AUTH-543: Add optional operand deletion condition

[liouk]

There might be cases (as demonstrated in OCPBUGS-44937) where we might want to gracefully delete the operand workload of the workload controller, and keep the operator status available (instead of unavailable or degraded).

This PR adds an optional way of specifying a deletion condition which will trigger the deletion of the operand gracefully, keeping the operator's status as Available=True. To avoid breaking changes, I've added new setup functions to be used for wiring this particular case.

This is needed in the scope of openshift/cluster-authentication-operator#740.

Proof PRs:

• DO-NOT-MERGE: Prove library-go#1902 cluster-authentication-operator#772 (incl. usage demo for external OIDC usecase)
• DO-NOT-MERGE: Prove library-go#1902 cluster-openshift-apiserver-operator#618

[openshift-ci-robot]

@liouk: This pull request references Jira Issue OCPBUGS-44937, which is invalid:

• expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

There might be cases (as demonstrated in OCPBUGS-44937) where we might want to gracefully delete the operand workload of the workload controller, and keep the operator status available (instead of unavailable or degraded).

This PR adds an optional way of specifying a deletion condition which will trigger the deletion of the operand gracefully, keeping the operator's status as Available=True.

This is needed in the scope of openshift/cluster-authentication-operator#740.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@liouk: This pull request explicitly references no jira issue.

In response to this:

There might be cases (as demonstrated in OCPBUGS-44937) where we might want to gracefully delete the operand workload of the workload controller, and keep the operator status available (instead of unavailable or degraded).

This PR adds an optional way of specifying a deletion condition which will trigger the deletion of the operand gracefully, keeping the operator's status as Available=True.

This is needed in the scope of openshift/cluster-authentication-operator#740.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[everettraven]

Is the Get() call necessary before attempting the Delete() call? What does the extra call buy us?

[liouk]

The Get() happens on the lister (cache), which means that if the deployment has already been deleted, it'll save us an extra API call to Delete(). This will be happening on every sync.

[everettraven]

Ah, I totally missed that the Get() would be on the cache - that makes sense :). Thanks!

[everettraven]

Would it be beneficial to add some unit tests for the new deletion behavior?

[liouk]

The unit tests would end up using mocks for most of the stuff that the deletion does; but on second thought it might be beneficial to test the operator status, so I'll add some 👍

[atiratree]

It would be good to import and use this change in one of the consumers (e.g. cluster-authentication-operator) and show that the CI is passing there.

[everettraven]

Should we include a message in all conditions? I'm not familiar with how these conditions have been constructed in the past, but I have seen logs that say not setting the message in a condition will eventually be fatal:

W1203 04:13:07.671272       1 dynamic_operator_client.go:355] .status.conditions["APIServerDeploymentAvailable"].message is missing; this will eventually be fatal

This was pulled from https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-multiarch-master-nightly-4.18-ocp-e2e-ovn-remote-libvirt-s390x/1863791759423705088/artifacts/ocp-e2e-ovn-remote-libvirt-s390x/gather-extra/artifacts/pods/openshift-apiserver-operator_openshift-apiserver-operator-dfc988b89-rsh2n_openshift-apiserver-operator.log

Even though it would be a repetitive message in this case, with ^ in mind maybe it is worth it to future-proof this implementation as much as we can for when that does get flipped to fatal?

[atiratree]

Is there sufficient benefit of creating a 2nd constructor for this? We could just pass the deletion option as nil in the normal use case.

[atiratree]

Still applies, I think we do not need any change in the constructor. Let's drive such logic through the delegate.

[atiratree]

Shouldn't the delegate be responsible for the lifecycle of the Deployment? I am not sure if it makes sense to fragment the logic.

[atiratree]

This still applies, why do we have to manage the deletion in here?

[atiratree]

wouldn't it be better to let the delegate communicate everything as we do with the preconditions?

[atiratree]

if we let delegate controller we do not need another method

[atiratree]

Do we need to split it from the updateOperatorStatus reconciliation logic? It would be nicer to keep the concern in the same place and consider all 4 conditions.

I do not have a problem with calling a util function in updateOperatorStatus if needed though.

[atiratree]

still applies, if we need to manage the status/conditions during scale down of the workload, it would be better to do it in a single place (updateOperatorStatus)

[atiratree]

nit: this isn't a deletion error

[atiratree]

What is the value of preserving these conditions (Available=True, Degraded=False) if no workload exists for them?

Or are we interested in measuring the availability of OIDC provider? Is it possible? And even then this probably isn't the right place to indicate it, right?

[atiratree]

It would be good to import and use this change in one of the consumers (e.g. cluster-authentication-operator) and show that the CI is passing there.

[openshift-ci-robot]

@liouk: This pull request references AUTH-543 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.18" instead.

In response to this:

There might be cases (as demonstrated in OCPBUGS-44937) where we might want to gracefully delete the operand workload of the workload controller, and keep the operator status available (instead of unavailable or degraded).

This PR adds an optional way of specifying a deletion condition which will trigger the deletion of the operand gracefully, keeping the operator's status as Available=True. To avoid breaking changes, I've added new setup functions to be used for wiring this particular case.

This is needed in the scope of openshift/cluster-authentication-operator#740.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liouk]

/jira refresh

[openshift-ci-robot]

@liouk: This pull request references AUTH-543 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.18" instead.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[atiratree]

Seems we cannot use SSA for removing conditions, but I am not sure if patch is better than v1helpers.UpdateStatus here. Would be good to add an additional opinion on this.

[liouk]

The advantage of the patch here in my opinion is that we're only adding to the patch the specific conditions that we want to remove, so it's more concise -- we won't have to manage the whole status object to perform the update, so maybe it's less prone to mistakes.

What would you think @bertinatto?

[atiratree]

we should check if workload == nil to make sure the delegate has deleted (and not recreated) the workload

[atiratree]

even the workload should be gone and we should not get any errs, we should at least log them if they passed on by the delegate

[atiratree]

It might make more sense to still consider preconditions even when the workload will be deleted later. Thoughts?

[liouk]

Given that the delete would happen during the delegate's sync, we shouldn't normally reach the point of removing the conditions if preconditions are failing. But you are right, we should safe-guard against this -- I'll add a check before removing conditions.

[atiratree]

This still applies, why do we have to manage the deletion in here?

[atiratree]

Still applies, I think we do not need any change in the constructor. Let's drive such logic through the delegate.

[atiratree]

still applies, if we need to manage the status/conditions during scale down of the workload, it would be better to do it in a single place (updateOperatorStatus)

[atiratree]

The general design looks nice IMO. It just needs a little more polishing.

And a proof PR as menioned by @liouk .

[atiratree]

Is this necessary? Can't we do just

Suggested change

	removeAtIndex := i
	if !jsonPatch.IsEmpty() {
	removeAtIndex = removeAtIndex - removedCount
	}
	removeAtIndex := i - removedCount

[liouk]

Good catch -- that code pre-existed and I just refactored it into a func.

[atiratree]

same question here

[atiratree]

Suggested change

	if operatorStatus == nil {
	if operatorStatus == nil || len(conditionTypesToRemove) == 0 {

[atiratree]

Suggested change

	// errors.
	// of errors.

[atiratree]

it could be also useful to name the return values since we have that many of them

[atiratree]

Let's document the reason behind this part here.

[atiratree]

Maybe we should document that it is preferable to activate WithEmptyVersionRemoval when removeConditions/Generations is used.

[liouk]

Great idea, that's not very obvious.

[atiratree]

looks good, but maybe we could also test the generations while we are at it

[atiratree]

nit: k8s.io group is also below

[atiratree]

Can we distinguish the name x namespace to test they do not get mixed up in the invocation?

[liouk]

Based on the most recent review, I also decided to simplify the generation of multiple json patches by creating a Merge() func instead of injecting the patch to use. This simplifies the usage and error checking around the injected patch, and allows all clients of jsonpatch.PatchSet to leverage the functionality.

[atiratree]

maybe we can then generalize that since the delegate (and this controller) doesn't have to mention the lower level operations done by this controller

Suggested change

	removeConditions bool,
	removeWorkload bool,

[atiratree]

Suggested change

	if len(deletedWorkloadName) > 0 && len(deletedWorkloadNamespace) > 0 && removeConditions {
	if removeWorkload && len(deletedWorkloadName) > 0 && len(deletedWorkloadNamespace) > 0 {

reads better IMO :)

[atiratree]

Suggested change

	// When a workload gets deleted, not only its respective status conditions will removed, but also its
	// When a workload gets deleted, not only its respective status conditions will be removed, but also its

[atiratree]

+1, easier to read in two separate block

[atiratree]

Suggested change

	// generation, a bool indicating whether the operator status conditions must be removed (e.g. in case the
	// generation, a bool indicating whether the workload reference (e.g. conditions, generations) should be removed from operator status (e.g. in case the

[atiratree]

and maybe update the rest a bit to match that?

[atiratree]

Suggested change

	deletedWorkloadName string,
	deletedWorkloadNamespace string,
	removedWorkloadName string,
	removedWorkloadNamespace string,

for consistency with removeWorkload

[liouk]

This naming convention was intentional -- I chose deleted for workload name & namespace as it is the right verb for the resource action, while I chose removeWorkload for the operator status references because we'll be removing elements from lists/fields instead of deleting any resources.

If you still think this is more confusing than helpful, I'm happy to change all to use "remove".

[atiratree]

I chose deleted for workload name & namespace as it is the right verb for the resource action,

I feel like this is more of an implementation detail for the delegate to work out. The workload controller only takes care if the workload is/was present. And if it never was, the delete might have never been called.

[atiratree]

+ elsewhere

[atiratree]

Hm maybe it would be safer to output an error if removeWorkload is true, but name/ns are not present?

[atiratree]

Suggested change

	return kerrors.NewAggregate(append(errs, fmt.Errorf("workload marked as removed but no name and/or namespace provided (name=%s/ns=%s)", removedWorkloadName, removedWorkloadNamespace)))
	return kerrors.NewAggregate(append(errs, fmt.Errorf("workload marked as removed but no name and/or namespace provided (name=%s, ns=%s)", removedWorkloadName, removedWorkloadNamespace)))

This might be confusing when comparing to conventional ns/name keys.

[atiratree]

/lgtm

#1902 (comment) still applies

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: atiratree, liouk
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liouk]

Proof PRs:

• DO-NOT-MERGE: Prove library-go#1902 cluster-authentication-operator#772
• DO-NOT-MERGE: Prove library-go#1902 cluster-openshift-apiserver-operator#618

/hold cancel

[openshift-ci]

@liouk: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@liouk: This pull request references AUTH-543 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

There might be cases (as demonstrated in OCPBUGS-44937) where we might want to gracefully delete the operand workload of the workload controller, and keep the operator status available (instead of unavailable or degraded).

This PR adds an optional way of specifying a deletion condition which will trigger the deletion of the operand gracefully, keeping the operator's status as Available=True. To avoid breaking changes, I've added new setup functions to be used for wiring this particular case.

This is needed in the scope of openshift/cluster-authentication-operator#740.

Proof PRs:

• DO-NOT-MERGE: Prove library-go#1902 cluster-authentication-operator#772
• DO-NOT-MERGE: Prove library-go#1902 cluster-openshift-apiserver-operator#618

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liouk]

/jira refresh

[openshift-ci-robot]

@liouk: This pull request references AUTH-543 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@liouk: This pull request references AUTH-543 which is a valid jira issue.

In response to this:

There might be cases (as demonstrated in OCPBUGS-44937) where we might want to gracefully delete the operand workload of the workload controller, and keep the operator status available (instead of unavailable or degraded).

This PR adds an optional way of specifying a deletion condition which will trigger the deletion of the operand gracefully, keeping the operator's status as Available=True. To avoid breaking changes, I've added new setup functions to be used for wiring this particular case.

This is needed in the scope of openshift/cluster-authentication-operator#740.

Proof PRs:

• DO-NOT-MERGE: Prove library-go#1902 cluster-authentication-operator#772 (incl. usage demo for external OIDC usecase)
• DO-NOT-MERGE: Prove library-go#1902 cluster-openshift-apiserver-operator#618

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.