New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unpack bundles #1215
Unpack bundles #1215
Conversation
2fb8fc7
to
c5b3346
Compare
/retest |
2 similar comments
/retest |
/retest |
84688ca
to
fbeb16e
Compare
1d56c78
to
68fe005
Compare
} | ||
|
||
func (c *configmapUnpacker) ensureRoleBinding(roleNamespace string) (roleBinding *rbacv1.RoleBinding, err error) { | ||
fresh := &rbacv1.RoleBinding{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't these ensured resources have some reasonable ownerrefs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay. I'll add ownerrefs in the direction of Role/RoleBindings/Jobs -> ConfigMap.
The ConfigMap itself is a bit more tricky since there can exist InstallPlans that effectively reference it across several namespaces. The sensible thing to me is to add an ownerref in the direction of ConfigMap -> CatalogSource, and then propagate an error condition on the BundleLookup if it's not present when ensuring the ConfigMap.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there can exist InstallPlans that effectively reference it across several namespaces
Can you describe the case where this happens? Won't everything be scoped to one namespace?
Also - ownerrefs may not be needed at all if OLM will perform the cleanup (which might be nice for the rbac; it's not really needed after the job runs)
Rules: []rbacv1.PolicyRule{rule}, | ||
} | ||
fresh.SetNamespace(configmapNamespace) | ||
fresh.SetName(c.rbacName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since this uses the rbacName
set for the bundle unpacker, won't this cause an issue for multiple bundle unpacks in the same namespace at the same time? Shouldn't the role name be based on the configmapName
in some way (or generated with labels/ownerrefs?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of generating a role per bundle, we can aggregate rules on a single role that gets updated. This should shake out to be eventually consistent in the event of contention between concurrent bundle. It's simple enough to switch it over -- I'll do that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to clarify:
ResourceNames: []string{
configmapName,
},
with
fresh.SetName(c.rbacName)
and above, c.rbacName
is set:
rbacName: "olm-bundle-unpacker",
won't this mean that the ResourceNames
will be stomped over for this one Role if multiple bundles are unpacked in the same namespace?
just clarifying because I don't think the aggregation is really needed, I think we just need a role per configmap/job
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should end up being a separate PolicyRule
in the same Role
.
|
||
cond := result.GetCondition(operatorsv1alpha1.BundleLookupPending) | ||
now := c.now() | ||
if job == nil || len(job.Status.Conditions) == 0 || len(job.Status.Conditions) > 0 && job.Status.Conditions[0].Type != batchv1.JobComplete { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
non-blocking: there may be some nice ways to clean this up a bit, e.g. job.Status.ConditionMatches(operatorsv1alpha1.BundleLookupPending, func(Condition) bool { } )
} | ||
|
||
func (c *configmapUnpacker) ensureRoleBinding(roleNamespace string) (roleBinding *rbacv1.RoleBinding, err error) { | ||
fresh := &rbacv1.RoleBinding{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there can exist InstallPlans that effectively reference it across several namespaces
Can you describe the case where this happens? Won't everything be scoped to one namespace?
Also - ownerrefs may not be needed at all if OLM will perform the cleanup (which might be nice for the rbac; it's not really needed after the job runs)
@@ -67,6 +83,16 @@ func NewGenerationFromCluster(csvs []*v1alpha1.ClusterServiceVersion, subs []*v1 | |||
return g, nil | |||
} | |||
|
|||
func (g *NamespaceGeneration) AddPendingOperator(l LaunchBundleImageInfo) { | |||
g.pendingOperators[l] = struct{}{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless I'm missing it - this isn't adjusting the provided/required apis for the current generation?
requiredAPIs: EmptyAPIMultiOwnerSet(), | ||
uncheckedAPIs: EmptyAPISet(), | ||
missingAPIs: EmptyAPIMultiOwnerSet(), | ||
pendingOperators: BundleImageSet{}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this file is missing tests for Add/Remove pending operators
@@ -93,26 +100,20 @@ func (r *OperatorsV1alpha1Resolver) ResolveSteps(namespace string, sourceQuerier | |||
} | |||
|
|||
// add steps for any new bundle | |||
if op.Bundle() != nil { | |||
bundleSteps, err := NewStepResourceFromBundle(op.Bundle(), namespace, op.Replaces(), op.SourceInfo().Catalog.Name, op.SourceInfo().Catalog.Namespace) | |||
if op.Bundle().BundlePath == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
double check - can op.Bundle()
be nil?
@@ -122,14 +123,25 @@ func (r *OperatorsV1alpha1Resolver) ResolveSteps(namespace string, sourceQuerier | |||
} | |||
} | |||
|
|||
if op.Bundle().BundlePath != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same - double check that op.Bundle() can't return nil
@@ -68,6 +69,29 @@ func (r *ResourceQueueSet) Requeue(namespace, name string) error { | |||
return fmt.Errorf("couldn't find queue for resource") | |||
} | |||
|
|||
// TODO: this may not actually be required if the requeue is done on the namespace rather than the installplan | |||
// RequeueAfter requeues the resource in the set with the given name and namespace (just like Requeue), but only does so after duration has passed | |||
func (r *ResourceQueueSet) RequeueAfter(namespace, name string, duration time.Duration) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see this used anywhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is being used in the installplan sync.
querier := NewFakeSourceQuerier(map[CatalogKey][]*api.Bundle{catalog: tt.bundlesInCatalog}) | ||
steps, subs, err := resolver.ResolveSteps(namespace, querier) | ||
steps, _, subs, err := resolver.ResolveSteps(namespace, querier) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should have some tests that return bundle lookups, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yup! good catch.
/retest |
1 similar comment
/retest |
75ef40c
to
b4ec643
Compare
/retest |
@@ -85,17 +86,14 @@ type Operator struct { | |||
catalogSubscriberIndexer map[string]cache.Indexer | |||
clientAttenuator *scoped.ClientAttenuator | |||
serviceAccountQuerier *scoped.UserDefinedServiceAccountQuerier | |||
bundleUnpacker bundle.Unpacker | |||
configmapRegistryImage string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't this be "unpackerImage"?
@@ -263,7 +264,11 @@ func NewOperatorFromBundle(bundle *api.Bundle, startingCSV string, sourceKey Cat | |||
if len(required) == 0 && len(provided) == 0 { | |||
// fallback to csv parsing | |||
if bundle.CsvJson == "" { | |||
return nil, fmt.Errorf("couldn't parse bundle") | |||
if bundle.GetBundlePath() != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this doesn't seem like the right place - if we're falling back to CSV parsing, we don't care if there's a bundlepath at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll admit it seems odd, but I think we still want to throw a specific error when a bundlepath isn't accompanied by the expected metadata. WDYT?
/retest |
4 similar comments
/retest |
/retest |
/retest |
/retest |
/retest |
Specifically, pulls in v1.5.5.
This extracts bundle data from an image and uses that data to populate the installplan. (The code here depends on later commits.)
WIP: this is currently using a local custom image.
Instead use image that is pullable from quay. Test data has been updated to include image building files.
The test data for generating this custom image uses a go script to generate and populate an operator registry database that references a bundle image.
2d03335
to
4cef16c
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ecordell, njhale The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description of the change:
A refactor and continuation of #1081
Motivation for the change:
Simplification of InstallPlan updates and unpacking job management.
Reviewer Checklist
/docs