Make dockercfg generation wait for the token secret using shared informer

[mfojtik]

Fixes: #11333
Should fix: https://bugzilla.redhat.com/show_bug.cgi?id=1374091

[mfojtik]

[test]

[mfojtik]

@liggitt @deads2k PTAL

[mfojtik]

[test]

flake: #11381

[mfojtik]

@Kargakis ptal as well

[0xmichalis]

I don't think this deserves its own method. Inline the informer here.

[0xmichalis]

Or if others like it, we should probably do the same for the sa informer.

[mfojtik]

i can move it up, was trying to keep the new function small

[0xmichalis]

Should be Indexed

[mfojtik]

why?

[0xmichalis]

godoc

[mfojtik]

fixed.

[0xmichalis]

Needs a unit test

[deads2k]

This can happen on an Add instead of on a Update if your controller restarts after having been off. See kubernetes/kubernetes#32778

[mfojtik]

AddFunc added

[deads2k]

I don't think this logic should run synchronously.

[mfojtik]

can you elaborate?

[mfojtik]

ok, I think I see what you mean... when I create the dockerPullSecret and now observing the "addFunc", we should detect that and call addSecretToServiceAccount.

[liggitt]

why add a pending annotation we have to remove? why not just annotate this to indicate it was created by / owned by this controller, and we can leave the annotation in place? we can tell if a token is pending by the lack of a token in the data map

[deads2k]

why add a pending annotation we have to remove? why not just annotate this to indicate it was created by / owned by this controller, and we can leave the annotation in place? we can tell if a token is pending by the lack of a token in the data map

Ah controllerRef, how difficult you are. It's owned by this controller, not the controller that fills in the secret? It's owned by both? It's an ownerRef pointing to an object that doesn't exist?

[mfojtik]

@liggitt agree, I don't think we need any annotation as we can just check if the state is pending by looking into secret data map.

[mfojtik]

@deads2k @liggitt I rewrote that add/update logic so the annotation is no longer needed and is is much cleaner now.

[mfojtik]

ok, I was wrong :-) we need that annotation to make sure the pull secret is not created everytime the "handleSecrets" function run, so we don't end up with:

@dev] .../openshift/origin # oc get secrets -n test
NAME                       TYPE                                  DATA      AGE
builder-dockercfg-0sk6b    kubernetes.io/dockercfg               1         1m
builder-dockercfg-8uao3    kubernetes.io/dockercfg               1         1m
builder-dockercfg-c35kr    kubernetes.io/dockercfg               1         1m
builder-dockercfg-n1vzw    kubernetes.io/dockercfg               1         1m
builder-dockercfg-oiv6v    kubernetes.io/dockercfg               1         1m
builder-dockercfg-qpyi1    kubernetes.io/dockercfg               1         1m
builder-dockercfg-tefb1    kubernetes.io/dockercfg               1         1m

[mfojtik]

actually I found that this is because I also generate a lot of tokens (which I think is because changes to syncServiceAccount

[mfojtik]

nvmd. pebkac... I had wrong field selector in the shared informer...

[mfojtik]

@deads2k @liggitt updated and ready for next review :-)

[liggitt]

revert this... needsDockercfgSecret means we have to do work on the service account, even if that work is just copying an existing dockercfg from one list to the other

[mfojtik]

@liggitt i think then I will need new method to ensure the dockercfg was created already

[mfojtik]

fixed.

[liggitt]

this is turning into a rewrite of the controller, which is not what we want

1. track the tokens we've created that are waiting to be populated in a local variable
2. watch service account token secrets

when we decide we need a token for a service account:

1. if we are already waiting for a token and it is not yet populated, return early
2. if we are already waiting for a token and it is populated, continue to build and associate the dockercfg
3. if we are not already waiting for a token, create one and add it to the list we're waiting for

when we see an update to a token in the list we're waiting for, and it is populated, sync the service account again (will trigger case 2 above)

when we see a token get deleted, if it is in the list we're waiting for, remove it from the list and sync the service account again (will trigger case 3 above)

[mfojtik]

@liggitt i think this PR is doing what you're suggesting, I don't know if it is possible without rewriting the controller.

[liggitt]

I would expect the only change to syncServiceAccount to be to short-circuit if createDockerPullSecret says it didn't create the secret:

dockercfgSecret, created, err := e.createDockerPullSecret(serviceAccount)
if err != nil {
  return err
}
if !created  {
  return nil
}

[mfojtik]

will the later population of the token trigger the service account resync?

[liggitt]

exactly, that's why you need the list of token secrets you're waiting on. the secret watcher will resync the relevant service account if one of those secrets gets populated or deleted

[liggitt]

and the only changes to createDockerPullSecret would be to short-circuit if createTokenSecret says it didn't create a populated secret:

tokenSecret, isPopulated, err := e.createTokenSecret(serviceAccount)
if err != nil {
  return nil, false, err
}
if !isPopulated {
  return nil, false, nil
}

and to only return true for created if it makes it to the end of the function

[liggitt]

all the logic changes should be able to be contained to the secret watcher (which should only be watching service account token secrets, and needs to handle secret deletion), and the createTokenSecret function

[mfojtik]

@liggitt the token secret deletion is handled already in separate controller, do we want to get rid of that controller?

[liggitt]

@liggitt the token secret deletion is handled already in separate controller, do we want to get rid of that controller?

no, this observer's job is not to go clean up the dockercfg, it is to react to population and deletion of pending-population tokens

[liggitt]

rather than looking up the service account in the cache, just add to the queue directly?

e.queue.Add(serviceAccountKey)

[liggitt]

if secret.Annotations[api.CreatedByAnnotation] != CreateDockercfgSecretsController

[liggitt]

should we only re-queue if we are observing the update where the old secret is missing the token and the new secret has it?

[liggitt]

enqueue the key directly

[liggitt]

if secret.Annotations[api.CreatedByAnnotation] == CreateDockercfgSecretsController

[liggitt]

pretty sure looking up the token from cache here is a race:

1. service account exists, token exists, dockercfg exists, serviceaccount has reference, caches are populated
2. token gets deleted
3. deleted_token_secrets.go deletes the dockercfg in response
4. deleted_dockercfg_secrets.go removes the reference from the service account in response
5. service account update triggers this controller to resync the service account. this controller's token cache could still show the populated token that was deleted in step 2, and it would re-create a dockercfg secret now containing a defunct token and add it to the serviceaccount

[mfojtik]

@liggitt should we always do a live query then to get the live token?

[liggitt]

live lookups don't do what you'd expect... I think we can do a minimal change in the state machine direction without a complete rewrite

[liggitt]

lower verbosity to 5... this is going to happen every time now

[liggitt]

no need to log here, error gets logged at top level on error returns

[liggitt]

V(4)

[liggitt]

V(5)

[mfojtik]

@liggitt log levels adjusted, manually tested, lets give it one more [test] run

[liggitt]

LGTM but I'd like a second-check from @deads2k

[0xmichalis]

Missing comment

[mfojtik]

fixed.

[0xmichalis]

Don't you need this to be indexed now?

[mfojtik]

not anymore

[0xmichalis]

Secrets for a service account are always in the same namespace. So it seems that you can index by namespace.

[liggitt]

No need, we're looking up by key only (implicit index)

[deads2k]

Under what conditions is this still necessary? Since we have the name of the token secret we created, we ought to be able to use it to back the docker pull secret instead of creating another one right?

[liggitt]

good point

[mfojtik]

yes, I will remove

[deads2k]

One questions/comment. lgtm otherwise.

[mfojtik]

@deads2k @liggitt removed the deletion of secret token [merge]

[openshift-bot]

Evaluated for origin test up to 6744424

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10599/) (Image: devenv-rhel7_5239)

[openshift-bot]

Evaluated for origin merge up to 6744424

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10599/) (Base Commit: 66847bb)