HIVE-2891: Add new HiveConfig field "HiveImagePullSecretRef"

[dlom]

xref: HIVE-2891

/assign @2uasimojo
/cc @huangmingxia

When deploying hive from a private image repository, in addition to supplying an imagePullSecret to the hive operator deployment, users will need to specify this same secret on the HiveConfig. With this change, private image users will be able to provision clusters from any namespace, not just Hive's namespace

[openshift-ci-robot]

@dlom: This pull request references HIVE-2891 which is a valid jira issue.

In response to this:

xref: HIVE-2891

/assign @2uasimojo
/cc @huangmingxia

When deploying hive from a private image repository, in addition to supplying an imagePullSecret to the hive operator deployment, users will need to specify this same secret on the HiveConfig.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dlom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@dlom: This pull request references HIVE-2891 which is a valid jira issue.

In response to this:

xref: HIVE-2891

/assign @2uasimojo
/cc @huangmingxia

When deploying hive from a private image repository, in addition to supplying an imagePullSecret to the hive operator deployment, users will need to specify this same secret on the HiveConfig. With this change, private image users will be able to provision clusters from any namespace, not just Hive's namespace

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

❌ Patch coverage is 28.57143% with 95 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.03%. Comparing base (717017d) to head (3bf80ae).
⚠️ Report is 6 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/operator/hive/hive.go	0.00%	68 Missing ⚠️
pkg/install/generate.go	35.71%	9 Missing ⚠️
.../clusterdeployment/clusterdeployment_controller.go	83.33%	2 Missing and 2 partials ⚠️
pkg/controller/utils/utils.go	42.85%	4 Missing ⚠️
pkg/controller/utils/podconfig.go	0.00%	2 Missing ⚠️
pkg/operator/hive/dynamicclient.go	0.00%	2 Missing ⚠️
pkg/operator/hive/hiveadmission.go	0.00%	2 Missing ⚠️
pkg/operator/hive/operatorutils.go	0.00%	2 Missing ⚠️
pkg/operator/hive/sharded_controllers.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2734      +/-   ##
==========================================
- Coverage   50.16%   50.03%   -0.14%     
==========================================
  Files         288      288              
  Lines       34065    34240     +175     
==========================================
+ Hits        17090    17133      +43     
- Misses      15626    15756     +130     
- Partials     1349     1351       +2     

Files with missing lines	Coverage Δ
pkg/constants/constants.go	100.00% <100.00%> (ø)
.../controller/clusterdeployment/clusterprovisions.go	62.35% <100.00%> (+0.07%)	⬆️
pkg/imageset/generate.go	97.64% <100.00%> (+0.05%)	⬆️
pkg/operator/hive/hive_controller.go	0.00% <ø> (ø)
...om/openshift/hive/apis/hive/v1/hiveconfig_types.go	0.00% <ø> (ø)
pkg/controller/utils/podconfig.go	0.00% <0.00%> (ø)
pkg/operator/hive/dynamicclient.go	0.00% <0.00%> (ø)
pkg/operator/hive/hiveadmission.go	0.00% <0.00%> (ø)
pkg/operator/hive/operatorutils.go	0.00% <0.00%> (ø)
pkg/operator/hive/sharded_controllers.go	0.00% <0.00%> (ø)
... and 4 more

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[2uasimojo]

I think this PR also needs to touch your previous efforts to reference this secret from the hive-operator pod. We discussed how copying imagePullSecrets across namespaces will end us up with a reference to a dockercfg Secret that doesn't (and shouldn't) exist in the destination namespace. So I think we need to refactor all of those places to simply add the value of hiveConfig.hiveImagePullSecretRef to the imagePullSecrets of controllers, admission, imageset, provision, and deprovision.

We also need to address copying the Secret to the targetNamespace iff that namespace is different from where hive-operator is running.

Once all of that is done, I think we can revert some of your additions that look up the current pod -- they should no longer be needed. (However, I like the way you rolled up sharedPodConfig; I would like to keep that for tolerations/nodeSelector.)

[2uasimojo]

It is not. However, we should parent it to the CD. There is precedent, and a handy helper function. See for example how we do this for the pull secret.

[dlom]

Still haven't figured this one out. Did you link the wrong thing, or am I blind?

[2uasimojo]

Bleh, sorry, correct reference.

As we discussed, "controller reference" is not the same as "owner reference", and I think we want the former. The purpose is for the Secret to automatically get deleted/garbage-collected when the parent (the CD) goes away.

[dlom]

we need to refactor all of those places to simply add the value of hiveConfig.hiveImagePullSecretRef to the imagePullSecrets of controllers, admission, imageset, provision, and deprovision

@2uasimojo after blindly forging ahead on this all day, I don't think this is possible either. The imagePullSecret by definition only refers to local secrets in the same NS. If the required secret is only in the hive NS, it really MUST be copied into the CD's namespace so that the imageset job can run in that NS

[2uasimojo]

we need to refactor all of those places to simply add the value of hiveConfig.hiveImagePullSecretRef to the imagePullSecrets of controllers, admission, imageset, provision, and deprovision

@2uasimojo after blindly forging ahead on this all day, I don't think this is possible either. The imagePullSecret by definition only refers to local secrets in the same NS. If the required secret is only in the hive NS, it really MUST be copied into the CD's namespace so that the imageset job can run in that NS

Per our Meet™, clarified summary:

• HIVE-2891: Make hive able to run as a private image #2725 copies imagePullSecrets (a list of names) from the current pod to the descendant pods. We don't want to do this, because it'll drag along the name of the generated dockercfg Secret. Rather, I think we ignore the current pod's imagePullSecrets and simply inject the value of your new hiveconfig field into the descendant pods' imagePullSecrets. This goes for both "stages": hive-operator => controllers/admission and controllers => imageset/prov/deprov.

• The hive-operator and the controllers/admission aren't necessarily running in the same namespace. HiveConfig.Spec.TargetNamespace defaults to hive, but

  • You might have deployed hive-operator somewhere other than hive; and/or
  • If TargetNamespace is explicitly set, we'll deploy controllers/admission there instead.

  So if this is the case, we need to make sure we're copying the Secret from hive-operator's ns to the TargetNamespace.

• Set controller reference on the copied Secrets as discussed above. (Uhh, I think for the controllers/admission copy, it's probably appropriate to parent to hive-controllers? I think the test would be: Edit HiveConfig.Spec.TargetNamespace, and make sure the Secret disappears from the old ns.)

[dlom]

I've done an initial smoke test on this, with the operator, controllers, and CD all being in different non-default namespaces. The operator uses a label on the controller-level secret to clean up if the controllers move, and the CDs each get an individually named secret copy that is owned by the CD

[dlom]

/test e2e

[2uasimojo]

/test e2e

Actual test succeeded; we flaked afterward.

[2uasimojo]

Is this true, or does it need to live in the namespace with hive-operator?

[2uasimojo]

I think we can DRY these by making the param a meta.Object and using GetName() on it.

(Moot if you copy the Secret down just once with its original name, as noted.)

[2uasimojo]

I don't think this is true either, as it looks like you're naming those Secrets after the cd/deprovision.

Though thinking about it, I think I like this idea better. There's nothing stopping multiple CDs being created in the same namespace, and we would rather have just one copy of this pull secret per namespace.

[2uasimojo]

Two things:

1. Why not do this in the calling func instead of here? I think all the other pieces are being done per-complete*DeprovisionJob() method because they can be different. (If you find otherwise, I would be receptive to a separate PR that pulls them out.) But this should always be the same, yah?
2. This is working because we happen to give the ClusterDeprovision the same name as the ClusterDeployment. But it reads as if we're potentially referencing a different Secret -- and one we haven't copied in. I can see that it would be painful to get the CD down to these funcs, so I'm okay leaving the logic as is, but I would like to see a comment that calls out that it's relying on those two things having the same name. [Later] But moot if we're using the original Secret name as noted above.

[2uasimojo]

Why are we not just using owner references? I guess they would have to be on one of the Deployments/StatefulSets, but that should work, shouldn't it?

[2uasimojo]

Just a thought, if you made the func return the ref instead of just checking for it, you could do something like:

Suggested change

	if hiveConfigHasValidImagePullSecretReference(instance) {
	hiveDeployment.Spec.Template.Spec.ImagePullSecrets = append(hiveDeployment.Spec.Template.Spec.ImagePullSecrets, *instance.Spec.HiveImagePullSecretRef)
	}
	if ref := getImagePullSecretReference(instance); ref != nil {
	hiveDeployment.Spec.Template.Spec.ImagePullSecrets = append(hiveDeployment.Spec.Template.Spec.ImagePullSecrets, ref)
	}

[2uasimojo]

Okay, yeah, let's clean this up.

For the getting, you should be able to use the existing controller-runtime-esque wrapper here. Example Get().

For the creating, you should be able to write a similar Create() wrapper in that file.

The end result should be that you can make this func feel a lot more like it would if r had/was a real c-r client.

[2uasimojo]

...and then all of this goes away.

[openshift-ci]

@dlom: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.