Change resource key logic for k8s #4916
1b0b3f7 to d617a06
The Overview of the fix
- refine the namespace by
- remove the logic to determine the namespace from
@khanhtc1202 @t-kikuc
@ffjlabo some test cases are failing 👀
@khanhtc1202 Sorry, I fixed some of them. 🙏
/review
PR Analysis
Main theme: Enhancement and Refactoring
PR summary: This PR introduces enhancements and refactoring to various components that interact with Kubernetes resources, such as planners, appliers, and detection mechanisms. It involves propagating the knowledge of namespaced versus non-namespaced resources through the system.
Type of PR: Enhancement, Refactoring
PR Feedback:
General suggestions: This PR contains quite a large set of changes across multiple components, focusing on ensuring that the system properly respects namespaced and cluster-wide resources in Kubernetes. While the PR introduces a central mechanism to define whether a
Code feedback
Security concerns: no
The code changes introduced in this PR do not seem to introduce any obvious security concerns such as SQL injection, XSS, or CSRF vulnerabilities. The updates mostly deal with internal configuration and state management concerning Kubernetes resources. However, the security of the mechanism used to determine the namespaced status of Kubernetes resources should be considered to ensure that it cannot be misused or lead to incorrect assumptions about resource accessibility and isolation.
@ffjlabo Please rebase this PR due to pipedv1 package change 👀
f07abcb to 9ac0a78
The failing test is solved by this PR 🙏 #4926
e.LogPersister.Errorf("failed to fetch preferred resources: %v", zap.Error(err))
return model.StageStatus_STAGE_FAILURE
}
e.LogPersister.Info(fmt.Sprintf("successfully preferred resources that contains for %d groups", len(groupResources)))
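Review bot: in the `Errorf` call on the first line of this hunk, `zap.Error(err)` builds a `zap.Field`, so formatting it with `%v` prints the field struct rather than the error text; pass `err` itself, i.e. `e.LogPersister.Errorf("failed to fetch preferred resources: %v", err)`. The success message on the last line also reads oddly ("successfully preferred resources that contains for %d groups"); "successfully fetched preferred resources for %d groups" says what actually happened.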
Suggested change:
e.LogPersister.Info(fmt.Sprintf("successfully preferred resources that contains for %d groups", len(groupResources)))
e.LogPersister.Infof("successfully preferred resources that contains for %d groups", len(groupResources))
And remove the "fmt" package.
Thanks! fixed ff15986
// 1. The namespace set in the application configuration.
// 2. The namespace set in the manifest.
// 3. The default namespace.
func (l *loader) refineNamespace(m *Manifest) error {
Should it be named determineResourceNamespace or determineNamespace? 🤔
Thanks! fixed as determineNamespace 5d22c75
// determineNamespace fix the namespace of the given manifest.
// The priority is as follows:
// If the resource is cluster-scoped, it returns an empty string.
// Otherwise, it is the namespace-scoped resource and the namespace is determined by the following order:
// 1. The namespace set in the application configuration.
// 2. The namespace set in the manifest.
// 3. The default namespace.
func (l *loader) determineNamespace(m *Manifest) error {
namespaced, ok := l.isNamespacedResources[m.u.GroupVersionKind()]
if !ok {
return fmt.Errorf("unknown resource kind %s", m.u.GroupVersionKind().String())
}
for i := range manifests {
manifests[i].Key.Namespace = namespace

namespace := "" // empty if cluster-scoped resource

if namespaced {
namespace = "default"

if ns := m.u.GetNamespace(); ns != "" {
namespace = ns
}

if l.input.Namespace != "" {
namespace = l.input.Namespace
}
}

m.Key.Namespace = namespace
m.u.SetNamespace(namespace)

return nil
}
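Review bot: `determineNamespace` never reads `m.u.GetNamespace()` on the cluster-scoped path, so a namespace mistakenly written on a ClusterRole manifest is replaced with "" by `m.u.SetNamespace(namespace)` without a trace; that is the behaviour the PR wants for the key, but logging the dropped value (or returning an error for a cluster-scoped manifest that carries a namespace) would surface the misconfiguration instead of hiding it. Minor: the doc comment should say "determines the namespace of the given manifest" rather than "fix the namespace". Note also that the two lines `for i := range manifests {` / `manifests[i].Key.Namespace = namespace` shown between the `if !ok` block and `namespace := ""` are the removed loop from the old side of the split view, not part of the new function body.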
📝 Check the current logic
I tested it using QuickSync with the scenario below, and it works well.
scenario:
I chose and tried them with ClusterRole (cluster scoped) and Deployment (namespaced) resources.
checkpoint:
Seems good to me.
I commented on one nitpick for your information.
secretDecrypter: sd,
gitRepos: make(map[string]git.Repo),
syncStates: make(map[string]model.ApplicationSyncState),
isNamespacedResources: make(map[schema.GroupVersionKind]bool),
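Review bot: `isNamespacedResources` is constructed as an empty map on the last line of this hunk, and `determineNamespace` in the loader hunk above returns "unknown resource kind" for any GVK the map does not contain, so every manifest check fails until the map has been filled from the cluster; worth confirming that the fetch always runs before the first check. Since nothing in this hunk writes to the map, leaving it `nil` (the zero value) reads identically and avoids the allocation.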
nits
isNamespacedResources seems to be an immutable map. After construction, there is no operation to add an element to this map.
In this case, a nil map is enough to express an empty map.
example code
https://go.dev/play/p/A8qeO9dCyuw
After that, I removed isNamespacedResources from the struct detector because it currently gets it every time it executes the detector's check logic. 🙏 a885bab
LGTM
Great work, thank you 🪨
greatest work
a885bab to 3c1a493
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
Details:
- [feat] get the resource info from the actual cluster in the deployExecutor.Execute
- [feat] implement the loader.refineNamespace to infer the namespace from the manifests and app.pipecd.yaml stored in the git repo
- [refactor] fix loader.NewLoader to pass isNamespacedResource
  - deployExecutor
  - rollbackExecutor
- [refactor] fix to pass isNamespacedResource on detector
  - [memo] detector checks the diff by 1 minute. It might think about the amount of the traffic to the k8s cluster.
- [refactor] fix to pass isNamespacedResource on planner
- [refactor] fix to pass isNamespacedResource on planpreview
- [refactor] remove the logic to fix the namespace when creating the resource key on MakeResourceKey
  - maybe this is the refactoring for livestatestore
- [refactor] use the actual resource key, not the annotation's one.
Signed-off-by: Yoshiki Fujikane <ffjlabo@gmail.com>
3c1a493 to 5a83716
Thank you for reviewing 🙏
This reverts commit 8129078. Signed-off-by: Yoshiki Fujikane <40124947+ffjlabo@users.noreply.github.com>
What this PR does / why we need it:
This fix will solve the problem that the cluster-scoped resource can't be deleted when we set the namespace in app.pipecd.yaml.
context: #4269 (comment)

Currently, we use the resource key to identify each k8s resource. It is created by MakeResourceKey, and the rule is below.
- livestate side
  - default when the resource obj doesn't have the namespace.
- When reading the manifests from git
  - spec.input.namespace in app.pipecd.yaml if it is set.
  - default when the namespace on the manifest is "".

This rule doesn't consider the cluster-scoped resource. So for example, a cluster-scoped resource doesn't have any namespace, but if we set the spec.input.namespace in the app.pipecd.yaml, it sets the value as the namespace in the resource key. This causes the problem that we can't prune the resource because the resource key can't identify the resource correctly.

So I fixed the logic like below.
expected behavior
- livestate side
- When reading the manifests from git
  - spec.input.namespace in app.pipecd.yaml if it is set.
  - default if both of spec.input.namespace and the namespace are not set

Which issue(s) this PR fixes:
Part of #4269
Does this PR introduce a user-facing change?:
How are users affected by this change:
Is this breaking change:
How to migrate (if breaking change):
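Added example, not code from the pipecd project or from this PR: a small Go model of the resource-key rule the description above explains, with the pre-fix rule next to the post-fix determineNamespace order, run on the ClusterRole scenario from the description. It also covers the nit about the namespaced-ness table further up, reading it as a nil map. The type names, `Loader`, `OldResourceKey`, `OldLiveKey`, `NewResourceKey` and `NewLiveKey` are this example's own, and keying live objects by the namespace the cluster reports is an assumption about the livestate side, whose bullet the description leaves empty.

```go
package main

import "fmt"

// GroupVersionKind identifies a Kubernetes resource type; it stands in for
// schema.GroupVersionKind from k8s.io/apimachinery so the example runs offline.
type GroupVersionKind struct{ Group, Version, Kind string }

// ResourceKey is the identity used to match a manifest from git against a live
// object in the cluster (constructed for this example, not the project's type).
type ResourceKey struct {
	GVK       GroupVersionKind
	Namespace string
	Name      string
}

// Manifest is the minimal view of a manifest, or of a live object, needed here.
// Namespace is metadata.namespace as written ("" when absent).
type Manifest struct {
	GVK       GroupVersionKind
	Namespace string
	Name      string
}

// Loader carries the two inputs the namespace decision consults:
// spec.input.namespace from app.pipecd.yaml and the namespaced-ness table
// fetched from the cluster's discovery API (hypothetical type for this example).
type Loader struct {
	InputNamespace        string
	IsNamespacedResources map[GroupVersionKind]bool
}

// OldResourceKey reproduces the pre-fix git-side rule from the PR description:
// spec.input.namespace if set, otherwise "default" when the manifest has no
// namespace. It never asks whether the kind is namespaced at all.
func OldResourceKey(l *Loader, m Manifest) ResourceKey {
	ns := m.Namespace
	if ns == "" {
		ns = "default"
	}
	if l.InputNamespace != "" {
		ns = l.InputNamespace
	}
	return ResourceKey{GVK: m.GVK, Namespace: ns, Name: m.Name}
}

// OldLiveKey reproduces the pre-fix livestate rule: "default" whenever the live
// object carries no namespace, which includes every cluster-scoped object.
func OldLiveKey(live Manifest) ResourceKey {
	ns := live.Namespace
	if ns == "" {
		ns = "default"
	}
	return ResourceKey{GVK: live.GVK, Namespace: ns, Name: live.Name}
}

// DetermineNamespace follows the post-fix order: cluster-scoped kinds get "",
// namespaced kinds get "default", overridden by the manifest's own namespace,
// overridden by spec.input.namespace. A kind missing from the table is an error
// rather than a guess. Reading a nil map is safe in Go (zero value, ok == false),
// so a Loader whose table was never filled rejects every kind instead of panicking.
func (l *Loader) DetermineNamespace(m Manifest) (string, error) {
	namespaced, ok := l.IsNamespacedResources[m.GVK]
	if !ok {
		return "", fmt.Errorf("unknown resource kind %s/%s %s", m.GVK.Group, m.GVK.Version, m.GVK.Kind)
	}
	if !namespaced {
		return "", nil // a namespace written on a cluster-scoped manifest is dropped
	}
	ns := "default"
	if m.Namespace != "" {
		ns = m.Namespace
	}
	if l.InputNamespace != "" {
		ns = l.InputNamespace
	}
	return ns, nil
}

// NewResourceKey builds the git-side key with the post-fix rule.
func NewResourceKey(l *Loader, m Manifest) (ResourceKey, error) {
	ns, err := l.DetermineNamespace(m)
	if err != nil {
		return ResourceKey{}, err
	}
	return ResourceKey{GVK: m.GVK, Namespace: ns, Name: m.Name}, nil
}

// NewLiveKey keys a live object by the namespace the cluster reports, "" for
// cluster-scoped objects (assumption about the post-fix livestate side).
func NewLiveKey(live Manifest) ResourceKey {
	return ResourceKey{GVK: live.GVK, Namespace: live.Namespace, Name: live.Name}
}

var (
	ClusterRole = GroupVersionKind{"rbac.authorization.k8s.io", "v1", "ClusterRole"}
	Deployment  = GroupVersionKind{"apps", "v1", "Deployment"}
)

// The PR's scenario: spec.input.namespace is set and the app ships a ClusterRole.
func main() {
	l := &Loader{InputNamespace: "team-a",
		IsNamespacedResources: map[GroupVersionKind]bool{ClusterRole: false, Deployment: true}}
	git := Manifest{GVK: ClusterRole, Name: "reader"}
	live := Manifest{GVK: ClusterRole, Name: "reader"} // cluster reports no namespace
	fmt.Println("old keys match:", OldResourceKey(l, git) == OldLiveKey(live)) // false: team-a vs default
	nk, _ := NewResourceKey(l, git)
	fmt.Println("new keys match:", nk == NewLiveKey(live)) // true: both ""
}
```

Under the old rule the git-side key lands in `team-a` while the live ClusterRole is keyed under `default`, so the two never match and the object is never pruned; under the new rule both sides agree on an empty namespace, and a Deployment in the same app still resolves to `team-a`.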