fix(controllers) expand TypeMeta population #4767
Codecov Report
Attention:
Additional details and impacted files
@@ Coverage Diff @@
## main #4767 +/- ##
=======================================
- Coverage 78.0% 77.8% -0.2%
=======================================
Files 163 165 +2
Lines 18531 18504 -27
=======================================
- Hits 14458 14401 -57
- Misses 3264 3281 +17
- Partials 809 822 +13
Add a type-agnostic helper to populate TypeMeta using a scheme with registered types. Populate TypeMeta throughout all controllers and reference filter predicates. Remove feature gate limitations on types added to the manager scheme to simplify its use where config is not readily available.
https://github.com/Kong/kubernetes-ingress-controller/actions/runs/6399242484/attempts/1?pr=4767 failed, but looks like maybe a flake. Doesn't look like it should be particular to router flavor. Re-running but not staying around to confirm, 🤞 If it works, this is ready for review.
I'm not exactly sure I understand the "why" of this PR 🤔 I can see 2 paragraphs in the PR description
But those don't really explain why we would need this change. Can we elaborate more on the "why" in this PR? Would it be a big effort to work towards the reproduction of the issue that gets fixed here?
It's in the "What this fixes". If you created a Secret with a credential, it would load into the store initially, but the controller wouldn't actually track updates to it. If you attempted to change a basic-auth password or similar, your old password would continue being valid, and your new one would not work. The test changes reliably fail on existing code. There was a separate issue where having old CRDs would prevent the initial load also. This is the part that I can't replicate reliably. It's odd, and I'd like to understand it, but it has a known fix that you should do anyway (run with the current CRDs). Absent reliable repro steps that unfortunately remains a curiosity.
Override Get to populate TypeMeta for the manager client as a whole, rather than at the controller definition level. Rename controllerOpts to managerOpts in manager setup, since that's what it is. Restore meta population and scheme retrieval to object key function. Change a failure condition assert to require in TestConsumerCredential.
What this PR does / why we need it:
Expands TypeMeta population (see earlier work). Predicting where we'll need this isn't always easy, so just stuffing it in every controller to be safe.
Add TypeMeta population to controller reference predicates.
Use a scheme-based helper to populate TypeMeta from a runtime.object instead of local GVK helpers or pre-defined objects.
Adds a test to confirm credentials update properly.
Which issue this PR fixes:
The added test breaks without the predicate changes. Updating a credential Secret (and presumably other referenced Secrets) after its initial load would not modify Kong configuration.
We add referent Secrets directly to the store from reference updaters. This populates the Secret initially, but future updates need to run through the Secret reconciler. The reconciler predicate was not building the reference key properly without TypeMeta and would never reconcile Secrets with references.
Special notes for your reviewer:
Ideally we could centralize TypeMeta injection, but I don't think we can (barring an upstream fix). I initially tried adding it to store.Add(), but this doesn't work for anything that might need it in the reconciler. AFAIK there's nowhere in controller-runtime that'd let us add a global preprocessing step. Failing that, we can add it in either resource-specific functions or the key generator. The latter is more universal (assuming we don't end up with custom key formats for other types) if a bit cumbersome due to a new error return.
Trying to load manager configuration outside the manager results in a package import loop that I'm not particularly inclined to untangle. Removing feature gates for the scheme builder should be fine, since simply being aware of types doesn't do anything on its own.
This came out of research on #4672, but I'm still not fully sure why outdated CRDs trigger this. I suspect that the issue is somewhere in the reference builder store update since the predicate was never working, and that updater is seemingly the only way into the store that bypasses the reconciler.
Sadly, my reproduction steps (disable CRD installation in the test harness, helm install wat kong/kong --version 2.13.1; helm delete to get the old CRDs, install consumer group CRD and GWAPI) stopped reproducing the issue after I located this second store insert path, so I wasn't able to explore it fully.
PR Readiness Checklist:
Complete these before marking the PR as ready to review:
CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR
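Added example, not part of the PR or the project's code: a standard-library-only model of the failure described above, where a predicate builds its reference key from an object whose TypeMeta is empty and so never matches the indexed credential Secret. The types, the `populateTypeMeta` helper, the key format and the Secret name are all constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed stand-ins for the Kubernetes types; not controller-runtime's API.
type TypeMeta struct{ APIVersion, Kind string }
type Secret struct {
	TypeMeta
	Namespace, Name string
}

// scheme maps a registered Go type to its apiVersion/kind, as a runtime scheme would.
var scheme = map[reflect.Type]TypeMeta{
	reflect.TypeOf(Secret{}): {APIVersion: "v1", Kind: "Secret"},
}

// populateTypeMeta fills an empty TypeMeta from the scheme (hypothetical helper).
func populateTypeMeta(s *Secret) error {
	tm, ok := scheme[reflect.TypeOf(*s)]
	if !ok {
		return fmt.Errorf("type %T not registered in scheme", s)
	}
	s.TypeMeta = tm
	return nil
}

// objectKey builds the reference index key; the format is an assumption.
func objectKey(s Secret) string {
	return s.APIVersion + "/" + s.Kind + "/" + s.Namespace + "/" + s.Name
}

// shouldReconcile models the predicate: reconcile only Secrets that something references.
func shouldReconcile(refs map[string]bool, s Secret, populate bool) bool {
	if populate && populateTypeMeta(&s) != nil {
		return false
	}
	return refs[objectKey(s)]
}

func main() {
	// The reference updater indexed the credential under its fully typed key.
	refs := map[string]bool{"v1/Secret/default/basic-auth-cred": true}
	// An update event delivers the object with empty TypeMeta, as a typed client does.
	updated := Secret{Namespace: "default", Name: "basic-auth-cred"}
	fmt.Println("without TypeMeta:", shouldReconcile(refs, updated, false)) // false
	fmt.Println("with TypeMeta:   ", shouldReconcile(refs, updated, true))  // true
}
```

In the first case the rotated credential is silently dropped by the predicate, which is why the old password stays valid; a regression test for credential rotation should assert that the old value is rejected, not only that the new one is accepted.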