[ExternalNode] Implement SupportBundleCollection on Controller #4184
Conversation
Codecov Report
@@ Coverage Diff @@
## main #4184 +/- ##
==========================================
- Coverage 64.38% 61.87% -2.52%
==========================================
Files 393 389 -4
Lines 55538 55142 -396
==========================================
- Hits 35760 34117 -1643
- Misses 17188 18498 +1310
+ Partials 2590 2527 -63
|
wenyingd
force-pushed
the
supportbundle_internalapi
branch
8 times, most recently
from
f498493
to
038afe2
Compare
wenyingd
force-pushed
the
supportbundle_internalapi
branch
5 times, most recently
from
fa9ba32
to
01b4976
Compare
|
/test-all |
wenyingd
changed the title
wenyingd
force-pushed
the
supportbundle_internalapi
branch
2 times, most recently
from
3318649
to
ae3aba0
Compare
| subjects: | ||
| - kind: ServiceAccount | ||
| name: antrea-controller | ||
| namespace: {{ .Release.Namespace }} |
There was a problem hiding this comment.
By this definition, we expect that the authSecret is under namespace kube-system? If so, we need to at least add some comments for this. Otherwise, controller will get RBAC problem if the namespace defined in the SupportBundleCollection is not kube-system.
There was a problem hiding this comment.
User should modify the namespace for role antrea-read-secrets in the RoleBinding according to his own setup. This is a sample for antrea.
I would like to describe this in a future patch dedicated for documentation.
wenyingd
force-pushed
the
supportbundle_internalapi
branch
2 times, most recently
from
936ed8a
to
88d17fc
Compare
| verbs: | ||
| - update | ||
| --- | ||
| kind: ClusterRole |
There was a problem hiding this comment.
Could we publish these YAMLs with Nephe as they are not needed by Antrea for K8s?
There was a problem hiding this comment.
In this way, the upstream user can not use this feature with on-prem VMs?
There was a problem hiding this comment.
My concern is about adding permissions for controller to read all Secrets. We should not do that for a regular K8s cluster deployment. For non-Nephe use cases, could we just document the role binding requirement?
There was a problem hiding this comment.
I remembered @reachjainrahul said that Nephe would not do much on the support bundle feature, so I doubt maybe it is not a better choice to place to the RBAC changes in Nephe.
If your concern is the impact on regular K8s cluster, I would prefer to move this special ClusterRole/RoleBinding out from the default antrea yaml, but place it to path build/yamls/externalnode/, just like "vm-agent-rbac.yaml". What is your thought?
There was a problem hiding this comment.
Does it mean users (inc. Nephe) need to apply another YAML to use the feature? I am fine with that, but feel easier for Nephe to include it in its YAML.
There was a problem hiding this comment.
Does it mean users (inc. Nephe) need to apply another YAML to use the feature?
Yes. But if we only have it in Nephe but do not maintain it in antrea, the non-Nephe users can not use this feature.
There was a problem hiding this comment.
We can provide a YAML in Antrea too. My question is just should we include the role binding in the Nephe YAML to simplify Nephe deployment.
There was a problem hiding this comment.
In my mind, Nephe is not planned with support bundle collection feature. @reachjainrahul please correct me, and share your thought?
cmd/antrea-controller/controller.go
Outdated
| @@ -168,8 +171,12 @@ func run(o *Options) error { | |||
| groupStore) | |||
|
|
|||
| var externalNodeController *externalnode.ExternalNodeController | |||
| var bundleCollectionController *supportbundlecollection.Controller | |||
There was a problem hiding this comment.
Maybe we should add another feature gate for support bundle collection?
There was a problem hiding this comment.
Sure, I will add it.
pkg/apis/controlplane/types.go
Outdated
| Items []SupportBundleCollection `json:"items" protobuf:"bytes,2,rep,name=items"` | ||
| } | ||
|
|
||
| type BundleFileServer struct { |
There was a problem hiding this comment.
Can we reuse the CRD definition?
There was a problem hiding this comment.
Updated to reuse CRD definition for BundleFileServer.
| Password string | ||
| } | ||
|
|
||
| type BundleServerAuthConfiguration struct { |
There was a problem hiding this comment.
I don't think we can reuse CRD definition for BundleServerAuthConfiguration, because a Secret reference is used in the CRD definition for the authenticator, while in the control plane API, the field is configured with the actual authenticator parsed from the Secret by Controller.
pkg/apis/controlplane/types.go
Outdated
| NodeName string | ||
| // The Namespace of the Node produces the status. It is set only when NodeType is externalNode | ||
| NodeNamespace string | ||
| // The type of the Node that produces the status. The values include Node and ExternalNode. |
There was a problem hiding this comment.
The supported values are "Node" and "ExternalNode". Could we reuse the CRD definition?
There was a problem hiding this comment.
Updated the comment information. I don't think we can use the CRD definition for SupportBundleCollectionNodeStatus: the CRD definition does not provide per Node status, but uses Conditions to describe the summarized SupportBundleCollection status. But for control plane API, we need per Node/ExternalNode to report its own status first, and then aggregated in Controller and update in the CRD status. And some existing fields ( like desiredNodes/succeededNodes) in CRD definition are not suitable for per Node status report.
pkg/controller/supportbundlecollection/store/supportbundlecollection.go
Outdated
Show resolved
Hide resolved
pkg/controller/supportbundlecollection/store/supportbundlecollection.go
Outdated
Show resolved
Hide resolved
pkg/controller/supportbundlecollection/store/supportbundlecollection.go
Outdated
Show resolved
Hide resolved
wenyingd
force-pushed
the
supportbundle_internalapi
branch
4 times, most recently
from
f6b019e
to
8b094ea
Compare
| klog.V(2).InfoS("Processed Node Add event", "name", node.Name) | ||
| } | ||
|
|
||
| func (c *Controller) updateNode(oldObj interface{}, newObj interface{}) { |
There was a problem hiding this comment.
Do we need to handle Node updates? Could we ignore Node updates after CRD is processed for simplicity? Anyway, we have no way to guarantee all Node updates are covered as update events are async.
There was a problem hiding this comment.
I removed updateNode and updateExternalNode.
pkg/apis/controlplane/types.go
Outdated
| type BundleFileServer struct { | ||
| // The URL of the bundle file server. It is set with format: scheme://host[:port][/path], | ||
| // e.g, https://api.example.com:8443/v1/supportbundles/. If scheme is not set, https is used by default. | ||
| URL string `json:"url"` |
There was a problem hiding this comment.
The unversioned structs don't need json tag
| klog.ErrorS(err, "Failed to get authentication defined in the SupportBundleCollection CR", "name", bundle.Name, "authentication", bundle.Spec.Authentication) | ||
| return err | ||
| } | ||
| c.addInternalSupportBundleCollection(bundle, nodeSpan, *authentication, metav1.NewTime(expiredAt)) |
There was a problem hiding this comment.
It seems it never updates started condition to true?
There was a problem hiding this comment.
I moved it to status_controller part #4249 after the internal object is created.
| allowed = false | ||
| } | ||
| if !allowed { | ||
| msg = fmt.Sprintf("SupportBundleCollection %s is started, cannot be updated or deleted", oldObj.Name) |
There was a problem hiding this comment.
should the message be updated? can a started request be deleted?
How do we know it has started here?
wenyingd
force-pushed
the
supportbundle_internalapi
branch
from
060eae1
to
46b3ba5
Compare
pkg/antctl/raw/multicluster/join.go
Outdated
| @@ -217,13 +217,13 @@ func NewJoinCommand() *cobra.Command { | |||
| command.Flags().StringVarP(&joinOpts.LeaderNamespace, "leader-namespace", "", "", "Namespace of the leader cluster") | |||
| command.Flags().StringVarP(&joinOpts.LeaderClusterID, "leader-clusterid", "", "", "Cluster ID of the leader cluster") | |||
| command.Flags().StringVarP(&joinOpts.TokenSecretName, "token-secret-name", "", "", "Name of the Secret resource that contains the member token. "+ | |||
| "Token Secret name takes precedence over token Secret file and the Secret manifest in the join config file") | |||
| "BearerToken Secret name takes precedence over token Secret file and the Secret manifest in the join config file") | |||
There was a problem hiding this comment.
I think this is not an intended change?
There was a problem hiding this comment.
No, it is replaced by IDE automatically, thanks for catching it.
wenyingd
force-pushed
the
supportbundle_internalapi
branch
from
46b3ba5
to
eae14df
Compare
wenyingd
force-pushed
the
supportbundle_internalapi
branch
2 times, most recently
from
f8fc31e
to
f72f7d4
Compare
|
/test-all |
wenyingd
force-pushed
the
supportbundle_internalapi
branch
from
f72f7d4
to
930fd5d
Compare
| return nodeConfigs, externalNodeConfigs | ||
| } | ||
|
|
||
| func TestAddSupportBundleCollection(t *testing.T) { |
There was a problem hiding this comment.
The test seems more complicated than it needs to be. To test addSupportBundleCollection, I think it just needs to check whether the queue contains expected items with specific inputs:
tests := []struct{}{
name string
supportBundleCollection *SupportBundleCollection
expectedItem string
} {
...
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
controller := ...
controller.addSupportBundleCollection(tt.supportBundleCollection)
if tt.expectedItem != "" {
assert.Equal(t, 1, controller.queue.Len())
gotItem := controller.queue.Get()
assert.Equal(tt.expectedItem, gotItem)
} else {
assert.Equal(t, 0, controller.queue.Len())
}
}
}
930fd5d
to
38a3330
Compare
updated. |
|
/test-all |
Add internal objects to sync the suport bundle request from Controller to Agent, and report status from Agent to Controller. Implement support bundle collection on Controller side. Signed-off-by: wenyingd <[email protected]>
wenyingd
force-pushed
the
supportbundle_internalapi
branch
from
38a3330
to
76b96dd
Compare
|
Update commit message only. |
|
/test-all |
…antrea-io#4184) Add internal objects to sync the suport bundle request from Controller to Agent, and report status from Agent to Controller. Implement support bundle collection on Controller side. Signed-off-by: wenyingd <[email protected]>
…antrea-io#4184) Add internal objects to sync the suport bundle request from Controller to Agent, and report status from Agent to Controller. Implement support bundle collection on Controller side. Signed-off-by: wenyingd <[email protected]>
Controller to Agent.
Signed-off-by: wenyingd [email protected]