CFE-1133: Watch Infrastructure and update AWS tags #137
Conversation
|
@chiragkyal: This pull request references CFE-1133 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
chiragkyal
force-pushed
the
aws-tags
branch
3 times, most recently
from
3d5641f
to
f413d74
Compare
|
/test images |
|
/retest-required |
|
/test all |
chiragkyal
force-pushed
the
aws-tags
branch
from
afad1c2
to
deb501d
Compare
|
@chiragkyal: This pull request references CFE-1133 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
chiragkyal
changed the title
chiragkyal
force-pushed
the
aws-tags
branch
2 times, most recently
from
c177a9c
to
48c649a
Compare
|
/retest-required |
- Added watch on Infrastructure object to detect changes in PlatformStatus.AWS.ResourceTags. - Merged tags from AWSLoadBalancerController.Spec.AdditionalResourceTags and PlatformStatus.AWS.ResourceTags, prioritizing operator spec tags. Signed-off-by: chiragkyal <[email protected]>
|
/retest |
|
/assign @alebedev87 |
|
/retest |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest-required |
chiragkyal
force-pushed
the
aws-tags
branch
2 times, most recently
from
54edf38
to
650dd1b
Compare
|
/retest-required |
|
/retest-required |
1 similar comment
|
/retest-required |
Signed-off-by: chiragkyal <[email protected]>
|
/retest-required |
| managed, err := isManagedServiceCluster(context.TODO(), kubeClientSet) | ||
| if err != nil { | ||
| t.Fatalf("failed to check managed cluster %v", err) | ||
| } | ||
| if managed { | ||
| t.Skip("Infrastructure status cannot be directly updated on managed cluster, skipping...") | ||
| } |
There was a problem hiding this comment.
Infrastructure status cannot be directly updated on ROSA clusters. Hence skipping the test.
| func isManagedServiceCluster(ctx context.Context, adminClient kubernetes.Interface) (bool, error) { | ||
| _, err := adminClient.CoreV1().Namespaces().Get(ctx, "openshift-backplane", v1.GetOptions{}) | ||
| if err == nil { | ||
| return true, nil | ||
| } | ||
|
|
||
| if !errors.IsNotFound(err) { | ||
| return false, err | ||
| } | ||
|
|
||
| return false, nil | ||
| } |
There was a problem hiding this comment.
This check is inspired by https://github.com/openshift/origin/pull/29216/files#diff-35a89a7a7362642eebb559fb8564e857b00d6f7dd6322c3adabaf1adbd609d35R2267-R2278 implementation.
xRef: Slack discussion
There was a problem hiding this comment.
Can you please add this link as a comment so that it would be easier to track this later?
There was a problem hiding this comment.
Sure, added the PR link as code comment
| } | ||
|
|
||
| func desiredContainerArgs(controller *albo.AWSLoadBalancerController, clusterName, vpcID string) []string { | ||
| func desiredContainerArgs(controller *albo.AWSLoadBalancerController, platformStatus *configv1.PlatformStatus, clusterName, vpcID string) ([]string, error) { |
There was a problem hiding this comment.
Cluster name and vpcID are still more fundamental inputs for the flags than the resource tags:
| func desiredContainerArgs(controller *albo.AWSLoadBalancerController, platformStatus *configv1.PlatformStatus, clusterName, vpcID string) ([]string, error) { | |
| func desiredContainerArgs(controller *albo.AWSLoadBalancerController, clusterName, vpcID string, platformStatus *configv1.PlatformStatus) ([]string, error) { |
| platformStatus := infraConfig.Status.PlatformStatus | ||
| if platformStatus == nil { | ||
| return ctrl.Result{}, fmt.Errorf("failed to determine infrastructure platform status: status.platformStatus is nil") | ||
| } |
There was a problem hiding this comment.
Can the platform status ever be nil? If it can, I don't think we have to block the reconciliation - we just don't add platform tags in that case.
There was a problem hiding this comment.
platform status should not be nil for clusters deployed on AWS. We need the AWS region as well from the platform status for the operator to function correctly.
aws-load-balancer-operator/main.go
Lines 230 to 233 in 59f0616
So, I think we should block the reconciliation if it is nil
There was a problem hiding this comment.
We need the AWS region as well from the platform status for the operator to function correctly.
Right, that's what we ensure at the startup of the operator. The region is fundamental for the operator, without it the operator cannot function. Unlike resource tags (platform or additional).
I don't see why a cluster may not have any platform resource tags. So, I consider platformStatus==nil as the same use case as "customer didn't set any resource tags during installation".
| // `--default-tags` arg allows a maximum of 24 user tags, but the combination of | ||
| // controller.Spec.AdditionalResourceTags and platformStatus.AWS.ResourceTags can result in more. | ||
| // Ensure a maximum of 24 merged tags are added. | ||
| if len(tags) > 24 { |
There was a problem hiding this comment.
Can this be a constant? And can you please add some links which confirm this number. AWS limitation is 50 tags per resource so I don't quite get where 24 is coming from.
There was a problem hiding this comment.
24 is coming from the validation added for the AdditionalResourceTags field.
aws-load-balancer-operator/api/v1/awsloadbalancercontroller_types.go
Lines 61 to 77 in 59f0616
Since we are now merging these tags with the Infrastructure tags, isn't this number still valid?
| // Add tags from platformStatus.AWS.ResourceTags to the map, only if the key doesn't exist | ||
| if platformStatus.AWS != nil && len(platformStatus.AWS.ResourceTags) > 0 { | ||
| for _, t := range platformStatus.AWS.ResourceTags { | ||
| if len(t.Key) > 0 { |
There was a problem hiding this comment.
platformStatus.AWS.ResourceTags.Key has OpenAPI schema validations which exclude empty value:
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=128
// +kubebuilder:validation:Pattern=`^[0-9A-Za-z_.:/=+-@]+$`
So, this is redundant.
There was a problem hiding this comment.
Thanks for the catch. Removed the if block.
| if tc.platformStatus == nil { | ||
| tc.platformStatus = &configv1.PlatformStatus{} | ||
| } |
There was a problem hiding this comment.
I think we should handle the nil case inside the function. That is, if platformStatus is nil we just don't add platform tags.
There was a problem hiding this comment.
Due to #137 (comment) reason, I think having nil platformStatus won't even start the operator.
| @@ -854,11 +962,15 @@ func TestEnsureDeploymentEnvVars(t *testing.T) { | |||
| VPCID: "test-vpc", | |||
| AWSRegion: testAWSRegion, | |||
| } | |||
| _, err := r.ensureDeployment(context.Background(), tc.serviceAccount, "test-credentials", "test-serving", tc.controller, nil) | |||
| _, err := r.ensureDeployment(context.Background(), tc.serviceAccount, "test-credentials", "test-serving", tc.controller, &configv1.PlatformStatus{}, nil) | |||
There was a problem hiding this comment.
Same comment about nil value being handled inside the function as other args of this function.
There was a problem hiding this comment.
Due to the same reason, I think we won't even reach upto ensureDeployment if platformStatus is nil.
test/e2e/operator_test.go
Outdated
| alb.Spec.AdditionalResourceTags = []albo.AWSResourceTag{ | ||
| {Key: "op-key1", Value: "op-value1"}, | ||
| {Key: "conflict-key1", Value: "op-value2"}, | ||
| {Key: "conflict-key2", Value: "op-value3"}, | ||
| } |
There was a problem hiding this comment.
Can you add this to albcBuilder? Something like withTags(map[string]string).
There was a problem hiding this comment.
I just now observed that there is already a similar function: withResourceTags(map[string]string). I've updated it to use this function instead. Thanks for the suggestion.
|
|
||
| // Check `--default-tags` arg for tags present in alb instance and infra status (initialInfraTags) | ||
| expectedTagValue := "conflict-key1=op-value2,conflict-key2=op-value3,op-key1=op-value1,plat-key1=plat-value1" | ||
| assertContainerArgFromDeployment(t, dep, awsLoadBalancerControllerContainerName, "--default-tags", expectedTagValue) |
There was a problem hiding this comment.
This test is not quite different from the unit tests for desired deployment. We already assure the deployment gets the right flag values. I think the e2e test should check the the result of ALBC's job - load balancers. You can use https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 to check the infrastructure tags are propagated to a load balancer.
There was a problem hiding this comment.
I was thinking differently. The task of the ALBO is to set the flags correctly, next it's the job of ALBC to consume those flags and take necessary actions (adding tags in this case). If we can validate that the --default-tags flag is getting populated correctly, I hope we can trust ALBC to propagate them to a load balancer.
I would expect ALBC's e2e to query the tags using https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2
In case of CIO also, we did a similar check. We're checking whether the operator has correctly set the annotations or not. https://github.com/openshift/cluster-ingress-operator/pull/1148/files#diff-cf4b4e5424070a666a364d1d1b04011478d888d6d3d65c943ca7783333b7a6e4R1356-R1358
There was a problem hiding this comment.
The task of the ALBO is to set the flags correctly, next it's the job of ALBC to consume those flags and take necessary actions (adding tags in this case). If we can validate that the --default-tags flag is getting populated correctly, I hope we can trust ALBC to propagate them to a load balancer.
We don't have much control over what's validated upstream. The e2e tests for our addon operators verify use cases we think are nominal for our customers. And the idea here is to go from one end (API) to the other end (load balancers). That's why all the other e2e tests send real traffic to check the load balancers are in the shape we expect them to be. The validation of the expected values for --default-tags flag is what a unit test can do even without envtest, a fake Kube client would be enough.
I would expect ALBC's e2e to query the tags using https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2
I would expect too. But I don't think we know this for sure.
In case of CIO also, we did a similar check. We're checking whether the operator has correctly set the annotations or not. https://github.com/openshift/cluster-ingress-operator/pull/1148/files#diff-cf4b4e5424070a666a364d1d1b04011478d888d6d3d65c943ca7783333b7a6e4R1356-R1358
C-I-O case is different. The creation of load balancers for Services is out of control of C-I-O, it's not done by anything C-I-O manages or being responsible for.
Frankly speaking, I would be ok if this feature would come with a set of unit tests only. However since you already into the e2e stage, we should be consistent with the rest of the tests and go to very end (AWS).
| func isManagedServiceCluster(ctx context.Context, adminClient kubernetes.Interface) (bool, error) { | ||
| _, err := adminClient.CoreV1().Namespaces().Get(ctx, "openshift-backplane", v1.GetOptions{}) | ||
| if err == nil { | ||
| return true, nil | ||
| } | ||
|
|
||
| if !errors.IsNotFound(err) { | ||
| return false, err | ||
| } | ||
|
|
||
| return false, nil | ||
| } |
There was a problem hiding this comment.
Can you please add this link as a comment so that it would be easier to track this later?
Signed-off-by: chiragkyal <[email protected]>
|
@chiragkyal: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This PR adds support for AWS user tags specified in the platform status. Tags can be managed centrally in the
PlatformStatusand have them automatically applied to resources managed by the ALBC.Infrastructureobject to detect changes in theplatformStatus.AWS.ResourceTagsfield.AWSLoadBalancerController.Spec.AdditionalResourceTagsand thePlatformStatus.AWS.ResourceTagsinto a single list, prioritizing tags from the operator spec.--default-tagsargument.Implements CFE-1133