Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move mutable configmaps out of deployment manifest #1983

Merged
merged 1 commit into from
Mar 30, 2021

Conversation

hty690
Copy link
Contributor

@hty690 hty690 commented Mar 23, 2021

Moving "antrea-ca" and "antrea-cluster-identity" out of deployment manifest.
Instead creating them in the code.

Fixes #1945

@codecov-io
Copy link

codecov-io commented Mar 23, 2021

Codecov Report

Merging #1983 (79cc8e4) into main (e99a0bf) will increase coverage by 6.68%.
The diff coverage is 42.30%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1983      +/-   ##
==========================================
+ Coverage   60.10%   66.78%   +6.68%     
==========================================
  Files         197      197              
  Lines       17217    17259      +42     
==========================================
+ Hits        10348    11527    +1179     
+ Misses       5762     4543    -1219     
- Partials     1107     1189      +82     
Flag Coverage Δ
e2e-tests 26.45% <38.46%> (?)
kind-e2e-tests 56.49% <40.38%> (+10.62%) ⬆️
unit-tests 41.74% <3.84%> (-0.11%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/flowaggregator/certificate.go 0.00% <0.00%> (ø)
pkg/apiserver/certificate/cacert_controller.go 58.95% <64.70%> (+24.78%) ⬆️
pkg/clusteridentity/clusteridentity.go 71.25% <64.70%> (+3.06%) ⬆️
pkg/agent/route/route_linux.go 46.30% <0.00%> (+0.32%) ⬆️
pkg/agent/controller/networkpolicy/cache.go 85.29% <0.00%> (+0.65%) ⬆️
pkg/agent/cniserver/pod_configuration.go 54.68% <0.00%> (+0.78%) ⬆️
pkg/controller/grouping/group_entity_index.go 94.58% <0.00%> (+1.27%) ⬆️
pkg/apiserver/storage/ram/store.go 81.95% <0.00%> (+1.50%) ⬆️
...ntroller/networkpolicy/networkpolicy_controller.go 71.10% <0.00%> (+1.62%) ⬆️
pkg/agent/agent.go 48.92% <0.00%> (+1.67%) ⬆️
... and 46 more

Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about flow-aggregator-ca?

if !errors.IsNotFound(err) {
return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
}
caConfigMap, err = c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Create(context.TODO(), c.createConfigMap(caConfigMapNamespace), metav1.CreateOptions{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why don't create the configmap with the desired content directly which can avoid an extra call?
Also feel there is no need to have another method to construct a configmap, it's just one line code that is not shared by others.

Copy link
Contributor

@jianjuns jianjuns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you plan to cover flow-aggregator-ca as @antoninbas suggested?

@hty690
Copy link
Contributor Author

hty690 commented Mar 24, 2021

Do you plan to cover flow-aggregator-ca as @antoninbas suggested?

Yes. I'm working on it.

@hty690 hty690 force-pushed the mutable_configmap branch from 1b96532 to 3a99782 Compare March 24, 2021 02:33
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall

Namespace: a.clusterIdentityConfigMapNamespace,
},
Data: map[string]string{},
BinaryData: map[string][]byte{},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to specify the two fields if they are not set

Namespace: CAConfigMapNamespace,
},
Data: map[string]string{},
BinaryData: map[string][]byte{},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

@hty690 hty690 force-pushed the mutable_configmap branch from 3a99782 to 6226657 Compare March 24, 2021 05:25
tnqn
tnqn previously approved these changes Mar 24, 2021
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks

@tnqn
Copy link
Member

tnqn commented Mar 24, 2021

/test-all

jianjuns
jianjuns previously approved these changes Mar 24, 2021
Comment on lines +86 to +91
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I may be missing something obvious but why don't we just add the "create" verb to the list above:

  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - antrea-ca
      - antrea-cluster-identity
    verbs:
      - get
      - update
      - create

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wondered too, and thought maybe "create" does not work with resourceNames, but just checked and found it could. Then we should add create to the existing verb list.

Copy link
Contributor Author

@hty690 hty690 Mar 25, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added "create" to this verb list and I met the error
error when creating 'kube-system/antrea-cluster-identity' ConfigMap: configmaps is forbidden: User "system:serviceaccount:kube-system:antrea-controller" cannot create resource "configmaps" in API group "" in the namespace "kube-system"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found it works. I will recommit the changes.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Specifying resourceNames for "create" verb doesn't work: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources

Note: You cannot restrict create or deletecollection requests by resourceName. For create, this limitation is because the object name is not known at authorization time.

I did a test and it's consistent with the doc, how did you test?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I deleted and reapplied the yaml. And I found "antrea-ca" and "antrea-cluster-identity" was not deleted. and recreated. Maybe that's why I tested it with no error.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, then the current yaml makes sense.

@hty690 hty690 dismissed stale reviews from jianjuns and tnqn via 91285dc March 25, 2021 01:15
@hty690 hty690 force-pushed the mutable_configmap branch from 91285dc to 6226657 Compare March 25, 2021 04:54
}
exists = false
caConfigMap = &v1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the label as the previous one in manifest yaml, in case we need a way to filter all antrea resources later.

Moving "antrea-ca", "antrea-cluster-identity" and "flow-aggregator-ca"
out of deployment manifest. Instead creating them in the code.

Fixes antrea-io#1945
@hty690 hty690 force-pushed the mutable_configmap branch from 6226657 to 79cc8e4 Compare March 25, 2021 05:56
Copy link
Member

@tnqn tnqn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tnqn
Copy link
Member

tnqn commented Mar 25, 2021

/test-all

@tnqn
Copy link
Member

tnqn commented Mar 26, 2021

/test-e2e

@antoninbas antoninbas added this to the Antrea v1.0 release milestone Mar 30, 2021
@antoninbas antoninbas merged commit 2ec1b53 into antrea-io:main Mar 30, 2021
@hty690 hty690 deleted the mutable_configmap branch April 14, 2021 02:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Move mutable configmap out of deployment manifest?
5 participants