OCPBUGS-17157: label non-OLM resources #3017
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@stevekuznetsov: This pull request references Jira Issue OCPBUGS-17157, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
jira/valid-bug
stevekuznetsov
force-pushed
the
skuznets/label-for-rbac
branch
2 times, most recently
from
f1b5e49 to
de75e19
Compare
|
Was the hack commit for your local testing, to confirm things were doing what you expected, and that you didn't miss adding labels anywhere in the code base? |
openshift-ci
bot
added
the
approved
perdasilva
dismissed
their stale review
I didn't notice CI is failing - code lgtm, get CI to green and we're good =D
openshift-ci
bot
removed
the
approved
|
/approve cancel (see review dismissal for details) |
|
@ncdc yes, but I could see it being generally useful moving forward to not mistakenly re-introduce the bug. Once the informers are filtered, you'd end up knowing anyway since your controller would not do the right thing but the round-tripper failure would be much more direct. |
stevekuznetsov
force-pushed
the
skuznets/label-for-rbac
branch
3 times, most recently
from
64345e9 to
7e445f6
Compare
|
@ncdc @perdasilva this should be ready for review |
| @@ -442,34 +442,38 @@ var _ = Describe("Operator Group", func() { | |||
| }(ns) | |||
| } | |||
|
|
|||
| // Generate operatorGroupA - OwnNamespace | |||
There was a problem hiding this comment.
If you're going to have concepts in the code like "operatorGroupA" but the value in the cluster will be auto-generated, it's imperative to print that relationship for folks that debug your test.
| @@ -426,8 +426,8 @@ var _ = Describe("Operator Group", func() { | |||
| // Create crd so csv succeeds | |||
| // Ensure clusterroles created and aggregated for access provided APIs | |||
|
|
|||
| // Generate namespaceA | |||
There was a problem hiding this comment.
If you're going to have phases of a test, use a logger to make them appear in the output to make debugging failures easier.
| @@ -346,7 +346,7 @@ func catalogSourceRegistryPodSynced(catalog *operatorsv1alpha1.CatalogSource) bo | |||
| if connState != nil { | |||
| state = connState.LastObservedState | |||
| } | |||
| fmt.Printf("waiting for catalog pod %v to be available (for sync) - %s\n", catalog.GetName(), state) | |||
| fmt.Printf("waiting for catalog pod %s/%s to be available (for sync) - %s\n", catalog.GetNamespace(), catalog.GetName(), state) | |||
There was a problem hiding this comment.
Always fully qualify the object you're waiting on so that folks debugging a failing test know where to look.
| @@ -4432,17 +4432,18 @@ func fetchCSV(c versioned.Interface, name, namespace string, checker csvConditio | |||
| var fetchedCSV *operatorsv1alpha1.ClusterServiceVersion | |||
| var err error | |||
|
|
|||
| ctx.Ctx().Logf("waiting for CSV %s/%s to reach condition", namespace, name) | |||
There was a problem hiding this comment.
If a function like fetchCSV is going to validate conditions, at least log something to make it less surprising.
stevekuznetsov
force-pushed
the
skuznets/label-for-rbac
branch
from
7e445f6 to
feb1779
Compare
|
/lgtm |
openshift-ci
bot
added
the
approved
This round-tripper is added to our *rest.Config when it's possible to detect that we're in a CI environment. Developers should set $CI=true to get this behavior locally. Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Today, our controllers use un-filtered LIST+WATCH calls to monitor the state of the cluster. For OLM-specific resource types, that's fine, since we need to know (for instance) about every CSV. For non-OLM resource groups, though, that is needlessly wasteful in memory consumption and makes our controller's footprint scale with the size of the cluster itself, irrespective of the usage of OLM. Adding a label to every resource we create is the first step in being able to filter down all of those requests to only those objects with our label. Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
stevekuznetsov
force-pushed
the
skuznets/label-for-rbac
branch
from
feb1779 to
561b097
Compare
|
New changes are detected. LGTM label has been removed. |
There was a problem hiding this comment.
This looks good to me and I wish that we had done this earlier. @perdasilva and I were recently discussing how OLM "adopts/overwrites" existing k8s resources if there is a name collision. Had we considered using labels in the past we could have written OLM such that it wouldn't delete/update resources missing these labels. Now that OLM is out in the wild there isn't a good migration path.
|
@stevekuznetsov: Jira Issue OCPBUGS-17157: Some pull requests linked via external trackers have merged:
The following pull requests linked via external trackers have not merged: These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-17157 has not been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| return i.createOrUpdateValidatingWebhook(ogNamespacelabelSelector, caPEM, desc) | ||
| case v1alpha1.MutatingAdmissionWebhook: | ||
| i.createOrUpdateMutatingWebhook(ogNamespacelabelSelector, caPEM, desc) | ||
| return i.createOrUpdateMutatingWebhook(ogNamespacelabelSelector, caPEM, desc) | ||
| case v1alpha1.ConversionWebhook: | ||
| i.createOrUpdateConversionWebhook(caPEM, desc) | ||
| return i.createOrUpdateConversionWebhook(caPEM, desc) |
There was a problem hiding this comment.
Possible change in behavior? Is this to return a possible error in these handlers?
| if rb.Labels == nil { | ||
| rb.Labels = map[string]string{} | ||
| } | ||
| rb.Labels[install.OLMManagedLabelKey] = install.OLMManagedLabelValue |
There was a problem hiding this comment.
I am seeing this idiom so much, it almost makes sense to create a utility API to initialize the labels and then add the label.
e.g.
addlabel(&rbLabels, install.OLMManagedLabelKey, install.OLMManagedLabelValue)
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awgreene, ncdc, perdasilva, stevekuznetsov, tmshort The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
HACK: add a round-tripper to ensure we label non-OLM resources
We can either flag-gate this to dev only, or delete it before merge.
Signed-off-by: Steve Kuznetsov skuznets@redhat.com
*: label non-OLM resources
Today, our controllers use un-filtered LIST+WATCH calls to monitor the
state of the cluster. For OLM-specific resource types, that's fine,
since we need to know (for instance) about every CSV. For non-OLM
resource groups, though, that is needlessly wasteful in memory
consumption and makes our controller's footprint scale with the size of
the cluster itself, irrespective of the usage of OLM. Adding a label to
every resource we create is the first step in being able to filter down
all of those requests to only those objects with our label.
Signed-off-by: Steve Kuznetsov skuznets@redhat.com