HNC: Update hncconfig validator to avoid overwriting source #1102
Comments
|
/cc @adrianludwin I tried implementing it and it seemed working fine and I will do more tests on it. Please let me know if there's any concerns of the changes in the forest (new |
|
@rjbez17 does this lgty? As discussed offline: this lgtm. We'll add a confirmation prompt in |
|
This LGTM aside from the potential race conditions of user created objects being created during a propagation/propagation change. Which could occur when using something like helm/kustomize to update a large amount of resources. I think our existing protections should help with this though. Overall, I think this will work, just would like to make sure we understand most of the edge cases in the PR before merging. |
|
Yeah, we can never guarantee that HNC is fully "up-to-date" since any
object can change at any time. But that's just life in a distributed
system. Agreed to having a close look at the edge cases when the PR is
ready.
…On Mon, Sep 14, 2020 at 10:48 AM Ryan Bezdicek ***@***.***> wrote:
This LGTM aside from the potential race conditions of user created objects
being created during a propagation/propagation change. Which could occur
when using something like helm/kustomize to update a large amount of
resources. I think our existing protections should help with this though.
Overall, I think this will work, just would like to make sure we
understand most of the edge cases in the PR before merging.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1102 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE43PZHYP52N5EHV5LCPKVLSFYUM5ANCNFSM4RLUITWQ>
.
|
|
Update here: discussed offline with @adrianludwin : Thus now having #1106 with 2 commits (refactoring & webhook change) in it. |
|
@yiqigao217 @GinnyJI is there anything more we need to do for this? |
|
The implementation is done, so closing this. |
Part of #1076 , see http://bit.ly/hnc-propagation-conflict.
Overwriting source could happen when a type is changed from another mode to
Propagatemode and there happens to be an ancestor and a descendant objects with the same name.The current hncconfig validator only checks if the new configuration meets the restrictions, e.g. no duplicate types,
Propagatemode forRoleandRolebinding, etc. Now since we need to detect a mode change, we will need to get the old configuration, which can be done by adding acheckForest()func.We also need to get all the objects, especially the object names, of the types that are changed from others to
Propagate. The current forest (in-memory data-structure) only stores user-created objects if the type mode isPropagate. Therefore, we cannot get the objects from the forest for those types switched toPropagatefrom others.A proposal is that we can
objectNames(map[schema.GroupVersionKind]map[string]bool) to theforest.Namespacestruct, to store all the names of the user-created objects by GVK as long as there's an object reconciler for the GVK.Propagate, to first change it toRemovemode so that an object reconciler can be created for this type. Or we can just update the user guide to say that it requires changing toRemovemode first for any mode changes betweenIgnoreandPropagate, since we already require that forPropagate => Ignoreswitch.forest.ns.AddObjectName()insyncSource()func andforest.ns.RemoveObjectName()insyncMissingObject()func.With
objectNamesfield in the forest, the hncconfig validator can detect the object name conflicts for non-Propagatetypes. As for the conflicts, the data-structure will look like this:with specified GVK and object name, and groups of
affectedNamespacesgrouped by the first ancestor namespace name, considering the conflicts can happen on different branches in the forest and users have to resolve them separatedly.The text was updated successfully, but these errors were encountered: