OCPBUGS-33787: Tolerate the absence of ingress capability on HyperShift clusters #886
Conversation
|
@alebedev87: This pull request references NE-1319 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
openshift-merge-robot
added
the
needs-rebase
alebedev87
force-pushed
the
tolerate-ingress-absence
branch
2 times, most recently
from
cc41180 to
5e8103c
Compare
openshift-merge-robot
removed
the
needs-rebase
alebedev87
changed the title
alebedev87
force-pushed
the
tolerate-ingress-absence
branch
from
5e8103c to
8f3a66e
Compare
|
@alebedev87: This pull request references NE-1319 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@alebedev87: This pull request references NE-1319 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/retest |
jhadvig
left a comment
jhadvig
left a comment
There was a problem hiding this comment.
Thanks @alebedev87
This change does not make the operator to go downgraded when the ingress is disabled but whats basically because you are prematurely exiting all of the updated controllers. I doubt that the console will be working in this state.
Have you tested it ?
|
|
||
| statusHandler := status.NewStatusHandler(c.operatorClient) | ||
|
|
||
| infrastructureConfig, err := c.infrastructureClient.Get(ctx, api.ConfigResourceName, metav1.GetOptions{}) |
There was a problem hiding this comment.
If the ingress can be enabled/disabled during the clusters lifecycle then we need to keep the fetching logic per controller, but we need to use listers rather then client.
If the ingress can be re-enabled then please move the fetching logic starter.go and pass the config to each of the controllers.
There was a problem hiding this comment.
On the standalone OpenShift the Ingress capability will always be enabled. On HyperShift: once enabled it cannot be disabled.
| } | ||
|
|
||
| // Disable the route check for external control plane topology (hypershift) if the ingress capability is disabled. | ||
| if util.IsExternalControlPlaneWithIngressDisabled(infrastructureConfig, clusterVersionConfig) { |
There was a problem hiding this comment.
by doing this you are basically disabling the operator from doing its work by syncing the console routes.
There was a problem hiding this comment.
@jhadvig: From what I see both of the functions used by the route controller (SyncCustomRoute,SyncDefaultRoute) are related to the component route implementation (custom hostname or tls). The component routes are not supported on HyperShift, so I think we are safe to skip them.
@csrwng: can you please confirm that the component routes are not supported on HyperShift?
There was a problem hiding this comment.
That is correct. If you've disabled ingress you are also indirectly disabling component routes, no?
There was a problem hiding this comment.
Right, I put my followup comment into a wrong conversation. Here it is:
Also, in the absence of the ingress operator the required RBAC won't be created for the components (including the console operator): Component routes chapter of the EP.
|
|
||
| // Disable the oauth client update for external control plane topology (hypershift) if the ingress capability is disabled. | ||
| // HyperShift handles the updating of the oauth client for the console. | ||
| if util.IsExternalControlPlaneWithIngressDisabled(infrastructureConfig, clusterVersionConfig) { |
There was a problem hiding this comment.
by doing this you are basically disabling the operator from doing its work by syncing the console oauthclients.
There was a problem hiding this comment.
By "syncing the console oauthclients" you mean adding redirectURI? From what I understand this part will be handled by HyperShift as it takes care of some of the OAuthClients already. I suppose it's because the authentication server is not exposed via a route.
@csrwng: What do you think? If we don't disable the updates of OAuthClient the console operator will go degraded. However it's not yet clear what should be put as the redirectURI in case the ingress is disabled.
There was a problem hiding this comment.
Makes sense to disable updates of the OAuthClient
There was a problem hiding this comment.
The new API has been implemented to support an alternative ingress.
| } | ||
|
|
||
| // Disable the client download check for external control plane topology (hypershift) if the ingress capability is disabled. | ||
| if controllersutil.IsExternalControlPlaneWithIngressDisabled(infrastructureConfig, clusterVersionConfig) { |
There was a problem hiding this comment.
by doing this you are basically disabling the operator from doing its work by syncing the console CLI downloads CRDs.
There was a problem hiding this comment.
Right, oc-cli-downloads contains the links to download the oc client from the download route:
$ oc get consoleclidownloads oc-cli-downloads -o yaml | yq .spec.links[].href
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/amd64/linux/oc.tar
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/amd64/mac/oc.zip
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/amd64/windows/oc.zip
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/arm64/linux/oc.tar
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/arm64/mac/oc.zip
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/ppc64le/linux/oc.tar
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/s390x/linux/oc.tar
https://downloads-openshift-console.apps.alebedev-0424.devcluster.openshift.com/oc-licenseSo, the risk is to have the broken links in /command-line-tools path of the console UI.
There was a problem hiding this comment.
@csrwng : can we accept the risk I described above?
There was a problem hiding this comment.
Then we should be also prematurely exiting the DownloadsDeployment controller and remove the deployment itself.
There was a problem hiding this comment.
The new API has been implemented to setup alternative ingress for the downloads.
Yes. You are right, the console is not not working out of the box because the routes are left unserved. I was playing with AWS Load Balancer Operator (ALBO) to find the right
|
|
/retest |
alebedev87
force-pushed
the
tolerate-ingress-absence
branch
from
8f3a66e to
c206e4e
Compare
|
Rebased from |
|
/assign @jhadvig |
|
/retest |
So this case will need to be handle in the service controller, which will then update the service spec accordingly. If I understand it, console itself wont be available though the service if the NodePort is not set? If thats the case I think it needs to be address in this change.
Are these steps documented somewhere? I feel like there is too many gaps - in order to merge this change. What would be the benefit for Hypershift user if he disables the Ingress capability, but the console wont be working? I feel that at minimum we should have a documented way how to make the console work.
|
Should we simply disable console for now if we know it won't work, even with manual load balancer configuration? The console reads the OAuth URLs from the well-known endpoint. If the OAuth metadata can be updated in that document, console should discover the right URL. |
The console is still an important part of HyperShift based offerings like ROSA. The HyperShift engineers prefer the console to be running even without the default ingress (router). The way to expose it is a subject to a discussion, one of the ways to expose the console is described in the doc I added today.
ROSA HCP clusters already have the auth URL which is not an OpenShift route. This makes the authentication from console work smoothly even without the router. |
openshift-merge-robot
added
the
needs-rebase
alebedev87
changed the title
alebedev87
force-pushed
the
tolerate-ingress-absence
branch
from
beb12ae to
47090ae
Compare
|
Always apply nodeport services, to avoid the chicken and egg problem with alternative ingress: |
|
/retest |
alebedev87
force-pushed
the
tolerate-ingress-absence
branch
from
47090ae to
35e503b
Compare
|
|
alebedev87
force-pushed
the
tolerate-ingress-absence
branch
from
35e503b to
24f4886
Compare
|
@alebedev87: This pull request references Jira Issue OCPBUGS-33787, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
As discussed with @jhadvig: create |
…ft clusters - Implement alternative ingress fields from the console operator config API - Skip component route customizations if ingress capability is disabled - Use NodePort type for console and downloads services if ingress capability is disabled - Add document to describe how to implement alternative ingress on ROSA
alebedev87
force-pushed
the
tolerate-ingress-absence
branch
from
24f4886 to
7c4d777
Compare
|
|
|
/retest |
|
/retest CI outage. |
|
|
|
Thanks @alebedev87 for the PR. LGTM |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alebedev87, jhadvig The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Overriding the TC due to flaking e2e test |
|
@jhadvig: Overrode contexts on behalf of jhadvig: ci/prow/e2e-aws-console DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@alebedev87: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@alebedev87: Jira Issue OCPBUGS-33787: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-33787 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] This PR has been included in build openshift-enterprise-console-operator-container-v4.17.0-202406101611.p0.gc608dec.assembly.stream.el9 for distgit openshift-enterprise-console-operator. |
|
Fix included in accepted release 4.16.0-0.nightly-2024-07-04-015518 |
8 participants
Part of the implementation of Make Ingress optional for HyperShift EP. Note that this change targets only HyperShift managed deployments and should not impact standalone OpenShift installations.
This PR: