Bug 1497839 - copy secrets to transient namespace and always run #473
Conversation
pkg/apb/executor.go
Outdated
| } | ||
|
|
||
| // Using a new UUID is sane, because it will have some gurantee | ||
| // of uniquenes and will meet DNS name requirements. |
There was a problem hiding this comment.
nit
Using a new UUID is sane, because it will have some guarantee
of uniqueness and will meet DNS name requirements.
pkg/apb/executor.go
Outdated
| namespace := v1.Namespace{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Labels: map[string]string{transientNameSpaceKey: spec.FQName}, | ||
| Name: executionContext.Namespace, |
There was a problem hiding this comment.
You could use GenerateName
https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#idempotency, but then you would have to get the name after you have created the namespace.
There was a problem hiding this comment.
I think then we could give the namespace a name that is more obvious like apb-namespace-(unique suffix).
shawn-hurley
force-pushed
the
copy-secrets
branch
from
dbd1e05
to
f9d9b4e
Compare
openshift-ci-robot
added
the
size/M
|
Example Namespace: |
| namespace := v1.Namespace{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Labels: labels, | ||
| GenerateName: fmt.Sprintf("%s-%.4s-", spec.FQName, action), |
There was a problem hiding this comment.
What's the upper limit on the size of this field? 64 chars? We should guarantee we're under it.
There was a problem hiding this comment.
I can make this change if you like, but my understanding is that GenerateName handles this for you:
Names generated by the system may be requested using metadata.generateName. GenerateName indicates that the name should be made unique by the server prior to persisting it. A non-empty value for the field indicates the name will be made unique (and the name returned to the client will be different than the name passed). The value of this field will be combined with a unique suffix on the server if the Name field has not been provided. The provided value must be valid within the rules for Name, and may be truncated by the length of the suffix required to make the value unique on the server. If this field is specified, and Name is not present, the server will NOT return a 409 if the generated name exists - instead, it will either return 201 Created or 504 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).
There was a problem hiding this comment.
No change needed, that looks good! Thank you for the link 👍
pkg/apb/svc_acct.go
Outdated
| @@ -236,8 +237,11 @@ func (s *ServiceAccountManager) DestroyApbSandbox(executionContext ExecutionCont | |||
| if asbNamespace != executionContext.Namespace { | |||
| s.log.Debug("Deleting namespace %s", executionContext.Namespace) | |||
| k8scli.CoreV1().Namespaces().Delete(executionContext.Namespace, &metav1.DeleteOptions{}) | |||
|
|
|||
| } else { | |||
| //We should not be attempting to run pods in the ASB namespace, if we are, something is seriously wrong. | |||
pkg/apb/executor.go
Outdated
| @@ -201,3 +200,22 @@ func checkPullPolicy(policy string) (v1.PullPolicy, error) { | |||
|
|
|||
| return value, nil | |||
| } | |||
|
|
|||
| func copySecretsToNamespace(executionContext ExecutionContext, | |||
There was a problem hiding this comment.
Nit: We have a couple stylistic patterns for long function signatures in the codebase right now. Admittedly, it's not super consistent, but we should try to not introduce other forms as well IMO. Personally, I like a vertically favored format:
func copySecretsToNamespace(
executionContext ExecutionContext,
clusterConfig ClusterConfig,
k8scli *clientset.Clientset,
secrets []string,
) error { // Return values
// Implementation
}
Also a longer form format, wrapping after the last full var/type crosses something like 80 chars:
func copySecretsToNamespace(executionContext ExecutionContext, clusterConfig ClusterConfig,
k8scli *clientset.Clientset, secrets []string) error {
// Implementation
}
I would just advocate picking one and sticking with it.
pkg/apb/svc_acct.go
Outdated
|
|
||
| } else { | ||
| //We should not be attempting to run pods in the ASB namespace, if we are, something is seriously wrong. | ||
| panic(fmt.Errorf("Broker is attempting to delete its own namespace")) |
There was a problem hiding this comment.
+1, let's not implode 🎉
|
@shawn-hurley @djzager meant to request changes, apparently I can't operate github. |
shawn-hurley
force-pushed
the
copy-secrets
branch
from
42a5614
to
6a56cee
Compare
Add additional labels to apb pod for use when debugging failed apb execution.
|
doublecomboACK |
…nshift#473) * Bug 1497839 - copy secrets to transient namespace and always run the APB in the transient namespace. * using kubernetes generatename to get a unique name that is readable. * update based on PR comments * Make transient namespace name user friendly Add additional labels to apb pod for use when debugging failed apb execution.
Describe what this PR does and why we need it:
Removes split code path based on secrets to run the APB in the transient namespace always
Changes proposed in this pull request
Does this PR depend on another PR (Use this to track when PRs should be merged)
depends-on
N/A
Which issue this PR fixes (This will close that issue when PR gets merged)
N/A
Fixes: #385