-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change/local only medusaconfig #1267
Conversation
faa8685
to
fe58745
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1267 +/- ##
==========================================
+ Coverage 57.43% 57.56% +0.12%
==========================================
Files 103 103
Lines 10808 10895 +87
==========================================
+ Hits 6208 6272 +64
- Misses 4063 4082 +19
- Partials 537 541 +4
|
I almost have this sorted but I do have one reservation. I've gone through and made all of the MedusaConfigs in the existing tests share a namespace with the K8ssandraCluster. This allows the tests to pass because the webhook doesn't reject the request. However, there is a potential issue here where we're not actually testing the new ReplicatedSecret functionality anywhere, because the tests now all assume the new codepath. I think perhaps we're going to need to have an isolated test which disables the webhook and that will allow MedusaConfigs to be created in a separate namespace to the K8ssandraCluster. |
371cbcb
to
ec6e2ba
Compare
Implemented in this PR so far:
This is far beyond the original scope of the PR, I can create tickets for these for posterity if we want them, but given how much time I’ve spent already I thought I’d just leave it for now unless someone wants them. Not implemented in this PR so far:
If we do want to implement item (2) here, is there anywhere else where we've disabled the webhook for a group of tests? I'll try to avoid creating more new stuff if possible. |
b2606ef
to
16b62b4
Compare
@@ -254,12 +253,12 @@ func (r *K8ssandraClusterReconciler) mergeStorageProperties( | |||
} | |||
storageProperties := &medusaapi.MedusaConfiguration{} | |||
// Deprecated: This code path can be removed at version 1.17, as MedusaConfigs should now always be namespace-local to the K8ssandraCluster referencing them. | |||
configNamespace := utils.FirstNonEmptyString(medusaSpec.MedusaConfigurationRef.Namespace, namespace) | |||
configNamespace := utils.FirstNonEmptyString(medusaSpec.MedusaConfigurationRef.Namespace, desiredKc.Namespace) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On line 42 we use FirstNonEmptyString to pick from two places that can possibly carry the information. That pick would be effective all the way here because of the namespace variable. Now that you removed the variable, there might be a case where the desiredKc won't have the namespace set.
I'm also trying to remember why I put the FirstNonEmptyString in the first place. The strongest memory is that tests needed it (it's really sad that tests require you to alter the actual code). The other option I can think of is a multicluster setup where the cross-namespace reference actually happens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very nice, it now behaves as I expect it to 👏
The naming of the new replicated secret needs fixing.
scripts/setup-kind-multicluster.sh
Outdated
@@ -42,7 +42,7 @@ EOF | |||
} | |||
|
|||
registry_name='kind-registry' | |||
registry_port='5000' | |||
registry_port='5001' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue: this will break other folks setup and we should rather fix our laptops to avoid the conflict.
Could we keep 5000 as default and override it based on an env variable instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would it break the setups of others? My understanding is that the airplay service on Mac runs on port 5000 and this is consistent across all MacOS machines. I do not know if you can configure this port but I suspect it might take some finagling around relatively deep in the system.
Is there another commonly used service on port 5000 which others in the team are using and which will block this fix from working? I know we can't guarantee that nothing is on 5000 globally, but if there is a service on that port on the most common OS used in the team, trying to use it for the registry seems like a bad idea.
I've just extended the timeout on the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue: the original secret (the one referenced by the MedusaConfiguration) gets deleted when a K8ssandraCluster which references the MedusaConfiguration gets deleted.
IIRC, you need to place the "orphan" label on the secret so that it doesn't get deleted.
What's funny is that indeed the replicas of this secret didn't get cleaned up due to I think known bugs in the ReplicatedSecrets API :D
That should not be happening. It is not owned by the K8ssandraCluster. Under what circumstances are you seeing this behaviour, what namespaces are the various resources in? There should now be cleanup of the ReplicatedSecret because it IS owned, any failure to clean up the replicas are going to be out of scope here as this is indeed a rRplicatedSecret issue. EDIT: no that's not it either. This code goes and selects secrets according to their labels. And if you look at the labels on the secret that is getting deleted, it doesn't have the replication labels that should mark it for deletion... |
Ignore this... I figured it out. The ReplicatedSecret's finalizer code must not be taking account of the prefixed secret name. So it is cleaning up the original (which is in the same namespace, which wasn't previously allowed because names would have clashed) and not the replica. EDIT: no that's not it either. The secret deletion happens according to the labels, and this secret doesn't have labels that should mark it for deletion:
|
cac8f02
to
8f8987d
Compare
…Namespace (with a prefix) and also the DC1 namespace.
…Config controller.
…f 20 min at times.
…d only be replicating secrets from their local namespace.
…icated due to having no target prefix.
8f8987d
to
0646413
Compare
CHANGELOG/CHANGELOG-1.14.md
Outdated
* [BUGFIX] [#1266](https://github.com/k8ssandra/k8ssandra-operator/issues/1266) MedusaConfigurations must now be namespace local to the K8ssandraCluster they are attached to. Additionally, ReplicatedSecrets should only pick up secrets from their local namespace to replicate. | ||
* [BUGFIX] [#1217](https://github.com/k8ssandra/k8ssandra-operator/issues/1217) Medusa storage secrets now use a ReplicatedSecret for synchronization, fixing an issue where changes to the secrets were not propagating. Additionally, fix a number of issues with local testing on ARM Macs. | ||
* [BUGFIX] [#1253](https://github.com/k8ssandra/k8ssandra-operator/issues/1253) Medusa storage secrets are now labelled with a unique label. | ||
* [FEATURE] [#1260](https://github.com/k8ssandra/k8ssandra-operator/issues/1260) Update controller-gen to version 0.14.0. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: Why do we have new entries in both 1.14 and 1.15?
Co-authored-by: Alexander Dejanovski <[email protected]>
Quality Gate passedIssues Measures |
What this PR does:
Deprecates functionality allowing the usage of MedusaConfigurations from remote namespaces within the K8ssandraCluster.
Ensures that the webhook throws an error when one is created.
Replaces the existing secret copy mechanism with the standard ReplicatedSecret replication mechanism, ensuring that the downstream target secret will be updated in future.
Which issue(s) this PR fixes:
Fixes #1266, #1217
Checklist