-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using discovery client to properly check for cluster-scoped resources #1319
Conversation
Summary: - [x] proper applying and re-applying of cluster-scoped resources in the apply task - [x] ownership is **NOT** set for cluster-scoped resources to the `Instance` **Note**: the second change has implications, because we would previously set `ownerReference` of **all** resources (even cluster-scoped ones like CRDs) to the `Instance` and though k8s [GC docs](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/) clearly state that _"Cross-namespace owner references are disallowed by design"_ it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize the `cleanup` plan to remove cluster-scoped resources. Fixes #1288 #1265
pkg/engine/helpers/object_key.go
Outdated
@@ -0,0 +1,62 @@ | |||
package helpers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had to extract these methods into a separate package because of circular dependencies 😞
// 1) Namespace-scoped dependents can only specify owners in the same namespace, and owners that are cluster-scoped. | ||
// 2) Cluster-scoped dependents can only specify cluster-scoped owners, but not namespace-scoped owners. | ||
// More: https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/ | ||
if isNamespaced { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here, we don't set ownerReference for cluster-scoped resources anymore.
@@ -113,10 +114,17 @@ func main() { | |||
} | |||
|
|||
log.Print("Setting up instance controller") | |||
discoveryClient, err := utils.GetDiscoveryClient(mgr) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lots of line changes deal with the fact that we wire the discoverClient
through the workflow engine 🤷♂
@@ -687,8 +691,34 @@ func FakeDiscoveryClient() discovery.DiscoveryInterface { | |||
{ | |||
GroupVersion: corev1.SchemeGroupVersion.String(), | |||
APIResources: []metav1.APIResource{ | |||
{Name: "pods", Namespaced: true, Kind: "Pod"}, | |||
{Name: "namespaces", Namespaced: false, Kind: "Namespace"}, | |||
{Name: "pod", Namespaced: true, Kind: "Pod"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since fake discovery client is now needed in many of the workflow
package tests, I extended it with the types we use in tests.
Note, this PR does not cache the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is similar to some work / thoughts on the matter. I have 1 thought for consideration and 1 reason to reject this...
consideration: We are now passing 2 Clients
. would it make sense to have a struct of Client which is a struct of different Client types? I'm good either way.
reason for rejection:
the use of package names utils
, util
or helpers
is strongly discouraged. I was hoping to get rid of the ones we have... we shouldn't add to that list of tech debt IMO.
We need this in our docs... good design choice IMO! 👏 |
They're two completely different interfaces. Conflating both would add to confusion IMHO
I couldn't agree more! I think I lost half an hour of my life trying to find a better name for it and...still failed 😆 It has to be either a new package or an existing one (but not |
Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
@kensipe I've renamed Regarding the Clients: I think the way it is right now is ok, but with the next client we need we should consider a struct :) |
Renamed the package as requested ;)
…#1319) Summary: - [x] proper applying and re-applying of cluster-scoped resources in the apply task - [x] ownership is **NOT** set for cluster-scoped resources to the `Instance` **Note**: the second change has implications, because we would previously set `ownerReference` of **all** resources (even cluster-scoped ones like CRDs) to the `Instance` and though k8s [GC docs](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/) clearly state that _"Cross-namespace owner references are disallowed by design"_ it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize the `cleanup` plan to remove cluster-scoped resources. Fixes #1288 #1265 Co-authored-by: Andreas Neumann <aneumann@mesosphere.com> Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
…#1319) Summary: - [x] proper applying and re-applying of cluster-scoped resources in the apply task - [x] ownership is **NOT** set for cluster-scoped resources to the `Instance` **Note**: the second change has implications, because we would previously set `ownerReference` of **all** resources (even cluster-scoped ones like CRDs) to the `Instance` and though k8s [GC docs](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/) clearly state that _"Cross-namespace owner references are disallowed by design"_ it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize the `cleanup` plan to remove cluster-scoped resources. Fixes #1288 #1265 Co-authored-by: Andreas Neumann <aneumann@mesosphere.com> Signed-off-by: Thomas Runyon <runyontr@gmail.com>
Summary: previously any error returned by the `DefaultEnhancer` was treated as fatal. It made sense because it would act deterministically on a prepared set of resources. However, since #1319 enhancer also uses discovery interface to determine whether or not given resource is namespaced. These API requests may fail and must be retried, hence the introduction of a transient error. Fixes #1413 Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
… errors (#1427) Summary: previously any error returned by the `Enhancer` was treated as fatal. It made sense because it would act deterministically on a prepared set of resources. However, since #1319 enhancer also uses the discovery interface to determine whether or not the given resource is namespaced. These API requests may fail and must be retried. With this fix, `DefaultEnhancer` clearly marks certain errors as fatal. Fixes #1413 Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
Summary:
Instance
Note: the second change has implications, because we would previously set
ownerReference
of all resources (even cluster-scoped ones like CRDs) to theInstance
and though k8s GC docs clearly state that "Cross-namespace owner references are disallowed by design" it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize thecleanup
plan to remove cluster-scoped resources.Fixes #1288 #1265