Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add PDB fields in the policy server spec. #698

Merged
merged 1 commit into from
Apr 4, 2024

Conversation

jvanz
Copy link
Member

@jvanz jvanz commented Mar 27, 2024

Description

Adds two new fields in the PolicyServerSpec: minAvailable and maxUnavailable. These fields are used to create a PodDisruptionBudget for the policy server pods. Both fields cannot be set together because Kubernetes does not allow setting both together in the PDB spec.

Fix #692

Test

make test

NOTE: this is a draft PR because I would like to make it "ready for review" together with the Helm chart changes. However, you can review it already.

@jvanz jvanz self-assigned this Mar 27, 2024
Copy link

codecov bot commented Mar 27, 2024

Codecov Report

Attention: Patch coverage is 66.66667% with 17 lines in your changes are missing coverage. Please review.

Project coverage is 50.56%. Comparing base (3fa9744) to head (91159f2).

Files Patch % Lines
internal/pkg/admission/reconciler.go 0.00% 11 Missing ⚠️
...g/admission/policy-server-pod-disruption-budget.go 84.21% 3 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #698      +/-   ##
==========================================
- Coverage   50.91%   50.56%   -0.35%     
==========================================
  Files          26       27       +1     
  Lines        1970     2021      +51     
==========================================
+ Hits         1003     1022      +19     
- Misses        866      891      +25     
- Partials      101      108       +7     
Flag Coverage Δ
integration-tests 68.61% <ø> (-3.14%) ⬇️
unit-tests 44.97% <66.66%> (+0.74%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jvanz jvanz marked this pull request as ready for review March 27, 2024 19:04
@jvanz jvanz requested a review from a team as a code owner March 27, 2024 19:04
return err
}, timeout, pollInterval).Should(Succeed())
Eventually(func(g Gomega) error {
return policyServerPodDisruptionBudgetExists(policyServerName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could make the tests stricter by using a getTestPDB utility function and testing that the values are set correctly see

Expect(validatingWebhookConfiguration.Webhooks[0].ClientConfig.CABundle).To(Equal(caSecret.Data[constants.PolicyServerCARootPemName]))
instead of asserting the existence of the PDB.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've pushed a gomega matcher to address this request. It's a little bit different from what you request. During the tests I found out that if we follow the example that you sent, the tests will fail after the first failed tried in the Eventually call. As far as I can see, the example test is not failing only because the order of the tests. In other words, it's passing because the order of the execution and due how the controller set policy status. The webhook always exists when the test start. To fix the test, we can follow the approach that I've used in this PR. Or we should update the Expect calls to be g.Expect (using the argument of the function.

Copy link
Member Author

@jvanz jvanz Apr 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll open an PR to address this problem.

pkg/apis/policies/v1/policyserver_webhook.go Outdated Show resolved Hide resolved
controllers/utils_test.go Outdated Show resolved Hide resolved
Comment on lines 49 to 64
_, err := controllerutil.CreateOrUpdate(ctx, k8s, pdb, func() error {
pdb.Name = buildPodDisruptionBudgetName(policyServer)
pdb.Namespace = namespace
pdb.OwnerReferences = []metav1.OwnerReference{
*metav1.NewControllerRef(policyServer, policiesv1.GroupVersion.WithKind("PolicyServer")),
}
pdb.Spec.Selector = &metav1.LabelSelector{
MatchLabels: map[string]string{
constants.AppLabelKey: policyServer.AppLabel(),
constants.PolicyServerLabelKey: policyServer.GetName(),
},
}
if policyServer.Spec.MinAvailable != nil {
pdb.Spec.MinAvailable = policyServer.Spec.MinAvailable
} else {
pdb.Spec.MaxUnavailable = policyServer.Spec.MaxUnavailable
}
return nil
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The part where we set the ownerRef can be handled in a nicer way using controllerutil.SetOwnerReference.

For example:

secret := &corev1.Secret{
			TypeMeta: metav1.TypeMeta{
				Kind:       "Secret",
				APIVersion: "v1",
			},
			ObjectMeta: metav1.ObjectMeta{
				Namespace: app.ObjectMeta.Namespace,
				Name:      generatedRuntimeConfigSecretName,
				Labels: map[string]string{
					spinapp.NameLabelKey: app.ObjectMeta.Name,
				},
			},
			Data: map[string][]byte{
				"runtime-config.toml": tomlValue,
			},
		}
		err = controllerutil.SetOwnerReference(app, secret, r.Scheme)
		if err != nil {
			return fmt.Errorf("failed to set runtimeconfig owner reference: %w", err)
		}

		err = r.Client.Create(ctx, secret)

this is taken from here

internal/pkg/constants/constants.go Outdated Show resolved Hide resolved
controllers/policyserver_controller.go Outdated Show resolved Hide resolved
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the RBAC comment must be addressed. It would also be nice to address the other ones

Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM now. Thanks for the changes

Copy link
Contributor

@fabriziosestito fabriziosestito left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. we can merge once the linter is happy

Adds two new fields in the PolicyServerSpec: minAvailable and
maxUnavailable. These fields are used to create a PodDisruptionBudget
for the policy server pods. Both fields cannot be set together because
Kubernetes does not allow setting both together in the PDB spec.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
@jvanz jvanz merged commit 14e390b into kubewarden:main Apr 4, 2024
9 checks passed
@jvanz jvanz deleted the pod-pdb branch April 4, 2024 12:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Feature Request: allow PolicyServer to have Pod disruption budget
3 participants