Adding logic to process BR and BAR deletes. #29
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: brahmaroutu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
brahmaroutu
force-pushed
the
controller_code_finalizer
branch
2 times, most recently
from
63a2838 to
e62441a
Compare
k8s-ci-robot
added
the
needs-rebase
| @@ -57,13 +58,24 @@ func (b *bucketAccessRequestListener) Add(ctx context.Context, obj *v1alpha1.Buc | |||
| return nil | |||
| } | |||
|
|
|||
| // Update is called in response to a change to BucketAccessRequesst. At this point | |||
| @@ -57,13 +58,24 @@ func (b *bucketAccessRequestListener) Add(ctx context.Context, obj *v1alpha1.Buc | |||
| return nil | |||
| } | |||
|
|
|||
| // Update is called in response to a change to BucketAccessRequesst. At this point | |||
There was a problem hiding this comment.
For L48 do we want to validate that the existing BA is for this BAR?
Update: I see this is not necessary.
| func (b *bucketAccessRequestListener) Update(ctx context.Context, old, new *v1alpha1.BucketAccessRequest) error { | ||
| glog.V(1).Infof("Update called for BucketAccessRequest %v", old.Name) | ||
| if (old.ObjectMeta.DeletionTimestamp == nil) && |
There was a problem hiding this comment.
Is this condition guaranteed by k8s to exist upon delete of the BAR? Is it ever possible to miss the initial delete event but catch the following BAR update and now both timestamps != nil?
There was a problem hiding this comment.
yeah, we should just check if new.DeletionTimestamp != nil
| // Update is called in response to a change to BucketAccessRequesst. At this point | ||
| // BucketAccess cannot be changed once created as the Provisioner might have already acted upon the create BucketAccess and created the backend Bucket Credentials | ||
| // Changes to Protocol, Provisioner, BucketInstanceName, BucketRequest cannot be allowed. Best is to delete and recreate a new BucketAccessRequest | ||
| // Changes to ServiceAccount, PolicyActionsConfigMapData and Parameters should be considered in lieu with sidecar implementation | ||
| func (b *bucketAccessRequestListener) Update(ctx context.Context, old, new *v1alpha1.BucketAccessRequest) error { | ||
| glog.V(1).Infof("Update called for BucketAccessRequest %v", old.Name) |
There was a problem hiding this comment.
Many of these logs only show the BAR name but omit its namespace. Thus the logged name may not be unique.
There was a problem hiding this comment.
I see no change to reflect ns in log msgs.
There was a problem hiding this comment.
I fixed it by using ns/name format.
| // Delete is in response to user deleting a BucketAccessRequest. The call here will respond by deleting a BucketAccess Object. | ||
| func (b *bucketAccessRequestListener) Delete(ctx context.Context, bucketAccessRequest *v1alpha1.BucketAccessRequest) error { | ||
| glog.V(1).Infof("Delete called for BucketAccessRequest %v", bucketAccessRequest.Name) | ||
|
|
There was a problem hiding this comment.
In L92 below do we want to check that the existing BA belongs to this BAR?
There was a problem hiding this comment.
In L97 below should err "IsMissing" be checked. IOW, a non-nil error could be an intermittent API failure and COSI should retry. How it is coded COSI won't retry.
There was a problem hiding this comment.
In L103 below I think we need more robust code here. If we cannot get the BR we don't necessarily have an "invalidBucketRequest". It could be an intermittent API failure and a retry will fix that. It could be that the BR was deleted and we have a problem since the BAR requires a BR. In either case I think we need a more accurate error msg.
There was a problem hiding this comment.
In L112 below is there a max on how long we wait? Is this built into some max value the controller is created with?
There was a problem hiding this comment.
In L92 below do we want to check that the existing BA belongs to this BAR? - Yes
In L97 below should err "IsMissing" be checked. IOW, a non-nil error could be an intermittent API failure and COSI should retry. How it is coded COSI won't retry. - Any error would trigger retry and this error will cause retry
In L103 below - BAR is not present we simply retry until we backoff?
L112 - retry is configurable.
There was a problem hiding this comment.
nit: L99 comment should say BA not found rather than bucket not found.
| @@ -119,7 +131,7 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context, | |||
| UID: sa.ObjectMeta.UID} | |||
| // bucketaccess.Spec.MintedSecretName - set by the driver | |||
| bucketaccess.Spec.PolicyActionsConfigMapData, err = util.ReadConfigData(b.kubeClient, bucketAccessClass.PolicyActionsConfigMap) | |||
| if err != nil { | |||
| if err != nil && err != util.ErrNilConfigMap { | |||
There was a problem hiding this comment.
Is the CM now optional in the BAC? The KEP says it is required.
There was a problem hiding this comment.
not sure what you meant, should I not check if CM is empty? Nothing guarantees that the CM is populated, we never catch that any other place.
There was a problem hiding this comment.
My point is that if the CM ref pointer is nil then we don't return an error here, which, to me, means that BAC.CM is optional. If a BAC admission controller is ensuring the BAC.CM ref field is filled in then we should should not have to check for a nil CM ref.
| @@ -119,7 +131,7 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context, | |||
| UID: sa.ObjectMeta.UID} | |||
| // bucketaccess.Spec.MintedSecretName - set by the driver | |||
| bucketaccess.Spec.PolicyActionsConfigMapData, err = util.ReadConfigData(b.kubeClient, bucketAccessClass.PolicyActionsConfigMap) | |||
| if err != nil { | |||
| if err != nil && err != util.ErrNilConfigMap { | |||
| return err | |||
| } | |||
| // bucketaccess.Spec.Principal - set by the driver | |||
There was a problem hiding this comment.
For this and the other set by driver comment -- it's really set by the sidecar, right?
| @@ -131,6 +143,10 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context, | |||
| return err | |||
| } | |||
|
|
|||
| if !util.CheckFinalizer(bucketAccessRequest, util.BARDeleteFinalizer) { | |||
There was a problem hiding this comment.
In L159 above what about the case of the BA already existing? This would be true in brownfield access.
There was a problem hiding this comment.
brownfield case is not coded yet but my understanding is that brownfield case Bucket exist but BA/BAR works the same.
There was a problem hiding this comment.
The BA was just created so why do we need to check for the delete finalizer here? CheckFInalizer doesn't re-Get the object so we are dealing with the in-memory BA that was just created.
Nevermind. I mis-read the code and I see now that you're checking the BAR finalizer.
| @@ -131,6 +143,10 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context, | |||
| return err | |||
| } | |||
|
|
|||
| if !util.CheckFinalizer(bucketAccessRequest, util.BARDeleteFinalizer) { | |||
| bucketAccessRequest.ObjectMeta.Finalizers = append(bucketAccessRequest.ObjectMeta.Finalizers, util.BARDeleteFinalizer) | |||
There was a problem hiding this comment.
Does this append work if metadata.Finalizers is nil (empty)?
There was a problem hiding this comment.
should be fine as it is empty array.
| @@ -131,6 +143,10 @@ func (b *bucketAccessRequestListener) provisionBucketAccess(ctx context.Context, | |||
| return err | |||
| } | |||
|
|
|||
| if !util.CheckFinalizer(bucketAccessRequest, util.BARDeleteFinalizer) { | |||
There was a problem hiding this comment.
Why can't the finalizer be added to the bucketAccess.Metadata above, before the Create call? If this works, then you don't need to retry finalizer update block below.
There was a problem hiding this comment.
Finalizers to BA are addressed in the Provisioner as discussed.
| bucketaccess := b.FindBucketAccess(ctx, bucketAccessRequest) | ||
| if bucketaccess == nil { | ||
| // bucketaccess for this BucketAccessRequest is not found | ||
| return util.ErrBucketAccessDoesNotExist |
There was a problem hiding this comment.
Why is this an error? The BA is gone. Or do we want to retry?
There was a problem hiding this comment.
This is a know error that we need not retry.
brahmaroutu
force-pushed
the
controller_code_finalizer
branch
from
e62441a to
b104ba1
Compare
k8s-ci-robot
removed
the
needs-rebase
brahmaroutu
force-pushed
the
controller_code_finalizer
branch
2 times, most recently
from
6700e47 to
7b00219
Compare
|
@brahmaroutu pls fix build errors |
brahmaroutu
force-pushed
the
controller_code_finalizer
branch
from
7b00219 to
3b21a48
Compare
k8s-ci-robot
added
the
needs-rebase
brahmaroutu
force-pushed
the
controller_code_finalizer
branch
from
3b21a48 to
70a3891
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@wlan0 Can you please review |
|
@brahmaroutu: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR will address BR and BAR deletion using Finalizers that will protect BR and BAR objects until the corresponding backend Bucket and BucketAccess objects are deleted. This will make sure that the clean up is done correctly without leaving any dangling objects.
/assign @wlan0 @rrati
/ping @jeffvance