OCPBUGS-14994: Don't add clientca-configmap finalizer if deleting #948
@Miciah: This pull request references Jira Issue OCPBUGS-14994, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign
@@ -191,7 +191,7 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) ( | |||
} | |||
|
|||
const finalizer = "ingresscontroller.operator.openshift.io/finalizer-clientca-configmap" | |||
if len(ic.Spec.ClientTLS.ClientCA.Name) != 0 && !slice.ContainsString(ic.Finalizers, finalizer) { | |||
if len(ic.Spec.ClientTLS.ClientCA.Name) != 0 && ic.DeletionTimestamp == nil && !slice.ContainsString(ic.Finalizers, finalizer) { |
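Review bot: The new `ic.DeletionTimestamp == nil` term on the changed `if` line has no comment saying why it is there, and the condition now chains three separate checks on one line. A short comment above the `if`, noting that the finalizer must not be added once the IngressController is marked for deletion, would keep a later refactor from dropping the guard. A test case that reconciles an IngressController with `DeletionTimestamp` set and asserts that no update is issued would pin the behaviour down.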
Could you add a unit test for this change?
d6ec543 to b3ea675
/retest-required
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
/remove-lifecycle stale
/test e2e-gpc-ovn
/assign @frobware
expectDelete: []client.Object{}, | ||
}, | ||
{ | ||
name: "source configmap absent, target configmap absent, finalizer absent", |
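Review bot: The case name on the `name:` line lists only the starting state (source configmap, target configmap, finalizer) and not what Reconcile is expected to do with it. Appending the expected outcome to the name, or adding a one-line comment above the case, would let a reader check the `expectUpdate` and `expectDelete` values against the intent without working it out from the fixtures.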
Isn't the source configmap present in existingObjects and expectUpdate? And the finalizer is present in expectUpdate too. Am I reading it wrong?
In this test case, the IngressController exists and specifies the "ca-bundle" configmap, but the configmap doesn't exist, so the controller can add the finalizer but cannot copy the configmap.
If it's not too much trouble, it would be helpful to specify in the test name what the outcome of the test is supposed to be. So here, because there is no cm in the existingObjects, there is no cm in the expectUpdate? And, it is ok for the configmap name to be there in the ic even if there is no cm object? And we only add a finalizer if there is a configmap name, even if there is no matching cm object?
> If it's not too much trouble, it would be helpful to specify in the test name what the outcome of the test is supposed to be.
> So here, because there is no cm in the existingObjects, there is no cm in the expectUpdate?
Correct. There is no source configmap, so the controller cannot make a copy of it.
> And, it is ok for the configmap name to be there in the ic even if there is no cm object?
It can happen, so the controller needs to handle the case. The router pods cannot start until the configmap exists though because the router pods have a volume mount for the configmap.
> And we only add a finalizer if there is a configmap name, even if there is no matching cm object?
Correct.
Namespace: "openshift-ingress-operator", | ||
Name: "test", | ||
}, | ||
Spec: operatorv1.IngressControllerSpec{ |
Why is the configmap being examined in these tests?
The purpose of this controller is to copy the user-provided configmap, which is specified in the IngressController, from the "openshift-config" namespace into the "openshift-ingress" namespace, so the test is written to give the controller an IngressController that specifies a configmap and verify that the controller copies the configmap if it exists.
Did I understand your question correctly and answer it? Should I add a code comment with the above explanation?
I was expecting a test that only checked for refraining from adding the finalizer when deleting.
The controller was missing test coverage entirely, so I added a comprehensive test, including test cases for the specific issue in OCPBUGS-14994. Would it be better if I split it into two commits: one to add the test and one to add the specific test case that is related to OCPBUGS-14994?
No, this is fine.
LGTM, just a comment regarding the necessity of the OperatorNamespace in Test_Reconcile.
/retest
/lgtm
Don't add the clientca-configmap finalizer to an IngressController if it is marked for deletion.

Before this commit, the clientca-configmap controller would attempt to add (or re-add) its finalizer to an IngressController that had been marked for deletion. This attempt resulted in the following error from the API:

    IngressController.operator.openshift.io "test-client-ca-configmap" is invalid: metadata.finalizers: Forbidden: no new finalizers can be added if the object is being deleted, found new finalizers []string{"ingresscontroller.operator.openshift.io/finalizer-clientca-configmap"}

The controller would retry adding the finalizer repeatedly, causing the same error to be repeatedly logged until the deletion completed.

This commit fixes OCPBUGS-14994.

https://issues.redhat.com/browse/OCPBUGS-14994

* pkg/operator/controller/clientca-configmap/controller.go (Reconcile): Only attempt to add the finalizer if the IngressController is not marked for deletion.
* pkg/operator/controller/clientca-configmap/controller_test.go: New file.
(Test_Reconcile): New test. Verify that Reconcile adds and removes the finalizer and creates, updates, or deletes the target configmap as appropriate.
(fakeClientRecorder): New type, used in Test_Reconcile.
(Create, Delete, Update): New methods for fakeClientRecorder to implement the controller-runtime client.Client interface.

* pkg/operator/controller/clientca-configmap/controller.go (Config):
* pkg/operator/controller/clientca-configmap/controller_test.go (Test_Reconcile):
* pkg/operator/operator.go (New): Remove unused OperatorNamespace field.
3a3fb20 to e9ceaf5
@Miciah: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Good doc additions on both the test function and individual test cases. /lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: candita The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@Miciah: Jira Issue OCPBUGS-14994: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-14994 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Fix included in accepted release 4.15.0-0.nightly-2023-10-31-054858
Don't add the clientca-configmap finalizer to an IngressController if it is marked for deletion.
Before this change, the clientca-configmap controller would attempt to add (or re-add) its finalizer to an IngressController that had been marked for deletion. This attempt resulted in the following error from the API:
The controller would retry adding the finalizer repeatedly, causing the same error to be repeatedly logged until the deletion completed.
pkg/operator/controller/clientca-configmap/controller.go (Reconcile): Only attempt to add the finalizer if the IngressController is not marked for deletion.
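The retry loop described above, and the effect of the deletion guard, as an added example that is not code from this pull request or from the operator. The `object` type, `addFinalizer`, the `guard` parameter and `failedReconciles` are hypothetical stand-ins that model the API rule without any Kubernetes dependency.

```go
package main

import (
	"fmt"
	"time"
)

const finalizer = "ingresscontroller.operator.openshift.io/finalizer-clientca-configmap"
// object holds only the fields the check reads (hypothetical stand-in type).
type object struct {
	ClientCAName      string
	DeletionTimestamp *time.Time
	Finalizers        []string
}

// addFinalizer models the API rule from the quoted error: no new finalizers once deletion has started.
func addFinalizer(stored *object, f string) error {
	if stored.DeletionTimestamp != nil {
		return fmt.Errorf("metadata.finalizers: Forbidden: no new finalizers can be added if the object is being deleted")
	}
	stored.Finalizers = append(stored.Finalizers, f)
	return nil
}

// reconcile uses the pre-fix condition when guard is false and the fixed condition when guard is true.
func reconcile(ic *object, guard bool) error {
	has := false
	for _, f := range ic.Finalizers {
		has = has || f == finalizer
	}
	if len(ic.ClientCAName) != 0 && (!guard || ic.DeletionTimestamp == nil) && !has {
		return addFinalizer(ic, finalizer)
	}
	return nil
}

// failedReconciles reconciles an object already marked for deletion n times and counts API rejections.
func failedReconciles(n int, guard bool) (failures int) {
	now := time.Now()
	ic := &object{ClientCAName: "ca-bundle", DeletionTimestamp: &now}
	for i := 0; i < n; i++ {
		if reconcile(ic, guard) != nil {
			failures++
		}
	}
	return failures
}

func main() { fmt.Println(failedReconciles(5, false), failedReconciles(5, true)) }
```

Without the guard every reconcile of the deleting object is rejected, which is the repeated log entry the description mentions; with it the controller issues no update at all.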