Ensure FeatureGate is copied from cluster to MCO render source #2581
Conversation
openshift-ci
bot
added
area/control-plane-operator
| // Write out the feature gate manifest to the MCC dir. | ||
| if err := func() error { | ||
| featureGate := &configv1.FeatureGate{} | ||
| if err := p.Client.Get(ctx, client.ObjectKey{Name: "cluster"}, featureGate); err != nil { |
There was a problem hiding this comment.
you are getting the feature gate resource from the management cluster here.
We should be getting the one from the guest cluster which you can actually infer from hcp.Spec.Configuration.
See related https://github.com/openshift/hypershift/pull/2543/files
There was a problem hiding this comment.
Ahh gotcha, wasn't sure which client I had there, will rework
There was a problem hiding this comment.
Also the way this is right now, there's no trigger event / listener relation here, and this would fetch whatever happens to be there at any point in time. I think this might be good enough for starters, in future we might want to consider the feature gate input to be part of the payload version + config + pull secret signature and let it be a trigger for generating new payload appropriately.
openshift-ci
bot
added
the
area/hypershift-operator
JoelSpeed
force-pushed
the
mco-fg-render
branch
2 times, most recently
from
4faa380
to
a60b38c
Compare
| @@ -467,3 +538,22 @@ func convertRegistryOverridesToCommandLineFlag(registryOverrides map[string]stri | |||
| // this is the equivalent of null on a StringToString command line variable. | |||
| return "=" | |||
| } | |||
|
|
|||
| func fetchFeatureGateScript(featureSet configv1.FeatureSet, payloadVersion string) string { | |||
| var script = `#!/bin/sh | |||
There was a problem hiding this comment.
One concern of this approach is that if any of this criteria aren't met for "reasons", this init container will crash in loop preventing the main container from running with our clear logs or indication of what's going on.
Alternatively we could fetch this from the CPO and pass it through to make it more obvious.
Also have we considered to also run /usr/bin/cluster-config-operator render here instead of doing this?
Also what happens if the feature gate input is changed day 2?
There was a problem hiding this comment.
One concern of this approach is that if any of this criteria aren't met for "reasons", this init container will crash in loop preventing the main container from running with our clear logs or indication of what's going on.
Alternatively we could fetch this from the CPO and pass it through to make it more obvious.
The crash loop was semi deliberate, but you're right, it's not obvious. We need to make sure that when the ignition server reads the featuregate it has the correct featureset and the correct payload version present.
Also have we considered to also run /usr/bin/cluster-config-operator render here instead of doing this?
@sjenning just changed the way this works in #2585 so that there is currently only one place that the render is happening, if you would rather I can add it here as well but that would duplicate the render step, is that an issue?
Also what happens if the feature gate input is changed day 2?
If the FeatureSet changes, then the featuregate needs to be regenerated (perhaps this needs to be a field within the KASO deployment so that it gets redeployed?), if the payload version changes, then it also needs to be redeployed, but I had assumed payload version change would already trigger a rollout.
As an alternative, would it be an issue to just give the ignition server creds to fetch the featuregate directly from the guest cluster? I don't know if that goes against some design decisions within HyperShift so I'll defer to maintainers on that
There was a problem hiding this comment.
For now I've switched to rendering the feature gate using CCO as in the KAS, lets see if that works
| VolumeSource: corev1.VolumeSource{ | ||
| Secret: &corev1.SecretVolumeSource{ | ||
| // Mount the kubeconfig for the guest cluster to fetch the FeatureGate. | ||
| SecretName: hcp.Spec.KubeConfig.Name, |
There was a problem hiding this comment.
this kubeconfig is meant for external consumers. This should be using KASServiceKubeconfigSecret at most.
There was a problem hiding this comment.
Do you know if KASServiceKubeconfigSecret has got permission to read the featuregate resource in the guest cluster? If not, where would I look to add that?
|
/test e2e-aws |
JoelSpeed
force-pushed
the
mco-fg-render
branch
3 times, most recently
from
f2eb393
to
9add569
Compare
|
Failure reported by the cluster version in e2e-aws seems unrelated Otherwise this seems like it's working, no complaints from the ignition server scripts at least |
| @@ -39,6 +40,7 @@ func NewRunLocalIgnitionProviderCommand() *cobra.Command { | |||
| cmd.Flags().StringVar(&opts.Image, "image", opts.Image, "Release image") | |||
| cmd.Flags().StringVar(&opts.TokenSecret, "token-secret", opts.TokenSecret, "Token secret name") | |||
| cmd.Flags().StringVar(&opts.WorkDir, "dir", opts.WorkDir, "Working directory (default: temporary dir)") | |||
| cmd.Flags().StringVar(&opts.FeatureGate, "feature-gate", opts.FeatureGate, "Path to a rendered featuregates.config.openshift.io/v1 file") | |||
There was a problem hiding this comment.
maybe feature-gate-file for feature-gate-manifest (and struct field names to match) so we don't confuse it for the FeatureSet name or something
hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Outdated
Show resolved
Hide resolved
hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Show resolved
Hide resolved
|
Thanks for the review, I've gone through and applied the suggestions and squashed everything into a single commit, should be ready to go now I think |
| @@ -39,6 +40,7 @@ func NewRunLocalIgnitionProviderCommand() *cobra.Command { | |||
| cmd.Flags().StringVar(&opts.Image, "image", opts.Image, "Release image") | |||
| cmd.Flags().StringVar(&opts.TokenSecret, "token-secret", opts.TokenSecret, "Token secret name") | |||
| cmd.Flags().StringVar(&opts.WorkDir, "dir", opts.WorkDir, "Working directory (default: temporary dir)") | |||
| cmd.Flags().StringVar(&opts.FeatureGateManifest, "feature-gate-manifest", opts.FeatureGateManifest, "Path to a rendered featuregates.config.openshift.io/v1 manifest") | |||
There was a problem hiding this comment.
I don't see this flag used anywhere 🤔
There was a problem hiding this comment.
Line 106 is using it no?
ignition-server/cmd/start.go
Outdated
| @@ -88,6 +89,7 @@ func NewStartCommand() *cobra.Command { | |||
| cmd.Flags().StringVar(&opts.Platform, "platform", "", "The cloud provider platform name") | |||
| cmd.Flags().StringVar(&opts.WorkDir, "work-dir", opts.WorkDir, "Directory in which to store transient working data") | |||
| cmd.Flags().StringVar(&opts.MetricsAddr, "metrics-addr", opts.MetricsAddr, "The address the metric endpoint binds to.") | |||
| cmd.Flags().StringVar(&opts.FeatureGate, "feature-gate", opts.FeatureGate, "Path to a rendered featuregates.config.openshift.io/v1 file") | |||
There was a problem hiding this comment.
should change this to feature-gate-manifest as well
| @@ -322,6 +379,7 @@ func ReconcileIgnitionServer(ctx context.Context, | |||
| "--key-file", "/var/run/secrets/ignition/serving-cert/tls.key", | |||
| "--registry-overrides", util.ConvertRegistryOverridesToCommandLineFlag(registryOverrides), | |||
| "--platform", string(hcp.Spec.Platform.Type), | |||
| "--feature-gate=/shared/99_feature-gate.yaml", | |||
There was a problem hiding this comment.
this should be feature-gate-manifest now right?
ignition-server/cmd/start.go
Outdated
| @@ -56,6 +56,7 @@ type Options struct { | |||
| Platform string | |||
| WorkDir string | |||
| MetricsAddr string | |||
| FeatureGate string | |||
|
@JoelSpeed: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed, sjenning The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
What this PR does / why we need it:
The
FeatureGateis a required file for the MCO bootstrap once openshift/machine-config-operator#3688 merges.To avoid breaking HyperShift, make sure that we pass the
FeatureGatemanifest into the MCC dir so that the bootstrap stage can pick it up before it becomes required.Note this will now mean that the MCO can use feature gates in templates, which I think may have been a feature gap in how HyperShift supports FeatureGates up until now.
Which issue(s) this PR fixes (optional, use
fixes #<issue_number>(, fixes #<issue_number>, ...)format, where issue_number might be a GitHub issue, or a Jira story:Fixes #
Checklist