feat: Add v1alpha2 for SecretClass, rename experimentalGenerateSamAccountName #634
Conversation
Techassi
moved this from Development: In Progress
to Development: Waiting for Review
in Stackable Engineering
Techassi
changed the title
sbernauer
force-pushed
the
feat/crd-versioning
branch
from
761a56c to
29ccbdf
Compare
|
I can not approve my own PR but LGTM |
sbernauer
moved this from Development: Waiting for Review
to Development: In Review
in Stackable Engineering
|
I'll put this here for lack of a better place now. I tried installing this op version with OLM on OpenShift. OLM of course has the same problem as Helm (see comment above). It tries to create a I manually added the exported CRDs to OLM, but then the operator refuses to start with this error: No idea if this is expected or a bug. My 2 cents: I don't know why you decided to take CRD management out of the hands of package managers because I don't remember discussing it and I find no explanation. But I think one implication of this is that we now have to implement Helm ourselves by having to ensure object creation order at least. |
|
Tests on OKD are 🟢 though no test was added or updated for this PR. I removed Then I ran the test suite: |
All CRDs are now maintained (created and patched) by the operator. They are no longer deplyoed by Helm and as such are removed from the Helm Chart templates. A YAML file is still checked in (extra/crds.yaml) to ensure diffs are visible and tracked by Git. Co-authored-by: Sebastian Bernauer <[email protected]>
Co-authored-by: Sebastian Bernauer <[email protected]
The operator can now handle CRD conversions via a webhook and maintains it's own CRDs via the CRD maintainer. As such, it needs permissions to create and patch CRDs. Co-authored-by: Sebastian Bernauer <[email protected]>
Techassi
force-pushed
the
feat/crd-versioning
branch
from
788dd08 to
7d625cb
Compare
|
@sbernauer just discovered we run into issues when the cluster has more than a single node, because the secret-operator is deployed via a DaemonSet. We at least need to ensure that only one instance of the conversion webhook exists because otherwise the Kubernetes API server is unable to verify the TLS certificate. We will discuss how to move forward on Monday. |
The splits the deployment of the secret-operator as a whole into two parts: - The controller is deployed via a Deployment which ensures only a single instance of the secret-operator in controller mode is running in a Kubernetes cluster. This can potentially lead to perfomance issues and as such should be monitored going forward. - The CSI server is deployed via a DaemonSet (unchanged) as this server is needed on every node to provision requested secret volumes. This refactor is introduced in preparation for #634, in which only a single instance of the CRD conversion webhook must exist as otherwise TLS certificate verification will fail with multiple available certificates.
* refactor: Split into Deployment and DaemonSet The splits the deployment of the secret-operator as a whole into two parts: - The controller is deployed via a Deployment which ensures only a single instance of the secret-operator in controller mode is running in a Kubernetes cluster. This can potentially lead to perfomance issues and as such should be monitored going forward. - The CSI server is deployed via a DaemonSet (unchanged) as this server is needed on every node to provision requested secret volumes. This refactor is introduced in preparation for #634, in which only a single instance of the CRD conversion webhook must exist as otherwise TLS certificate verification will fail with multiple available certificates. * chore: Add changelog entry * chore: Update comment * refactor: Adjust values.yaml file to be closer to listener-operator * chore: Adjust changelog entry
* refactor: Split into Deployment and DaemonSet The splits the deployment of the secret-operator as a whole into two parts: - The controller is deployed via a Deployment which ensures only a single instance of the secret-operator in controller mode is running in a Kubernetes cluster. This can potentially lead to perfomance issues and as such should be monitored going forward. - The CSI server is deployed via a DaemonSet (unchanged) as this server is needed on every node to provision requested secret volumes. This refactor is introduced in preparation for #634, in which only a single instance of the CRD conversion webhook must exist as otherwise TLS certificate verification will fail with multiple available certificates. * chore: Add changelog entry * chore: Update comment * refactor: Adjust values.yaml file to be closer to listener-operator * chore: Adjust changelog entry
|
I ran some tests on a local multi-node kind cluster (one control-plane node and two worker nodes). The integration tests succeeded as expected: I also applied and retrieved a |
|
I also ran the Trino integration tests, they all (but two) passed on the first try. The failing ones passed as well when selectively running them. I wanted to paste the results here, but sadly I lost the results in my terminal buffer. |
|
Famous last words :D |
| # Load the latest CRDs from Nix | ||
| watch_file('result') | ||
| if os.path.exists('result'): | ||
| k8s_yaml('result/crds.yaml') | ||
|
|
There was a problem hiding this comment.
This will come back on the next templating run, until it's removed from there.
| webhook.stackable.tech/conversion: enabled | ||
| {{- include "operator.selectorLabels" . | nindent 4 }} |
There was a problem hiding this comment.
This will get overwritten by templating:
| # We generate a crds.yaml, so that the effect of code changes are visible. | ||
| # The operator will take care of the CRD rollout itself. | ||
| crds: | ||
| mkdir -p deploy/helm/"${OPERATOR_NAME}"/crds | ||
| cargo run --bin stackable-"${OPERATOR_NAME}" -- crd | yq eval '.metadata.annotations["helm.sh/resource-policy"]="keep"' - > "deploy/helm/${OPERATOR_NAME}/crds/crds.yaml" | ||
| mkdir -p extra | ||
| cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml |
There was a problem hiding this comment.
this will be overwritten by templating
| nix/** linguist-generated | ||
| Cargo.nix linguist-generated | ||
| crate-hashes.json linguist-generated | ||
| extra/crds.yaml linguist-generated |
There was a problem hiding this comment.
This will be overwritten by templating
There was a problem hiding this comment.
I think maybe we don't want to hide this as generated (even though it is). It could be handy during reviews to see the changes to the CRDs as a last-line-of-defense.
There was a problem hiding this comment.
Ohhh this is what this is for? Big +1, we should always review the actual CRD change :)
| image.tar | ||
|
|
||
| tilt_options.json | ||
| local_values.yaml |
There was a problem hiding this comment.
this will be overwritten by templating
There was a problem hiding this comment.
I can highly recommend adding _private/ to a global .gitignore, or adding * to _private/.gitignore for local stuff while keeping the branch clean.
|
I will make the operator-templating changes now |
|
|
||
| chart-clean: | ||
| rm -rf "deploy/helm/${OPERATOR_NAME}/configs" | ||
| rm -rf "deploy/helm/${OPERATOR_NAME}/crds" |
There was a problem hiding this comment.
Shouldn't this be kept, but changed to extra?
Techassi
moved this from Development: In Review
to Development: Done
in Stackable Engineering
4 participants
Part of stackabletech/issues#642
Note
Load-balancing over the secret-op DaemonSet Pods did not work on clusters with multiple nodes, see #634 (comment). This has been addressed in #645 and #646.
This PR marks
samAccountNameas non-experimental as per #627. It is the first use of thestackable-versionedmacro as well as the conversion webhook machinery. See #634 (comment) for the release note.Note
This PR makes changes to things that are templated by operator-templating! We are aware of this and will have a diff until we roll this out to all operators and update operator-templating. secret-operator is our guinea-pig