Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handle InstallPlan approval based on spec.versions #199

Conversation

JustinKuli
Copy link
Member

When enforcing a policy that specifies which versions should be allowed, the controller will now set the Subscription.InstallPlanApproval to Manual, and will approve only the InstallPlans that match the versions specified in the policy.

The controller now also reports the status of related InstallPlans.

Refs:

@JustinKuli
Copy link
Member Author

I've finally got consistently passing tests here! Sorry for the noise, I think this is ready for review now.

Copy link
Contributor

@JeffeyL JeffeyL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, a few minor comments that are mostly cosmetic in nature.

controllers/operatorpolicy_controller.go Show resolved Hide resolved
phase = ""
}

relObj := policyv1.RelatedObject{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: It might be too messy due to the added phase logic but putting this in a function might match the other implementation patterns better, something like func existingInstallPlanObj(ip unstructured.Unstructured, phase string) (policyv1.RelatedObject) {} or func existingInstallPlanObj(ip unstructured.Unstructured, phase string) (policyv1.RelatedObject, bool, bool) {} if the phase logic needs to be included.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That kind of function would probably be nice for consistency. Because of the other stuff using phase, it's not a huge benefit, but I don't think it would be any messier.

// FUTURE: check policy.spec.statusConfig.upgradesAvailable to determine `compliant`.
// For now this condition assumes it is set to 'NonCompliant'
cond := installPlanUpgradeCond(allUpgradeVersions)
cond.Message += " but not allowed by the specified versions in the policy"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could be better for clarity to just add this as a case within the installPlanUpgradeCond() function unless there may be more future message modifications under the same case

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would probably be nicer.

// FUTURE: check policy.spec.statusConfig.upgradesAvailable to determine `compliant`.
// For now this condition assumes it is set to 'NonCompliant'
cond := installPlanUpgradeCond(allUpgradeVersions)
cond.Message += " but multiple of those match the versions specified in the policy"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as the message case for len(approvableInstallPlans) == 0

}

// handle some special phases
switch phase {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my understanding handleCSV didn't need to consider the Failed phase since it took the condition directly from the CSV itself, but in this case should we not report a failed InstallPlan?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I should add a comment for this, because it's a great question.

My thinking was: we don't always want to report NonCompliance if there's a Failed InstallPlan, because InstallPlans can be left over from previous installations or upgrades. So if the "current" InstallPlan is good, reporting NonCompliant for an old Failed one would be bad/confusing.

But right now, this implementation doesn't even report that a current Failed InstallPlan would cause NonCompliance... that's probably not perfect, although I'd expect the Subscription or CSV in this situation would have some status that still causes the policy to be NonCompliant overall. The subscription does point to a current InstallPlan, maybe it can check that one specifically.

"InstallPlan.Name", installPlan.GetName())

// The InstallPlan will be added as unknown
phase = ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth mentioning in the relevant relatedObj if the phase field wasn't found. A message in the relObj.Reason field looks like a good place to put it, unless this is required for functionality in another place in the controller.

Copy link
Member

@mprahl mprahl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple minor comments that may or may not be actionable but this looks good to me. Nice job!


OpLog := ctrl.LoggerFrom(ctx)
relatedInstallPlans := make([]policyv1.RelatedObject, len(ownedInstallPlans))
ipsRequiringApproval := make([]unstructured.Unstructured, 0)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this is size 0?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just prefer this to an alternate syntax like ipsRequiringApproval := [] unstructured.Unstructured{}.

It needs to be length 0 to start so that we can append an unknown number of items to it.


err := r.updateStatus(ctx, policy, cond, nonCompObj(foundSub, subResFailed.Reason))
if err != nil {
return nil, fmt.Errorf("error updating the status for a Subscription in ResolutionFailed: %w", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Optional) I think this could be clearer to include what's being set. Maybe something like:

Suggested change
return nil, fmt.Errorf("error updating the status for a Subscription in ResolutionFailed: %w", err)
return nil, fmt.Errorf("error updating the ResolutionFailed status to false for the Subscription: %w", err)

controllers/operatorpolicy_controller.go Outdated Show resolved Hide resolved
controllers/operatorpolicy_controller.go Outdated Show resolved Hide resolved
Message: "a relevant InstallPlan is actively installing",
}

// installPlansFineCond is a Compliant condition with Reason 'InstallPlansFine'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Fine" is too abstract/non-specific and I feel like it wouldn't be widely understood when translated. Unless this is some alignment with OLM, is there a better word like "Succeeded", "Complete", or "Installed"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, I had no better ideas when I made it up 😆

I think originally I thought this would need to cover more cases than it does - so I deliberately avoided something like "Succeeded" because I expected it would cover a case where nothing had been installed yet... but now I think this situation is really just "there are no InstallPlans considered for approval", so I can report that as the condition.

When enforcing a policy that specifies which versions should be allowed,
the controller will now set the Subscription.InstallPlanApproval to
Manual, and will approve only the InstallPlans that match the versions
specified in the policy.

The controller now also reports the status of related InstallPlans.

Refs:
 - https://issues.redhat.com/browse/ACM-9286

Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
Copy link
Member

@mprahl mprahl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/hold for other reviews

Copy link
Member

@dhaiducek dhaiducek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Copy link

openshift-ci bot commented Feb 14, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dhaiducek, JustinKuli, mprahl, yiraeChristineKim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [JustinKuli,dhaiducek,mprahl,yiraeChristineKim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@JustinKuli
Copy link
Member Author

/unhold

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants