Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CNTRLPLANE-71: update cao to manage rolebindingrestriction crd #748

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

everettraven
Copy link

@everettraven everettraven commented Jan 7, 2025

Description

Updates the cluster-authentication-operator to manage the RoleBindingRestriction CRD.

More specifically, this PR:

  • Vendors the authorization.openshift.io/RoleBindingRestriction CRD manifest from https://github.com/openshift/api
  • Adds targets to the Makefile to:
    • Copy the RoleBindingRestriction CRD manifests to the bindata/ directory so the manifest can be embedded into the binary using the embed FS.
    • Verify the bindata/ directory is up to date
    • Verify the RoleBindingRestriction CRD manifest in bindata/ is up to date based on the latest vendored manifest.
  • Adds the oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml file to the list of manifest files managed by the static resource controller
  • Adds an apiextensions client to support the management of CustomResourceDefinition resources using the static resource controller.

Motivation

Update the cluster-authentication-operator to manage the RoleBindingRestriction CRD, as outlined in openshift/enhancements#1726, to allow for this CRD to be removed from the cluster when the oauth stack is no longer desired.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2025
Copy link
Contributor

openshift-ci bot commented Jan 7, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Copy link
Contributor

openshift-ci bot commented Jan 7, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everettraven
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 9, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 22, 2025
@everettraven everettraven changed the title WIP: update cao to manage rolebindingrestriction crd CNTRLPLANE-71: update cao to manage rolebindingrestriction crd Jan 22, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 22, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 22, 2025

@everettraven: This pull request references CNTRLPLANE-71 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

Description

Updates the cluster-authentication-operator to manage the RoleBindingRestriction CRD.

More specifically, this PR:

  • Vendors the authorization.openshift.io/RoleBindingRestriction CRD manifest from https://github.com/openshift/api
  • Adds targets to the Makefile to:
    • Copy the RoleBindingRestriction CRD manifests to the bindata/ directory so the manifest can be embedded into the binary using the embed FS.
    • Verify the bindata/ directory is up to date
    • Verify the RoleBindingRestriction CRD manifest in bindata/ is up to date based on the latest vendored manifest.
  • Adds the oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml file to the list of manifest files managed by the static resource controller
  • Adds an apiextensions client to support the management of CustomResourceDefinition resources using the static resource controller.

Motivation

Update the cluster-authentication-operator to manage the RoleBindingRestriction CRD, as outlined in openshift/enhancements#1726, to allow for this CRD to be removed from the cluster when the oauth stack is no longer desired.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@everettraven everettraven marked this pull request as ready for review January 22, 2025 19:36
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 22, 2025
@openshift-ci openshift-ci bot requested review from ibihim and liouk January 22, 2025 19:38
Signed-off-by: Bryce Palmer <[email protected]>
Signed-off-by: Bryce Palmer <[email protected]>
@@ -142,8 +141,9 @@ func prepareOauthOperator(
"oauth-openshift/oauth-service.yaml",
"oauth-openshift/trust_distribution_role.yaml",
"oauth-openshift/trust_distribution_rolebinding.yaml",
"oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml",
Copy link
Member

@liouk liouk Jan 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use a conditional resource (via WithConditionalResources; WithPrecondition might be useful too), to manage when this should be created/deleted and avoid contention.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Launching a cluster with this PR as-is seemed to work just fine and didn't appear to have any contention between this and CVO.

I'm happy to add the conditional resources, but it would essentially be:

  • Create only when the resource is not found or requires updates
  • Delete never

Walking through the underlying logic, this seems to be the exact flow the static resource controller already takes:

I'm not sure it makes much sense to gate this resource on the same conditions that would be done by default from the static resource controller. We will add conditional logic for create/delete in the future based on desired state of the OAuth stack (i.e if the OAuth stack should be removed, this resource should also be removed and vice versa)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

contention between this and CVO

I assumed that since no conditions were written here, you were going to use a separate controller to delete the resource when OAuth stack is removed, hence I was referring to contention with another controller.

Create only when the resource is not found or requires updates
Delete never

No need; I was referring to conditionals for when the OAuth stack gets removed.

We will add conditional logic for create/delete in the future based on desired state of the OAuth stack

OK, I didn't realize you were planning on doing this here at separate PR, that's fine then 🙂 👍

@@ -38,6 +39,8 @@ func runOutputResources(ctx context.Context) (*libraryoutputresources.OutputReso
libraryoutputresources.ExactRoleBinding("openshift-config-managed", "system:openshift:oauth-servercert-trust"),

libraryoutputresources.ExactPDB("openshift-oauth-apiserver", "oauth-apiserver-pdb"),

libraryoutputresources.ExactResource(apiextensionsv1.SchemeGroupVersion.Group, apiextensionsv1.SchemeGroupVersion.Version, "customresourcedefinitions", "", "rolebindingrestrictions.authorization.openshift.io"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UserWorkloadResources

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be updated in bca7a99

Signed-off-by: Bryce Palmer <[email protected]>
Copy link
Contributor

openshift-ci bot commented Jan 24, 2025

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-operator 3b82ddc link true /test e2e-operator
ci/prow/okd-scos-e2e-aws-ovn 3b82ddc link false /test okd-scos-e2e-aws-ovn
ci/prow/test-operator-integration 3b82ddc link false /test test-operator-integration
ci/prow/e2e-agnostic-upgrade 3b82ddc link true /test e2e-agnostic-upgrade
ci/prow/e2e-aws-single-node 3b82ddc link false /test e2e-aws-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants