Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add metrics role and extend view role #519

Merged
merged 2 commits into from
Nov 23, 2020
Merged

Add metrics role and extend view role #519

merged 2 commits into from
Nov 23, 2020

Conversation

svor
Copy link
Contributor

@svor svor commented Nov 5, 2020

Signed-off-by: svor vsvydenk@redhat.com

What does this PR do?

  • Adds new verb get with " " APIGroups to get an information about limited resources
  • Adds new APIGroups metrics.k8s.io to get an information from Metric server

What issues does this PR fix or reference?

eclipse-che/che#17205

@svor svor self-assigned this Nov 5, 2020
@openshift-ci-robot
Copy link

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@svor svor changed the title Extend view Role Add metrics role and extend view role Nov 9, 2020
@svor
Copy link
Contributor Author

svor commented Nov 9, 2020

Minishift / Testing latest changes (pull_request) check should be passed after applying these changes: https://github.com/eclipse/che-operator/pull/519/files#diff-dd2b7f73672812f28eaeefd88568f005bc349b4647e015a36b2789ad29b5221fL89

@svor svor marked this pull request as ready for review November 9, 2020 14:18
@svor svor requested a review from ericwill November 9, 2020 14:18
@ericwill
Copy link

ericwill commented Nov 9, 2020

I'm out of my element here, so will defer to a subject matter expert's judgement 😃

@tolusha
Copy link
Contributor

tolusha commented Nov 10, 2020
edited
Loading

@svor
To have all tests passed:

@svor svor mentioned this pull request Nov 10, 2020
Merged
9 tasks
tolusha
tolusha reviewed Nov 11, 2020
View reviewed changes
pkg/controller/che/che_controller.go Outdated
},
},
}
role, err := deploy.SyncRoleToCluster(deployContext, "exec", execPolicyRule)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls. create a new function in role.go

SyncExecRoleToCluster(..)

and move

execPolicyRule := []rbac.PolicyRule{
		{
			APIGroups: []string{
				"",
			},
			Resources: []string{
				"pods/exec",
			},
			Verbs:     []string{
				"*",
			},
		},
	}
	role, err := deploy.SyncRoleToCluster(deployContext, "exec", execPolicyRule)

Pls. do accordingly for other changes...

Copy link
Contributor Author

@svor svor Nov 11, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. @tolusha could you pls take another look
Also still have some problems with Check nightly "opm" bundle action. From the logs i see a message:

Nightly bundle file deploy/olm-catalog/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml should be updated in your pr

but che-operator/olm/update-nightly-bundle.sh script doesn't provide any updates.

tolusha
tolusha reviewed Nov 11, 2020
View reviewed changes
pkg/deploy/tls.go Outdated
},
},
}
role, err := SyncRoleToCluster(deployContext, CheTLSJobRoleName, policyRule)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pls. create a corresponding function in role.go

tolusha
tolusha reviewed Nov 11, 2020
View reviewed changes
pkg/deploy/role.go Outdated
},
},
}
return SyncRoleToCluster(deployContext, "che-tls-job-role", tlsPolicyRule)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use the const
https://github.com/svor/che-operator/blob/sv/metrics/pkg/deploy/tls.go#L39

tolusha
tolusha approved these changes Nov 11, 2020
View reviewed changes
Copy link
Contributor

@tolusha tolusha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's wait for PR check passed

@AndrienkoAleksandr
Copy link
Contributor

AndrienkoAleksandr commented Nov 17, 2020
edited
Loading

Hello, @svor take a look, please, one more thing: update roles. For example user could have installed Che, and operator installs role with new 'verb'. In the our current code, this role won't be updated: https://github.com/eclipse/che-operator/blob/4c194ddeb57e0717b8de7083efdf40cd43634a93/pkg/deploy/role.go#L42 and https://github.com/eclipse/che-operator/blob/4c194ddeb57e0717b8de7083efdf40cd43634a93/pkg/deploy/role.go#L48 . So you need apply differ to compare roles, and if role was changed(for newer Che we want more permissions), then we should update role. We have a good examples in the code how to do that.
Example: here was evaluated diff between pvc https://github.com/eclipse/che-operator/blob/4c194ddeb57e0717b8de7083efdf40cd43634a93/pkg/deploy/pvc.go#L71 and if pvc is differ, then we make update:
https://github.com/eclipse/che-operator/blob/4c194ddeb57e0717b8de7083efdf40cd43634a93/pkg/deploy/pvc.go#L76
The same thing you should do for role object to prevent update issue.

tolusha
tolusha requested changes Nov 17, 2020
View reviewed changes
Copy link
Contributor

@tolusha tolusha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pls fix @AndrienkoAleksandr 's remarks

@svor
Copy link
Contributor Author

svor commented Nov 17, 2020

@AndrienkoAleksandr Thank you for detailed explanation, your remark makes sense 100%! I'll update this PR

@svor
Extend view role. Add a role for metrics api
01e6581 
Signed-off-by: svor <vsvydenk@redhat.com>
@svor
code cleanup
44a3046 
Signed-off-by: svor <vsvydenk@redhat.com>
@svor
Copy link
Contributor Author

svor commented Nov 20, 2020

View Role was updated successfully in my local k8s environment. Logs from che-operator pod:

time="2020-11-20T15:54:20Z" level=info msg="Updating existed object: Role, name: view"
Difference:
  &v1.Role{
  	... // 2 ignored fields
  	Rules: []v1.PolicyRule{
  		{
  			Verbs: []string{
  				"list",
+ 				"get",
  			},
  			APIGroups: []string{""},
  			Resources: []string{"pods"},
  			... // 2 ignored fields
  		},
+ 		{
+ 			Verbs:     []string{"list", "get", "watch"},
+ 			APIGroups: []string{"metrics.k8s.io"},
+ 			Resources: []string{"pods"},
+ 		},
  	},
  }

@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AndrienkoAleksandr, svor, tolusha
To complete the pull request process, please assign after the PR has been reviewed.
You can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@svor svor merged commit 2e0bfec into eclipse-che:master Nov 23, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tolusha tolusha tolusha approved these changes

@AndrienkoAleksandr AndrienkoAleksandr AndrienkoAleksandr approved these changes

@davidfestal davidfestal Awaiting requested review from davidfestal

@nickboldt nickboldt Awaiting requested review from nickboldt

@ericwill ericwill Awaiting requested review from ericwill

Assignees

@svor svor

@tolusha tolusha

@AndrienkoAleksandr AndrienkoAleksandr

Labels
lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@svor @openshift-ci-robot @ericwill @tolusha @AndrienkoAleksandr