support deploy klusterlet outside of managed cluster #172
Conversation
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
0a51d92
to
0003b05
Compare
zhujian7
force-pushed
the
klusterlet-outside
branch
from
0003b05
to
245592b
Compare
zhujian7
force-pushed
the
klusterlet-outside
branch
3 times, most recently
from
76c52ae
to
3b47a08
Compare
|
@qiujian16 @zhiweiyin318 @xuezhaojun @ianzhang366 This PR Is ready for review. but still need to:
|
There was a problem hiding this comment.
I might think it is a bit complicated with a lot of detachMode check in it.
My suggestion is we should separate the manifests and operations to
- those always put on managed cluster
- those always put on management cluster (it could be still managedcluster)
- those you have to check the mode
| @@ -0,0 +1,13 @@ | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| kind: RoleBinding | |||
There was a problem hiding this comment.
why do we need to separated these. I think the manifests has only nuance with non-detached mode that you can render. Maintaining two lists of manifests would be hard since it is easy to update one and miss another
pkg/helpers/helpers.go
Outdated
| // KlusterletNamespace returns the klusterletNamespace to deploy the agents. | ||
| func KlusterletNamespace(mode operatorapiv1.InstallMode, klusterletName, specNamespace string) string { | ||
| if mode == operatorapiv1.InstallModeDetached { | ||
| // return fmt.Sprintf("%s-%s", klusterletName, KlusterletDefaultNamespace) |
There was a problem hiding this comment.
rm this line. Add more comment on this function
pkg/helpers/helpers.go
Outdated
| return klusterletName | ||
| } | ||
|
|
||
| if specNamespace == "" { |
There was a problem hiding this comment.
if len(specNamespace) == 0
it is safer
| // resource status will be saved in the relatedResourcesStatuses, and will save the | ||
| // result to the klusterlet status if there is any error. | ||
| func (n *klusterletController) applyStaticFiles(ctx context.Context, klusterletName string, | ||
| staticFiles []string, relatedResourcesStatuses *[]operatorapiv1.RelatedResourceMeta, |
There was a problem hiding this comment.
return relatedResourcesStatuses rathe than adding a pointer
| @@ -310,6 +320,24 @@ func (n *klusterletController) sync(ctx context.Context, controllerContext facto | |||
| return err | |||
| } | |||
|
|
|||
| if detachedMode { | |||
| // In Deatched mode, apply role, rolebinding, service account for registration and work to the management cluster. | |||
| err = n.applyStaticFiles(ctx, klusterletName, detachedStaticResourceFiles, &relatedResources, &config, n.kubeClient, | |||
There was a problem hiding this comment.
why the apply static files is different from what you did on managed cluster
| } | ||
|
|
||
| // syncSecret forked from resourceapply.SyncSecret, add an addition snippet to support sync secret to another cluster. | ||
| func syncSecret(client, targetClient coreclientv1.SecretsGetter, recorder events.Recorder, |
There was a problem hiding this comment.
put this in the helper. It is better to add ctx as the parameter
There was a problem hiding this comment.
This func was put in the helper. and I'd prefer to add ctx after upgrading openshift/library-go to contain openshift/library-go#1121
|
|
||
| if detachedMode { |
There was a problem hiding this comment.
this is confused..do we really need to apply any role/rolebinding in this ns?
There was a problem hiding this comment.
need to create service account in this ns
| controllerContext.Recorder(), | ||
| func(name string) ([]byte, error) { | ||
| template, err := manifests.Klusterlet111ManifestFiles.ReadFile(name) | ||
| template, err := manifests.KlusterletManifestFiles.ReadFile(name) |
There was a problem hiding this comment.
I put all klusterlet files in KlusterletManifestFiles to avoid duplication of code
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
468d2ef
to
cec4ec8
Compare
|
do we need to add e2e cases for this scenario? like create 2 kind clusters in action and deploy with detach mode? |
zhujian7
force-pushed
the
klusterlet-outside
branch
from
cec4ec8
to
bc5beb1
Compare
Of course, this is what I am doing these days. |
zhujian7
force-pushed
the
klusterlet-outside
branch
from
bc5beb1
to
0a4afbc
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
f103ad0
to
5922b9a
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
80c0c21
to
d2f4afd
Compare
zhujian7
force-pushed
the
klusterlet-outside
branch
from
d2f4afd
to
6c318d9
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
from
6c318d9
to
fe286ee
Compare
|
@qiujian16 all comments have been fixed, PTAL. And the RBAC part needs a focused reviewing, please. |
Makefile
Outdated
| @@ -38,14 +38,16 @@ operatorsdk_gen_dir:=$(dir $(OPERATOR_SDK)) | |||
| OLM_NAMESPACE?=olm | |||
| OLM_VERSION?=0.16.1 | |||
|
|
|||
| KUSTOMIZE?=$(PERMANENT_TMP_GOPATH)/bin/kustomize | |||
| PWD=$(shell pwd) | |||
There was a problem hiding this comment.
I think we should update makefile in a followup PR.
| return nil | ||
| } | ||
| if err != nil { | ||
| return err | ||
| } | ||
| klusterlet = klusterlet.DeepCopy() | ||
|
|
||
| detachedMode := klusterlet.Spec.DeployOption.Mode == operatorapiv1.InstallModeDetached |
There was a problem hiding this comment.
can we use eq in the template so we do not need to set this bool var?
| ExternalManagedKubeConfigSecret: helpers.ExternalManagedKubeConfig, | ||
| ExternalManagedKubeConfigRegistrationSecret: helpers.ExternalManagedKubeConfigRegistration, | ||
| ExternalManagedKubeConfigWorkSecret: helpers.ExternalManagedKubeConfigWork, | ||
| DetachedMode: detachedMode, |
| if detachedMode { | ||
| managedClusterClients, err = n.buildManagedClusterClientsDetachedMode(n.kubeClient, config.KlusterletNamespace, config.ExternalManagedKubeConfigSecret) | ||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
Add a TODO here, you would need to set some status condition as the followup
| if detachedMode { | ||
| // In detached mode, we should ensure the namespace on the managed cluster since | ||
| // some resources(eg:service account) are still deployed on managed cluster. | ||
| err := n.ensureNamespace(ctx, managedClusterClients.kubeClient, klusterletName, config.KlusterletNamespace) |
There was a problem hiding this comment.
should we still need this? OR why we only need to ensure this on detached mode?
There was a problem hiding this comment.
why we only need to ensure this on detached mode?
In detached mode, the managed cluster and management cluster are separated, the namespace in the management cluster has been ensured previously.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qiujian16, zhujian7 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
from
57fa7f2
to
4ca76bb
Compare
… cluster Signed-off-by: zhujian <jiazhu@redhat.com>
|
@qiujian16 all comments have been fixed, and I add another commit(last commit of this PR) to distinguish the RBAC resource names of managed cluster and management cluster, the RBAC resources names are not in conflict now but may conflict in the future, I think it is necessary to separate. PTAL. Thanks. |
|
/hold |
zhujian7
force-pushed
the
klusterlet-outside
branch
from
b639ad6
to
c24a08f
Compare
|
/hold cancel |
| "kind": "Klusterlet", | ||
| "metadata": { | ||
| "name": "klusterlet" | ||
| }, |
There was a problem hiding this comment.
do not need detached klusterlet in alm-examples. this example user can apply directly on operatorhub. so we cannot put 2 klusterlet here.
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
66c0784
to
c307e35
Compare
|
The makefile and README.md will be updated at a follow-up PR. |
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
88a626d
to
73cf438
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
from
c74c9f3
to
3963de0
Compare
|
@zhiweiyin318 csv updated. PTAL. |
|
/lgtm |
Related PRs:
related issue: #158