[DEVHAS-53] Use a Kubernetes Job to Generate GitOps Resources

[johnmcollier]

What does this PR do?:

Note: This PR supersedes #231 and #241

This PR updates HAS to use a Kubernetes Job by default to generate GitOps resources.

In all the following is done:

• By default now in HAS, when GitOps resources need to be generated (either base or overlays) during the reconciliation of a Component/SEB, HAS will launch a Kubernetes Job that will execu
  • If the Job fails, HAS will attempt to retrieve the job's logs and report back the error message in the component/seb status. If logs cannot be retrieved, or the job never launched, a separate error message is reported instead
  • The Job will be considered "failed" after a 5 minute timeout, or 5 successive failures.
• If HAS is launched with the DO_LOCAL_GITOPS_GEN environment variable, HAS will instead generate the GitOps resources locally, instead of using a job
• Additionally, if HAS is launched with the ALLOW_LOCAL_GITOPS_GEN environment variable, any Component or SEB with the allowLocalGitOpsGen annotation set to true, will have its GitOps resources generated locally
• The gitops/ package and subpackages have been moved to the new gitops-generator/ submodule.
• Testing:
  • Tests added for the new gitops-generator/ submodule
  • GitHub actions to build and test the new module, along with pushing its image up to quay.io/redhat-appstudio/gitops-generator
  • Controller tests updated to test both generation-locally, and generation-by-job.

Which issue(s)/story(ies) does this PR fixes:

https://issues.redhat.com/projects/DEVHAS/issues/DEVHAS-53?filter=allopenissues

PR acceptance criteria:

• Unit/Functional tests

• Documentation

• Client Impact

How to test changes / Special notes to the reviewer:

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: johnmcollier

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[maysunfaisal]

revert

[johnmcollier]

Oof

[johnmcollier]

Fixed.

[maysunfaisal]

probably pull the latest here

[maysunfaisal]

how come this is removed

[johnmcollier]

That is... a good question. I think it's a holdover from earlier testing. This should be reverted

[johnmcollier]

Fixed.

[maysunfaisal]

If AllowLocalGitopsGen allows certain resources to generate gitops locally then how come we need r.AllowLocalGitopsGen? By this if statement the controller needs r.AllowLocalGitopsGen to be true always irrespective of the annotation. Am I wrong or something? 🤔

[johnmcollier]

Because I didn't want to always allow local GitOps generation, only if we explicitly chose to enable it.

TBH, this is primarily for testing, since suite_test.go sets the fields for Reconcilers, so we can't toggle DoLocalGitopsGen between false/true fort the controller tests

[maysunfaisal]

comments here in these files

[johnmcollier]

Fixed

[maysunfaisal]

Why do we create job in the application service namespace as default?

[johnmcollier]

The GitOps secret & service account are already present in the HAS namespace + avoids using up user quota for resources in the user namespace

[maysunfaisal]

nit: I'd declare this as a const

[johnmcollier]

Yeah, oops. Agreed.

[johnmcollier]

Fixed.

[kim-tsao]

Is it wise to pull in the latest? what if there are breaking changes from the repo? We should probably consider having releases on the gitops-generator repo and pulling in image versions that we know are compatible/tested with HAS eventually

[maysunfaisal]

We need to start doing releases in gitops-generator repo.. But if we dont pull in the latest here, we are going to get some of the errors back we faced in infra-deploy PR 1291!

[kim-tsao]

yes, agreed for now but something to think about once we stabilize

[maysunfaisal]

curious as to why a clientset is being used here, rather than a call with the client, something like:

err = client.List(ctx, jobPodList,
		client.InNamespace(jobNamespace),
		client.MatchingLabels{label: "job-name=" + jobName})

[johnmcollier]

No reason in particular. Figured since I had to use the clientset to get the logs, I might as well be consistent and use it to get the pods too.

[maysunfaisal]

do we need a default here if its empty

[johnmcollier]

Yes, otherwise go linting complains about using it with a channel, but this was the most straightforward approach

[maysunfaisal]

if we return like return r.CleanUpJobAndReturn() then the gitopsjob.WaitForJob() err will be lost

[johnmcollier]

CleanUpJobAndReturn explicitly only logs the error from the deletion, and we return the original error from WaitForJob.

func (r *ComponentReconciler) CleanUpJobAndReturn(log logr.Logger, jobName, jobNamespace string, err error) error {
	delErr := gitopsjob.DeleteJob(context.Background(), r.Client, jobName, jobNamespace)
	if delErr != nil {
		log.Error(err, "unable to delete gitops-generation job")
	}
	return err
}

It's a little clunky but should do the trick

[maysunfaisal]

you need to make this call in GenerateGitopsBase() otherwise we will have a host of temp dirs for every reconcile

[johnmcollier]

Fixed

[maysunfaisal]

🤔 not sure why

[johnmcollier]

Found on a GitHub issue I can no longer find. Without the sleep the tests will sometimes fail to stop at the end of execution.

[johnmcollier]

kubernetes-sigs/controller-runtime#1571

[maysunfaisal]

no delete happening

[johnmcollier]

That's awkward. Oops

[johnmcollier]

Fixed

[maysunfaisal]

do we need to mention the job resource and its verbs here

[johnmcollier]

Not strictly necessary since the component controller specifies them, but I'll add them here to just to be consistent.

[johnmcollier]

Fixed

[openshift-ci]

@johnmcollier: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	d24a233	link	true	/test images
ci/prow/application-service-e2e	d24a233	link	true	/test application-service-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.