New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1820255: Fix race for localhost-recovery-client-token snapshotting #815
Bug 1820255: Fix race for localhost-recovery-client-token snapshotting #815
Conversation
@tnozicka: This pull request references Bugzilla bug 1819256, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@@ -348,6 +348,24 @@ func SyncSecret(client coreclientv1.SecretsGetter, recorder events.Recorder, sou | |||
case err != nil: | |||
return nil, false, err | |||
default: | |||
if source.Type == corev1.SecretTypeServiceAccountToken { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fix is here
@tnozicka: This pull request references Bugzilla bug 1820255, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
@tnozicka: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@@ -41,6 +42,18 @@ import ( | |||
"k8s.io/client-go/kubernetes" | |||
) | |||
|
|||
type encryptionProvider []schema.GroupResource |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@p0lyn0mial I suppose this could have been in library-go next to the interface as SimpleProvider
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, thx :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: soltysh, tnozicka The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@tnozicka: All pull requests linked via external trackers have merged: openshift/cluster-kube-apiserver-operator#815. Bugzilla bug 1820255 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
||
var _ controllers.Provider = encryptionProvider{} | ||
|
||
func (p encryptionProvider) EncryptedGRs() []schema.GroupResource { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@p0lyn0mial I missed this in library-go, but I think we should try to keep interfaces more verbose rather than cryptic, iow. this should've been EncryptedGroupResources
just to follow the API patterns we have everywhere. It's ok to name local variables this way but interfaces not necessarily, if in doubt look at k8s always 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, thx :)
When
localhost-recovery-client-token
secret got created there is a race between kube-controller-manager to inject a token into it and revision controller that snapshots it. If it snapshots it before the token is injected we deploy without a token./cc @deads2k @soltysh @sttts