Bug 1863011: Fix checking if ClusterRoleBindings need update

[paulfantom]

• I added CHANGELOG entry for this change.
• No user facing changes, so no entry in CHANGELOG was needed.

Fixing CRB re-creation checks by using the same logic as we have for RoleBindings.

[openshift-ci-robot]

@paulfantom: This pull request references Bugzilla bug 1863011, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.6.0) matches configured target release for branch (4.6.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

WIP: Bug 1863011: Do not use annotations for detecting if resource needs to be reconciled

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@paulfantom: This pull request references Bugzilla bug 1863011, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.6.0) matches configured target release for branch (4.6.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

WIP: Bug 1863011: Prevent unnecessary recreations of ClusterRoleBindings

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@paulfantom: This pull request references Bugzilla bug 1863011, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.6.0) matches configured target release for branch (4.6.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

WIP: Bug 1863011: Do not compare annotations to detect if recreation is needed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[s-urbaniak]

I believe we have to be a little smarter. If we just ignore the annotations then it is fine, but I think we have to preserve the existing annotations of the object that was found, aka crb.Annotations = existing.Annotations.

[s-urbaniak]

cc @sttts @p0lyn0mial for verification

[p0lyn0mial]

you could "merge" the annotation map instead of ignoring it.

please have a look at https://github.com/openshift/library-go/blob/master/pkg/operator/resource/resourceapply/rbac.go#L58 this is what we use in our operators.

[sttts]

Either merging, or restrict deep equal to the annotation "subdomain" you own, e.g. monitoring.openshift.io. But you have to allow everything else without wiping it, e.g. important.customer.com/foo: bar. It's allowed for every actor to put annotations.

[paulfantom]

@p0lyn0mial in case of merging annotations, should we follow the same pattern you have of merging whole ObjectMeta? Is there any benefit to such approach?

[p0lyn0mial]

We don't merge the whole ObjectMeta, just only a few things

func EnsureObjectMeta(modified *bool, existing *metav1.ObjectMeta, required metav1.ObjectMeta) {
	SetStringIfSet(modified, &existing.Namespace, required.Namespace)
	SetStringIfSet(modified, &existing.Name, required.Name)
	MergeMap(modified, &existing.Labels, required.Labels)
	MergeMap(modified, &existing.Annotations, required.Annotations)
}

[paulfantom]

Seems like we had an incorrect logic for checking if CRB needs a change. The last commit fixes it by porting logic used in RB to do the same

[openshift-ci-robot]

@paulfantom: This pull request references Bugzilla bug 1863011, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.6.0) matches configured target release for branch (4.6.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1863011: Do not compare annotations to detect if recreation is needed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@paulfantom: This pull request references Bugzilla bug 1863011, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.6.0) matches configured target release for branch (4.6.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1863011: Fix checking if ClusterRoleBindings need update

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[paulfantom]

Fixing the annotation issue will be done as part of https://bugzilla.redhat.com/show_bug.cgi?id=1879930

[simonpasquier]

Fixing CRB re-creation checks by using the same logic as we have for RoleBindings.

Looking at the code it seems that CreateOrUpdateRoleBinding should be updated too?

cluster-monitoring-operator/pkg/client/client.go

Lines 1056 to 1061 in 40bb0e8

	if reflect.DeepEqual(rb.RoleRef, r.RoleRef) &&
	reflect.DeepEqual(rb.Subjects, r.Subjects) &&
	reflect.DeepEqual(rb.Labels, r.Labels) &&
	reflect.DeepEqual(rb.Annotations, r.Annotations) {
	return nil
	}

[paulfantom]

Looking at the code it seems that CreateOrUpdateRoleBinding should be updated too?

Yes, but we also have another BZ to fix this for all resources: https://bugzilla.redhat.com/show_bug.cgi?id=1879930.

That said I updated CreateOrUpdateRoleBindings and rebased.

[sttts]

what happens when you set your own annoations? Having a time bomb known to fail without unit tests or other means to tell is not a good idea.

[sttts]

isn't annotation merge logic simple enough to just do it here rather than adding two TODOs plus those "means" I mention above? Seems like time well spend to make it correct once and for all.

[paulfantom]

We are aware and I am working on a fix for this in a follow-up BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1879930. Fix would be applied to all resources, not only CRB.

[s-urbaniak]

My 2 cents: if the merging logic is not too much effort, I'd pull it in as @sttts suggests. especially given the fact that 4.6 is going to be an LTS release.

@paulfantom do you estimate how much effort it would mean to pull in merging for cluster-role-bindings/role-bindings only? I agree that tackling all the other resources can be done separately as they don't seem to suffer the issue we're observing here.

[paulfantom]

ok, I added merging Annotations for RBs and CRBs. Other resources will be done in follow-up PR.

I am re-using github.com/imdario/mergo for merging as we already have it in vendor due to transitive dependency on k8s/client-go.

[s-urbaniak]

/lgtm once green

[s-urbaniak]

/lgtm

[sttts]

this won't remove old annotations. Is that ok?

At least this must be godoc'ed on this func.

[sttts]

Also this mutates rb.Annotation.

/hold

[paulfantom]

Yes, this won't remove old annotations. The goal was to merge old/existing ones with what is defined by the operator.

Since rb and crb is what we hardcode in operator, mutating rb.Annotation is how we can update whole object with added Annotations.

I have added a comment to reflect that.

[sttts]

it is very bad style to have side-effects in such a function, especially when named CreateOrUpdateRoleBinding. None of the upstream client funcs does that for a reason. This func should not divert. It is even dangerious if it does because consumers will not expect it and potentially invalidate objects from a cache.

[s-urbaniak]

I agree here, for the caller this is unexpected. @paulfantom let's make sure we address this in the follow-up. An easy way forward would be to create a deep copy of rb.

[s-urbaniak]

/test e2e-aws-operator
/hold cancel

[s-urbaniak]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: paulfantom, s-urbaniak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [paulfantom,s-urbaniak]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[paulfantom]

/retest

[openshift-ci-robot]

@paulfantom: All pull requests linked via external trackers have merged:

• openshift/cluster-monitoring-operator#932

Bugzilla bug 1863011 has been moved to the MODIFIED state.

In response to this:

Bug 1863011: Fix checking if ClusterRoleBindings need update

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.