OCPBUGS-33600: revert revert and fix for hypershift #305
Conversation
openshift-ci-robot
added
jira/valid-reference
|
@sanchezl: This pull request references Jira Issue OCPBUGS-33600, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/payload-job periodic-ci-openshift-hypershift-release-4.16-periodics-e2e-aws-ovn-conformance |
|
@sanchezl: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/8ad79e00-117f-11ef-8080-22dfebaceee0-0 |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@sanchezl: This pull request references Jira Issue OCPBUGS-33600, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest-required |
1 similar comment
|
/retest-required |
sanchezl
changed the title
|
@sanchezl: This pull request references Jira Issue OCPBUGS-33600, which is valid. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
approved
|
/label acknowledge-critical-fixes-only |
openshift-ci
bot
added
the
acknowledge-critical-fixes-only
| if err != nil && !errors.IsNotFound(err) { | ||
| // signing key secret exists, skip | ||
| return err | ||
| } |
There was a problem hiding this comment.
Is it safe to make any assumptions one way or the other about the secret's existence based on this information?
There was a problem hiding this comment.
We shouldn't reach here unless the cache has synced. If the secret should exist, but doesn't at this point, I don't see the harm in performing the fallback here, and the regular control loop will eventually pick up the secret and override if needed.
There was a problem hiding this comment.
I think there are 3 cases:
- The secret exists (
err == nil) and the fallback is performed. The regular control loop should eventually catch up. - The secret does not exist (
errors.IsNotFound(err)) and the fallback is performed. Even if the secret is later created, the regular control loop takes over. - Some different error occurred, and the fallback is not performed. This seems like a problem on a cluster that will never have the signing key secret.
There was a problem hiding this comment.
I see it now. Fixed.
| } | ||
|
|
||
| // create a throwaway API token | ||
| expirationSeconds := int64(10 * time.Minute / time.Second) |
There was a problem hiding this comment.
Is this arbitrary? How short can the requested expiration time be?
There was a problem hiding this comment.
This is the minimum allowed.
| if err := c.fallbackKeyIDObservation(ctx); err != nil { | ||
| runtime.HandleError(err) | ||
| } |
There was a problem hiding this comment.
I see in the description "OCM would need to be restarted if the service account signing public key changes," but what if this one-shot attempt fails with a transient error? It sounds like it would not recover on its own.
Does it make sense to do the fallback as part of the controller sync if and only if the signing key secret does not exist?
There was a problem hiding this comment.
The controller sync is triggering on the one secret, a secret that wouldn't exisit to trigger the sync in hypershift, so I don't think I can add the fall back to the controller sync.
I can add a few retries on err.
sanchezl
force-pushed
the
revert-revert
branch
3 times, most recently
from
6f6ef67 to
1b30c4e
Compare
| if err != nil && !errors.IsNotFound(err) { | ||
| // signing key secret exists, skip and let sync handle | ||
| return true, nil | ||
| } | ||
| if err != nil { | ||
| runtime.HandleError(err) | ||
| return false, nil | ||
| } |
There was a problem hiding this comment.
Does this ever need to return true (and stop)?
| if err != nil && !errors.IsNotFound(err) { | |
| // signing key secret exists, skip and let sync handle | |
| return true, nil | |
| } | |
| if err != nil { | |
| runtime.HandleError(err) | |
| return false, nil | |
| } | |
| if err == nil { | |
| // signing key secret exists, skip and let sync handle | |
| return false, nil | |
| } else if !errors.IsNotFound(err) { | |
| // error other than notfound, signing key secret may or may not exist | |
| runtime.HandleError(err) | |
| return false, nil | |
| } |
There was a problem hiding this comment.
If the secret DNE, return true and stop the inner polling loop. runWorker() itself is running in an UntilContext loop.
If there is an error, the inner loop retries every 10 seconds for a minute.
|
/lgtm @sanchezl Do you want to re-run the hypershift payload job? |
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: benluddy, sanchezl, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@sanchezl: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/payload-job periodic-ci-openshift-hypershift-release-4.16-periodics-e2e-aws-ovn-conformance |
|
@benluddy: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/058004d0-1234-11ef-9c79-b53ffec4c3e7-0 |
|
/payload 4.16 ci blocking |
|
@sanchezl: trigger 5 job(s) of type blocking for the ci release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/39b901c0-1234-11ef-905a-e5452c9fb821-0 |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@sanchezl: Jira Issue OCPBUGS-33600: All pull requests linked via external trackers have merged:
Jira Issue OCPBUGS-33600 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[ART PR BUILD NOTIFIER] This PR has been included in build ose-openshift-controller-manager-container-v4.17.0-202405151441.p0.g7637f1a.assembly.stream.el9 for distgit ose-openshift-controller-manager. |
|
Fix included in accepted release 4.16.0-0.nightly-2024-05-16-092402 |
6 participants
On Hypershift, the image pull secrets were created, but not properly initialized due to the
image_pull_secret_controllergetting stuck waiting for the existence of the bound-service-account-signing-key secret in the openshift-kube-apiserver namespace.Ideally, Hypershift would prefer to mount the service account signing key as as a volume on OCM pod. This would match what we already do this for the KCM pod. This PR provides an OCM-only fix to get us going until we make the changes to the way hypershift runs OCM.
Since what we need is the just the hash of the service account signing public key, if OCM does not find the bound-service-account-signing-key secret on startup, OCM will create a throwaway API token and extract the service account signing public key's hash from the token.
Currently, on hypershift, the service account signing public key is provided as a CLI option. OCM would need to be restarted if the service account signing public key changes,