CCXDEV-12875: Enable Insight Operator entitlements for multi arch clusters #1066
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@opokornyy: This pull request references CCXDEV-12875 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
approved
| ) | ||
|
|
||
| // Mapping of kubernetes architecture labels to the format used by SCA API | ||
| var kubernetesArchMapping = map[string]string{ |
There was a problem hiding this comment.
I am not sure if we can use only the map or if we need a function to return a default value when no value is found.
There was a problem hiding this comment.
Good question. I think it would make sense to use some default value - e.g the arch of node the operator is running on
There was a problem hiding this comment.
Totally agree. Let's add a little function to return the arch from operator's node as default value. That could even help with testing.
|
There is one case I am not exactly sure how to handle: if a secret is already created and a node with a different architecture is added to the cluster, we will have one secret named |
pkg/ocm/sca/sca.go
Outdated
| return | ||
| } | ||
|
|
||
| klog.Infof("%s secret successfully updated", secretName) | ||
| c.StatusController.UpdateStatus(controllerstatus.Summary{ | ||
| klog.Info("sca secret successfully updated") |
There was a problem hiding this comment.
It would be good to keep the secretName in the log message.
There was a problem hiding this comment.
I have moved this log into the createSecret and updateSecret where I can log the secret name easily
| // check & update the secret here | ||
| err = c.checkSecret(ctx, &ocmRes) | ||
| if err != nil { | ||
| klog.Errorf("Error when checking the %s secret: %v", secretName, err) |
There was a problem hiding this comment.
Same here. There's no sca secret right.
pkg/ocm/sca/sca.go
Outdated
| if err != nil { | ||
| klog.Errorf("Unable to decode response: %v", err) | ||
| return true, err | ||
| } |
There was a problem hiding this comment.
I think it would better to move this out of the exponential backoff function call
| architectures, err := c.gatherArchitectures(ctx) | ||
| if err != nil { | ||
| klog.Warningf("Gathering nodes architectures failed: %s", err.Error()) | ||
| } |
There was a problem hiding this comment.
Do we want to continue in case of this error? It seems the architecture will be nil so I am wondering what will happen with the request.
There was a problem hiding this comment.
It will most likely fail on a request to the api with a 400 http return code, so at least it would save one request if we return early here
|
/test e2e-gcp-ovn-techpreview |
|
/test okd-scos-e2e-aws-ovn |
| "ppc": "ppc", | ||
| "ppc64": "ppc64", |
There was a problem hiding this comment.
| "ppc": "ppc", | |
| "ppc64": "ppc64", | |
| "ppc": "ppc", | |
| "ppc64": "ppc64", |
only ppc64le is supported. There are no plans to support Big Endian
There was a problem hiding this comment.
I have used all architectures that are supported by AMS api. But you are right that OCM right now supports only 4 architectures.
It was also discussed here: https://docs.google.com/document/d/1kT8uzjbmTTN2Zyhfo1jhMNR8q3PhkNJ9yGx83FOFL8k/edit?pli=1&disco=AAABZjOhM1A
| "ppc": "ppc", | ||
| "ppc64": "ppc64", |
There was a problem hiding this comment.
Same comment on ppc/ppc64 support
We only support ppc64le
|
|
||
| architectures := make(map[string]struct{}) | ||
| for i := range nodes.Items { | ||
| nodeArch := nodes.Items[i].Status.NodeInfo.Architecture |
There was a problem hiding this comment.
There are some situations where AutoScale MachineSet from zero where the secondary architecture is not present when this code 'could' run.
@aleskandro you might be interested in this and have some insights.
There was a problem hiding this comment.
Autoscale from zero should work and be architecture-aware with AWS, Azure and GCP IPI clusters.
It is not supported on BM infrastructures (IPI included).. I've never looked into the IBM Machine API providers though.
I'll get a better look at this PR asap
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
Signed-off-by: Ondrej Pokorny <[email protected]>
opokornyy
force-pushed
the
CCX12875-multi-arch
branch
from
ee43090 to
0e67f85
Compare
|
/test e2e-gcp-ovn-techpreview |
|
/test insights-operator-e2e-tests |
|
@opokornyy: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
I didn't try this, but the changes look good. Thank you! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: opokornyy, tremes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR implements the gathering of architectures used by nodes and the retrieval of entitlement certificates for each architecture in use. These certificates are then stored in secrets.
If only one architecture is present, the secret is named etc-pki-entitlement.
If multiple architectures are present, secrets are created with names like etc-pki-entitlement-ARCH, where ARCH represents the specific architecture.
Categories
Sample Archive
The archive won't change with this feature
Documentation
No documentation update
Unit Tests
Privacy
Yes. There are no sensitive data in the newly collected information.
Changelog
No
Breaking Changes
Yes/No
References
https://issues.redhat.com/browse/CCXDEV-12875