Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CNTRLPLANE-71: update cao to manage rolebindingrestriction crd #748

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

CNTRLPLANE-71: update cao to manage rolebindingrestriction crd #748

wants to merge 3 commits into from

Conversation

everettraven
Copy link

@everettraven everettraven commented Jan 7, 2025
edited
Loading

Description

Updates the cluster-authentication-operator to manage the RoleBindingRestriction CRD.

More specifically, this PR:

  • Vendors the authorization.openshift.io/RoleBindingRestriction CRD manifest from https://github.com/openshift/api
  • Adds targets to the Makefile to:
    • Copy the RoleBindingRestriction CRD manifests to the bindata/ directory so the manifest can be embedded into the binary using the embed FS.
    • Verify the bindata/ directory is up to date
    • Verify the RoleBindingRestriction CRD manifest in bindata/ is up to date based on the latest vendored manifest.
  • Adds the oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml file to the list of manifest files managed by the static resource controller
  • Adds an apiextensions client to support the management of CustomResourceDefinition resources using the static resource controller.

Motivation

Update the cluster-authentication-operator to manage the RoleBindingRestriction CRD, as outlined in openshift/enhancements#1726, to allow for this CRD to be removed from the cluster when the oauth stack is no longer desired.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 7, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 7, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everettraven
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 9, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 22, 2025
@everettraven everettraven changed the title WIP: update cao to manage rolebindingrestriction crd CNTRLPLANE-71: update cao to manage rolebindingrestriction crd Jan 22, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 22, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 22, 2025
edited by openshift-ci bot
Loading

@everettraven: This pull request references CNTRLPLANE-71 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

Description

Updates the cluster-authentication-operator to manage the RoleBindingRestriction CRD.

More specifically, this PR:

  • Vendors the authorization.openshift.io/RoleBindingRestriction CRD manifest from https://github.com/openshift/api
  • Adds targets to the Makefile to:
    • Copy the RoleBindingRestriction CRD manifests to the bindata/ directory so the manifest can be embedded into the binary using the embed FS.
    • Verify the bindata/ directory is up to date
    • Verify the RoleBindingRestriction CRD manifest in bindata/ is up to date based on the latest vendored manifest.
  • Adds the oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml file to the list of manifest files managed by the static resource controller
  • Adds an apiextensions client to support the management of CustomResourceDefinition resources using the static resource controller.

Motivation

Update the cluster-authentication-operator to manage the RoleBindingRestriction CRD, as outlined in openshift/enhancements#1726, to allow for this CRD to be removed from the cluster when the oauth stack is no longer desired.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@everettraven everettraven marked this pull request as ready for review January 22, 2025 19:36
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 22, 2025
@openshift-ci openshift-ci bot requested review from ibihim and liouk January 22, 2025 19:38
@everettraven
update mom output resources
716fb4b 
Signed-off-by: Bryce Palmer <[email protected]>
@everettraven
update mom test data
f8a439a 
Signed-off-by: Bryce Palmer <[email protected]>
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 23, 2025

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/test-operator-integration f8a439a link false /test test-operator-integration
ci/prow/e2e-aws-single-node f8a439a link false /test e2e-aws-single-node
ci/prow/e2e-agnostic-ipv6 f8a439a link false /test e2e-agnostic-ipv6
ci/prow/okd-scos-e2e-aws-ovn f8a439a link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-agnostic-upgrade f8a439a link true /test e2e-agnostic-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

liouk
liouk suggested changes Jan 23, 2025
View reviewed changes
pkg/operator/starter.go
@@ -142,8 +141,9 @@ func prepareOauthOperator(
"oauth-openshift/oauth-service.yaml",
"oauth-openshift/trust_distribution_role.yaml",
"oauth-openshift/trust_distribution_rolebinding.yaml",
"oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml",
Copy link
Member

@liouk liouk Jan 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use a conditional resource (via WithConditionalResources; WithPrecondition might be useful too), to manage when this should be created/deleted and avoid contention.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Launching a cluster with this PR as-is seemed to work just fine and didn't appear to have any contention between this and CVO.

I'm happy to add the conditional resources, but it would essentially be:

  • Create only when the resource is not found or requires updates
  • Delete never

Walking through the underlying logic, this seems to be the exact flow the static resource controller already takes:

I'm not sure it makes much sense to gate this resource on the same conditions that would be done by default from the static resource controller. We will add conditional logic for create/delete in the future based on desired state of the OAuth stack (i.e if the OAuth stack should be removed, this resource should also be removed and vice versa)

deads2k
deads2k reviewed Jan 23, 2025
View reviewed changes
pkg/cmd/mom/output_resources_command.go
@@ -38,6 +39,8 @@ func runOutputResources(ctx context.Context) (*libraryoutputresources.OutputReso
libraryoutputresources.ExactRoleBinding("openshift-config-managed", "system:openshift:oauth-servercert-trust"),

libraryoutputresources.ExactPDB("openshift-oauth-apiserver", "oauth-apiserver-pdb"),

libraryoutputresources.ExactResource(apiextensionsv1.SchemeGroupVersion.Group, apiextensionsv1.SchemeGroupVersion.Version, "customresourcedefinitions", "", "rolebindingrestrictions.authorization.openshift.io"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UserWorkloadResources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k deads2k left review comments

@liouk liouk liouk requested changes

@ibihim ibihim Awaiting requested review from ibihim

Assignees
No one assigned
Labels
jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@everettraven @openshift-ci-robot @liouk @deads2k @openshift-merge-robot