feat: agent report secret #1990
Force-pushed from 4285a60 to 3b194dc.
Thanks @CharlesQQ
Force-pushed from ac9e92e to 1def733.
Yes, I tested it. karmada search can fetch the cluster's resources in pull mode successfully, but sometimes, when restarting karmada, karmada-search-controller might print a log, whether in push or pull mode:
I think it might be that aggregated-apiserver restarted and had not started completely when karmada-search had already started; so it might be necessary for aggregated-apiserver to be running healthy when restarting karmada-search?
/cc @RainbowMango
Sorry @CharlesQQ, I missed this PR, so busy these days.
Force-pushed from 441d900 to 50f65db.
Force-pushed from 50f65db to 45fa371.
Generally looks good to me.
cmd/agent/app/options/options.go
Outdated
fs.StringVar(&o.ClusterProvider, "cluster-provider", "", "Provider of the joining cluster.")
fs.StringVar(&o.ClusterRegion, "cluster-region", "", "The region of the joining cluster.")
fs.StringVar(&o.ClusterZone, "cluster-zone", "", "The zone of the joining cluster")
Please don't combine these flags with this PR. This PR focuses on reporting the secret thing.
You can do it in a separate PR. By the way, the --cluster-zone might need to be updated to --cluster-zones and it accepts a string. (The API part also needs an update).
ok
We can add provider, region, zone flags and related code in the next PR.
Hi @CharlesQQ Why are the three flags still in this PR?
Force-pushed from 45fa371 to eedf381.
Force-pushed from 73e2225 to 6c92a44.
Thanks~
cmd/agent/app/agent.go
Outdated
}
}
}
if opts.IsKubeImpersonatorEnabled() {
What if opts.IsKubeImpersonatorEnabled() is false?
> What if opts.IsKubeImpersonatorEnabled() is false?
If IsKubeCredentialsEnabled and IsKubeImpersonatorEnabled are false, mutateFunc is nil, and return err
When IsKubeCredentialsEnabled and IsKubeImpersonatorEnabled are false, we need to create a Cluster object without them.
got it!
The logic here still seems to be a bit problematic. When IsKubeImpersonatorEnabled is false, mutateFunc will be nil.
Sorry, I don't understand clearly. When mutate is nil, do we just create an empty Cluster object?
> When mutate is nil, do we just create an empty Cluster object?
Oh, that's really a problem
review again pls? @XiShanYongYe-Chang
okay~
When report-secrets is {"KubeCredentials", "KubeImpersonator"}, only the impersonator secret will be reported.
I suggest updating like this:
--- a/cmd/agent/app/agent.go
+++ b/cmd/agent/app/agent.go
@@ -312,8 +312,7 @@ func startServiceExportController(ctx controllerscontext.Context) (bool, error)
func generateClusterInControllerPlane(opts util.ClusterRegisterOption) (*clusterv1alpha1.Cluster, error) {
clusterObj := &clusterv1alpha1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: opts.ClusterName}}
- var mutateFunc, tempFunc func(cluster *clusterv1alpha1.Cluster)
- tempFunc = func(cluster *clusterv1alpha1.Cluster) {
+ mutateFunc := func(cluster *clusterv1alpha1.Cluster) {
cluster.Spec.SyncMode = clusterv1alpha1.Pull
cluster.Spec.APIEndpoint = opts.ClusterAPIEndpoint
cluster.Spec.ProxyURL = opts.ProxyServerAddress
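Review bot: A doc comment is missing on the new `mutateFunc := func(cluster *clusterv1alpha1.Cluster) {` declaration in this hunk. With tempFunc gone, this one closure fills in the whole Cluster spec, so a line above it stating that SyncMode, APIEndpoint and ProxyURL are always set while the secret references are added only when the matching report-secrets option is enabled would save the next reader from re-deriving that from the body.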
@@ -340,28 +339,22 @@ func generateClusterInControllerPlane(opts util.ClusterRegisterOption) (*cluster
cluster.Spec.ProxyURL = url.String()
}
}
- }
- if opts.IsKubeCredentialsEnabled() {
- mutateFunc = func(cluster *clusterv1alpha1.Cluster) {
- tempFunc(cluster)
+
+ if opts.IsKubeCredentialsEnabled() {
cluster.Spec.SecretRef = &clusterv1alpha1.LocalSecretReference{
Namespace: opts.Secret.Namespace,
Name: opts.Secret.Name,
}
}
- }
- if opts.IsKubeImpersonatorEnabled() {
- mutateFunc = func(cluster *clusterv1alpha1.Cluster) {
- tempFunc(cluster)
+
+ if opts.IsKubeImpersonatorEnabled() {
cluster.Spec.ImpersonatorSecretRef = &clusterv1alpha1.LocalSecretReference{
Namespace: opts.ImpersonatorSecret.Namespace,
Name: opts.ImpersonatorSecret.Name,
}
}
}
- if mutateFunc == nil {
- mutateFunc = tempFunc
- }
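Review bot: The two `if opts.IsKubeCredentialsEnabled()` and `if opts.IsKubeImpersonatorEnabled()` blocks in this hunk only ever set `cluster.Spec.SecretRef` and `cluster.Spec.ImpersonatorSecretRef`; neither has a branch that resets the field to nil when the option is disabled. If mutateFunc is also run against a Cluster object that already exists, a reference reported earlier would stay on the object after that entry is removed from report-secrets, so the control plane would keep pointing at a credential the agent was told to stop reporting. Consider clearing the field in the disabled case, or confirm that the closure only runs on creation. A table-driven test over the four combinations of the two options would pin down the behaviour this suggestion is meant to fix.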
/assign
Thanks @CharlesQQ for your hard work, and sorry for the delay.
I can focus on it this week.
Just a suggestion to make it easier to move this PR forward: please keep the PR as small as you can, and don't couple too much refactoring work in it.
Force-pushed from 58a7b88 to 2f7acb6.
Thanks for your hard work.
Force-pushed from 2f7acb6 to aedb2ea.
Fixed. Why did the e2e test fail?
I'm not sure, but please rebase your code with the master, and push again.
It's maybe not an occasional mistake:
For the
We need to report KubeImpersonator by default, our CI needs this.
Force-pushed from d42cedb to a397f78.
Thank you!
/lgtm
Great! Seems we are ready to move this forward now. And, before merging this patch, I want to confirm if this fixed the issue addressed by #1946, can you help to confirm that? (Please test with the latest patch)
Yes, I tested it, and karmada-search can fetch resources from the cluster in pull mode successfully, but if karmada is restarted and karmada-aggregated-apiserver is not healthy, the log prints the following message:
Signed-off-by: charlesQQ <charles_ali@qq.com>
Force-pushed from a397f78 to 8738617.
Did anything change in the force push?
Yes, there was a code conflict in agent/app/options, because the last merge added a new flag.
/lgtm
👍
/approve I can see the
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: RainbowMango
Ok~
Signed-off-by: charlesQQ <charles_ali@qq.com>
What type of PR is this?
/kind feature
What this PR does / why we need it:
Allow karmada-agent to report secrets for Pull mode clusters
Which issue(s) this PR fixes:
Part of #1946
Special notes for your reviewer:
Does this PR introduce a user-facing change?: