Bug 1695244: Correctly determine operand version

[enj]

This change updates the operator deployment to include the operand
version as an environment variable. Since we encode the operator
deployment RV into the operand deployment, we correctly gate on
changing the version until the new version has rolled out.

The VersionForOperand function uses a config map with a version to
image mapping to determine the operand version. It does this by
reversing the mapping (image to version). This has a serious flaw
in that it assumes that all versions point to distinct images
(which is not the case since an image may not change during a
release). Since map iteration order is undefined, this can lead to
the operand version flapping back and forth as the reversed map
changes based on which image value was written last.

Remove version-mapping config map as it is no longer used.

All environment variable names and values are now stored as consts
and vars, respectively (the values are effectively runtime consts as
they cannot change once the operator is running).

Signed-off-by: Monis Khan [email protected]

@openshift/sig-auth
/assign @sallyom

[enj]

/hold

Just so I can carefully review CI output.

[enj]

Looks promising https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_cluster-authentication-operator/103/pull-ci-openshift-cluster-authentication-operator-master-e2e-aws-operator/394:

{
    "apiVersion": "config.openshift.io/v1",
    "kind": "ClusterOperator",
    "metadata": {
        "creationTimestamp": "2019-04-02T20:31:10Z",
        "generation": 1,
        "name": "authentication",
        "resourceVersion": "13942",
        "selfLink": "/apis/config.openshift.io/v1/clusteroperators/authentication",
        "uid": "40860c64-5586-11e9-b56e-0ec73cf8fb1c"
    },
    "spec": {},
    "status": {
        "conditions": [ ... ],
        "versions": [
            {
                "name": "integrated-oauth-server",
                "version": "0.0.1-2019-04-02-200340_openshift"
            },
            {
                "name": "operator",
                "version": "0.0.1-2019-04-02-200340"
            }
        ]
    }
}

[enj]

{
    "apiVersion": "extensions/v1beta1",
    "kind": "Deployment",
    "metadata": {
        "annotations": {
            "deployment.kubernetes.io/revision": "1"
        },
        "creationTimestamp": "2019-04-02T20:30:36Z",
        "generation": 1,
        "labels": {
            "app": "origin-cluster-authentication-operator"
        },
        "name": "openshift-authentication-operator",
        "namespace": "openshift-authentication-operator",
        "resourceVersion": "9211",
        "selfLink": "/apis/extensions/v1beta1/namespaces/openshift-authentication-operator/deployments/openshift-authentication-operator",
        "uid": "2c124a6e-5586-11e9-be1d-1282a1ebf0a8"
    },
    "spec": {
        ...
            },
            "spec": {
                "containers": [
                    {
                        "args": [
                            "--config=/var/run/configmaps/config/operator-config.yaml",
                            "-v=2"
                        ],
                        "command": [
                            "authentication-operator",
                            "operator"
                        ],
                        "env": [
                            {
                                "name": "IMAGE",
                                "value": "registry.svc.ci.openshift.org/ci-op-w32ivklf/stable@sha256:cafaf6b1c6ab2c454f10dedb862bff72d75af81baba475ca384b0fc117c9e10d"
                            },
                            {
                                "name": "OPERATOR_IMAGE_VERSION",
                                "value": "0.0.1-2019-04-02-200340"
                            },
                            {
                                "name": "OPERAND_IMAGE_VERSION",
                                "value": "0.0.1-2019-04-02-200340_openshift"
                            },
                            {
                                "name": "POD_NAME",
                                "valueFrom": {
                                    "fieldRef": {
                                        "apiVersion": "v1",
                                        "fieldPath": "metadata.name"
                                    }
                                }
                            }
                        ],
                        "image": "registry.svc.ci.openshift.org/ci-op-w32ivklf/stable@sha256:762c2470d9ec8d1da0cf42d6f0ecf74eec31eed66a9c5a8c10d0bfd8139a44f6",
                        "imagePullPolicy": "IfNotPresent",
                        "name": "operator",
                        "resources": {
                            "requests": {
                                "cpu": "10m",
                                "memory": "50Mi"
                            }
                        },
                        "terminationMessagePath": "/dev/termination-log",
                        "terminationMessagePolicy": "FallbackToLogsOnError",
                        "volumeMounts": [
                            {
                                "mountPath": "/var/run/configmaps/config",
                                "name": "config"
                            }
                        ]
                    }
                ],
                ...
            }
        }
    }
}

[enj]

/hold cancel

OPERAND_IMAGE_VERSION is new to this PR so I am pretty sure this is working.

[sallyom]

/test e2e-aws

[sallyom]

i tested an upgrade w/ this PR, it completed successfully and:

$ oc get clusteroperator authentication -o yaml | grep -A 4 versions
  versions:
  - name: integrated-oauth-server
    version: 0.0.1-2019-04-02-211727_openshift
  - name: operator
    version: 0.0.1-2019-04-02-211727

looks good

[sallyom]

/lgtm

[enj]

/retest

[enj]

/retest

[enj]

/retest

[enj]

/retest

[enj]

/retest

[stlaz]

/retest

[wking]

Wait, what? e2e-aws:

Failing tests:

[k8s.io] Kubelet when scheduling a busybox Pod with hostAliases should write entries to /etc/hosts [NodeConformance] [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]
[sig-storage] In-tree Volumes [Driver: aws] [Testpattern: Dynamic PV (block volmode)] volumeMode should create sc, pod, pv, and pvc, read/write to the pv, and delete all created resources [Suite:openshift/conformance/parallel] [Suite:k8s]
[sig-storage] In-tree Volumes [Driver: nfs] [Testpattern: Pre-provisioned PV (block volmode)] volumeMode should fail to create pod by failing to mount volume [Suite:openshift/conformance/parallel] [Suite:k8s]

I thought openshift/origin#22454 and openshift/origin/pull/22455 were supposed to get those ignored?

[wking]

Maybe try bumping your commit timestamp or something to get a new commit hash to get a new namespace in the CI cluster? You'd need a new /lgtm, but it might unstick whatever's hung up about the e2e-aws suite here.

[stlaz]

/lgtm
I did a rebase of the PR, lets see about the tests now.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, sallyom, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [enj,stlaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ericavonb]

These should be handled in the cmd package along with other configuration.

[ericavonb]

Should we rename osin references while we're at it? It's probably not clear what it is for ppl coming to the codebase post 4.0. oauthServerDeploymentName or whatever would be more descriptive anyways.