Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OCPBUGS-38342: UPSTREAM: <carry>: allow type mutation for specific secrets - revert #2052

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

vrutkovs
Copy link
Member

This reverts commit b9c1d7e. Drop carry from #1924

This is no longer necessary as all these secrets have been migrated during 4.15 upgrade

@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Aug 12, 2024
@openshift-ci-robot
Copy link

@vrutkovs: This pull request references Jira Issue OCPBUGS-38342, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.0) matches configured target version for branch (4.18.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This reverts commit b9c1d7e. Drop carry from #1924

This is no longer necessary as all these secrets have been migrated during 4.15 upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Aug 12, 2024
@openshift-ci-robot
Copy link

@vrutkovs: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

Copy link

openshift-ci bot commented Aug 12, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vrutkovs
Once this PR has been reviewed and has the lgtm label, please assign tkashem for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vrutkovs
Copy link
Member Author

/cc @atiratree

@openshift-ci openshift-ci bot requested a review from atiratree August 12, 2024 11:42
@vrutkovs vrutkovs changed the title OCPBUGS-38342: Revert "UPSTREAM: <carry>: allow type mutation for specific secrets" OCPBUGS-38342: UPSTREAM <carry> allow type mutation for specific secrets - revert Aug 12, 2024
@vrutkovs vrutkovs changed the title OCPBUGS-38342: UPSTREAM <carry> allow type mutation for specific secrets - revert OCPBUGS-38342: UPSTREAM: <carry>: allow type mutation for specific secrets - revert Aug 12, 2024
@p0lyn0mial
Copy link

This is no longer necessary as all these secrets have been migrated during 4.15 upgrade

@vrutkovs note that some secret could have been created with the old type on 4.16 (for example openshift/library-go#1773 (comment)).

Before removing this carry we should ensure that these secrets were migrated to the new type as well.

@vrutkovs
Copy link
Member Author

some secret could have been created with the old type on 4.16

Using SecretTypeTLS is still valid - and you can create those secrets.

However controllers should not be using library-go's applySecret/applyConfigMap when managing those - this would change their type forcibly. This was fixed by several PRs:

  • ensuring all new secrets are created with kubernetes.io/tls type (in etcd and kcm)
  • born-in-4.6 upgraded to 4.15 and have this type changed before upgrading to 4.16+

So this carry can be safely removed in 4.16+

@p0lyn0mial
Copy link

p0lyn0mial commented Aug 12, 2024

Personally, I would feel more comfortable if we could create a new control loop in KAS-O that produces a metric, which we could then scrape via telemetry, before removing this carry path. What do you think?

/cc @tkashem

Copy link

openshift-ci bot commented Aug 12, 2024

@vrutkovs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-serial 3a5a4c9 link true /test e2e-aws-ovn-serial
ci/prow/verify-commits 3a5a4c9 link true /test verify-commits
ci/prow/e2e-gcp-ovn-upgrade 3a5a4c9 link true /test e2e-gcp-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@vrutkovs
Copy link
Member Author

we could create a new control loop in KAS-O that produces a metric, which we could then scrape via telemetry

most clusters are disconnected, so we'll miss a lot of clusters. Also, we'd need customers to updated before we can assess the situation - that might take ~year. Another thing I'm concerned are false-positives - cluster admins may accidentally create such secrets in the namespaces and the metric would mistakenly show these secrets

@tkashem
Copy link

tkashem commented Aug 13, 2024

most clusters are disconnected, so we'll miss a lot of clusters. Also, we'd need customers to updated before we can assess the situation - that might take ~year. Another thing I'm concerned are false-positives - cluster admins may accidentally create such secrets in the namespaces and the metric would mistakenly show these secrets

  • through insight we will know about the connected clusters, that will be a good piece of data based on which we can decide
  • I don't think we need to be concerned with the false positives, our focus is known secret objects in certain namespaces, right?

In my humble opinion, I would feel safer to gather some data before we remove this patch. If we use insight to look at some old clusters that started with 4.6 (i don't remember the exact version) that would give us some confidence, If not through insight, the least we can do is identify some of these clusters, get in touch with the customer and ask them to run a diagnostics we provide. Thoughts?

@vrutkovs
Copy link
Member Author

that will be a good piece of data

It would be incomplete data and would not prevent possible failures. We might as well rely on QE doing 4.6 -> 4.16 upgrade.

our focus is known secret objects in certain namespaces, right?

We don't limit validation rule to specific secret names, just the namespaces - so if user has created new SecretTypeTLS in the namespaces it would still be converted - and reported. What we would not know is if these secrets are critical to cluster functionality and will cause upgrade failures

@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants