I'm assuming that we meant that skip-wipe-data is defaulted to true?
| c.once.Do(c.init) | ||
|
|
||
| defer func() { | ||
| if err := c.Close(); err != nil { |
There was a problem hiding this comment.
Just out of curiosity what does c.Close() here do? would c.UI.Output() still be usable if c.Close() failed?
There was a problem hiding this comment.
👍 that's a good question. I'm curious about this as well. It looks like c.Close attempts to close the UI if the UI implements io.Closer interface, so I'm curious if that means that we won't be able to output to it anymore.
There was a problem hiding this comment.
I switched this to using the logger instead. In our case, the UI doesn't implement the closer interface, so Close() would be a no-op. But we could potentially choose to implement it in the future if we say "upgrade" our UI.
| } | ||
| } | ||
| if len(secretNames) > 0 { | ||
| c.UI.Output("Consul secrets deleted.", terminal.WithSuccessStyle()) |
There was a problem hiding this comment.
This is a super nit comment, but if there are 3 secrets and 2 got deleted and the third exits the for loop because you cant delete it for some reason then neither of these Outputs get processed properly. I suppose it is okay since it "should work" in happy path.
There was a problem hiding this comment.
Maybe the correct thing to do is output the Error via c.UI.Output() instead of return the error, and then continue to process the other secrets?
I guess this logic applies to the other similar functions, if you choose.
There was a problem hiding this comment.
Yeah +1 to Kyle's question. I left a similar question in the deletePVCs function too.
There was a problem hiding this comment.
I think its ok because in an error case, it will exit the function at the point of the error without printing either of these outputs here, and just print the first error it got to. Then when a user re-runs uninstall after fixing their issue, it should succeed and delete the secrets properly.
ndhanushkodi
force-pushed
the
cli-install
branch
2 times, most recently
from
4857b15
to
749c942
Compare
ndhanushkodi
force-pushed
the
cli-uninstall
branch
from
ac3a4fb
to
4f73fd4
Compare
ndhanushkodi
force-pushed
the
cli-install
branch
from
8b22214
to
5f3b109
Compare
ndhanushkodi
force-pushed
the
cli-uninstall
branch
from
4f73fd4
to
dd282f4
Compare
ndhanushkodi
force-pushed
the
cli-uninstall
branch
from
dd282f4
to
d00c301
Compare
There was a problem hiding this comment.
This is impressive work!!! I'm so excited about this ❤️ This is a lot of work, and I really appreciate how easy this was to read.
I've only reviewed the command (and not tests) and had some comments that I wanted to clarify before proceeding with the rest of the review. I've also left some minor edits.
I've also ran some manual tests and discussed the issues I ran into with Nitya already but wanted to document them here for posterity:
- I think we need to change the helm list functionality to list any pending/uninstalled releases so that if your installation has failed, the uninstall will still find the release.
- We need make sure that the kubernetes client is initialized with the correct namespace. With the 0.33.0 release currently, uninstall fails because tls-init-cleanup job doesn't have
Namespaceset in its template. We've fixed it now in the latest helm release, but we should still make sure that the client is initialized correctly. - It would be nice to default release name and namespace to
consulfor a case when I forgot to wipe-data in a previous uninstall. That way rerunning uninstall would still just work.
There is also another issue that we haven't discussed that I think would be nice to fix but doesn't have to be part of this PR. In my testing I kept running into errors saying that tls-init-cleanup job or service account etc already exist. It'd be nice if the uninstall command cleaned those up before calling helm delete.
| c.once.Do(c.init) | ||
|
|
||
| defer func() { | ||
| if err := c.Close(); err != nil { |
There was a problem hiding this comment.
👍 that's a good question. I'm curious about this as well. It looks like c.Close attempts to close the UI if the UI implements io.Closer interface, so I'm curious if that means that we won't be able to output to it anymore.
| } | ||
| } | ||
| if len(secretNames) > 0 { | ||
| c.UI.Output("Consul secrets deleted.", terminal.WithSuccessStyle()) |
There was a problem hiding this comment.
Yeah +1 to Kyle's question. I left a similar question in the deletePVCs function too.
| } | ||
|
|
||
| // deleteServiceAccounts deletes service accounts that have foundReleaseName in their name. | ||
| func (c *Command) deleteServiceAccounts(foundReleaseName, foundReleaseNamespace string) error { |
There was a problem hiding this comment.
I'm curious why do we delete only service accounts and not roles, rolebindings, clusterroles, and clusterrolebindings?
There was a problem hiding this comment.
removing this function in favor of: https://app.asana.com/0/1200500259727746/1201031492148291/f
There was a problem hiding this comment.
Actually in testing I am noticing the consul-tls-init role, rolebinding, and service account are sticking around if they are not manually deleted when installing with -preset=secure. I went ahead and added that logic to delete roles/rolebindings/service accounts. I plan to add logic in the future for jobs, clusterroles, and clusterrolebindings if we see cases those aren't being deleted!
ndhanushkodi
added
area/acls
ndhanushkodi
force-pushed
the
cli-uninstall
branch
3 times, most recently
from
a5a0c22
to
eb31fec
Compare
- delete roles, rolebindings, service accounts by label - use hack for setting namespace for helm kube client - fallback to release name/namespace consul
ndhanushkodi
force-pushed
the
cli-uninstall
branch
from
560b896
to
280cd71
Compare
| rolebindings, err := c.kubernetes.RbacV1().RoleBindings("default").List(context.TODO(), metav1.ListOptions{}) | ||
| require.NoError(t, err) | ||
| require.Len(t, rolebindings.Items, 0) | ||
| } |
There was a problem hiding this comment.
I think we can also add tests for the findExistingInstallation function.
There was a problem hiding this comment.
This one is kind of tricky for similar reasons to
consul-k8s/cli/cmd/install/install.go
Line 338 in e77da79
I think I can open a separate PR this week to refactor the helm logic out of uninstall.findExistingInstallation and install.checkForPreviousInstallations, and unit test the part that's unrelated to helm logic. The reason to pull it out into a separate PR is since I'll be focusing on testing within the acceptance tests PR we can add this additional testing there after a quick refactor.
The port-forward sometimes fails randomly
Based off of a demo branch @sadjamz worked on here: https://github.com/hashicorp/consul-k8s-cli/tree/uninstall
Changes proposed in this PR:
consul-k8s uninstalluninstalls the Consul Helm installation with options to wipe all dataIf you don't provide the release name/namespace, it will find the release whose metadata.name matches "consul", and then prompt to uninstall that release and any pvcs/secrets based on that.
You can provide the release name/namespace in a case where you have already
helm uninstall'ed the consul helm installation, but still have PVCs, Secrets, etc to clean up.Note that this PR is difficult to unit test-- acceptance tests are coming as the next task after install/uninstall are complete. The Helm steps are difficult to mock out for reasons mentioned in the install PR:
cli: support install command #713 (comment)
consul-k8s/cli/cmd/install/install.go
Line 338 in e77da79
How I've tested this PR:
Manual testing of the cases mentioned below, a few unit tests.
How I expect reviewers to test this PR:
Code review
Test it out:
cd cligo build -o ./bin/consul-k8s./bin/consul-k8s uninstallIf you can test out the command with the following flags and let me know if you have behaviour suggestions.
a) no flags
b) -name and -namespace set
c) -auto-approve
d) -wipe-all-data
Checklist: