Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deleting the last BMH using a credentials secret, causes the secret to be also deleted. #1347

Open
raffaelespazzoli opened this issue Aug 30, 2023 · 20 comments
Open

Deleting the last BMH using a credentials secret, causes the secret to be also deleted. #1347

raffaelespazzoli opened this issue Aug 30, 2023 · 20 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. triage/accepted Indicates an issue is ready to be actively worked on.

Comments

@raffaelespazzoli
Copy link

What steps did you take and what happened:
Deleting the last BMH using a credentials secret, causes the secret to be also deleted.
This is not desirable.

What did you expect to happen:
The secret to be left alone.

Anything else you would like to add:
I don't understand what was the intention with using the owner reference in this case. It does seem unnecessary.

Environment:

  • Baremetal Operator version: OCP 4.13
  • Environment (metal3-dev-env or other):

/kind bug
@metal3-io-bot metal3-io-bot added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue lacks a `triage/foo` label and requires one. labels Aug 30, 2023
@dtantsur
Copy link
Member

@zaneb do you remember the logic behind setting the owner reference?

@Rozzii Rozzii added question Further information is requested triage/needs-information Indicates an issue needs more information in order to work on it. and removed kind/bug Categorizes issue or PR as related to a bug. labels Sep 13, 2023
@zaneb
Copy link
Member

zaneb commented Sep 13, 2023

I think the logic was that we should not leave credentials lying around when they are not used by anything.
Some more information about why it's undesirable would be helpful.

@zaneb
Copy link
Member

zaneb commented Sep 13, 2023

We also user the owner reference as a reverse link from the Secret to the BMH that owns it, so we can easily tell which BMH(s) need to be reconciled when a Secret is modified without having to search all of them. controller-runtime makes this very simple to set up by just calling Owns(&corev1.Secret{}) on the controller manager, so that may have been part of the reason it was used initially.

@raffaelespazzoli
Copy link
Author

the ownership concept in kubernetes generally refers to the fact a controller of resource A has created resource B in response to resource A configuration. So, in a way resource B exists only for the fact that resource A exists and therefore A owns B. The garbage collection logic aligns with this assumption and will delete B on behalf of controller A if A is deleted. This is to avoid writing trivial finalizers.
This is not the case for this BMH controller, you don't create the secret therefore you don't own it. I get that you get some convenient behavior by setting the owner, but what you are doing is conceptually wrong and it is hurting situations where the secret should not be deleted.

@Rozzii
Copy link
Member

Rozzii commented Sep 27, 2023

/cc @kashifest @lentzi90

@Rozzii
Copy link
Member

Rozzii commented Sep 27, 2023

/cc @hardys

@s3rj1k
Copy link
Member

s3rj1k commented Sep 27, 2023

This is not the case for this BMH controller, you don't create the secret therefore you don't own it. I get that you get some convenient behavior by setting the owner, but what you are doing is conceptually wrong and it is hurting situations where the secret should not be deleted.

I agree, but what you propose, changing the behavior would be impactful to other people who already used to this behavior.

I am expecting that this would be configurable at least on global scale via CLI flags for BMO but preferably via annotation on BMH.

@lentzi90
Copy link
Member

I agree that the current behavior is surprising. Perhaps a global flag would be cleanest?

@hardys hardys mentioned this issue Oct 10, 2023
Merged
@Rozzii
Copy link
Member

Rozzii commented Oct 11, 2023

So is there any conclusion as far as I can understand the closest to an acceptable compromise would be to turn this feature into a configurable one right ? @dtantsur @s3rj1k @lentzi90 @raffaelespazzoli @zaneb ?

@hardys
Copy link
Member

hardys commented Oct 11, 2023

This was also recently discussed in relation to networkData secrets - it seems we're not consistently setting ownership of those (and presumably meta/userData) so we might want to consider if there's a common (but configurable) way to solve this?

@zaneb
Copy link
Member

zaneb commented Oct 18, 2023

We do consistently set ownership of user/meta/networkData and BMC Secrets.
We don't set ownership of preprovisioningNetworkData unless we're actually using it, so that's inconsistent.

@zaneb
Copy link
Member

zaneb commented Oct 20, 2023

We do consistently set ownership of user/meta/networkData and BMC Secrets. We don't set ownership of preprovisioningNetworkData unless we're actually using it, so that's inconsistent.

Actually, scratch that. We do not set ownership of user/meta/networkData because it's not required that we trigger a reconcile when these change.

@zaneb
Copy link
Member

zaneb commented Oct 20, 2023

So is there any conclusion as far as I can understand the closest to an acceptable compromise would be to turn this feature into a configurable one right ?

TBH I see this as an Open Source antipattern - the developers, who know and understand the software the best, can't agree so they punt the decision to the person least equipped to make it (in this case the operator of the metal³ deployment).

How can we ask the operator to decide at deployment time between timely responses to changes and keeping unreferenced Secrets around? How would they decide if we can't?

Any end user who wants to keep their unreferenced Secrets around is free to add another owner reference to the Secret that will prevent it being deleted. To my mind that's better than an annotation on the BMH because you can see what it does directly, and there's no bizarre side-effects like changes to the Secret being ignored until they suddenly take effect at unexpected times.

@lentzi90
Copy link
Member

Any end user who wants to keep their unreferenced Secrets around is free to add another owner reference to the Secret that will prevent it being deleted. To my mind that's better than an annotation on the BMH because you can see what it does directly, and there's no bizarre side-effects like changes to the Secret being ignored until they suddenly take effect at unexpected times.

I would rather treat the current behavior as a bug and just change it. Metal3 is not the owner of these secrets and should therefore not put owner references on them. Finalizers on the other hand could make sense to prevent deletion while in use.

@metal3-io-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues will close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@metal3-io-bot metal3-io-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 18, 2024
@Rozzii
Copy link
Member

Rozzii commented Jan 18, 2024

/remove-lifecycle stale

@metal3-io-bot metal3-io-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 18, 2024
@metal3-io-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues will close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@metal3-io-bot metal3-io-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 17, 2024
@Rozzii
Copy link
Member

Rozzii commented Apr 24, 2024

/remove-lifecycle stale

@metal3-io-bot metal3-io-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 24, 2024
@Rozzii
Copy link
Member

Rozzii commented Apr 24, 2024

/lifecycle frozen

@metal3-io-bot metal3-io-bot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Apr 24, 2024
@Rozzii
Copy link
Member

Rozzii commented Oct 23, 2024
edited
Loading

I think it is clear that this is an issue regardless of what will be the solution.
Calling it a bug might be a bit controversial but I don't know what "kind label" would apply better so in lack of a better option I will flag it as bug.

/kind bug
/triage accepted

@metal3-io-bot metal3-io-bot added kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue is ready to be actively worked on. and removed needs-triage Indicates an issue lacks a `triage/foo` label and requires one. labels Oct 23, 2024
@Rozzii Rozzii removed question Further information is requested triage/needs-information Indicates an issue needs more information in order to work on it. labels Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. triage/accepted Indicates an issue is ready to be actively worked on.
Projects
Metal3 - Roadmap
Status: BMO on hold / blocked
Milestone
No milestone
Development

No branches or pull requests
8 participants
@dtantsur @zaneb @hardys @raffaelespazzoli @lentzi90 @s3rj1k @Rozzii @metal3-io-bot