Added a watcher for secret #169
Conversation
Nithish555
force-pushed
the
secret
branch
5 times, most recently
from
796743b to
213b67b
Compare
| ctrl "sigs.k8s.io/controller-runtime" | ||
| "sigs.k8s.io/controller-runtime/pkg/client" | ||
|
|
||
| "antrea.io/antrea/pkg/util/env" |
There was a problem hiding this comment.
Should we really import a new package to access the environment variable? Can we not access it directly?
There was a problem hiding this comment.
Yeah. We should import os or this package.
| // Client in controller requires reconciler for each object that are under watch. So to avoid reconciler and use only | ||
| // watch, that can be implemented by clientset. | ||
| if r.clientset, err = kubernetes.NewForConfig(ctrl.GetConfigOrDie()); err != nil { | ||
| r.Log.Error(err, "error while creating config") |
There was a problem hiding this comment.
Can you re-phrase the error, as config does not indicate which config is being referred to.?
There was a problem hiding this comment.
What should we add.
There was a problem hiding this comment.
may be "error while fetching cluster configuration"?
| r.Log.Info("Waiting for shared informer caches to be synced") | ||
| // Blocking call to wait till the informer caches are synced by controller run-time | ||
| // or the context is Done. | ||
| if !(*r.Mgr).GetCache().WaitForCacheSync(context.TODO()) { | ||
| return fmt.Errorf("failed to sync shared informer cache") | ||
| } | ||
|
|
| } | ||
| } | ||
|
|
||
| // resetWatcher Create a watcher for secret |
There was a problem hiding this comment.
| // resetWatcher Create a watcher for secret | |
| // resetWatcher creates a watcher for Secret |
| var err error | ||
| for { | ||
| if r.watcher, err = r.clientset.CoreV1().Secrets(env.GetPodNamespace()).Watch(context.Background(), metav1.ListOptions{}); err != nil { | ||
| r.Log.Error(err, "error while creating secret watcher") |
There was a problem hiding this comment.
| r.Log.Error(err, "error while creating secret watcher") | |
| r.Log.Error(err, "error creating Secret watcher") |
|
|
||
| } | ||
|
|
||
| // setupSecretWatcher Set up a watcher. |
There was a problem hiding this comment.
| // setupSecretWatcher Set up a watcher. | |
| // setupSecretWatcher set up a watcher for Secret objects. |
| _ = fakeClient.Create(context.Background(), account) | ||
| go func() { | ||
| //err = reconciler.setupSecretWatcher() | ||
| //Expect(err).Should(HaveOccurred()) |
There was a problem hiding this comment.
nit: remove?
Cleanup the unit-tests and remove unused code.
go.mod
Outdated
| @@ -38,6 +38,7 @@ require ( | |||
| github.com/PuerkitoBio/purell v1.1.1 // indirect | |||
| github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect | |||
| github.com/beorn7/perks v1.0.1 // indirect | |||
| github.com/blang/semver v3.5.1+incompatible // indirect | |||
There was a problem hiding this comment.
In the L42, latest version of github.com/blang/semver is already added as indirect dependency. So you can remove this. Same for go.sum file as well.
|
|
||
| // getCPABySecret returns nil only when the Secret is not used by any CloudProvideAccount CR, | ||
| // otherwise the dependent CloudProvideAccount CR will be returned. | ||
| func (r *CloudProviderAccountReconciler) getCPABySecret(s types.NamespacedName) (error, []cloudv1alpha1.CloudProviderAccount) { |
There was a problem hiding this comment.
Change the function to getCpaBySecret.
| namespacedName := types.NamespacedName{Namespace: secret.Namespace, Name: secret.Name} | ||
| err, cpaItems := r.getCPABySecret(namespacedName) | ||
| if err != nil { | ||
| r.Log.Error(err, "error while getting CPA by Secret %v", secret.Name) |
There was a problem hiding this comment.
For consistent logging(Similiar to L297), can you dump the secret NamespacedName instead of Name?
| // result vpc cache will contain vpcs from old and new accounts. | ||
| err := r.processCreate(&namespacedName, &cpa) | ||
| if err != nil { | ||
| r.Log.Error(err, "error while adding the secret in CPAs") |
There was a problem hiding this comment.
Any error returned in watchSecret() will exit the controller and restart the pod.
IMO, we should not be restarting for error in L293, since only one CPA credentials update failed. May be we can just log an error and let user check the logs.
@reachjainrahul Any suggestions here?
| } | ||
| } | ||
|
|
||
| // setupSecretWatcher Set up a watcher for Secret objects. |
There was a problem hiding this comment.
| // setupSecretWatcher Set up a watcher for Secret objects. | |
| // setupSecretWatcher set up a watcher for Secret objects. |
| // Create CPA | ||
| _ = fakeClient.Create(context.Background(), account) | ||
| go func() { | ||
| ch <- reconciler.setupSecretWatcher() // writing |
There was a problem hiding this comment.
nit: remove //comment
| err = os.Setenv("POD_NAMESPACE", testSecretNamespacedName.Namespace) | ||
| Expect(err).ShouldNot(HaveOccurred()) | ||
| // Create secret | ||
| _, err = reconciler.clientset.CoreV1().Secrets(testSecretNamespacedName.Namespace). |
There was a problem hiding this comment.
Add a comment explaining why you need to created a Secret using clientset and fakeClient
Nithish555
force-pushed
the
secret
branch
6 times, most recently
from
e03b059 to
dff0991
Compare
| r.mutex.Lock() | ||
| secret := event.Object.(*v1.Secret) | ||
| namespacedName := types.NamespacedName{Namespace: secret.Namespace, Name: secret.Name} | ||
| r.Log.Info("Received request for update", "Secret", namespacedName) |
There was a problem hiding this comment.
| r.Log.Info("Received request for update", "Secret", namespacedName) | |
| r.Log.Info("Received request", "Secret", namespacedName, "operation", update) |
| - name: POD_NAMESPACE | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: metadata.namespace |
There was a problem hiding this comment.
This will require changes in the helm charts as well.
here: nephe/build/charts/nephe/templates/controller/deployment.yaml
| _, _ = GinkgoWriter.Write([]byte(fmt.Sprintf("Got admission response %+v\n", response))) | ||
| Expect(response.Allowed).To(BeTrue()) | ||
| }) | ||
| It("Validate Secret delete without dependent AWS CPA", func() { |
There was a problem hiding this comment.
Delete tests should not be removed.
| }) | ||
|
|
||
| // The below set of tests validate Secret update/delete for Azure config. | ||
| It("Validate Azure Secret delete with dependent Azure CPA", func() { |
| r.accountProviderType = make(map[types.NamespacedName]common.ProviderType) | ||
| // Client in controller requires reconciler for each object that are under watch. So to avoid reconciler and use only |
There was a problem hiding this comment.
When you say client, you are referring to client from controller-runtime/pkg/client right?
| } | ||
| } | ||
| } | ||
|
|
||
| // setWatcher sets the controller sync status and watcher. |
There was a problem hiding this comment.
nit: update function name
|
|
||
| delete(r.accountProviderType, *namespacedName) | ||
| } | ||
|
|
||
| func (r *CloudProviderAccountReconciler) getAccountProviderType(namespacedName *types.NamespacedName) common.ProviderType { | ||
| r.mutex.Lock() | ||
| defer r.mutex.Unlock() | ||
|
|
|
|
||
| return r.accountProviderType[*namespacedName] | ||
| } | ||
|
|
||
| // getCpaBySecret returns nil only when the Secret is not used by any CloudProvideAccount CR, | ||
| // otherwise the dependent CloudProvideAccount CR will be returned. |
There was a problem hiding this comment.
| // otherwise the dependent CloudProvideAccount CR will be returned. | |
| // otherwise the dependent CloudProvideAccount CRs will be returned. |
| func (r *CloudProviderAccountReconciler) getCpaBySecret(s types.NamespacedName) (error, []crdv1alpha1.CloudProviderAccount) { | ||
| cpaList := &crdv1alpha1.CloudProviderAccountList{} | ||
| if err := r.Client.List(context.TODO(), cpaList, &client.ListOptions{}); err != nil { | ||
| return fmt.Errorf("failed to get CloudProviderAccount list, err:%v", err), nil |
There was a problem hiding this comment.
nit: for consistency
| return fmt.Errorf("failed to get CloudProviderAccount list, err:%v", err), nil | |
| return fmt.Errorf("failed to get CloudProviderAccount list, err %v", err), nil |
| } | ||
| } | ||
|
|
||
| // resetWatcher create a watcher for Secret |
There was a problem hiding this comment.
nit: function name different
| Expect(err).ShouldNot(HaveOccurred()) | ||
| // Create secret | ||
| // Created a secret using clientset because watcher is created using clientset. So inorder to know | ||
| // watcher if the secret is modified secret should be created using clientset. Secret should be created using |
There was a problem hiding this comment.
Does this convey message correctly?
Create a secret using both fakeClient and clientSet, since secret watcher uses cleintset while reconciler using client from controller run-time. Both secret watcher and reconciler should be able to retrieve the secret object.
Nithish555
force-pushed
the
secret
branch
3 times, most recently
from
855e065 to
cfd4867
Compare
pkg/config/env.go
Outdated
| func GetPodNamespace() string { | ||
| podNamespace := os.Getenv(PodNamespaceEnvKey) | ||
| if podNamespace == "" { | ||
| klog.Errorf("environment variable %v not found", PodNamespaceEnvKey) |
There was a problem hiding this comment.
Do not add new logger package here. We don't use klog.
There was a problem hiding this comment.
What log should we add.
There was a problem hiding this comment.
Its actually a FATAL error in our case. If this does not exist, then we should continue further.
The log message you added does not crash the pod. Suppose namespace is not set, what would happen to the watcher? will it throw an error? If it throws an error, then we will be in state where we are continuously calling resetting the watcher object.
There was a problem hiding this comment.
In our class we handle this error.
| r.mutex.Lock() | ||
| secret := event.Object.(*v1.Secret) | ||
| namespacedName := types.NamespacedName{Namespace: secret.Namespace, Name: secret.Name} | ||
| r.Log.WithName("Secret").Info("Received request", "Secret", namespacedName, "operation", "update") |
There was a problem hiding this comment.
Instead of prefixing all the log messages with r.Log.WithName("Secret")
can we do initialize a local variable and use it?
log := Log.WithName("Secret")
There was a problem hiding this comment.
Then we should initialize logger for each secret methods.
There was a problem hiding this comment.
In the other functions, you can keep r.Log.WithName("Secret")
There was a problem hiding this comment.
Why only this function requires variable
There was a problem hiding this comment.
Is it temporary, or this is the way we will have Secret prefix ?
Nithish555
force-pushed
the
secret
branch
3 times, most recently
from
ebf6687 to
b9b28ed
Compare
| // Client in controller requires reconciler for each object that are under watch. So to avoid reconciler and use only | ||
| // watch, that can be implemented by clientset. | ||
| if r.clientset, err = kubernetes.NewForConfig(ctrl.GetConfigOrDie()); err != nil { | ||
| r.Log.Error(err, "error creating client config") |
There was a problem hiding this comment.
creating config or just client?
There was a problem hiding this comment.
Both right. Because ctr.GetConfigOrDie creates config and kubernetes creates clientset
| for _, cpa := range cpaItems { | ||
| // If the credentials are updated to new cloud account then vpc cache is not updated. As a | ||
| // result vpc cache will contain vpcs from old and new accounts. | ||
| accountNamespacedName := types.NamespacedName{Namespace: cpa.Namespace, Name: cpa.Name} |
There was a problem hiding this comment.
@Anandkumar26 Please comment on this.
There was a problem hiding this comment.
@reachjainrahul Consider we have account 1, with cred 1. We get 10 VPCs from account.
Now user updates the cred 1 to cred 2. (Cred 2 can potential point to different account, same region).
In this particular scenario, VPCs cache will have:
- VPCs from account 1 (Since they never got deleted upon secret modification)
- VPCs from new account (updated credentials)
There was a problem hiding this comment.
@Nithish555 please remove the comment..
There was a problem hiding this comment.
Please remove the entire comment
| } | ||
|
|
||
| // getPodNamespace gets the namespace of the pod. | ||
| func (r *CloudProviderAccountReconciler) getPodNamespace() string { |
There was a problem hiding this comment.
I dont think this is required here.. You should check for empty ns in GetPodNamespace. not here.. Also verify if nephe is launched in default Namespace, whats the value you get.
There was a problem hiding this comment.
This is required because the GetPodNamespace is generic so we should not handle it there. Because in this case we exit the pod.
The same namespace value which is configured in the pod metadata.
| credential := `{"accessKeyId": "keyId","accessKeySecret": "Secret"}` | ||
| err = os.Setenv("POD_NAMESPACE", testSecretNamespacedName.Namespace) | ||
| Expect(err).ShouldNot(HaveOccurred()) | ||
| // Create a secret using both fakeClient and clientSet, since secret watcher uses cleintset |
Nithish555
force-pushed
the
secret
branch
3 times, most recently
from
2632dfa to
a48b6f0
Compare
|
/nephe-test-e2e-kind |
Signed-off-by: nithishs <[email protected]>
No description provided.