new-app: verify if API has required resources enabled

[wozniakjan]

fixes #20002 by checking the kind of each resource

now it fails very early, produces following output if builds are disabled

oc new-app https://github.com/wozniakjan/oc_newapp_expose#env_dot_syntax                  
error: Missing required resources: Build, BuildConfig

ptal @openshift/sig-developer-experience, @mfojtik

[bparees]

one nit on the text and lgtm.

[bparees]

"API server is missing required resources: "

[soltysh]

Hmmm... I'm not sure I want this to fail entirely. Why just not create the BC, the oc new-app is still useful without builds, and in a build-disabled cluster you're making it entirely unusable, yet I can still create an app, just without the build, as in oc new-app openshift/hello-openshift should still create the DC, IS and SVC for me. I don't see any reason that would fail me with information that BC is missing, even if I don't care about one.

[bparees]

maybe. If new-app generated a buildconfig, we definitely want this to fail, we don't want to create some, but not all, of the resources. Creating a DC when the BC that generates the image the DC deploys, doesn't exist, would be bad.

But if you're actually just using new-app to create a DC (oc new-app centos/mysql-56-centos7, or oc new-app -f sometemplatewithoutaBC.yaml) I suppose it's fair to allow that to proceed.

So I think the ideal solution would iterate the objects we are going to attempt to create, ensure those types all exist in the api server, and if not, abort indicating which resources that new-app wanted to create, were not available in the api server (abort before creating any resources).

[soltysh]

Yup, that last sentence is exactly what I'd expect to happen. The current approach fails always, but like Ben said oc new-app centos/mysql-56-centos7 should work.

[bparees]

/cc @openshift/cli-review

[adambkaplan]

based on this our objects are "native" and not namespaced CRD-style Kinds?

[bparees]

we actually have both the legacy apis and the grouped apis. This should probably check to see if either exists, in case we eventually remove the legacy api.

[mfojtik]

I don't think you have to check for the ImageStream resource as there is no way today to disable image apis. So this can be simplified to just check the existence of BuildConfigs.

Also I don't think we support legacy (oapi) in CLI anymore, right @deads2k / @soltysh ?

[deads2k]

Also I don't think we support legacy (oapi) in CLI anymore, right @deads2k / @soltysh ?

No legacy in the CLI.

[wozniakjan]

Thanks, I will mark the PR as [WIP] for now and address the comments when I'm back from PTO next week.

[bparees]

What does "no legacy in the cli" mean? In this case we're simply checking what the api server supports, we're not using these apis to call the server.

[soltysh]

Hmmm... I'm not sure I want this to fail entirely. Why just not create the BC, the oc new-app is still useful without builds, and in a build-disabled cluster you're making it entirely unusable, yet I can still create an app, just without the build, as in oc new-app openshift/hello-openshift should still create the DC, IS and SVC for me. I don't see any reason that would fail me with information that BC is missing, even if I don't care about one.

[wozniakjan]

So I think the ideal solution would iterate the objects we are going to attempt to create, ensure those types all exist in the api server, and if not, abort indicating which resources that new-app wanted to create, were not available in the api server (abort before creating any resources).

@soltysh, @bparees, @adambkaplan I would like to try to obtain a list/map of required resources (the code is in a second commit c0ab188), but I suppose iterating over the result.List.Items from config.Run() is probably incorrect.

origin/pkg/oc/cli/cmd/newapp.go

Lines 171 to 174 in c0ab188

	declaredResources := make(map[schema.GroupVersionKind]bool)
	for _, item := range items {
	declaredResources[item.GetObjectKind().GroupVersionKind()] = true
	}

this appears to only yeild /, Kind=

Should I rather type-switch on the items like it is done here and care only about missing BuildConfig?

origin/pkg/oc/cli/cmd/newapp.go

Lines 400 to 406 in c0ab188

	for _, item := range result.List.Items {
	switch t := item.(type) {
	case *kapi.Pod:
	if t.Annotations[newcmd.GeneratedForJob] == "true" {
	installing = append(installing, t)
	}
	case *buildapi.BuildConfig:

[bparees]

Should I rather type-switch on the items like it is done here and care only about missing BuildConfig?

i'd say that's an acceptable path of least resistance at this point.

[soltysh]

Hold with any actions until after the rebase, there will be some significant changes in the apimachinery that will change some bits of your code.

[wozniakjan]

EDIT: I spent so much time writing below that I missed @soltysh comment. Thanks and will wait!

@bparees, @adambkaplan trying to wrap my head around the comment regarding CRD and this entire issue. Please correct the following, I will try to summarize my understanding here

• there are two ways oc new-app populates the list of objects that are later sent to the API server
  1. oc new-app [input_app_url] - which inspects the input and generates BuildConfigs, Services, DeploymentConfigs, and ImageStreams
  2. oc new-app -f [template].yaml - the above-mentioned objects + any type of object including CRD
• the issue was that when disabling builds in master-config.yaml, we should not create any resources and fail loud and early
• there is no easy way to iterate over the list and generically check that any type of resource is going to be understood by the API because neither oc new-app nor kubernetes during conversions from typed to untyped populate runtime.Object.GetObjectKind().GroupVersionKind(). Maybe this Conversion from typed to unstructured should set GVK kubernetes/kubernetes#59264 and [WIP] add apiversion and kind to list subitems kubernetes/kubernetes#63972 will allow that at some point
• so we will check only for the regular BuildConfig and expect that users understand their [template].yaml and API well enough

@mfojtik shouldn't this rather go to release-3.9 only given #19070 removed the ability to disable Builds?

[bparees]

@mfojtik shouldn't this rather go to release-3.9 only given #19070 removed the ability to disable Builds?

i don't think this is worth backporting.

[wozniakjan]

i don't think this is worth backporting.

in that case, is it even worth having this? Post 3.9 releases don't have the disableFeatures option so now build API gets disabled the same way as any other API afaik, and we currently don't have any nice and elegant way how to generically test if any GroupVersionKind from a list of runtime objects is enabled in the API as mentioned above (the runtime.Object.GetObjectKind().GroupVersionKind() doesn't get populated here)

Rebased, pushed changes as last 'WIP' commit for review. If this is indeed what we would like to have, I will squash all commits into one

[bparees]

can't we attempt to look up the kind/convert it from unstructured?

[soltysh]

and we currently don't have any nice and elegant way how to generically test if any GroupVersionKind from a list of runtime objects is enabled in the API as mentioned above

We do, check HasResource in kubectl's run how this is handled.

[wozniakjan]

We do, check HasResource in kubectl's run how this is handled.

@soltysh but isn't this assuming runtime.Object.GetObjectKind().GroupVersionKind() are populated in the list of resources? They aren't here

origin/pkg/oc/cli/cmd/newapp.go

Lines 349 to 353 in c0ab188

	result, err := config.Run()
	if err := handleError(err, o.BaseName, o.CommandName, o.CommandPath, config, transformRunError); err != nil {
	return err
	}
	if err := checkResources(config.DiscoveryClient, result.List.Items); err != nil {

[soltysh]

@wozniakjan we should be setting those with the current state of oc. If it does not lemme know, I might end up looking into myself.

[wozniakjan]

@soltysh added few debug statements wozniakjan#4 and rebased on current master

$ oc version                           
oc v3.11.0-alpha.0+464544f-212-dirty                
kubernetes v1.11.0+d4cacc0                          
features: Basic-Auth GSSAPI Kerberos SPNEGO         

Server https://127.0.0.1:8443                       
openshift v3.11.0-alpha.0+464544f-212-dirty         
kubernetes v1.11.0+d4cacc0

$ oc new-app https://github.com/wozniakjan/oc_newapp_expose#env_dot_syntax                  
--> Found Docker image bb81a09 (17 months old) from Docker Hub for "openshift/base-centos7"              

    * An image stream tag will be created as "base-centos7:latest" that will track the source image      
    * A Docker build using source code from https://github.com/wozniakjan/oc_newapp_expose#env_dot_syntax will be created                                                                                          
      * The resulting image will be pushed to image stream tag "ocnewappexpose:latest"                   
      * Every time "base-centos7:latest" changes a new build will be triggered                           
    * This image will be deployed in deployment config "ocnewappexpose"                                  
    * Port 8080/tcp will be load balanced by service "ocnewappexpose"                                    
      * Other containers can access this service through the hostname "ocnewappexpose"                   
    * WARNING: Image "openshift/base-centos7" runs as the 'root' user which may not be permitted by your cluster administrator                                                                                     

######### [0xc420094840 0xc420fb9e40 0xc4200d0780 0xc4202cca00 0xc4207f41e0]                             
######### map[/, Kind=:true]                        
error: Missing declared resources: /, Kind=

So I still think it doesn't populate GVK in oc new-app, unless I am missing something terribly obvious

[soltysh]

See wozniakjan#4 (comment) for my answer

[wozniakjan]

@bparees with @soltysh recommendation, it now checks generically all resources and reports if any required are missing. I like this a lot better, a review is greatly appreciated

[bparees]

one message nit and lgtm.

[bparees]

"API server is missing declared resources:"

[wozniakjan]

corrected, thanks!

[wozniakjan]

/retest

FORWARD PARAMETERS TO THE REMOTE HOST

[bparees]

/approve

@soltysh lgty?

[wozniakjan]

@bparees @soltysh rebased on top of master (no actual conflict), let me know if you have any other concerns or if we can get this merged

[wozniakjan]

/test gcp

[wozniakjan]

/test gcp

[bparees]

@wozniakjan appears to be merge conflicted again :(

[wozniakjan]

@bparees thanks, you are faster than our merge bot :)
rebased on top of master, this time no conflict and 3-way merge took care of it

[bparees]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, wozniakjan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/oc/OWNERS [bparees]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@wozniakjan: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/verify	26f8b9e	link	/test verify
ci/prow/e2e-gcp	c0ab188	link	/test e2e-gcp

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[deads2k]

@wozniakjan @soltysh I got here because this particular line didn't tolerate partial discovery. All CLI commands should tolerate partial discovery and only fail if they cannot retrieve sufficient information. There may be cases where all of discovery must match, but this isn't one of them.

[deads2k]

As an overall experience with kubectl and oc CLIs, the commands create as much as possible and continue on failures. The commands are idempotent so they can be retried and they are pipeable to delete for cleanup. This change run afoul of those principles. Also, in 3.11 (maybe 3.10 too), the disableFeature that led to this is gone.

I'm reverting this because it's leading to behavioral problems in our CLI.

@wozniakjan @soltysh @juanvallejo @mfojtik

[bparees]

revert is here: #20780

(unless @deads2k also created one)

[bparees]

new revert PR: #20781