Adding cascading deletion support to federated namespaces

[nikhiljindal]

Ref #33612

With this change, whenever a federated namespace is deleted with DeleteOptions.OrphanDependents = false, then federation namespace controller first deletes the corresponding namespaces from all underlying clusters before deleting the federated namespace.

cc @kubernetes/sig-cluster-federation @caesarxuchao

Adding support for DeleteOptions.OrphanDependents for federated namespaces. Setting it to false while deleting a federated namespace also deletes the corresponding namespace from all registered clusters.

---

This change is

[nikhiljindal]

I am working on updating our e2e test

[nikhiljindal]

Updated the PR to include e2e changes. Verified that test/e2e/federated-namespace passes

[caesarxuchao]

Sorry, I'm not familiar with the federation code base. I asked two question, they might be silly. I'll take another pass tomorrow.

[caesarxuchao]

I don't get why you need to make the Set. Why not just make []api_v1.FinalizerName directly?

[nikhiljindal]

Fixed, thx

[caesarxuchao]

I thought ProcessDeletion should take a fed_v1.Namespace, why is it taking a regular namespace?

[nikhiljindal]

There is no special fed_v1.Namespace. We use the same v1.Namespace object in federation

[nikhiljindal]

Updated the code as per comments. Ready for another look

[caesarxuchao]

The federated namespace is deleted before the underlying cluster namespaces are deleted from etcd, right? This is consistent with the mode of the garbage collector, i.e., asynchronous, but different from deletion of a cluster namespace, which is synchronous. I'm not sure if this is what you want.

[nikhiljindal]

No. federated namespace will not be deleted unless the namespaces have been deleted in all underlying clusters.

[caesarxuchao]

Where is it blocked? It seems the UpdateOnError is not blocking.

[nikhiljindal]

Yes it was blocked until the Delete request succeeded for all clusters but it wasnt waiting for all resources to go away. Updated the code to wait.

[nikhiljindal]

Updated the controller to add a DeleteFederatedDependents finalizer before creating any dependent resources in sub clusters. This now ensures that the federation resource is not deleted unless all dependents have been removed.
PTAL.

[nikhiljindal]

Updated the code as discussed. I am now creating the finalizer in ObjectMeta.Finalizers instead of putting it in NamespaceSpec.Finalizers.
Verified that federated-namespace e2e test passes :)

[nikhiljindal]

Retrying unit test
@k8s-bot unit test this

[nikhiljindal]

Retrying unit test
@k8s-bot unit test this

[caesarxuchao]

Just ideas: DeleteUnderlyingClusterObjects, DeleteDependentsInUnderlyingClusters. Not sure if DeleteFederatedDependents is intuitive. Your call.

[nikhiljindal]

Renamed to DeleteFromUnderlyingClusters

[caesarxuchao]

Do you need to pass an empty deleteOptions? Can it be nil?

[nikhiljindal]

Yes nil should work as well. Will try :)

[caesarxuchao]

This function is deleteNamespaceResourcesAndRemoveNamespaceSpecFinalizer :) Maybe split it to two functions? "KubernetesFinalizer" is not clear.

[nikhiljindal]

Yes, I can rename it to deleteNamespaceResourcesAndRemoveNamespaceSpecFinalizer but thats a bit long ;)
I think the current name is fine (its a private func).
I dont want to change that code much.
There is a TODO to make it consistent with the kubernetes code. We should be able to reuse the same code in kubernetes and federation to delete namespace resources.

[caesarxuchao]

Ok. I still think "NamespaceSpecFinalizer" is more clear than "KubernetesFinalizer". Your call, as it's a private func.

There is a TODO to make it consistent with the kubernetes code. We should be able to reuse the same code in kubernetes and federation to delete namespace resources.

Not sure I follow this part. What kubernetes code are you referring to?

[nikhiljindal]

To clarify, I named it removeKubernetesFinalizer because it removes the finalizer called FinalizerKubernetes.

Not sure I follow this part. What kubernetes code are you referring to?

kubernetes namespace controller also has the same code that deletes all resources in a namespace before removing the finalizer - same as what this function does.

[caesarxuchao]

To clarify, I named it removeKubernetesFinalizer because it removes the finalizer called FinalizerKubernetes.

I think FinalizerKubernetes is a bad name :)

[nikhiljindal]

Yes now it is. It is clear now that we should have been more specific. I guess the thinking at that time was that this is the finalizer that kubernetes is adding to do its work. Now we have so many so its better to be specific.

[caesarxuchao]

That does sound like a bug? Could you open an issue?

[nikhiljindal]

Fixing in #35478

[caesarxuchao]

Where is the "wait" is implemented?

[nikhiljindal]

Wait is implemented by not returning success here.
Since len(operations) > 0 we return here without removing the finalizer. Next time this function is called, we will again first compute if we want to do any operations in underlying clusters. If at any time, len(operation) = 0, then we proceed. Else we wait till len(operations) == 0.
Caller is expected to keep calling HandleObjectInUnderlyingClusters until it returns success (err == nil).

[caesarxuchao]

I see. I didn't notice you called deliverNamespace to process the namespace again in the future. So it looks good.

[caesarxuchao]

What is Federation12?

[nikhiljindal]

Will fix before committing.

[caesarxuchao]

Do you want to check in this code?

[nikhiljindal]

Yes helps in debugging.

[caesarxuchao]

Why not just call Update? Calling Finalize looks like it's delete the namespace.spec.finalizer

[nikhiljindal]

Why?
My expectation is that if only the list of finalizers are being modified, then we should use Finalize(). Else use update().
Is that not correct?

[caesarxuchao]

No. Finalize is a special method that only exists in the namespace client. So I think we should call Finalize() only when we update the namespace.spec.finalizer.

[nikhiljindal]

oh ok. Hadnt realized the spec.Finalizer and ObjectMeta.Finalizer difference. You are right. Will update

[nikhiljindal]

Fixed

[caesarxuchao]

I think you should check if all resources are actually deleted to make the deletion synchronous. Cluster namespace deletion will wait for all resources are deleted. Perhaps this will be easier to implement after you apply the deleteHelper pattern to other resources?

[nikhiljindal]

I think you should check if all resources are actually deleted to make the deletion synchronous.

Yes this is not required right now since all deletions are immediate (there is no cascading deletion). Will need to update this before enabling cascading deletion for any of these resources.
The plan is to refactor kubernetes namespace controller code to make the namespace deletion code reusable and then use it here.
Leaving as is in this PR.

[caesarxuchao]

Ok. Thanks for the explanation.

[caesarxuchao]

Add a comment? Also mention the OrphanFinalizer will take precedence.

[nikhiljindal]

done, thx

[nikhiljindal]

Verified that federation namespace e2e test is passing

[nikhiljindal]

Replaced Finalize() by Update() as per the comment above and squashed commits.
PTAL.

[caesarxuchao]

LGTM. Thanks @nikhiljindal !

[k8s-ci-robot]

Jenkins verification failed for commit b95fac161531a5df07b034d52047b2351b0bf5f9. Full PR test history.

The magic incantation to run this job again is @k8s-bot verify test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[nikhiljindal]

Trying to satisfy bazel and fix unit tests

[k8s-ci-robot]

Jenkins GCE e2e failed for commit ebbbd02abc6ef6b4da535e39fc1493444771cb7d. Full PR test history.

The magic incantation to run this job again is @k8s-bot cvm gce e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins Kubemark GCE e2e failed for commit ebbbd02abc6ef6b4da535e39fc1493444771cb7d. Full PR test history.

The magic incantation to run this job again is @k8s-bot kubemark e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins GKE smoke e2e failed for commit ebbbd02abc6ef6b4da535e39fc1493444771cb7d. Full PR test history.

The magic incantation to run this job again is @k8s-bot cvm gke e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins GCI GKE smoke e2e failed for commit ebbbd02abc6ef6b4da535e39fc1493444771cb7d. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gke e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins GCI GCE e2e failed for commit ebbbd02abc6ef6b4da535e39fc1493444771cb7d. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gce e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins GCE etcd3 e2e failed for commit ebbbd02abc6ef6b4da535e39fc1493444771cb7d. Full PR test history.

The magic incantation to run this job again is @k8s-bot gce etcd3 e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-ci-robot]

Jenkins unit/integration failed for commit ebbbd02abc6ef6b4da535e39fc1493444771cb7d. Full PR test history.

The magic incantation to run this job again is @k8s-bot unit test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[nikhiljindal]

All tests passed. Adding back LGTM

[k8s-github-robot]

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue