-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-38342: UPSTREAM: <carry>: allow type mutation for specific secrets - revert #2052
base: master
Are you sure you want to change the base?
Conversation
This reverts commit b9c1d7e.
@vrutkovs: This pull request references Jira Issue OCPBUGS-38342, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
@vrutkovs: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
Comment |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vrutkovs The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/cc @atiratree |
@vrutkovs note that some secret could have been created with the old type on 4.16 (for example openshift/library-go#1773 (comment)). Before removing this carry we should ensure that these secrets were migrated to the new type as well. |
Using However controllers should not be using library-go's
So this carry can be safely removed in 4.16+ |
Personally, I would feel more comfortable if we could create a new control loop in KAS-O that produces a metric, which we could then scrape via telemetry, before removing this carry path. What do you think? /cc @tkashem |
@vrutkovs: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
most clusters are disconnected, so we'll miss a lot of clusters. Also, we'd need customers to updated before we can assess the situation - that might take ~year. Another thing I'm concerned are false-positives - cluster admins may accidentally create such secrets in the namespaces and the metric would mistakenly show these secrets |
In my humble opinion, I would feel safer to gather some data before we remove this patch. If we use insight to look at some old clusters that started with 4.6 (i don't remember the exact version) that would give us some confidence, If not through insight, the least we can do is identify some of these clusters, get in touch with the customer and ask them to run a diagnostics we provide. Thoughts? |
It would be incomplete data and would not prevent possible failures. We might as well rely on QE doing 4.6 -> 4.16 upgrade.
We don't limit validation rule to specific secret names, just the namespaces - so if user has created new SecretTypeTLS in the namespaces it would still be converted - and reported. What we would not know is if these secrets are critical to cluster functionality and will cause upgrade failures |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
This reverts commit b9c1d7e. Drop carry from #1924
This is no longer necessary as all these secrets have been migrated during 4.15 upgrade