
Bug 1765294: Use OwnerRefs to clean up SA pull secrets #61

Merged

Conversation

adambkaplan
Contributor

Update the service account pull secret controller to add owner
references to generated pull secrets. This ensures pull secrets are
deleted when the associated token is deleted.

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jan 29, 2020
@openshift-ci-robot
Contributor

@adambkaplan: This pull request references Bugzilla bug 1765294, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 29, 2020
@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan adambkaplan changed the title WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets Bug 1765294: Use OwnerRefs to clean up SA pull secrets Jan 30, 2020
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 30, 2020
@adambkaplan
Contributor Author

/assign @bparees

/cc @smarterclayton @dmage

			Name: tokenSecret.Name,
			UID:  tokenSecret.UID,
		},
	})
Contributor


@deads2k are you aware of any reason we wouldn't want to have ownerrefs between the dockercfg secret and the token secret? I'm sure we didn't do it originally because ownerrefs didn't exist, but now that they do can we just lifecycle the dockercfg secret w/ the tokensecret? (modulo migration concerns)

@bparees
Contributor

bparees commented Jan 30, 2020

lgtm assuming @deads2k doesn't have a reason why it's not ok to use GC here.

@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan
Contributor Author

/retest

@adambkaplan
Contributor Author

/retest

@adambkaplan
Contributor Author

/retest

I suspect the errors in e2e-aws-builds are real and need to be investigated further.

@adambkaplan
Contributor Author

/test e2e-aws-builds

@adambkaplan
Contributor Author

@bparees @deads2k this is ready for final review

@bparees
Contributor

bparees commented Feb 11, 2020

my review stands:
lgtm assuming @deads2k doesn't have a reason why it's not ok to use GC here.

@adambkaplan
Contributor Author

/retest

ping @deads2k per #61 (comment)
// hasOwnerReference checks if the given tokenSecret is the owner of the provided pullSecret
func hasOwnerReference(tokenSecret, pullSecret *v1.Secret) bool {
	for _, owner := range pullSecret.OwnerReferences {
Member


I think there is an upstream helper that does this in a generic way.

Contributor Author


@mfojtik I found the functions in https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/controller_ref.go. Works -ish - I need to set blockOwnerDeletion to false, otherwise I need additional RBAC permissions.
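
The owner-reference lifecycle described in the PR description and in the comment above, written out as an added example; this is not code from this PR, from OpenShift, or from Kubernetes. To run offline it uses local stand-in structs instead of the k8s.io/apimachinery types: NewTokenOwnerRef mirrors what metav1.NewControllerRef produces but leaves blockOwnerDeletion false, IsControlledBy mirrors the UID-based check of metav1.IsControlledBy, and CollectGarbage is a reduced model of the garbage collector's dangling-owner rule (dangling references are dropped, an object whose every owner is gone is deleted). The function names, secret names and UIDs are the example's own constructed values.

```go
package main

import (
	"fmt"
	"sort"
)

// OwnerReference and Secret are local stand-ins for metav1.OwnerReference and
// corev1.Secret (assumption: only the fields this example needs are mirrored).
type OwnerReference struct {
	APIVersion         string
	Kind               string
	Name               string
	UID                string
	Controller         *bool
	BlockOwnerDeletion *bool
}

type Secret struct {
	Name            string
	UID             string
	OwnerReferences []OwnerReference
}

func boolPtr(b bool) *bool { return &b }

// NewTokenOwnerRef builds the reference a generated pull secret carries back to
// its token secret. It mirrors metav1.NewControllerRef but keeps
// blockOwnerDeletion=false: with blockOwnerDeletion=true the
// OwnerReferencesPermissionEnforcement admission plugin also requires "update"
// on the owner's "finalizers" subresource, which is the extra RBAC the thread
// mentions. Owner and dependent must live in the same namespace.
func NewTokenOwnerRef(token *Secret) OwnerReference {
	return OwnerReference{
		APIVersion:         "v1",
		Kind:               "Secret",
		Name:               token.Name,
		UID:                token.UID,
		Controller:         boolPtr(true),
		BlockOwnerDeletion: boolPtr(false),
	}
}

// IsControlledBy mirrors metav1.IsControlledBy: the controller reference is
// matched by UID, not name, so a token secret re-created under the same name is
// a different owner and does not keep a stale pull secret alive.
func IsControlledBy(obj, owner *Secret) bool {
	for _, ref := range obj.OwnerReferences {
		if ref.Controller != nil && *ref.Controller && ref.UID == owner.UID {
			return true
		}
	}
	return false
}

// CollectGarbage applies the collector rule this PR relies on to an in-memory
// namespace: owner references whose UID no longer exists are dropped, and an
// object whose every owner is gone is deleted. Objects without owner references
// (pull secrets created before this change) are never touched. It returns the
// names of deleted objects, sorted, and the surviving objects.
func CollectGarbage(objs []*Secret) (deleted []string, survivors []*Secret) {
	live := map[string]bool{}
	for _, o := range objs {
		live[o.UID] = true
	}
	for _, o := range objs {
		if len(o.OwnerReferences) == 0 {
			survivors = append(survivors, o)
			continue
		}
		var kept []OwnerReference
		for _, ref := range o.OwnerReferences {
			if live[ref.UID] {
				kept = append(kept, ref)
			}
		}
		if len(kept) == 0 {
			deleted = append(deleted, o.Name)
			continue
		}
		o.OwnerReferences = kept
		survivors = append(survivors, o)
	}
	sort.Strings(deleted)
	return deleted, survivors
}

// DeleteTokenScenario simulates deleting a service account token secret and
// reports which pull secrets the collector removes. Names/UIDs are constructed.
func DeleteTokenScenario() []string {
	token := &Secret{Name: "builder-token-abc12", UID: "uid-token-1"}
	pull := &Secret{Name: "builder-dockercfg-xyz98", UID: "uid-pull-1",
		OwnerReferences: []OwnerReference{NewTokenOwnerRef(token)}}
	legacy := &Secret{Name: "builder-dockercfg-old00", UID: "uid-pull-0"} // no ownerRef
	// The token has been deleted: only the two pull secrets remain in the namespace.
	deleted, _ := CollectGarbage([]*Secret{pull, legacy})
	return deleted
}

func main() {
	fmt.Println("deleted by GC after token removal:", DeleteTokenScenario())
}
```

Two points the example makes concrete: the match is by UID, so deleting and re-creating a token secret under the same name orphans the old pull secret rather than adopting it, and legacy pull secrets without an owner reference are untouched by the collector, which is why the migration concern raised earlier in the thread is about objects that never gain a reference, not about the collector misfiring.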

@adambkaplan adambkaplan changed the title Bug 1765294: Use OwnerRefs to clean up SA pull secrets WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets Feb 20, 2020
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 20, 2020
@adambkaplan
Contributor Author

/retest

@adambkaplan adambkaplan changed the title WIP - Bug 1765294: Use OwnerRefs to clean up SA pull secrets Bug 1765294: Use OwnerRefs to clean up SA pull secrets Feb 24, 2020
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 24, 2020
Contributor Author

@adambkaplan adambkaplan left a comment


@bparees @mfojtik updated to use the upstream ControllerRef methods.

I spoke with @deads2k last week on potential risks - no immediate red flags, though he did caution "if this breaks, you own it."

@adambkaplan
Contributor Author

/retest

AWS rate limit issues

@bparees
Contributor

bparees commented Feb 25, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2020
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, bparees

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [adambkaplan,bparees]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 5306fa2 into openshift:master Feb 25, 2020
@openshift-ci-robot
Contributor

@adambkaplan: All pull requests linked via external trackers have merged. Bugzilla bug 1765294 has been moved to the MODIFIED state.

In response to this:

Bug 1765294: Use OwnerRefs to clean up SA pull secrets


@adambkaplan
Contributor Author

/cherrypick release-4.4

/cherrypick release-4.3

@openshift-cherrypick-robot

@adambkaplan: new pull request created: #67

In response to this:

/cherrypick release-4.4

/cherrypick release-4.3


@adambkaplan
Contributor Author

/cherrypick release-4.3

@openshift-cherrypick-robot

@adambkaplan: new pull request created: #68

In response to this:

/cherrypick release-4.3
