OAuthRevisionLabelPodDeployer #348
/assign @sttts
requires openshift/library-go#763
/hold for testing
/retest
/test e2e-aws-upgrade
@@ -34,7 +34,7 @@ type oauthAPIServerController struct { | |||
} | |||
|
|||
// New creates OAuthAPIServerController that will manage encryption-config-openshift-oauth-apiserver in openshift-config-managed namespace as described in https://github.com/openshift/enhancements/blob/master/enhancements/etcd/etcd-encryption-for-separate-oauth-apis.md | |||
// Note that this code will be removed in the future release (4.6) | |||
// Note that this code will be removed in the future release (4.7) |
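Review bot: the removal note is only being bumped from 4.6 to 4.7 with nothing that tracks the removal; the same "removed in 4.7" promise is repeated in the deployer adapter doc comment and in the case-1 TODO elsewhere in this PR, so suggest pointing all of them at one tracking issue (or stating the condition under which the code goes away) so the three notes do not drift apart again at the next bump.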
// case 1 encryption off or the secret was annotated - we are in charge | ||
// case 2 otherwise let CAO manage its own encryption configuration | ||
// TODO: | ||
// - change case 1 in in 4.7 so that this operator doesn't manage CAO's encryption config when encryption is off |
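Review bot: the TODO on the last line has a duplicated word ("in in 4.7"); more importantly, the case-1 line says "the secret was annotated" without naming the annotation that hands control to this operator or which secret carries it (the PR description refers to the openshift-oauth-apiserver encryption-config secret), so suggest spelling out the annotation key here, because whoever relaxes case 1 in 4.7 needs to know exactly which predicate is being changed.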
allEncryptedGRs []schema.GroupResource | ||
encryptedGRsManagedByExternalServer sets.String | ||
|
||
secretLister corev1listers.SecretNamespaceLister | ||
isOAuthEncryptionConfigManagedByThisOperatorFunc func() bool |
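Review bot: the two new fields `encryptedGRsManagedByExternalServer` and `isOAuthEncryptionConfigManagedByThisOperatorFunc` carry no doc comments; suggest one line each stating how the former relates to `allEncryptedGRs` (the resources handed off to the external server) and when the latter is evaluated, since the union deployer added in this PR derives its converged result from the moment that predicate flips.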
nit: s/Func//
// Whether this deployer is on/off is determined by isOAuthEncryptionConfigManagedByThisOperatorFunc | ||
// TODO: | ||
// remove this deployer in 4.7 | ||
func NewOAuthRevisionLabelPodDeployerAdapter( |
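Review bot: the doc comment only says the deployer is on/off according to the predicate; it should also state what the adapter's `DeployedEncryptionConfigSecret` returns while disabled (secret, converged flag, error), because the union deployer in this PR decides overall convergence from exactly those values and a reader cannot tell from this comment whether a disabled delegate is skipped or counted.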
MaybeDisabledDeployer might be a better name? This is nothing special about oauth.
DisabledByPredicateDeployer even. And the interface would be MaybeDisabledDeployer.
"github.com/openshift/library-go/pkg/operator/encryption/statemachine" | ||
) | ||
|
||
type DeployerExtended interface { |
MaybeDisabledDeployer
Disabled() bool | ||
} | ||
|
||
// UnionRevisionLabelPodDeployer provides unified state from multiple distinct deployers. |
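Review bot: the doc comment should spell out the all-disabled case raised below in review (treated as encryption off), because a union that reports "encryption off" when every delegate has opted out can silently mask a wiring mistake in which no deployer is actually watching the encryption config; suggest documenting it here and considering a logged warning or a degraded condition for that state rather than a quiet pass.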
... it's converged if all delegates are converged. Each deployer can be disabled.
What if all are disabled?
What if all are disabled?
we will treat it as if encryption was off
return &UnionRevisionLabelPodDeployer{delegates: delegates}, nil | ||
} | ||
|
||
// DeployedEncryptionConfigSecret returns the actual encryption configuration across multiple deployers |
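Review bot: the constructor on the first line accepts any delegates slice, including an empty one, and always returns a nil error; suggest rejecting `len(delegates) == 0` there, since an empty union falls into the same "treated as encryption off" path as the all-disabled case and is almost certainly a wiring bug rather than an intended configuration. The doc comment should also say that the returned configuration is only meaningful when all delegates agree.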
.... if they all agree.
pkg/operator/starter.go
@@ -232,6 +255,14 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller | |||
return err | |||
} | |||
|
|||
oauthEncryptionController := oauthapiencryptioncontroller.New( |
this is just the secret sync controller, isn't it? Can we make that clearer?
sure
// That means: | ||
// - none has reported an error | ||
// - all have converged | ||
// - all have observed exactly the same encryption configuration |
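Review bot: the three bullets describe the success case only; add what happens otherwise (converged=false) and whether a delegate error is returned to the caller or folded into converged=false, since callers that gate key rotation on this result need to tell "not yet converged" apart from "cannot tell".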
nit: ... Otherwise it returns converged=false.
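The convergence rule discussed in this thread (all enabled delegates converged on the same configuration, otherwise converged=false, all delegates disabled treated as encryption off), as an added Go example that is not code from this PR or from openshift/library-go; the `Delegate` interface, the `EncryptionConfig` type and the `FakeDelegate` test double are simplified stand-ins assumed for illustration.

```go
package main
// EncryptionConfig is a hypothetical, simplified stand-in for the observed encryption-config Secret.
type EncryptionConfig struct{ Revision, Config string }

// Delegate is a stand-in for the deployer interface discussed in the review: a delegate
// may be disabled; otherwise it reports (config, converged, err). A nil config with
// converged=true means "encryption off" for that delegate.
type Delegate interface {
	Disabled() bool
	DeployedEncryptionConfigSecret() (*EncryptionConfig, bool, error)
}
// FakeDelegate is a constructed test double for Delegate.
type FakeDelegate struct {
	IsDisabled, Converged bool
	Cfg                   *EncryptionConfig
	Err                   error
}
func (f FakeDelegate) Disabled() bool { return f.IsDisabled }
func (f FakeDelegate) DeployedEncryptionConfigSecret() (*EncryptionConfig, bool, error) {
	return f.Cfg, f.Converged, f.Err
}
// sameConfig treats two nil configs (both "encryption off") as equal.
func sameConfig(a, b *EncryptionConfig) bool {
	if a == nil || b == nil {
		return a == b
	}
	return *a == *b
}
// UnionDeployedEncryptionConfig applies the rule from the review thread: converged=true only
// when no enabled delegate errored, all enabled delegates converged and all observed the same
// configuration; otherwise converged=false. If every delegate is disabled the result is
// (nil, true, nil), i.e. the union is treated as encryption off.
func UnionDeployedEncryptionConfig(delegates []Delegate) (*EncryptionConfig, bool, error) {
	var agreed *EncryptionConfig
	enabled := 0
	for _, d := range delegates {
		if d.Disabled() {
			continue
		}
		cfg, converged, err := d.DeployedEncryptionConfigSecret()
		if err != nil {
			return nil, false, err // errors are propagated, not folded into converged=false
		}
		if !converged || (enabled > 0 && !sameConfig(agreed, cfg)) {
			return nil, false, nil // not converged yet, or delegates disagree
		}
		agreed, enabled = cfg, enabled+1
	}
	return agreed, true, nil
}
```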
Lgtm.
/lgtm
…iftAPIServer deployer and a temporal OpenShiftAuthAPI deployer into one. OpenShiftAuthAPI is on/off based on the annotation of the openshift-oauth-apiserver-encryption-config secret. It will be removed in future releases (>= 4.7). When the OpenShiftAuthAPI deployer is on, encryption controllers for this operator will wait until OpenShiftAuthAPI servers converge onto a single revision. It also starts OAuthAPIServerController that will manage encryption-config-openshift-oauth-apiserver in the openshift-config-managed namespace as described in https://github.com/openshift/enhancements/blob/master/enhancements/etcd/etcd-encryption-for-separate-oauth-apis.md
/test e2e-aws
the test will be off until openshift/cluster-openshift-apiserver-operator#348 merges
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: p0lyn0mial, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
/test all
/hold cancel
e2e-aws /retest
/retest Please review the full test history for this PR and help us cut down flakes.
builds on #347 and adds oauth revision label deployer (1702200)

This PR adds `NewUnionRevisionLabelPodDeployer` that combines a standard `OpenShiftAPIServer` deployer and a temporal `OpenShiftAuthAPI` deployer into one. `OpenShiftAuthAPI` is on/off based on the annotation of the `openshift-oauth-apiserver-encryption-config` secret. It will be removed in future releases (>= 4.7). When the `OpenShiftAuthAPI` deployer is on, encryption controllers for this operator will wait until OpenShiftAuthAPI servers converge onto a single revision. This PR also starts `OAuthAPIServerController` that will manage `encryption-config-openshift-oauth-apiserver` in the `openshift-config-managed` namespace as described in https://github.com/openshift/enhancements/blob/master/enhancements/etcd/etcd-encryption-for-separate-oauth-apis.md