Make bootstrap policy setup more robust #10099
Conversation
|
@deads2k PTAL |
|
[test] |
|
yum failure on integration (#8571), re[test] |
| for _, item := range template.Objects { | ||
| switch t := item.(type) { | ||
| case *authorizationapi.Role: | ||
| ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace) | ||
| if change { | ||
| roleStorage.Delete(ctx, t.Name, nil) | ||
| if _, err := roleStorage.CreateRoleWithEscalation(ctx, t); err != nil { | ||
| if err := kclient.RetryOnConflict(tryTryAgainBackoff, func() error { |
There was a problem hiding this comment.
Thinking on it, is there a reason we don't retry server-side? Seems like it would better meet expectations.
There was a problem hiding this comment.
in create cases, you mean?
There was a problem hiding this comment.
it is weird to retryonconflict from a create call
There was a problem hiding this comment.
it is weird to retryonconflict from a create call
No, I mean in pkg/authorization/registry/role/policybased/virtual_storage.go, detecting a conflict during the policy update and retrying the role update/create/delete in that code.
|
as a test, ran 10 copies of all the ensure functions on an empty etcd simultaneously. no errors reported, all roles, rolebindings, infra sa roles and bindings created successfully. |
| } | ||
| if err := kclient.RetryOnConflict(kclient.DefaultRetry, func() error { | ||
| policy, err := m.PolicyStorage.GetPolicy(ctx, authorizationapi.PolicyName) | ||
| if err != nil && kapierrors.IsNotFound(err) { |
|
comments addressed, will squash down after review |
|
I was expecting a validation update to ensure that role refs didn't change |
|
lgtm other than validation. |
|
Retry role/rolebinding creates/updates/deletes on policy/policybinding conflicts Allow unconditional updates of roles/rolebindings Detect resourceVersion conflicts of roles/rolebindings Don't return AlreadyExists errors from lazy policy/policybinding creates Remove unneeded nil checks Run BeforeUpdate on actual object being updated Remove unnecessary referential checks Avoid mutating original object in Create calls
Aggregate errors but continue to other objects Avoid unnecessary delete/recreates
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7389/) (Image: devenv-rhel7_4730) |
|
Evaluated for origin merge up to b5caf24 |
|
Evaluated for origin test up to b5caf24 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7389/) |
Makes the virtual storage for role/rolebinding act more like real objects:
Makes the reconcile and bootstrap operations aggregate errors and continue
Makes the AddRole() role-modification operation tolerate a race where the computed rolebinding name already exists when the operation tries to create it
Makes the bootstrap policy overwrite avoid unnecessary deletes/recreates:
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1359900
Fixes #8781