Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Implement config pod status #3544

Merged
merged 30 commits into from
Oct 11, 2024

Conversation

abhipatnala
Copy link
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #2918

Special notes for your reviewer:

@abhipatnala abhipatnala requested a review from a team as a code owner September 14, 2024 03:35
@codecov-commenter
Copy link

codecov-commenter commented Sep 14, 2024

Codecov Report

Attention: Patch coverage is 48.97959% with 125 lines in your changes missing coverage. Please review.

Project coverage is 48.22%. Comparing base (3350319) to head (20cb2ca).
Report is 157 commits behind head on master.

Files with missing lines Patch % Lines
apis/status/v1beta1/zz_generated.deepcopy.go 0.00% 62 Missing ⚠️
...controller/configstatus/configstatus_controller.go 64.47% 17 Missing and 10 partials ⚠️
pkg/controller/config/config_controller.go 66.15% 15 Missing and 7 partials ⚠️
apis/status/v1beta1/configpodstatus_types.go 80.00% 2 Missing and 2 partials ⚠️
pkg/controller/expansion/expansion_controller.go 50.00% 2 Missing and 2 partials ⚠️
...er/constraintstatus/constraintstatus_controller.go 0.00% 1 Missing and 1 partial ⚠️
...platestatus/constrainttemplatestatus_controller.go 0.00% 1 Missing and 1 partial ⚠️
...ller/expansionstatus/expansionstatus_controller.go 0.00% 1 Missing and 1 partial ⚠️

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (20cb2ca). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (3350319) HEAD (20cb2ca)
unittests 2 1
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3544      +/-   ##
==========================================
- Coverage   54.49%   48.22%   -6.28%     
==========================================
  Files         134      221      +87     
  Lines       12329    15371    +3042     
==========================================
+ Hits         6719     7413     +694     
- Misses       5116     7119    +2003     
- Partials      494      839     +345     
Flag Coverage Δ
unittests 48.22% <48.97%> (-6.28%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@abhipatnala abhipatnala force-pushed the add_status_to_config branch 2 times, most recently from 0721779 to a240878 Compare September 19, 2024 18:18
pkg/controller/config/config_controller.go Outdated Show resolved Hide resolved
pkg/controller/config/config_controller.go Show resolved Hide resolved
pkg/controller/configstatus/configstatus_controller.go Outdated Show resolved Hide resolved
pkg/controller/configstatus/configstatus_controller.go Outdated Show resolved Hide resolved
pkg/controller/configstatus/configstatus_controller.go Outdated Show resolved Hide resolved

// PodStatusToConfigMapper correlates a ConfigPodStatus with its corresponding Config.
// `selfOnly` tells the mapper to only map statuses corresponding to the current pod.
func PodStatusToConfigMapper(selfOnly bool) handler.TypedMapFunc[*v1beta1.ConfigPodStatus] {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like selfOnly is not being used. This code was copied from expansion templates, which also did not use selfOnly. This is a bug. Here is an example of proper use of selfOnly in the constraint controller:

err = c.Watch(
source.Kind(mgr.GetCache(), &constraintstatusv1beta1.ConstraintPodStatus{}, handler.TypedEnqueueRequestsFromMapFunc(constraintstatus.PodStatusToConstraintMapper(true, util.EventPackerMapFunc()))))
if err != nil {
return err
}

Here is the basic reasoning:

  • status controllers want to watch all podStatus objects and the primary object because they want to make sure they respond to any changes (i.e. writing status changes, overwriting inappropriate deletes of the status field, etc.)

  • primary controllers want to watch podStatus for the corresponding pod -- if someone deletes a podStatus resource the main object should be re-reconciled to avoid missing state.

As it stands, if a user were to delete the podStatus object, there is a risk that there would be no reconcile.

We should add the appropriate watches to the config and expansion controllers.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we have a PR that fixes this in the other controller?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If selfOnly is always required and true, why is this a variable? when does it need to be set to false?

pkg/controller/configstatus/configstatus_controller.go Outdated Show resolved Hide resolved

// Add creates a new config Status Controller and adds it to the Manager. The Manager will set fields on the Controller
// and Start it when the Manager is Started.
func (a *Adder) Add(mgr manager.Manager) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't look like we're gating status controller on whether the status operation is enabled -- this is bad because it means this controller will not run as a singleton, which invites write conflicts particularly as the # of pods scales.

Example of the status gate:

if operations.IsAssigned(operations.Status) {
// statusEvents will be used to receive events from dynamic watches registered
// via the registrar below.
statusEvents := make(chan event.GenericEvent, 1024)
csAdder := constraintstatus.Adder{
CFClient: cfClient,
WatchManager: wm,
ControllerSwitch: cs,
Events: statusEvents,
IfWatching: statusW.IfWatching,
}
if err := csAdder.Add(mgr); err != nil {
return nil, err
}
ctsAdder := constrainttemplatestatus.Adder{
CfClient: cfClient,
WatchManager: wm,
ControllerSwitch: cs,
}
if err := ctsAdder.Add(mgr); err != nil {
return nil, err
}
}

Though a more appropriate code shape for this PR is probably the mutator status gate:

if !operations.IsAssigned(operations.MutationStatus) {
return nil
}

(however we should depend on Status, not MutatorStatus)

We should also fix this for the expansion template status controller (worth verifying it has a similar oversight first).

Long-term a more uniform design pattern for adding status controllers may help avoid similar oversights in the future, but that's beyond the scope of this PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the logic to use status gate

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we create PRs to add it to the other status controllers that do not have a similar gate? This would include expansion template status at the minimum.

Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

almost there! Minor nits and some follow-up items.

apis/status/v1beta1/configpodstatus_types.go Show resolved Hide resolved
pkg/controller/config/config_controller.go Outdated Show resolved Hide resolved

// Add creates a new config Status Controller and adds it to the Manager. The Manager will set fields on the Controller
// and Start it when the Manager is Started.
func (a *Adder) Add(mgr manager.Manager) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we create PRs to add it to the other status controllers that do not have a similar gate? This would include expansion template status at the minimum.


// PodStatusToConfigMapper correlates a ConfigPodStatus with its corresponding Config.
// `selfOnly` tells the mapper to only map statuses corresponding to the current pod.
func PodStatusToConfigMapper(selfOnly bool) handler.TypedMapFunc[*v1beta1.ConfigPodStatus] {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we have a PR that fixes this in the other controller?

pkg/controller/configstatus/configstatus_controller.go Outdated Show resolved Hide resolved
pkg/controller/configstatus/configstatus_controller.go Outdated Show resolved Hide resolved
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM, pending resolution of either fixing readiness tracker tests in this PR or separating code to separate PR.

pkg/readiness/ready_tracker_unit_test.go Show resolved Hide resolved
@abhipatnala abhipatnala force-pushed the add_status_to_config branch from dabdc7b to eaf85ba Compare October 1, 2024 17:09
Avinash Patnala added 13 commits October 1, 2024 17:10
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Avinash Patnala added 10 commits October 1, 2024 17:10
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
@abhipatnala abhipatnala force-pushed the add_status_to_config branch from eaf85ba to b75a3ea Compare October 1, 2024 17:10
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
@abhipatnala abhipatnala requested a review from maxsmythe October 1, 2024 18:17
…ntrollers to use operation.status flag

Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after final minor fix. Good job!

pkg/controller/mutatorstatus/mutatorstatus_controller.go Outdated Show resolved Hide resolved
Signed-off-by: Avinash Patnala <avinashpatnala@google.com>
@abhipatnala abhipatnala requested a review from maxsmythe October 2, 2024 17:34
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@maxsmythe maxsmythe requested a review from a team October 3, 2024 01:27
Copy link
Contributor

@JaydipGabani JaydipGabani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! changes looks good to me.

One q:
Issue mentiones adding gatekeeper_config metrics and status tag for the same as well. Do we want to include those changes in this PR or keep the original issue open and follow up with another PR?

@maxsmythe
Copy link
Contributor

Let's make it a separate PR. This one is already sizeable and that's conceptually a different thing. Maybe file a separate issue for metrics and status tag?

Copy link
Contributor

@JaydipGabani JaydipGabani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

log logr.Logger
}

// +kubebuilder:rbac:groups=config.gatekeeper.sh,resources=*,verbs=get;list;watch;create;update;patch;delete
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what it does is adds overlapping entries in the role rather than override?

IMO it's safest to just duplicate to avoid accidentally deleting necessary permissions due to code refactors, but not a huge deal either way for me.

Copy link
Member

@ritazh ritazh Oct 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm ok with keeping it. Just wanted to make sure this is what we want as it trumps the old rules.

groups=config.gatekeeper.sh,resources=*,verbs=get;list;watch;create;update;patch;delete

Copy link
Member

@ritazh ritazh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ritazh ritazh merged commit 7d71ba2 into open-policy-agent:master Oct 11, 2024
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add status to config
5 participants