workload controller for CAO

[p0lyn0mial]

it's based on the workload controller in cas-o except it

• tries to be generic at least in (CAO)
• doesn't take operator.Generation into account because CAO will manage multiple operands and that would make them compete.

TODO:

• add config support
• add unit tests
• wire into CAO
• create a sperate package for each operator
• use static controller (make static resource controller you simply pass manifests to cluster-openshift-apiserver-operator#304)
• create a generic workload controller and reuse it in this operator and in openshif-apiserver-operator
• figure out how to wire the serving cert because at the moment I see in the logs serving.go:306] Generated self-signed cert (apiserver.local.config/certificates/apiserver.crt, apiserver.local.config/certificates/apiserver.key)
• add revision support (for etcd encryption)
• wire APIServiceController testing WithAPIServiceController for CAO #260
• move the prune controller to APIServerControllerSet (library-go) (Add prune controller to the APIServerControllerSet library-go#846)
• wire the config observers (https://issues.redhat.com/browse/MSTR-984)
• add proxy support https://issues.redhat.com/browse/MSTR-986 (not needed)
• add standard encryption tests for CAO (@p0lyn0mial ) (requires configures the storage layer to be backward compatible with OpenShift API oauth-apiserver#14)
• investigate why openapi/v2 endpoint spits back only 2 paths. (@stlaz ) (fix the openapi/v2 endpoint oauth-apiserver#15)
• add the finalizer controller
• CAO in 4.5 flips Status.ManagingOAuthAPIServer to false (OAS-O in 4.5/4.6 is ready to handle that) (@stlaz Bug 1860922: add a controller to unmanage the OAuth API #307)
• figure out how to react to changes in the deployment's spec. For example when the flags changes or were changed by the user. (@sttts) (tweak EnsureAtMostOnePodPerNode method library-go#856)
• fix failing e2e tests ( Managed cluster should ensure pods use downstream images from our release image with proper ImagePullPolicy) (@stlaz )
• what about https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/audit-policy.md ? (done in wires the audit policy configuration #310)
• enable the encryption tests

TODO:

• manually test the upgrade/downgrade path on an encrypted cluster (@p0lyn0mial )
• add oauth-apiserver to must-gather (and potentially CI jobs collecting audit logs) - tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1862426 and Bug 1862426: gather the audit logs for oauth apiserver must-gather#144
• we want another e2e monitor tests, check the oauth-apiserver API availability (adds a new monitoring test for checking OAuth API server origin#25389)
• fix the double registration that causes the new API to panic (fixed in explicitly overwrites RESTOptionsGetter oauth-apiserver#16)
• enhancement must be updated (versions, the first should mention the second, the first must mentionManagingOAuthAPIServer as a version skew strategy) (updates ETCD Encryption For Separate OAuth APIs enhancement to reflect the current state of the world enhancements#421, updates Separate-OAuth-API-Resources enhancement to reflect the current state of the world enhancements#424)

QUESTIONS:

• do we need WithoutClusterOperatorStatusController, WithoutFinalizerController, WithoutLogLevelController, WithoutConfigUpgradableController ?

  Answer from Standa: we do want to call WithoutClusterOperatorStatusController, WithoutLogLevelController, WithoutConfigUpgradableController as these are already running

[p0lyn0mial]

tested it on my local cluster and it seems to be working.

k get ds -n openshift-oauth-apiserver 
NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                     AGE
apiserver   3         3         3       3            3           node-role.kubernetes.io/master=   47m

k get po -n openshift-oauth-apiserver 
NAME              READY   STATUS    RESTARTS   AGE
apiserver-4htqj   1/1     Running   0          44m
apiserver-5q2hd   1/1     Running   0          44m
apiserver-w5rbv   1/1     Running   0          44m

[p0lyn0mial]

the new conditions look really good (thanks @deads2k)

  - lastTransitionTime: "2020-01-20T12:23:40Z"
    reason: AsExpected
    status: "True"
    type: OAuthAPIServerOperatorDaemonSetAvailable
  - lastTransitionTime: "2020-01-20T12:18:34Z"
    status: "False"
    type: OAuthAPIServerOperatorWorkloadDegraded
  - lastTransitionTime: "2020-01-20T12:20:53Z"
    reason: AsExpected
    status: "False"
    type: OAuthAPIServerOperatorsDaemonSetDegraded
  - lastTransitionTime: "2020-01-20T12:23:40Z"
    reason: AsExpected
    status: "False"
    type: OAuthAPIServerOperatorsDaemonSetProgressing

[stlaz]

good start, needs polishing though

[stlaz]

This should eventually be handled by openshift/cluster-openshift-apiserver-operator#304 from within the APIServerControllerset

[p0lyn0mial]

yes

[stlaz]

nit: maybe c.shouldSync(operatorSpec)?

[stlaz]

s/OAuthAPIServerOperator/OAuthAPIServerWorkloadController? Or maybe just APIServerWorkloadController

[p0lyn0mial]

yes, I should change the name, thx.

[stlaz]

have a helper function for each condition

[stlaz]

so the conditions won't ever get set?

[p0lyn0mial]

good catch, thx.

[stlaz]

I am having a bit of a trouble following everything that's being checked in this function, could you try to split it a bit to smaller separate units, have helpers for each condition type?

[stlaz]

squash formatting commit to the introducing one :)

[deads2k]

I think in the other repo we dealt with this using a specific replace, not a general flags

[sttts]

for the --v flags we did, replace or append.

[sttts]

But this is a replace if I understand the code right, just with a clever string replace syntax ${FLAGS}. So this is what I expected.

[p0lyn0mial]

yes, I do use string replace and append --v to all flags.

[deads2k]

let's call verbosity a standard replacer. YOu can imagine having those. it doesn't preclude a ${FLAGS} too

[sttts]

isn't there some clever bash escape func we can use?

[p0lyn0mial]

it has to be a valid YAM file - I tried to look up a library that would know how to format it properly but didn't find anything.

[sttts]

escape for bash and then for yaml 😱

[sttts]

https://github.com/alessio/shellescape

[sttts]

for yaml escape, we can switch from string replace to yaml replace by unmarshalling first, and then marshalling again.

[p0lyn0mial]

/retest

[p0lyn0mial]

/test e2e-aws

[p0lyn0mial]

/retest

[p0lyn0mial]

/retest

[p0lyn0mial]

e2e-aws looks quite good, openshift-oauth-apiserver namespace was created and authentication operator reported success:

  - lastTransitionTime: "2020-01-27T13:10:11Z"
    reason: AsExpected
    status: "True"
    type: OAuthAPIServerControllerWorkloadCtrlDaemonSetAvailable
  - lastTransitionTime: "2020-01-27T13:05:17Z"
    status: "False"
    type: OAuthAPIServerControllerWorkloadCtrlWorkloadDegraded
  - lastTransitionTime: "2020-01-27T13:10:51Z"
    reason: AsExpected
    status: "False"
    type: OAuthAPIServerControllerWorkloadCtrlsDaemonSetDegraded
  - lastTransitionTime: "2020-01-27T13:05:19Z"
    reason: AsExpected
    status: "False"
    type: OAuthAPIServerControllerWorkloadCtrlsDaemonSetProgressing

the only thing that worries me a bit is the initial logs from the servers - as if they were installed too early (error building REST storage: context deadline exceeded)

[p0lyn0mial]

actually error building REST storage: context deadline exceeded might be a transient error - e2e-aws-console-login looks better

[p0lyn0mial]

/test e2e-aws-upgrade

[p0lyn0mial]

/test e2e-aws

[p0lyn0mial]

Alright, so etcd related errors (for example, or the errors like) seem to have been occurring during "the initial phase" and are considered normal. Eventually, the app is up and ready.

[sttts]

order

[sttts]

/approve
Lgtm

Waiting for test feedback.

[p0lyn0mial]

Error: Error launching source instance: RequestLimitExceeded: Request limit exceeded

/retest

[sttts]

Registry down.

/retest

[sttts]

Network operator degraded.

/retest

[p0lyn0mial]

[sig-arch][Early] Managed cluster should start all core operators [Suite:openshift/conformance/parallel]
[sig-instrumentation] Prometheus when installed on the cluster shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured [Early] [Suite:openshift/conformance/parallel]

/retest

[p0lyn0mial]

Entrypoint received interrupt: terminated for (e2e-aws-operator)

/test e2e-aws-operator

[p0lyn0mial]

Entrypoint received interrupt for (e2e-aws-operator )

/retest

[sttts]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: p0lyn0mial, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sttts]

🎉