Bug 1881520: avoid hotlooping on RoleBindings with empty APIGroup

[vrutkovs]

EnsureRoleBinding and EnsureClusterRoleBinding expect RoleRefs to be identical. Some manifests are skipping APIGroup, so CVO keeps attempting to apply those on every sync.

This PR adds CompareRoleRefsv1/CompareRoleRefsv1beta1 functions, which return true ("identical") if required APIGroup is empty and existing APIGroup is "rbac.authorization.k8s.io"

TODO:

• More idiomatic would be ensureRoleRefAPIGroup
• Add test case

[openshift-ci]

@vrutkovs: This pull request references Bugzilla bug 1881520, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.8.0) matches configured target release for branch (4.8.0)
• bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @jianlinliu

Details

In response to this:

Bug 1881520: avoid hotlooping on RoleBindings with empty APIGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@vrutkovs: This pull request references Bugzilla bug 1881520, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.8.0) matches configured target release for branch (4.8.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @jianlinliu

Details

In response to this:

Bug 1881520: avoid hotlooping on RoleBindings with empty APIGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@vrutkovs: This pull request references Bugzilla bug 1881520, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.8.0) matches configured target release for branch (4.8.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @jianlinliu

Details

In response to this:

Bug 1881520: avoid hotlooping on RoleBindings with empty APIGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[wking]

/lgtm

[vrutkovs]

/hold

This needs unit tests

[openshift-ci]

@vrutkovs: This pull request references Bugzilla bug 1881520, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.8.0) matches configured target release for branch (4.8.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @jianlinliu

Details

In response to this:

Bug 1881520: avoid hotlooping on RoleBindings with empty APIGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vrutkovs]

/test unit

Flake?

[vrutkovs]

/hold cancel

Tests added, ready for review

[wking]

We might actually be able to drop this entirely, with:

$ oc adm release extract --to manifests quay.io/openshift-release-dev/ocp-release:4.8.0-fc.3-x86_64
$ grep -r10 v1beta1 manifests/ | grep ClusterRole
manifests/0000_80_machine-config-operator_03_rbac.yaml-kind: ClusterRoleBinding
manifests/0000_30_baremetal-operator_01_baremetalhost.crd.yaml-kind: ClusterRole

The MCO has since bumped their version and the baremetal manifest doesn't have annotations to be included in any cluster profiles. So I expect we can drop this entirely, instead of fixing v1beta1 hotlooping.

[wking]

Part of dropping v1beta1 RBAC will be:

$ git --no-pager diff -U0 hack
diff --git a/hack/generate-lib-resources.py b/hack/generate-lib-resources.py
index 441e253d..294e9885 100755
--- a/hack/generate-lib-resources.py
+++ b/hack/generate-lib-resources.py
@@ -271 +270,0 @@ if __name__ == '__main__':
-    types['k8s.io/api/rbac/v1beta1'] = types['k8s.io/api/rbac/v1']
@@ -282 +280,0 @@ if __name__ == '__main__':
-        'k8s.io/api/rbac/v1beta1': {'package': 'k8s.io/client-go/kubernetes/typed/rbac/v1beta1', 'type': 'RbacV1beta1Client'},

although you'll also want #552, and you'll need to drop some remaining v1beta1 RBAC code like this resourcemerge stuff by hand.

[vrutkovs]

Good idea, dropped v1beta1

[wking]

No need to mix in v1, v1beta1 has this too:

$ git --no-pager grep 'GroupName =' vendor/k8s.io/api/rbac/v1beta1
vendor/k8s.io/api/rbac/v1beta1/register.go:const GroupName = "rbac.authorization.k8s.io"

[wking]

/lgtm
/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vrutkovs, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [vrutkovs,wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[wking]

pods should successfully create sandboxes by other is not a CVO-RoleBinding-management failure.

/override ci/prow/e2e-agnostic-upgrade

[openshift-ci]

@wking: Overrode contexts on behalf of wking: ci/prow/e2e-agnostic-upgrade

Details

In response to this:

pods should successfully create sandboxes by other is not a CVO-RoleBinding-management failure.

/override ci/prow/e2e-agnostic-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@vrutkovs: All pull requests linked via external trackers have merged:

• openshift/cluster-version-operator#562

Bugzilla bug 1881520 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1881520: avoid hotlooping on RoleBindings with empty APIGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vrutkovs]

/cherrypick release-4.7

[openshift-cherrypick-robot]

@vrutkovs: new pull request created: #584

Details

In response to this:

/cherrypick release-4.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.