Move rbacs for config reader to a separate handler #1441

Merged
merged 2 commits into from Jul 15, 2021


erkanerol
Contributor

@erkanerol erkanerol commented Jul 14, 2021

Signed-off-by: Erkan Erol eerol@redhat.com

With this PR, hco operator will start reconciling hco.kubevirt.io:config-reader Role&RoleBinding strictly like other operands. After this PR, changes on these operands will be overwritten immediately without requiring any change on CDI or HCO CRs.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1963963

Reviewer Checklist

Reviewers are supposed to review the PR for every aspect below one by one. To check an item means the PR is either "OK" or "Not Applicable" in terms of that item. All items are supposed to be checked before merging a PR.

  • PR Message
  • Commit Messages
  • How to test
  • Unit Tests
  • Functional Tests
  • User Documentation
  • Developer Documentation
  • Upgrade Scenario
  • Uninstallation Scenario
  • Backward Compatibility
  • Troubleshooting Friendly

Release note:

NONE
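
The strict reconciliation described in the PR message, as an added example that is not code from this PR or from the HCO project: a hand-edited Role is detected as drift and overwritten with the desired rules. The struct types are simplified stand-ins for the rbac/v1 types, and the rule contents, ConfigMap name and namespace are hypothetical; only the Role name comes from the page.

```go
package main

import (
	"fmt"
	"reflect"
)

// PolicyRule and Role are simplified stand-ins for the rbac/v1 API types
// (assumption: only the fields needed to show the comparison are modelled).
type PolicyRule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

type Role struct {
	Name, Namespace string
	Rules           []PolicyRule
}

// desiredConfigReaderRole is the state the operator enforces. The rule
// contents and the ConfigMap name are hypothetical; the PR only names the Role.
func desiredConfigReaderRole(ns string) Role {
	return Role{Name: "hco.kubevirt.io:config-reader", Namespace: ns,
		Rules: []PolicyRule{{
			APIGroups:     []string{""},
			Resources:     []string{"configmaps"},
			ResourceNames: []string{"example-config"},
			Verbs:         []string{"get", "watch", "list"},
		}}}
}

// reconcileRole overwrites the rules of the Role found in the cluster when
// they differ from the desired ones and reports whether it had to.
func reconcileRole(found *Role, desired Role) bool {
	if reflect.DeepEqual(found.Rules, desired.Rules) {
		return false // no drift, nothing to write
	}
	found.Rules = append([]PolicyRule(nil), desired.Rules...)
	return true
}

func main() {
	desired := desiredConfigReaderRole("example-ns")
	// Constructed drift: the Role was hand-edited to allow every verb.
	found := Role{Name: desired.Name, Namespace: desired.Namespace, Rules: []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"configmaps"}, Verbs: []string{"*"}}}}
	fmt.Println("first pass overwrote:", reconcileRole(&found, desired))
	fmt.Println("second pass overwrote:", reconcileRole(&found, desired))
}
```

The same comparison applies to a RoleBinding's subjects and roleRef.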

@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 14, 2021
@erkanerol erkanerol changed the title Move rbacs for config reader to separate handler WIP: Move rbacs for config reader to separate handler Jul 14, 2021
@kubevirt-bot kubevirt-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 14, 2021
@coveralls
Collaborator

coveralls commented Jul 14, 2021

Pull Request Test Coverage Report for Build 1033551036

  • 113 of 129 (87.6%) changed or added relevant lines in 8 files are covered.
  • 12 unchanged lines in 7 files lost coverage.
  • Overall coverage increased (+0.01%) to 70.102%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| pkg/controller/hyperconverged/hyperconverged_controller.go | 0 | 2 | 0.0% |
| pkg/controller/operands/cdi.go | 104 | 118 | 88.14% |

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| pkg/controller/operands/cdi.go | 1 | 90.6% |
| pkg/controller/operands/kubevirt.go | 1 | 93.06% |
| pkg/controller/operands/vmImport.go | 1 | 88.73% |
| pkg/controller/operands/cliDownload.go | 2 | 89.71% |
| pkg/controller/operands/dashboard.go | 2 | 78.65% |
| pkg/controller/operands/quickStart.go | 2 | 82.41% |
| pkg/controller/operands/monitoring.go | 3 | 86.12% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 1030817711: | 0.01% |
| Covered Lines: | 3088 |
| Relevant Lines: | 4405 |

💛 - Coveralls

@erkanerol erkanerol changed the title WIP: Move rbacs for config reader to separate handler WIP: Move rbacs for config reader to a separate handler Jul 14, 2021
@erkanerol erkanerol changed the title WIP: Move rbacs for config reader to a separate handler Move rbacs for config reader to a separate handler Jul 14, 2021
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 14, 2021
@hco-bot
Collaborator

hco-bot commented Jul 14, 2021

hco-e2e-image-index-azure, hco-e2e-image-index-aws lanes succeeded.
/override ci/prow/hco-e2e-image-index-gcp

@kubevirt-bot
Contributor

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-gcp

In response to this:

hco-e2e-image-index-azure, hco-e2e-image-index-aws lanes succeeded.
/override ci/prow/hco-e2e-image-index-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@hco-bot
Collaborator

hco-bot commented Jul 14, 2021

hco-e2e-kv-smoke-azure lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-gcp

@kubevirt-bot
Contributor

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-kv-smoke-gcp

In response to this:

hco-e2e-kv-smoke-azure lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-gcp


@nunnatsa
Collaborator

nunnatsa commented Jul 15, 2021

We need to check if we can entirely take it out of the code, letting OLM manage it. The main problem with creating rbacs from the code is that HCO must have permissions for that, and we need to avoid such permissions. Can we move it to the CSV?

@erkanerol
Contributor Author

We need to check if we can entirely take it out of the code, letting OLM manage it. The main problem with creating rbacs from the code is that HCO must have permissions for that, and we need to avoid such permissions. Can we move it to the CSV?

@nunnatsa My understanding from the discussions in the PR below, it is not possible to create Role&RoleBinding with CSV
#498


return nil
}
func (h *cdiHooks) postFound(req *common.HcoRequest, exists runtime.Object) error { return nil }
Collaborator

@nunnatsa nunnatsa Jul 15, 2021

This is the one and only real implementation of the postFound function. Please remove it from the interface and delete all the empty implementations (and the function call too).

Contributor Author

Done

@tiraboschi
Member

We need to check if we can entirely take it out of the code, letting OLM manage it. The main problem with creating rbacs from the code is that HCO must have permissions for that, and we need to avoid such permissions. Can we move it to the CSV?

@nunnatsa My understanding from the discussions in the PR below, it is not possible to create Role&RoleBinding with CSV
#498

If I correctly recall the specific problem was that a serviceAccountName was mandatory in the CSV while the console is impersonating the connected user while reading that config map.
Can you please double check if this is still relevant on CSV side?

@nunnatsa
Collaborator

Can you please double check if this is still relevant on CSV side?

As far as I can see, this is still the case.

Collaborator

@nunnatsa nunnatsa left a comment

Please see one comment about postFound

Erkan Erol added 2 commits July 15, 2021 13:18
Signed-off-by: Erkan Erol <eerol@redhat.com>
It was necessary for configreader role&rolebinding
in cdi hooks but we moved them to separate handlers
now. We don't need this function anymore.

Signed-off-by: Erkan Erol <eerol@redhat.com>
@sonarcloud

sonarcloud bot commented Jul 15, 2021

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
0.0% 0.0% Duplication

Collaborator

@nunnatsa nunnatsa left a comment

/approve

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jul 15, 2021
@kubevirt-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nunnatsa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 15, 2021
@hco-bot
Collaborator

hco-bot commented Jul 15, 2021

hco-e2e-image-index-aws lane succeeded.
/override ci/prow/hco-e2e-image-index-gcp

@kubevirt-bot
Contributor

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-gcp

In response to this:

hco-e2e-image-index-aws lane succeeded.
/override ci/prow/hco-e2e-image-index-gcp


@erkanerol
Contributor Author

/retest

@openshift-ci

openshift-ci bot commented Jul 15, 2021

@erkanerol: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Rerun command |
|---|---|---|---|
| ci/prow/hco-e2e-image-index-gcp | 3cc9a24 | link | /test hco-e2e-image-index-gcp |
| ci/prow/hco-e2e-upgrade-index-aws | 3cc9a24 | link | /test hco-e2e-upgrade-index-aws |
| ci/prow/hco-e2e-kv-smoke-gcp | 3cc9a24 | link | /test hco-e2e-kv-smoke-gcp |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@hco-bot
Collaborator

hco-bot commented Jul 15, 2021

hco-e2e-kv-smoke-azure lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-gcp

@kubevirt-bot
Contributor

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-kv-smoke-gcp

In response to this:

hco-e2e-kv-smoke-azure lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-gcp


@hco-bot
Collaborator

hco-bot commented Jul 15, 2021

hco-e2e-upgrade-index-azure lane succeeded.
/override ci/prow/hco-e2e-upgrade-index-aws

@kubevirt-bot
Contributor

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-aws

In response to this:

hco-e2e-upgrade-index-azure lane succeeded.
/override ci/prow/hco-e2e-upgrade-index-aws


@tiraboschi
Member

/retest

@kubevirt-bot kubevirt-bot merged commit 308b57f into kubevirt:main Jul 15, 2021
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/L
6 participants