OAuthRevisionLabelPodDeployer #348
Conversation
|
/assign @sttts |
|
requires openshift/library-go#763 |
|
/hold for testing |
openshift-ci-robot
added
the
do-not-merge/hold
|
/retest |
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
3 times, most recently
from
e574939
to
b5d7329
Compare
|
/retest |
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
from
b5d7329
to
386d0c5
Compare
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
from
386d0c5
to
f89924c
Compare
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
from
f89924c
to
e8271d0
Compare
|
/test e2e-aws-upgrade |
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
from
e8271d0
to
d58abbb
Compare
|
|
| @@ -34,7 +34,7 @@ type oauthAPIServerController struct { | |||
| } | |||
|
|
|||
| // New creates OAuthAPIServerController that will manage encryption-config-openshift-oauth-apiserver in openshift-config-managed namespace as described in https://github.com/openshift/enhancements/blob/master/enhancements/etcd/etcd-encryption-for-separate-oauth-apis.md | |||
| // Note that this code will be removed in the future release (4.6) | |||
| // Note that this code will be removed in the future release (4.7) | |||
There was a problem hiding this comment.
| // case 1 encryption off or the secret was annotated - we are in charge | ||
| // case 2 otherwise let CAO manage its own encryption configuration | ||
| // TODO: | ||
| // - change case 1 in in 4.7 so that this operator doesn't manage CAO's encryption config when encryption is off |
There was a problem hiding this comment.
| allEncryptedGRs []schema.GroupResource | ||
| encryptedGRsManagedByExternalServer sets.String | ||
|
|
||
| secretLister corev1listers.SecretNamespaceLister | ||
| isOAuthEncryptionConfigManagedByThisOperatorFunc func() bool |
| // Whether this deployer is on/off is determined by isOAuthEncryptionConfigManagedByThisOperatorFunc | ||
| // TODO: | ||
| // remove this deployer in 4.7 | ||
| func NewOAuthRevisionLabelPodDeployerAdapter( |
There was a problem hiding this comment.
MaybeDisabledDeployer might be a better name? This is nothing special about oauth.
There was a problem hiding this comment.
DisabledByPredicateDeployer even. And the interface would be MaybeDisabledDeployer.
| "github.com/openshift/library-go/pkg/operator/encryption/statemachine" | ||
| ) | ||
|
|
||
| type DeployerExtended interface { |
| Disabled() bool | ||
| } | ||
|
|
||
| // UnionRevisionLabelPodDeployer provides unified state from multiple distinct deployers. |
There was a problem hiding this comment.
... it's converged if all delegates are converged. Each deployer can be disabled.
What if all are disabled?
There was a problem hiding this comment.
What if all are disabled?
we will treat it as if encryption was off
| return &UnionRevisionLabelPodDeployer{delegates: delegates}, nil | ||
| } | ||
|
|
||
| // DeployedEncryptionConfigSecret returns the actual encryption configuration across multiple deployers |
pkg/operator/starter.go
Outdated
| @@ -232,6 +255,14 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller | |||
| return err | |||
| } | |||
|
|
|||
| oauthEncryptionController := oauthapiencryptioncontroller.New( | |||
There was a problem hiding this comment.
this is just the secret sync controller, isn't it? Can we make that clearer?
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
from
7d650bf
to
a05479a
Compare
| // That means: | ||
| // - none has reported an error | ||
| // - all have converged | ||
| // - all have observed exactly the same encryption configuration |
There was a problem hiding this comment.
nit: ... Otherwise it returns converged=false.
|
Lgtm. |
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
from
a05479a
to
daf8d3d
Compare
|
/lgtm |
openshift-ci-robot
added
lgtm
…iftAPIServer deployer and a temporal OpenSiftAuthAPI deployer into one OpenSiftAuthAPI is on/off based on the annotation of the openshift-oauth-apiserver-encryption-cofngi secret. It will be removed in future releases ( >= 4.7), when OpenSiftAuthAPI deployer is on encryption controllers for this operator will wait until OpenShiftAuthAPI servers converge onto a single revision. it also starts OAuthAPIServerController that will manage encryption-config-openshift-oauth-apiserver in openshift-config-managed namespace as described in https://github.com/openshift/enhancements/blob/master/enhancements/etcd/etcd-encryption-for-separate-oauth-apis.md
p0lyn0mial
force-pushed
the
with-custom-deployer
branch
from
daf8d3d
to
f4f436e
Compare
|
/retest |
1 similar comment
|
/retest |
|
/test e2e-aws |
the test will be off unitl openshift/cluster-openshift-apiserver-operator#348 merges
the test will be off unitl openshift/cluster-openshift-apiserver-operator#348 merges
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: p0lyn0mial, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all |
|
/retest |
|
/test all |
|
/retest |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
e2e-aws /retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
builds on #347 and adds
oauth revision label deployer(1702200)This PR adds
NewUnionRevisionLabelPodDeployerthat combines a standardOpenShiftAPIServerdeployer and a temporalOpenSiftAuthAPIdeployer into one.OpenSiftAuthAPIis on/off based on the annotation of theopenshift-oauth-apiserver-encryption-cofngisecret. It will be removed in future releases ( >= 4.7).When
OpenSiftAuthAPIdeployer isonencryption controllers for this operator will wait until OpenShiftAuthAPI servers converge onto a single revision.This PR also starts
OAuthAPIServerControllerthat will manageencryption-config-openshift-oauth-apiserverinopenshift-config-managednamespace as described in https://github.com/openshift/enhancements/blob/master/enhancements/etcd/etcd-encryption-for-separate-oauth-apis.md