workload controller for CAO #243
tested it on my local cluster and it seems to be working.
the new conditions look really good (thanks @deads2k)
good start, needs polishing though
// manage assets | ||
directResourceResults := resourceapply.ApplyDirectly(c.kubeClient, c.eventRecorder, assets.Asset, | ||
"oauth-apiserver/ns.yaml", | ||
"oauth-apiserver/apiserver-clusterrolebinding.yaml", | ||
"oauth-apiserver/svc.yaml", | ||
"oauth-apiserver/sa.yaml", | ||
"oauth-apiserver/cm.yaml", | ||
) |
This should eventually be handled by openshift/cluster-openshift-apiserver-operator#304 from within the APIServerControllerset
yes
return err | ||
} | ||
|
||
if run, err := c.canRunOperator(operatorSpec); !run { |
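Review bot: on the line if run, err := c.canRunOperator(operatorSpec); !run { the branch is taken on !run alone, and err is scoped to this if statement, so a return of (true, err) with a non-nil error would be dropped without being logged or returned. Either test err != nil before looking at run, or state in the canRunOperator doc comment that it never returns an error together with true.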
nit: maybe c.shouldSync(operatorSpec)?
|
||
type syncOperatorFunc func() (*appsv1.DaemonSet, []error) | ||
|
||
type OAuthAPIServerOperator struct { |
s/OAuthAPIServerOperator/OAuthAPIServerWorkloadController? Or maybe just APIServerWorkloadController
yes, I should change the name, thx.
dsAvailableCondition.Status = operatorv1.ConditionFalse | ||
dsAvailableCondition.Reason = "NoDaemon" | ||
dsAvailableCondition.Message = message |
have a helper function for each condition
dsDegradedCondition.Reason = "NoDaemon" | ||
dsDegradedCondition.Message = message | ||
|
||
return errors.NewAggregate(errs) |
so the conditions won't ever get set?
good catch, thx.
return true, nil | ||
} | ||
|
||
func (c *OAuthAPIServerOperator) updateOperatorStatus(workload *appsv1.DaemonSet, errs []error) error { |
I am having a bit of trouble following everything that's being checked in this function, could you try to split it a bit into smaller separate units, have helpers for each condition type?
eventRecorder events.Recorder | ||
versionRecorder status.VersionGetter | ||
preRunCachesSynced []cache.InformerSynced | ||
queue workqueue.RateLimitingInterface |
squash formatting commit to the introducing one :)
bindata/oauth-apiserver/ds.yaml
Outdated
@@ -57,7 +57,7 @@ spec: | |||
--etcd-keyfile=/var/run/secrets/etcd-client/tls.key \ | |||
--etcd-certfile=/var/run/secrets/etcd-client/tls.crt \ | |||
--shutdown-delay-duration=3s \ | |||
--v=2 | |||
${FLAGS} |
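Review bot: ${FLAGS} on the last line of the command is also valid shell parameter-expansion syntax (the backslash continuations above it indicate a shell command line), so if the manifest is ever rendered without the placeholder being replaced, the shell expands it to an empty string unless the script sets -u, and the server starts with no operand flags and, with --v=2 removed here, no verbosity flag, instead of failing. Suggest a unit test on the rendered manifest that asserts no ${ placeholder remains.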
I think in the other repo we dealt with this using a specific replace, not a general flags
for the --v flags we did, replace or append.
But this is a replace if I understand the code right, just with a clever string replace syntax ${FLAGS}. So this is what I expected.
yes, I do use string replace and append --v to all flags.
bindata/oauth-apiserver/ds.yaml
Outdated
@@ -57,7 +57,7 @@ spec: | |||
--etcd-keyfile=/var/run/secrets/etcd-client/tls.key \ | |||
--etcd-certfile=/var/run/secrets/etcd-client/tls.crt \ | |||
--shutdown-delay-duration=3s \ | |||
--v=2 | |||
${FLAGS} |
let's call verbosity a standard replacer. You can imagine having those. it doesn't preclude a ${FLAGS} too
// TODO: add LatestAvailableRevision support | ||
//"${REVISION}", strconv.Itoa(int(authOperator.Status.LatestAvailableRevision)), | ||
"${REVISION}", "1", | ||
"${VERBOSITY}", loglevelToKlog(authOperator.Spec.LogLevel), | ||
"${FLAGS}", strings.Join(padFlags(operandFlags, strings.Repeat(" ", 14)), " \\\n"), |
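Review bot: on the "${FLAGS}" line the values are only padded and joined with " \\\n", and nothing visible here quotes the individual flags, so unless padFlags does it, a flag value containing whitespace, a quote or $ would be split or expanded once the text lands in the shell command, and YAML-significant characters could change the manifest structure. Quote each flag for the shell before the Join, and consider deriving the indent from the template instead of hard-coding strings.Repeat(" ", 14), which breaks silently if the indentation in ds.yaml changes.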
isn't there some clever bash escape func we can use?
it has to be a valid YAML file - I tried to look up a library that would know how to format it properly but didn't find anything.
escape for bash and then for yaml 😱
for yaml escape, we can switch from string replace to yaml replace by unmarshalling first, and then marshalling again.
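The "escape for bash and then for yaml" step discussed in this thread, as an added Go example that is not code from this PR: each flag is single-quoted for a POSIX shell, and the finished command line is emitted as a JSON string, which YAML 1.2 also accepts as a double-quoted scalar. The function names, the binary name in main and the sample flag values are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// shellQuote makes s a single literal word for a POSIX shell: wrap it in
// single quotes and write each embedded ' as '\'' (close, escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// renderFlags (hypothetical helper) turns a flag map into shell-quoted
// --name=value words, sorted by name so the rendered manifest is stable.
func renderFlags(flags map[string][]string) []string {
	names := make([]string, 0, len(flags))
	for name := range flags {
		names = append(names, name)
	}
	sort.Strings(names)
	var words []string
	for _, name := range names {
		for _, value := range flags[name] {
			words = append(words, shellQuote("--"+name+"="+value))
		}
	}
	return words
}

// yamlScalar encodes s as a JSON string. YAML 1.2 accepts JSON strings as
// double-quoted scalars, so quotes, backslashes and newlines are escaped for us.
func yamlScalar(s string) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

func main() {
	// Constructed sample input, not values from the PR.
	flags := map[string][]string{"v": {"2"}, "example-flag": {"it's $HOME"}}
	cmd := "exec example-server " + strings.Join(renderFlags(flags), " ")
	scalar, err := yamlScalar(cmd)
	if err != nil {
		panic(err)
	}
	fmt.Println("args: [\"-c\", " + scalar + "]")
}
```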
69c961d to 5c1b9b7
/retest
/test e2e-aws
/retest
/retest
the only thing that worries me a bit is the initial logs from the servers - as if they were installed too early (error building REST storage: context deadline exceeded)
actually
/test e2e-aws-upgrade
/test e2e-aws
Alright, so etcd related errors (for example, or the errors like) seem to have been occurring during "the initial phase" and are considered normal. Eventually, the app is up and ready.
kyaml "k8s.io/apimachinery/pkg/util/yaml" | ||
"k8s.io/client-go/kubernetes" | ||
"regexp" | ||
"strings" |
order
makes it compile again
gens bindata
adds oauth-apiserver to image references
wires apiServerArguments
escapes args and wires PreconditionFulfilled
wires ObserveStorageURLsToArguments
wires the encryption-config secret
switches to ApplyDeployment and the new EnsureAtMostOnePodPerNode
the test will be off until openshift/cluster-openshift-apiserver-operator#348 merges
adds config observer for oauth apiserver
adds config observer for encryption-config secret
wires ObserveStorageURLsToArguments
adds the finalizer controller to the oauth-apiserver controllerset and the secret revision pruner
moves configOverridesController and logLevelController to RunOperator
3887f85 to ce68aac
ce68aac to fdac04e
fdac04e to 3582236
/approve Waiting for test feedback.
/retest
Registry down. /retest
Network operator degraded. /retest
/retest
/test e2e-aws-operator
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: p0lyn0mial, sttts
it's based on the workload controller in cas-o except it operator.Generation into account because CAO will manage multiple operands and that would make them compete.
TODO:
CAO
openshif-apiserver-operator
serving.go:306] Generated self-signed cert (apiserver.local.config/certificates/apiserver.crt, apiserver.local.config/certificates/apiserver.key)
APIServiceController
testing WithAPIServiceController for CAO #260
openapi/v2 endpoint spits back only 2 paths. (@stlaz) (fix the openapi/v2 endpoint oauth-apiserver#15)
Status.ManagingOAuthAPIServer to false (OAS-O in 4.5/4.6 is ready to handle that) (@stlaz Bug 1860922: add a controller to unmanage the OAuth API #307)
Managed cluster should ensure pods use downstream images from our release image with proper ImagePullPolicy) (@stlaz)
TODO:
ManagingOAuthAPIServer as a version skew strategy) (updates ETCD Encryption For Separate OAuth APIs enhancement to reflect the current state of the world enhancements#421, updates Separate-OAuth-API-Resources enhancement to reflect the current state of the world enhancements#424)
QUESTIONS:
do we need WithoutClusterOperatorStatusController, WithoutFinalizerController, WithoutLogLevelController, WithoutConfigUpgradableController?
Answer from Standa: we do want to call WithoutClusterOperatorStatusController, WithoutLogLevelController, WithoutConfigUpgradableController as these are already running