support deploy klusterlet outside of managed cluster#172
Conversation
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
0a51d92 to
0003b05
Compare
zhujian7
force-pushed
the
klusterlet-outside
branch
from
0003b05 to
245592b
Compare
zhujian7
force-pushed
the
klusterlet-outside
branch
3 times, most recently
from
76c52ae to
3b47a08
Compare
|
@qiujian16 @zhiweiyin318 @xuezhaojun @ianzhang366 This PR Is ready for review. but still need to:
|
qiujian16
left a comment
qiujian16
left a comment
There was a problem hiding this comment.
I might think it is a bit complicated with a lot of detachMode check in it.
My suggestion is we should separate the manifests and operations to
- those always put on managed cluster
- those always put on management cluster (it could be still managedcluster)
- those you have to check the mode
| @@ -0,0 +1,13 @@ | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| kind: RoleBinding | |||
There was a problem hiding this comment.
why do we need to separated these. I think the manifests has only nuance with non-detached mode that you can render. Maintaining two lists of manifests would be hard since it is easy to update one and miss another
| // KlusterletNamespace returns the klusterletNamespace to deploy the agents. | ||
| func KlusterletNamespace(mode operatorapiv1.InstallMode, klusterletName, specNamespace string) string { | ||
| if mode == operatorapiv1.InstallModeDetached { | ||
| // return fmt.Sprintf("%s-%s", klusterletName, KlusterletDefaultNamespace) |
There was a problem hiding this comment.
rm this line. Add more comment on this function
| return klusterletName | ||
| } | ||
|
|
||
| if specNamespace == "" { |
There was a problem hiding this comment.
if len(specNamespace) == 0
it is safer
| // resource status will be saved in the relatedResourcesStatuses, and will save the | ||
| // result to the klusterlet status if there is any error. | ||
| func (n *klusterletController) applyStaticFiles(ctx context.Context, klusterletName string, | ||
| staticFiles []string, relatedResourcesStatuses *[]operatorapiv1.RelatedResourceMeta, |
There was a problem hiding this comment.
return relatedResourcesStatuses rathe than adding a pointer
|
|
||
| if detachedMode { | ||
| // In Deatched mode, apply role, rolebinding, service account for registration and work to the management cluster. | ||
| err = n.applyStaticFiles(ctx, klusterletName, detachedStaticResourceFiles, &relatedResources, &config, n.kubeClient, |
There was a problem hiding this comment.
why the apply static files is different from what you did on managed cluster
| } | ||
|
|
||
| // syncSecret forked from resourceapply.SyncSecret, add an addition snippet to support sync secret to another cluster. | ||
| func syncSecret(client, targetClient coreclientv1.SecretsGetter, recorder events.Recorder, |
There was a problem hiding this comment.
put this in the helper. It is better to add ctx as the parameter
There was a problem hiding this comment.
This func was put in the helper. and I'd prefer to add ctx after upgrading openshift/library-go to contain openshift/library-go#1121
| return err | ||
| } | ||
|
|
||
| if detachedMode { |
There was a problem hiding this comment.
this is confused..do we really need to apply any role/rolebinding in this ns?
There was a problem hiding this comment.
need to create service account in this ns
| controllerContext.Recorder(), | ||
| func(name string) ([]byte, error) { | ||
| template, err := manifests.Klusterlet111ManifestFiles.ReadFile(name) | ||
| template, err := manifests.KlusterletManifestFiles.ReadFile(name) |
There was a problem hiding this comment.
I put all klusterlet files in KlusterletManifestFiles to avoid duplication of code
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
468d2ef to
cec4ec8
Compare
|
do we need to add e2e cases for this scenario? like create 2 kind clusters in action and deploy with detach mode? |
zhujian7
force-pushed
the
klusterlet-outside
branch
from
cec4ec8 to
bc5beb1
Compare
Of course, this is what I am doing these days. |
zhujian7
force-pushed
the
klusterlet-outside
branch
from
bc5beb1 to
0a4afbc
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
f103ad0 to
5922b9a
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
80c0c21 to
d2f4afd
Compare
zhujian7
force-pushed
the
klusterlet-outside
branch
from
d2f4afd to
6c318d9
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
from
6c318d9 to
fe286ee
Compare
|
@qiujian16 all comments have been fixed, PTAL. And the RBAC part needs a focused reviewing, please. |
qiujian16
left a comment
qiujian16
left a comment
There was a problem hiding this comment.
Thanks, I think it looks pretty neat. I still have some comments, but most of the can be done as a followup.
/approve
| OLM_VERSION?=0.16.1 | ||
|
|
||
| KUSTOMIZE?=$(PERMANENT_TMP_GOPATH)/bin/kustomize | ||
| PWD=$(shell pwd) |
There was a problem hiding this comment.
I think we should update makefile in a followup PR.
| } | ||
| klusterlet = klusterlet.DeepCopy() | ||
|
|
||
| detachedMode := klusterlet.Spec.DeployOption.Mode == operatorapiv1.InstallModeDetached |
There was a problem hiding this comment.
can we use eq in the template so we do not need to set this bool var?
| ExternalManagedKubeConfigSecret: helpers.ExternalManagedKubeConfig, | ||
| ExternalManagedKubeConfigRegistrationSecret: helpers.ExternalManagedKubeConfigRegistration, | ||
| ExternalManagedKubeConfigWorkSecret: helpers.ExternalManagedKubeConfigWork, | ||
| DetachedMode: detachedMode, |
| if detachedMode { | ||
| managedClusterClients, err = n.buildManagedClusterClientsDetachedMode(n.kubeClient, config.KlusterletNamespace, config.ExternalManagedKubeConfigSecret) | ||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
Add a TODO here, you would need to set some status condition as the followup
| if detachedMode { | ||
| // In detached mode, we should ensure the namespace on the managed cluster since | ||
| // some resources(eg:service account) are still deployed on managed cluster. | ||
| err := n.ensureNamespace(ctx, managedClusterClients.kubeClient, klusterletName, config.KlusterletNamespace) |
There was a problem hiding this comment.
should we still need this? OR why we only need to ensure this on detached mode?
There was a problem hiding this comment.
why we only need to ensure this on detached mode?
In detached mode, the managed cluster and management cluster are separated, the namespace in the management cluster has been ensured previously.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qiujian16, zhujian7 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
from
57fa7f2 to
4ca76bb
Compare
… cluster Signed-off-by: zhujian <jiazhu@redhat.com>
|
@qiujian16 all comments have been fixed, and I add another commit(last commit of this PR) to distinguish the RBAC resource names of managed cluster and management cluster, the RBAC resources names are not in conflict now but may conflict in the future, I think it is necessary to separate. PTAL. Thanks. |
|
/hold |
zhujian7
force-pushed
the
klusterlet-outside
branch
from
b639ad6 to
c24a08f
Compare
|
/hold cancel |
| "kind": "Klusterlet", | ||
| "metadata": { | ||
| "name": "klusterlet" | ||
| }, |
There was a problem hiding this comment.
do not need detached klusterlet in alm-examples. this example user can apply directly on operatorhub. so we cannot put 2 klusterlet here.
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
66c0784 to
c307e35
Compare
|
The makefile and README.md will be updated at a follow-up PR. |
zhujian7
force-pushed
the
klusterlet-outside
branch
2 times, most recently
from
88a626d to
73cf438
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
klusterlet-outside
branch
from
c74c9f3 to
3963de0
Compare
|
@zhiweiyin318 csv updated. PTAL. |
|
/lgtm |
4 participants
Related PRs:
related issue: #158