OCPBUGS-14994: Don't add clientca-configmap finalizer if deleting #948
Conversation
openshift-ci-robot
added
jira/severity-low
|
@Miciah: This pull request references Jira Issue OCPBUGS-14994, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign |
| @@ -191,7 +191,7 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) ( | |||
| } | |||
|
|
|||
| const finalizer = "ingresscontroller.operator.openshift.io/finalizer-clientca-configmap" | |||
| if len(ic.Spec.ClientTLS.ClientCA.Name) != 0 && !slice.ContainsString(ic.Finalizers, finalizer) { | |||
| if len(ic.Spec.ClientTLS.ClientCA.Name) != 0 && ic.DeletionTimestamp == nil && !slice.ContainsString(ic.Finalizers, finalizer) { | |||
There was a problem hiding this comment.
Could you add a unit test for this change?
There was a problem hiding this comment.
Miciah
force-pushed
the
OCPBUGS-14994-do-not-add-clientca-configmap-finalizer-if-deleting
branch
from
d6ec543
to
b3ea675
Compare
|
/retest-required |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
|
/test e2e-gpc-ovn |
|
/assign @frobware |
| expectDelete: []client.Object{}, | ||
| }, | ||
| { | ||
| name: "source configmap absent, target configmap absent, finalizer absent", |
There was a problem hiding this comment.
Isn't the source configmap present in existingObjects and expectUpdate? And the finalizer is present in expectUpdate too. Am I reading it wrong?
There was a problem hiding this comment.
In this test case, the IngressController exists and specifies the "ca-bundle" configmap, but the configmap doesn't exist, so the controller can add the finalizer but cannot copy the configmap.
There was a problem hiding this comment.
If it's not too much trouble, it would be helpful to specify in the test name what the outcome of the test is supposed to be. So here, because there is no cm in the existingObjects, there is no cm in the expectUpdate? And, it is ok for the configmap name to be there in the ic even if there is no cm object? And we only add a finalizer if there is a configmap name, even if there is no matching cm object?
There was a problem hiding this comment.
If it's not too much trouble, it would be helpful to specify in the test name what the outcome of the test is supposed to be.
So here, because there is no cm in the existingObjects, there is no cm in the expectUpdate?
Correct. There is no source configmap, so the controller cannot make a copy of it.
And, it is ok for the configmap name to be there in the ic even if there is no cm object?
It can happen, so the controller needs to handle the case. The router pods cannot start until the configmap exists though because the router pods have a volume mount for the configmap.
And we only add a finalizer if there is a configmap name, even if there is no matching cm object?
Correct.
| Namespace: "openshift-ingress-operator", | ||
| Name: "test", | ||
| }, | ||
| Spec: operatorv1.IngressControllerSpec{ |
There was a problem hiding this comment.
Why is the configmap being examined in these tests?
There was a problem hiding this comment.
The purpose of this controller is to copy the user-provided configmap, which is specified in the IngressController, from the "openshift-config" namespace into the "openshift-ingress" namespace, so the test is written to give the controller an IngressController that specifies a configmap and verify that the controller copies the configmap if it exists.
Did I understand your question correctly and answer it? Should I add a code comment with the above explanation?
There was a problem hiding this comment.
I was expecting a test that only checked for refraining of adding the finalizer when deleting.
There was a problem hiding this comment.
The controller was missing test coverage entirely, so I added a comprehensive test, including test cases for the specific issue in OCPBUGS-14994. Would it be better if I split it into two commits: one to add the test and one to add the specific test case that is related to OCPBUGS-14994?
|
/retest |
|
/lgtm |
Don't add the clientca-configmap finalizer to an IngressController if it is
marked for deletion.
Before this commit, the clientca-configmap controller would attempt to
add (or re-add) its finalizer to an IngressController that had been marked
for deletion. This attempt resulted in the following error from the API:
IngressController.operator.openshift.io "test-client-ca-configmap" is invalid: metadata.finalizers: Forbidden: no new finalizers can be added if the object is being deleted, found new finalizers []string{"ingresscontroller.operator.openshift.io/finalizer-clientca-configmap"}
The controller would retry adding the finalizer repeatedly, causing the
same error to be repeatedly logged until the deletion completed.
This commit fixes OCPBUGS-14994.
https://issues.redhat.com/browse/OCPBUGS-14994
* pkg/operator/controller/clientca-configmap/controller.go (Reconcile):
Only attempt to add the finalizer if the IngressController is not marked
for deletion.
* pkg/operator/controller/clientca-configmap/controller_test.go: New file.
(Test_Reconcile): New test. Verify that Reconcile adds and removes the
finalizer and creates, updates, or deletes the target configmap as
appropriate.
(fakeClientRecorder): New type, used in Test_Reconcile.
(Create, Delete, Update): New methods for fakeClientRecorder to implement
the controller-runtime client.Client interface.
* pkg/operator/controller/clientca-configmap/controller.go (Config): * pkg/operator/controller/clientca-configmap/controller_test.go (Test_Reconcile): * pkg/operator/operator.go (New): Remove unused OperatorNamespace field.
Miciah
force-pushed
the
OCPBUGS-14994-do-not-add-clientca-configmap-finalizer-if-deleting
branch
from
3a3fb20
to
e9ceaf5
Compare
|
@Miciah: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Good doc additions on both the test function and individual test cases. /lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: candita The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@Miciah: Jira Issue OCPBUGS-14994: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-14994 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Fix included in accepted release 4.15.0-0.nightly-2023-10-31-054858 |
Don't add the clientca-configmap finalizer to an IngressController if it is marked for deletion.
Before this change, the clientca-configmap controller would attempt to add (or re-add) its finalizer to an IngressController that had been marked for deletion. This attempt resulted in the following error from the API:
The controller would retry adding the finalizer repeatedly, causing the same error to be repeatedly logged until the deletion completed.
pkg/operator/controller/clientca-configmap/controller.go(Reconcile): Only attempt to add the finalizer if the IngressController is not marked for deletion.