Using discovery client to properly check for cluster-scoped resources #1319
Conversation
Summary: - [x] proper applying and re-applying of cluster-scoped resources in the apply task - [x] ownership is **NOT** set for cluster-scoped resources to the `Instance` **Note**: the second change has implications, because we would previously set `ownerReference` of **all** resources (even cluster-scoped ones like CRDs) to the `Instance` and though k8s [GC docs](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/) clearly state that _"Cross-namespace owner references are disallowed by design"_ it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize the `cleanup` plan to remove cluster-scoped resources. Fixes #1288 #1265
zen-dog
requested review from
gerred,
jbarrick-mesosphere and
nfnt
as code owners
pkg/engine/helpers/object_key.go
Outdated
| @@ -0,0 +1,62 @@ | |||
| package helpers | |||
There was a problem hiding this comment.
I had to extract these methods into a separate package because of circular dependencies 😞
| // 1) Namespace-scoped dependents can only specify owners in the same namespace, and owners that are cluster-scoped. | ||
| // 2) Cluster-scoped dependents can only specify cluster-scoped owners, but not namespace-scoped owners. | ||
| // More: https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/ | ||
| if isNamespaced { |
There was a problem hiding this comment.
Here, we don't set ownerReference for cluster-scoped resources anymore.
| @@ -113,10 +114,17 @@ func main() { | |||
| } | |||
|
|
|||
| log.Print("Setting up instance controller") | |||
| discoveryClient, err := utils.GetDiscoveryClient(mgr) | |||
There was a problem hiding this comment.
Lots of line changes deal with the fact that we wire the discoverClient through the workflow engine 🤷♂
| @@ -687,8 +691,34 @@ func FakeDiscoveryClient() discovery.DiscoveryInterface { | |||
| { | |||
| GroupVersion: corev1.SchemeGroupVersion.String(), | |||
| APIResources: []metav1.APIResource{ | |||
| {Name: "pods", Namespaced: true, Kind: "Pod"}, | |||
| {Name: "namespaces", Namespaced: false, Kind: "Namespace"}, | |||
| {Name: "pod", Namespaced: true, Kind: "Pod"}, | |||
There was a problem hiding this comment.
Since fake discovery client is now needed in many of the workflow package tests, I extended it with the types we use in tests.
|
Note, this PR does not cache the |
There was a problem hiding this comment.
This is similar to some work / thoughts on the matter. I have 1 thought for consideration and 1 reason to reject this...
consideration: We are now passing 2 Clients. would it make sense to have a struct of Client which is a struct of different Client types? I'm good either way.
reason for rejection:
the use of package names utils, util or helpers is strongly discouraged. I was hoping to get rid of the ones we have... we shouldn't add to that list of tech debt IMO.
We need this in our docs... good design choice IMO! 👏 |
They're two completely different interfaces. Conflating both would add to confusion IMHO
I couldn't agree more! I think I lost half an hour of my life trying to find a better name for it and...still failed 😆 It has to be either a new package or an existing one (but not |
Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
|
@kensipe I've renamed Regarding the Clients: I think the way it is right now is ok, but with the next client we need we should consider a struct :) |
zen-dog
dismissed
kensipe’s stale review
Renamed the package as requested ;)
…#1319) Summary: - [x] proper applying and re-applying of cluster-scoped resources in the apply task - [x] ownership is **NOT** set for cluster-scoped resources to the `Instance` **Note**: the second change has implications, because we would previously set `ownerReference` of **all** resources (even cluster-scoped ones like CRDs) to the `Instance` and though k8s [GC docs](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/) clearly state that _"Cross-namespace owner references are disallowed by design"_ it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize the `cleanup` plan to remove cluster-scoped resources. Fixes #1288 #1265 Co-authored-by: Andreas Neumann <aneumann@mesosphere.com> Signed-off-by: Andreas Neumann <aneumann@mesosphere.com>
…#1319) Summary: - [x] proper applying and re-applying of cluster-scoped resources in the apply task - [x] ownership is **NOT** set for cluster-scoped resources to the `Instance` **Note**: the second change has implications, because we would previously set `ownerReference` of **all** resources (even cluster-scoped ones like CRDs) to the `Instance` and though k8s [GC docs](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/) clearly state that _"Cross-namespace owner references are disallowed by design"_ it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize the `cleanup` plan to remove cluster-scoped resources. Fixes #1288 #1265 Co-authored-by: Andreas Neumann <aneumann@mesosphere.com> Signed-off-by: Thomas Runyon <runyontr@gmail.com>
Summary: previously any error returned by the `DefaultEnhancer` was treated as fatal. It made sense because it would act deterministically on a prepared set of resources. However, since #1319 enhancer also uses discovery interface to determine whether or not given resource is namespaced. These API requests may fail and must be retried, hence the introduction of a transient error. Fixes #1413 Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
… errors (#1427) Summary: previously any error returned by the `Enhancer` was treated as fatal. It made sense because it would act deterministically on a prepared set of resources. However, since #1319 enhancer also uses the discovery interface to determine whether or not the given resource is namespaced. These API requests may fail and must be retried. With this fix, `DefaultEnhancer` clearly marks certain errors as fatal. Fixes #1413 Signed-off-by: Aleksey Dukhovniy <alex.dukhovniy@googlemail.com>
Summary:
InstanceNote: the second change has implications, because we would previously set
ownerReferenceof all resources (even cluster-scoped ones like CRDs) to theInstanceand though k8s GC docs clearly state that "Cross-namespace owner references are disallowed by design" it would still garbage collect them when the Instance was uninstalled. This is not the case anymore. Operators must utilize thecleanupplan to remove cluster-scoped resources.Fixes #1288 #1265