WRKLDS-728: Capabilities: drop build/apps APIService when capabilities are not enabled

[ingvagabund]

Unless a capability is unknown, install APIService object for corresponding API only when enabled.

[openshift-ci-robot]

@ingvagabund: This pull request references WRKLDS-728 which is a valid jira issue.

In response to this:

Unless a capability is unknown, install APIService object for corresponding API only when enabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ingvagabund]

/retest-required

[ingvagabund]

/retest-required

[ingvagabund]

/retest-required

[p0lyn0mial]

why this doesn't have to operate only on the enabled services?

[ingvagabund]

apiServicesReferences() is consumed by .WithClusterOperatorStatusController which uses the references to build a list of related objects. In case a reference has no relevant object, it gets ignored.

[p0lyn0mial]

ok, it looks like this is purely informational. It doesn't have any impact on the core logic.

[p0lyn0mial]

I think that we should either change the NewAPIServiceController controller or this function. Otherwise we cannot guarantee the clusterVersionInformer will be synced. Am I right ?

[p0lyn0mial]

In addition to that I think that we should add a reactor to the NewAPIServiceController to catch changes to clusterVersionInformer. WDYT?

[ingvagabund]

apiServices can have various implementations so any change needs to happen inside apiService.

Are you suggesting to invoke WaitForCacheSync? Checking https://github.com/openshift/cluster-openshift-apiserver-operator/blob/master/pkg/operator/starter.go#L368-L374 noone of the informers is waiting for caches to be fully synced.

[p0lyn0mial]

I think that we should add clusterVersionInformer to WithInformers here https://github.com/openshift/library-go/blob/75c7d51fc4155264ba71551d22d0a1968b7bf989/pkg/operator/apiserver/controller/apiservice/apiservice_controller.go#L66 because

// WithInformers is used to register event handlers and get the caches synchronized functions.

[p0lyn0mial]

and maybe we should change GetAPIServicesToMangeFunc to accept clusterVersionInformer configinformersconfigv1.ClusterVersionInformer ?

[p0lyn0mial]

alternative would be to add WaitForCacheSync to the apiServices function and somehow trigger the controller to call apiServices when clusterVersionInformer changes/get an event.

[p0lyn0mial]

does it make sense?

[ingvagabund]

I think that we should add clusterVersionInformer to WithInformers here

openshift/library-go#1562

[ingvagabund]

+1 for passing informers as the list of managed api services may have many different implementation which do not need clusterVersionInformer.

[p0lyn0mial]

ok, thanks.

[p0lyn0mial]

I have the same question here. Should we guarantee that the clusterVersionInformer is synced?

[p0lyn0mial]

And whether we need to add a reactor to the controller.

[ingvagabund]

That's where informer passed in dc8a55f#diff-0d623dfd885adb20f991bda4c2453aebd732ca6dbb4d1d4be6e79805c3b48de6R243 takes affect. Everytime a cluster version changes, OpenShiftAPIServerWorkload.Sync triggers.

[p0lyn0mial]

okay, so it looks like we don't need an informer, we need a Lister here :) Please change it to a Lister.

[ingvagabund]

Done

[p0lyn0mial]

do you have a unit test to cover merging ?

[ingvagabund]

dc8a55f#diff-25e7c9a2521d15c93e122ab635c1ec19358116650aa275abca5e014b514c69c2R381-R384

[p0lyn0mial]

Will you have a test that will test the disabling of this APIs?

[ingvagabund]

Already in dc8a55f#diff-25e7c9a2521d15c93e122ab635c1ec19358116650aa275abca5e014b514c69c2R241

[p0lyn0mial]

I think that we should have an e2e test for it, wdyt?

[ingvagabund]

Updating/adding e2es is the next step once this PR and openshift/cluster-openshift-controller-manager-operator#291 are merged.

[p0lyn0mial]

where are you planing to add that test ? will it be this repo or in the origin ?

[ingvagabund]

I am planning origin as we need to check for disabled controllers as well. E.g. read the config or parse the controllers logs. On the other hand we first need to update the origin tests to react on missing API so other tests (e.g. running in parallel) for Builds/DCs do not fail. Ultimately, each operator repo might have its own version of the e2e. The e2e (going here or into origin) will need a separate PR.

[p0lyn0mial]

Ideally if we could add a test here and then also run it from the origin repo. Are you planing to add the test before we ship 4.14 ?

[ingvagabund]

Yes. All tests need to land before 4.14 ships.

[p0lyn0mial]

OK. I would like to avoid shipping a feature without the tests. Thanks.

[p0lyn0mial]

won't this spam logs on every Sync ?

[p0lyn0mial]

ping

[ingvagabund]

I will increase the log level to 4

[ingvagabund]

Done

[ingvagabund]

/retest-required

[ingvagabund]

[sig-cli] oc adm must-gather runs successfully for audit logs [apigroup:config.openshift.io][apigroup:oauth.openshift.io] [Suite:openshift/conformance/parallel]

The last two e2e-aws-own failed due to empty openshift-apiserver audit logs

All OA instances are reporting bunch of:

2023-08-03T21:07:10.547646790Z W0803 21:07:10.547610       1 logging.go:59] [core] [Channel #91 SubChannel #92] grpc: addrConn.createTransport failed to connect to {
2023-08-03T21:07:10.547646790Z   "Addr": "10.0.43.149:2379",
2023-08-03T21:07:10.547646790Z   "ServerName": "10.0.43.149",
2023-08-03T21:07:10.547646790Z   "Attributes": null,
2023-08-03T21:07:10.547646790Z   "BalancerAttributes": null,
2023-08-03T21:07:10.547646790Z   "Type": 0,
2023-08-03T21:07:10.547646790Z   "Metadata": null

[p0lyn0mial]

and having a lister instead of an informer will simplify this unit tests :)

[ingvagabund]

Done

[p0lyn0mial]

mhm, should we be passing a yaml ?

[ingvagabund]

Done

[p0lyn0mial]

should we check kubeClient.Actions() instead ?

[ingvagabund]

What for?

[p0lyn0mial]

We usually do this to check what resource would be sent to the server and how many times. The Get method reads the state stored in memory, which may not necessarily correspond to the resource that would be sent to the server.

[ingvagabund]

Something like https://github.com/openshift/openshift-apiserver/blob/064c2d0ef0ecaeda2bcc4387eaaa7258cee5adcf/pkg/project/apiserver/registry/project/proxy/proxy_test.go#L96-L101? Is the goal here to add just a test for Matches("update", "configmaps")? Or, to more inspect the corresponding action? Do you have an example?

[p0lyn0mial]

Usually we verify the verbs (https://github.com/openshift/library-go/blob/abaa55e36ec42bcade37586fbeabfb5bf48cd5b8/pkg/operator/encryption/controllers/key_controller_test.go#L389)

And the content of the resource as well (https://github.com/openshift/library-go/blob/abaa55e36ec42bcade37586fbeabfb5bf48cd5b8/pkg/operator/encryption/controllers/key_controller_test.go#L302)

I think we could check both here as well.

[ingvagabund]

Done

[p0lyn0mial]

please rename it to fakeKubeClient

[ingvagabund]

TestOperatorConfigProgressingCondition uses kubeClient well. Do you wanna rename it on other test(s) as well?

[p0lyn0mial]

sure, if this is not a problem for you that would be fine :)

[ingvagabund]

Done

[p0lyn0mial]

oas uses a versioned decoder. Could we do the same here ?

scheme := runtime.NewScheme()
utilruntime.Must(openshiftcontrolplanev1.Install(scheme))
codecs := serializer.NewCodecFactory(scheme)
obj, err := runtime.Decode(codecs.UniversalDecoder(openshiftcontrolplanev1.GroupVersion, configv1.GroupVersion), configContent)
if err != nil {
	return err
}
config := obj.(*openshiftcontrolplanev1.OpenShiftAPIServerConfig)

https://github.com/openshift/openshift-apiserver/blob/df3ca642f426cf2f34abeae152a9fce80b44c63e/pkg/cmd/openshift-apiserver/cmd.go#L129

[ingvagabund]

Done

[p0lyn0mial]

would it make sense to validate the whole config and not only PerGroupOptions ?
assuming that other fields remain unchanged, this shouldn't require much more effort

[ingvagabund]

Done

[p0lyn0mial]

mhm, I still think it will be logged on every sync. What is the value of spamming the log file with this information ? Ideally if we could log it just once, right ?

[p0lyn0mial]

Maybe we need a new condition ? Does the service controller set a condition ?

[ingvagabund]

With log 4 it is good to know the operator properly reads the capabilities. Otherwise, I'd need to get the CM, decode it, read the list of disabled apiservers and compare it. Too much additional code for just a single log line.

[ingvagabund]

The API service controller sets the new Degraded condition for API service endpoints until the disabled APIService objects are deleted. The test is reported through the already existing conditions for operands.

[openshift-ci]

@ingvagabund: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-encryption-rotation	fe768dd	link	true	/test e2e-gcp-operator-encryption-rotation
ci/prow/e2e-gcp-operator-encryption	fe768dd	link	true	/test e2e-gcp-operator-encryption

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[tkashem]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ingvagabund, tkashem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [tkashem]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment