WRKLDS-728: controller/apiservice: allow to disable/delete an API service resources

[ingvagabund]

SSIA

Needed by openshift/cluster-openshift-apiserver-operator#532

[openshift-ci-robot]

@ingvagabund: This pull request references WRKLDS-728 which is a valid jira issue.

Details

In response to this:

SSIA

Needed by openshift/cluster-openshift-apiserver-operator#532

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[p0lyn0mial]

why this function couldn't return services that are enabled :) ?

[p0lyn0mial]

also this is not a backward-compatible change which will break users of this function

[p0lyn0mial]

how will you know if an api service is not enabled ?

[ingvagabund]

why this function couldn't return services that are enabled :) ?

The controller needs a list of APIServices that are disabled. So they can be deleted if present.

how will you know if an api service is not enabled ?

Configurable by anyone who consumes the APIService controller. Atm, the OA operator constructs the list based on enabled capabilities.

[p0lyn0mial]

also the title of this pr is a bit misleading for me, are we actually going to delete something?

[p0lyn0mial]

since we are skipping disabled services I would simply return only enabled services in GetAPIServicesToMangeFunc

[ingvagabund]

Both newEndpointPrecondition and checkDiscoveryForByAPIServices can be probably given only a list of enabled services.

[p0lyn0mial]

yes, I would prefer that :)

[p0lyn0mial]

ah, sorry, i was reading top-to-bottom, i think this is the place that will remove an api service

[p0lyn0mial]

have you considered adding a new function which will return services to be removed ?

[p0lyn0mial]

or changing the signature of this method to return enabled []*apiregistrationv1.APIService, disabled []*apiregistrationv1.APIService, error)

[ingvagabund]

That would be an alternative. In any case, still a breaking change.

[p0lyn0mial]

will this field be used by all clients or only for some?

[ingvagabund]

Once such struct is created, it's intended to be used only by the controller.

[p0lyn0mial]

What I wanted to ask was if all operands will be required to provide this information.

In general my preference would be to check how many operators consume this function.
If the number is low then I would change the signature of the method to enabled []*apiregistrationv1.APIService, disabled []*apiregistrationv1.APIService, error).

[ingvagabund]

Based on https://github.com/search?q=org%3Aopenshift%20NewAPIServiceController&type=code NewAPIServiceController is used only once.
Based on https://github.com/search?q=org%3Aopenshift%20WithAPIServiceController&type=code WithAPIServiceController is used only by openshift-apiserver and cluster authentication operators.

[ingvagabund]

What I wanted to ask was if all operands will be required to provide this information.

Yeah. They have to. https://github.com/openshift/cluster-authentication-operator/blob/1b2c022034879e09e324bbdc50b84b78ce8de4ee/pkg/operator/starter.go#L793-L798 builds the list explicitly as well.

[ingvagabund]

An alternative would be to provide a filter function that if not provide will include every api service. On the other hand such a filter will get invoked all over again instead of constructing a list of enabled/disabled service only once at the beginning. The list of enabled/disabled api services is expected to be static or changed very rarely.

[p0lyn0mial]

OK, since there are only two operators using this controller I would:

1. Change the signature of the method to GetAPIServicesToMangeFunc func() (enabled []*apiregistrationv1.APIService, disabled []*apiregistrationv1.APIService, error)
2. Rename precondition to preconditionForEnabledAPIServices
3. Split the sync method into two flows, one for reconciling enabled services and the second for reconciling disabled services.

Does it make sense ?

[ingvagabund]

Done. It looks better now.

[p0lyn0mial]

Thanks, I have added a few more comments/questions, PTAL.

[p0lyn0mial]

How about adding a separate method for reconciling disalbedApiServices and calling it before preconditionForEnabledAPIServices (line 101)?

Having two separate methods would allow us to reconcile enabledApiServices and disabledApiServices independently. I think we always want to reconcile both and aggregate the errors. What do you think ?

[ingvagabund]

Updated

[p0lyn0mial]

I think we should get an APIService from the cache first as that would allow us to put less pressure on the server.
We should issue a live request only when we know the resource must be deleted.
What do you think?

[ingvagabund]

Updated

[p0lyn0mial]

what do you mean by without removing user-created/unmanaged objects ?

[ingvagabund]

Comment updated. The controller needs to avoid deleting APIServices that are not part of the OpenShift API. I.e. the controller needs to explicitly know which APIServices are disabled instead of deleting all not enabled APIServices.

[ingvagabund]

/retest-required

[p0lyn0mial]

isn't that strange that this controller didn't use apiservicelister ?

[ingvagabund]

Probably not taken into account when #667 was reviewed.

[p0lyn0mial]

how about simply calling syncDisabledAPIServices with combined enabledApiServices, disabledApiServices ?

[ingvagabund]

Done

[p0lyn0mial]

should we also consider a case in which a service has been already marked for deletion but hasn't been deleted?
(I think that would require checking the DeletionTimestamp field)

[ingvagabund]

That should be idempotent. Deleting an object that's in the process of deletion should be a no-op. While Get should still return the object without an error.

[p0lyn0mial]

It is idempotent but we will hammer the API unnecessary. Does it make sense?

[ingvagabund]

I agree this will reduce the toll. On the other hand I wonder if checking the DeletionTimestamp is something we already do in other controllers or whether this is a novel improvement. If the latter, I prefer to refactor the code more and implement generic methods like DeleteOnlyIfPresent. Probably automatically generated for all our APIs. So we don't re-invent the check all over the place. Nevertheless, as part of another PR. What do you think?

[p0lyn0mial]

I don't think it is novel approach. For example, it is being used in:

• https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go#L107

• https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/serviceaccount/legacy_serviceaccount_token_cleaner.go#L147

I can try to find more examples if you want.

[ingvagabund]

I was wondering if we have an example in our operators. Nevertheless, checking for the DeletionTimestamp is easy to implement. Will do.

[p0lyn0mial]

what if both syncDisabledAPIServices and preconditionForEnabledAPIServices return some error?
do we want to report errors from syncDisabledAPIServices ?
i think the errors will be ignored (not reported) as it is right now.

[ingvagabund]

If syncDisabledAPIServices returns an error, there are two cases that can happen:

• preconditionForEnabledAPIServices returns err != nil or !ready in which case the APIServicesAvailable condition gets reported as false. Making error returned by syncDisabledAPIServices kinda obsolete since the APIServicesAvailable is already false.
• preconditionForEnabledAPIServices returns err == nil and ready in which case the error returned by syncDisabledAPIServices gets checked. Producing APIServicesAvailable condition set to false. Just with a different error string.

[p0lyn0mial]

Does setting APIServicesAvailable when syncDisabledAPIServices returns some errors make sense ?

If all services were available and we failed to remove one service would you expect to find the error in APIServicesAvailable ? Maybe we should report it as a separate condition? (Especially that we already made distinction between enabled/disabled on the API level)

[ingvagabund]

The current implementation does not make the reported condition worse. Right now it will get reported with Reason: Error. Whether that happens before or after preconditionForEnabledAPIServices makes no difference. Failing to remove or create an APIservice object falls under the same category of an error. If we decide to distinguish between error related to removing and creating an APIService, we should probably introduce a new condition for both Failed to create and Failed to check discovery as well (implemented under syncEnabledAPIServices).

[ingvagabund]

I wonder whether there's a value in reporting non-nil error for return c.syncDisabledAPIServices(ctx, append(enabledApiServices, disabledApiServices...)) through a condition under:

	switch operatorConfigSpec.ManagementState {
		...
	case operatorsv1.Removed:
		enabledApiServices, disabledApiServices, err := c.getAPIServicesToManageFn()
		if err != nil {
			return err
		}
		return c.syncDisabledAPIServices(ctx, append(enabledApiServices, disabledApiServices...))

[p0lyn0mial]

I'm not sure if we want to go Degraded. I think that:

Type:    "APIServicesDeleted",
Status:  operatorv1.ConditionFalse,
Reason:  "DisabledAPIServicesPresent",
Message: err.Error(),

should be fine.

[p0lyn0mial]

Also, We could split the APIServiceController.sync method into two flows for simplicity. I think I would do:

func (c *APIServiceController) sync(ctx context.Context, syncCtx factory.SyncContext) error {
	operatorConfigSpec, _, _, err := c.operatorClient.GetOperatorState()
	if err != nil {
		return err
	}

	switch operatorConfigSpec.ManagementState {
	case operatorsv1.Managed:
	case operatorsv1.Unmanaged:
		return nil
	case operatorsv1.Removed:
		enabledApiServices, disabledApiServices, err := c.getAPIServicesToManageFn()
		if err != nil {
			return err
		}
		return c.syncDisabledAPIServices(ctx, append(enabledApiServices, disabledApiServices...))
	default:
		syncCtx.Recorder().Warningf("ManagementStateUnknown", "Unrecognized operator management state %q", operatorConfigSpec.ManagementState)
		return nil
	}

       var errors []err
       // or if we rename syncDisabledAPIServices to something else then
       // we could call it syncDisabledAPIServices (which would also set the new status)
       err = c.reconcileDisabledServices()
       if err != nil { // append to errors }
       
       err = c.syncEnabledServices()
       if err != nil { // append to errors }

      return errors
}

[ingvagabund]

Would syncEnabledServices include calling the preconditionForEnabledAPIServices as well?

[p0lyn0mial]

yes, I think so :)

[p0lyn0mial]

as an optimisation step we could collect conditions from the individual sync* methods and update the config just once :)

[ingvagabund]

/label tide/merge-method-squash

[ingvagabund]

/unlabel tide/merge-method-squash

[ingvagabund]

/remove-label tide/merge-method-squash

[ingvagabund]

/shrug

[p0lyn0mial]

Technically objects can stuck in deletion (finalisers) for a long time.
Do we want to handle this case somehow (log, set something on the condition) ?

[ingvagabund]

syncEnabledAPIServices returns an error when the corresponding api service Available condition is not ready. Updated the code to return error when a corresponding service is not deleted yet.

[p0lyn0mial]

update: we decided to log instead of returning the error

[p0lyn0mial]

I don't want to complicate the code but it looks like it might be easy to forget which conditions should be updated. I like the way it was done in the workload controller (

library-go/pkg/operator/apiserver/controller/workload/workload.go

Line 182 in c021d42

var updateGenerationFn func(newStatus *operatorv1.OperatorStatus) error

). Maybe we could do something similar here?

I think it boils down to:

1. define conditions with default values
2. register an update function for conditions in the defer statement
3. when you need to end processing, just set the condition and return (it will be updated in the defer statement).

[ingvagabund]

Done. I did not find any use for updateGenerationFn though.

[p0lyn0mial]

I think we should check if for any error or always for simplicity, wdyt?

[p0lyn0mial]

just adjust comment so that it is more generic

[p0lyn0mial]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ingvagabund, p0lyn0mial

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/operator/apiserver/OWNERS [p0lyn0mial]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[p0lyn0mial]

/hold

[p0lyn0mial]

just one more thing, it looks like we are going to always set the new condition, even if the toRemoveServices was empty.

[p0lyn0mial]

just one more thing, it looks like we are going to always set the new condition, even if the toRemoveServices was empty.

it seems that setting the new condition conditionally would make the code more complicated. Besides on clusters with this feature disabled it will always be set to false.

/hold cancel