feat: bubble up kcert status message when it's failed #14962
Conversation
|
Welcome @ckcd! It looks like this is your first PR to knative/serving 🎉 |
|
Hi @ckcd. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
knative-prow
bot
added
size/M
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
from
0ea19a9
to
790f52d
Compare
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
2 times, most recently
from
29ca43c
to
2fc98c9
Compare
|
/ok-to-test |
1 similar comment
|
/ok-to-test |
knative-prow
bot
added
ok-to-test
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #14962 +/- ##
==========================================
+ Coverage 84.11% 84.95% +0.84%
==========================================
Files 213 213
Lines 16783 13115 -3668
==========================================
- Hits 14117 11142 -2975
+ Misses 2315 1618 -697
- Partials 351 355 +4 ☔ View full report in Codecov by Sentry. |
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
from
2fc98c9
to
fefef66
Compare
|
@izabelacg @Cali0707 @ReToCode Could please help to look at this PR? thanks. |
| Status: "False", | ||
| Reason: "CommonName Too Long", | ||
| Status: "Unknown", | ||
| Reason: "The ready condition of Cert Manager Certificate does not exist.", |
There was a problem hiding this comment.
This message does not say much (not saying the old one was much better).
| @@ -451,8 +451,8 @@ func TestCertificateNotReadyWithBubbledUpMessage(t *testing.T) { | |||
| Conditions: duckv1.Conditions{ | |||
| { | |||
| Type: "Ready", | |||
| Status: "False", | |||
| Reason: "CommonName Too Long", | |||
| Status: "Unknown", | |||
There was a problem hiding this comment.
Just want to set up different tests for different states.
There was a problem hiding this comment.
Ok, I think I was also confused because the reason message here was moved to the other tests. What about extracting the message outside of the test and re-use it in both tests? It seems like you want to test for the actual states (failed/ready) and the message just has to be there.
There was a problem hiding this comment.
@ReToCode sure, will do this change. Thanks for your idea.
|
|
||
| apistest.CheckConditionFailed(r, RouteConditionCertificateProvisioned, t) | ||
| } | ||
|
|
||
| func TestCertificateFailedWithBubbledUpMessage(t *testing.T) { |
There was a problem hiding this comment.
I don't think I get the difference between these two tests. We mark the certificate provisioning as failed in both cases. Could you please elaborate the idea behind it?
|
As API is also part of this: /cc @dprotaso |
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
from
fefef66
to
24f0f45
Compare
knative-prow
bot
added
size/L
knative-prow
bot
added
the
do-not-merge/hold
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
from
24f0f45
to
95adad8
Compare
|
Seems test failed because of data race for some irrelevant tests. I will rebase code and re-trigger the tests. -- Now all successful. |
|
@dprotaso could you please take a look at this? thanks. |
|
closing/reopening so that the PR runs against the latest commit in |
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
from
95adad8
to
e7288b1
Compare
|
@dprotaso seems all ut flow passed now. please check it, thanks. |
|
/assign @dprotaso |
|
/retest |
| }{ | ||
| { | ||
| name: "Ready with empty message", | ||
| cert: &netv1alpha1.Certificate{}, | ||
| status: corev1.ConditionTrue, | ||
| wantMessage: "", | ||
| }, |
There was a problem hiding this comment.
Do you mind compacting this to match the list style we use in other parts of the repo
see:
serving/pkg/apis/serving/v1/route_lifecycle_test.go
Lines 78 to 83 in 315a94c
There was a problem hiding this comment.
Sure, thanks for your suggestion. will do this change.
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
from
e7288b1
to
250ab9c
Compare
|
@dprotaso Thanks for your reply! I made some changes according to your idea, please take a look. Thx~ |
pkg/reconciler/route/table_test.go
Outdated
| WantCreates: []runtime.Object{ | ||
| ingressWithTLS( | ||
| Route("default", "becomes-ready", WithConfigTarget("config"), WithURL, | ||
| WithRouteUID("12-34"), WithRouteGeneration(1)), | ||
| &traffic.Config{ | ||
| Targets: map[string]traffic.RevisionTargets{ | ||
| traffic.DefaultTarget: {{ | ||
| TrafficTarget: v1.TrafficTarget{ | ||
| LatestRevision: ptr.Bool(true), | ||
| ConfigurationName: "config", | ||
| RevisionName: "config-00001", | ||
| Percent: ptr.Int64(100), | ||
| }, | ||
| }}, | ||
| }, | ||
| }, nil, nil), | ||
| simpleK8sService( | ||
| Route("default", "becomes-ready", WithConfigTarget("config"), WithRouteUID("12-34")), | ||
| WithExternalName("becomes-ready.default.example.com"), | ||
| ), | ||
| }, |
There was a problem hiding this comment.
I wouldn't expect creates in this scenario since we just want to test route propagation. I'd suggest moving these to the Objects list
pkg/reconciler/route/table_test.go
Outdated
| Object: certificateWithStatus(resources.MakeCertificates(Route("default", "becomes-ready", WithConfigTarget("config"), WithURL, WithRouteUID("12-34")), | ||
| map[string]string{"becomes-ready.default.example.com": ""}, netcfg.CertManagerCertificateClassName, "example.com")[0], failedCertStatus()), | ||
| }}, |
There was a problem hiding this comment.
Certificate shouldn't be updated. What's in Objects should be the updated certificate
pkg/reconciler/route/table_test.go
Outdated
| Object: Route("default", "becomes-ready", WithConfigTarget("config"), | ||
| WithRouteUID("12-34"), WithRouteGeneration(1), WithRouteObservedGeneration, | ||
| // Populated by reconciliation when all traffic has been assigned. | ||
| WithAddress, WithRouteConditionsHTTPDowngrade, | ||
| MarkTrafficAssigned, MarkIngressNotConfigured, WithStatusTraffic( | ||
| v1.TrafficTarget{ | ||
| RevisionName: "config-00001", | ||
| Percent: ptr.Int64(100), | ||
| LatestRevision: ptr.Bool(true), | ||
| }), MarkIngressNotConfigured, | ||
| // The certificate is not ready. So we want to have HTTP URL. | ||
| WithURL), |
There was a problem hiding this comment.
The route should be in failed state but I don't see that here
pkg/reconciler/route/table_test.go
Outdated
| // This certificate's DNS name is not the host name needed by the input Route. | ||
| ActionImpl: clientgotesting.ActionImpl{ | ||
| Namespace: "default", | ||
| Verb: "delete", | ||
| Resource: netv1alpha1.SchemeGroupVersion.WithResource("certificates"), |
There was a problem hiding this comment.
This action (deleting the certificate seems unexpected) I'm wondering if we are setting up the test correctly. I wouldn't expect the certificate to be deleted.
There was a problem hiding this comment.
@dprotaso actually for this check that Route is correctly updated when Certificate is not ready test case, it also has above WantUpdates, WantDeletes and so on.
And for both not ready and failed in this table_test.go it's hard to check the route status = notReady/failed because in this line it will override the condition with HTTPDowngrade info. That's because we use HTTPProtocol=HTTPEnabled when init NewTestReconciler.
There was a problem hiding this comment.
actually for this check that Route is correctly updated when Certificate is not ready test case, it also has above WantUpdates, WantDeletes and so on.
Yeah two things - some of the fixtures are off. Meaning they don't really reflect the state a resource can be in. Secondly, each test case varies from whichi point in time a reconciliation occurs so the starting fixtures can be different.
In the scenario where the certificate provisioning has failed. I would expect we were already in a a 'steady state' where all the objects have been created and updated but the only the certificate has been marked as 'failed'
Thus to patch your code the fixtures for this scenario would be
diff --git a/pkg/reconciler/route/table_test.go b/pkg/reconciler/route/table_test.go
index 52080a089..809690182 100644
--- a/pkg/reconciler/route/table_test.go
+++ b/pkg/reconciler/route/table_test.go
@@ -3130,10 +3130,47 @@ func TestReconcileEnableExternalDomainTLS(t *testing.T) {
}, {
Name: "check that Route is correctly updated when Certificate is failed",
Objects: []runtime.Object{
- Route("default", "becomes-ready", WithConfigTarget("config"), WithRouteUID("12-34"), WithRouteGeneration(1)),
+ Route("default", "becomes-ready", WithConfigTarget("config"), WithRouteUID("12-34"), WithRouteGeneration(1),
+ // Populated by reconciliation when all traffic has been assigned.
+ WithAddress,
+ MarkTrafficAssigned,
+ WithStatusTraffic(
+ v1.TrafficTarget{
+ RevisionName: "config-00001",
+ Percent: ptr.Int64(100),
+ LatestRevision: ptr.Bool(true),
+ }),
+ // The certificate is not ready. So we want to have HTTP URL.
+ WithInitRouteConditions,
+ MarkTrafficAssigned,
+ WithRouteObservedGeneration,
+ MarkCertificateNotReady,
+ WithAddress,
+ MarkIngressReady,
+ WithURL,
+ ),
cfg("default", "config",
WithConfigGeneration(1), WithLatestCreated("config-00001"), WithLatestReady("config-00001")),
rev("default", "config", 1, MarkRevisionReady, WithRevName("config-00001")),
+ simpleK8sService(
+ Route("default", "becomes-ready", WithConfigTarget("config"), WithRouteUID("12-34")),
+ WithExternalName(pkgnet.GetServiceHostname("private-istio-ingressgateway", "istio-system")),
+ ),
+ ingressWithTLS(
+ Route("default", "becomes-ready", WithConfigTarget("config"), WithURL,
+ WithRouteUID("12-34"), WithRouteGeneration(1)),
+ &traffic.Config{
+ Targets: map[string]traffic.RevisionTargets{
+ traffic.DefaultTarget: {{
+ TrafficTarget: v1.TrafficTarget{
+ LatestRevision: ptr.Bool(true),
+ ConfigurationName: "config",
+ RevisionName: "config-00001",
+ Percent: ptr.Int64(100),
+ },
+ }},
+ },
+ }, nil, nil, withReadyIngress),
// MakeCertificates will create a certificate with DNS name "*.test-ns.example.com" which is not the host name
// needed by the input Route.
&netv1alpha1.Certificate{
@@ -3151,64 +3188,35 @@ func TestReconcileEnableExternalDomainTLS(t *testing.T) {
},
},
Spec: netv1alpha1.CertificateSpec{
- DNSNames: []string{"abc.test.example.com"},
+ Domain: "example.com",
+ DNSNames: []string{"becomes-ready.default.example.com"},
+ SecretName: "route-12-34",
},
Status: failedCertStatus(),
},
},
- WantCreates: []runtime.Object{
- ingressWithTLS(
- Route("default", "becomes-ready", WithConfigTarget("config"), WithURL,
- WithRouteUID("12-34"), WithRouteGeneration(1)),
- &traffic.Config{
- Targets: map[string]traffic.RevisionTargets{
- traffic.DefaultTarget: {{
- TrafficTarget: v1.TrafficTarget{
- LatestRevision: ptr.Bool(true),
- ConfigurationName: "config",
- RevisionName: "config-00001",
- Percent: ptr.Int64(100),
- },
- }},
- },
- }, nil, nil),
- simpleK8sService(
- Route("default", "becomes-ready", WithConfigTarget("config"), WithRouteUID("12-34")),
- WithExternalName("becomes-ready.default.example.com"),
- ),
- },
- WantUpdates: []clientgotesting.UpdateActionImpl{{
- Object: certificateWithStatus(resources.MakeCertificates(Route("default", "becomes-ready", WithConfigTarget("config"), WithURL, WithRouteUID("12-34")),
- map[string]string{"becomes-ready.default.example.com": ""}, netcfg.CertManagerCertificateClassName, "example.com")[0], failedCertStatus()),
- }},
WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
Object: Route("default", "becomes-ready", WithConfigTarget("config"),
WithRouteUID("12-34"), WithRouteGeneration(1), WithRouteObservedGeneration,
// Populated by reconciliation when all traffic has been assigned.
- WithAddress, WithRouteConditionsHTTPDowngrade,
- MarkTrafficAssigned, MarkIngressNotConfigured, WithStatusTraffic(
+ WithAddress,
+ WithRouteConditionsHTTPDowngrade,
+ MarkTrafficAssigned,
+ WithStatusTraffic(
v1.TrafficTarget{
RevisionName: "config-00001",
Percent: ptr.Int64(100),
LatestRevision: ptr.Bool(true),
- }), MarkIngressNotConfigured,
+ }),
// The certificate is not ready. So we want to have HTTP URL.
- WithURL),
- }},
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "Created", "Created placeholder service %q", "becomes-ready"),
- Eventf(corev1.EventTypeNormal, "Updated", "Updated Spec for Certificate %s/%s", "default", "route-12-34"),
- Eventf(corev1.EventTypeNormal, "Deleted", "Deleted orphaned Knative Certificate %s/%s", "default", "route-12-34"),
- Eventf(corev1.EventTypeNormal, "Created", "Created Ingress %q", "becomes-ready"),
- },
- WantDeletes: []clientgotesting.DeleteActionImpl{{
- // This certificate's DNS name is not the host name needed by the input Route.
- ActionImpl: clientgotesting.ActionImpl{
- Namespace: "default",
- Verb: "delete",
- Resource: netv1alpha1.SchemeGroupVersion.WithResource("certificates"),
- },
- Name: "route-12-34",
+ WithInitRouteConditions,
+ MarkTrafficAssigned,
+ WithRouteObservedGeneration,
+ WithRouteConditionsHTTPDowngrade,
+ WithAddress,
+ MarkIngressReady,
+ WithURL,
+ ),
}},
Key: "default/becomes-ready",
}, {Here we have no updates to resources and nothing being created - but we see the route's status having the HTTPDowngrade.
Unsure if you wanted to disable the HTTPDowngrade option.
Also I wouldn't expect the certificate to be deleted - I think that's because the fixture wasn't accurate.
There was a problem hiding this comment.
Hey @ckcd just following up here
There was a problem hiding this comment.
@dprotaso Thanks for your analysis! And sorry for my late reply.
I made some changes for the test case according to your suggestions. And also add a MarkCertificateProvisionFailed for testing. Please check it. Thanks.
Signed-off-by: ckcd <curtis@mail.ustc.edu.cn>
ckcd
force-pushed
the
ck2402_bubble_up_kcert_failed
branch
from
250ab9c
to
8d86ca3
Compare
|
/lgtm thanks @ckcd |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ckcd, dprotaso, ReToCode The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
bot
added
the
approved
|
/hold cancel |
knative-prow
bot
removed
the
do-not-merge/hold
|
/override "style / suggester / shell" |
|
@dprotaso: Overrode contexts on behalf of dprotaso: style / suggester / github_actions, style / suggester / shell, style / suggester / yaml In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@dprotaso Thank you for your patience and help!! |
|
likewise 🎉 |
Fixes #14530
Proposed Changes
Release Note