fix: Enforce NonAdminBackup spec field values #1584
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mateusoliveira43 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
controllers/nonadmin_controller.go
Outdated
| @@ -166,7 +174,7 @@ func ensureRequiredSpecs(deploymentObject *appsv1.Deployment, image string, imag | |||
| Name: nonAdminObjectName, | |||
| Image: image, | |||
| ImagePullPolicy: imagePullPolicy, | |||
| Env: []corev1.EnvVar{namespaceEnvVar}, | |||
| Env: []corev1.EnvVar{namespaceEnvVar, enforceBackupSpecEnvVar}, | |||
There was a problem hiding this comment.
So, goal here is admin user will enforce some NonAdminBackup spec field values through DPA (for example, SnapshotVolumes must be false for every NonAdminBackup created)
During NAC startup, it reads these values admin user has set.
we could read from DPA directly, doing a DPA list call in OADP namespace before here https://github.com/migtools/oadp-non-admin/blob/8d8de636b68c0241b937403a98ab4384616458ba/cmd/main.go#L135 and passing result to NonAdminBackupReconciler. Problems with this approach are:
- need to change NAC RBAC (but easy to fix, just add to NAC role list DPA)
- how to tell NAC deployment to restart when that field changes?
Current implementation idea is passing DPA field value as env var to deployment. On NAC controller, it would Unmarshal the value and use it. Problem with this approach is that we can reach a char limit on env var value.
Any ideas on a third solution? Or how to fix problem 2 of first idea?
There was a problem hiding this comment.
how to tell NAC deployment to restart when that field changes?
if NAC is in a deployment, simply os.Exit() should result in another pod coming up.
There was a problem hiding this comment.
changed logic here
now I save DPA spec.nonAdmin.enforceBackupSpec that created Deployment and compare with current DPA spec.nonAdmin.enforceBackupSpec, only update Deployment when those are different
| return false, errors.New("in order to enable/disable the non-admin feature please set dpa.spec.unsupportedOverrides[tech-preview-ack]: 'true'") | ||
| return false, errors.New("in order to enable the non-admin feature please set dpa.spec.unsupportedOverrides[tech-preview-ack]: 'true'") | ||
| } | ||
| if r.dpa.Spec.NonAdmin.EnforceBackupSpec != nil { |
There was a problem hiding this comment.
added this to avoid headaches with users creating bad configuration
I think this is NAC responsibility, not user. If user can set this, then all NonAdminBackups will fail (or only of a specific namespace)
do you agree with this safety check?
(if yes, other fields should be added here?)
This comment was marked as resolved.
This comment was marked as resolved.
mateusoliveira43
force-pushed
the
fix/enforce-non-admin-bckup-spec-field-values
branch
from
ce46195
to
e170dec
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
ok.. checking this out.
It's not clear to me how to test: If you can help me understand that, I'll poke at this a bit more. |
|
|
Therefore following should happen
|
|
@weshayutin change for example velero log level. That should restart Velero Pod, but not NAC Pod |
This comment was marked as resolved.
This comment was marked as resolved.
openshift-ci
bot
added
the
do-not-merge/hold
Signed-off-by: Mateus Oliveira <[email protected]>
rework of logic Signed-off-by: Mateus Oliveira <[email protected]>
fix nil pointer Signed-off-by: Mateus Oliveira <[email protected]>
fix comparison check Signed-off-by: Mateus Oliveira <[email protected]>
make update-non-admin-manifests Signed-off-by: Mateus Oliveira <[email protected]>
run make update-non-admin-manifests Signed-off-by: Mateus Oliveira <[email protected]>
mateusoliveira43
force-pushed
the
fix/enforce-non-admin-bckup-spec-field-values
branch
from
e170dec
to
9a7b12d
Compare
|
/unhold |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@mateusoliveira43: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Why the changes were made
Related to migtools/oadp-non-admin#37
This PR adds
EnforceBackupSpecto DPAspec.nonAdmin. With it, admin user can enforce that all NonAdminBackups created have the enforced spec fields with the values admin user configured.How to test the changes made
Follow install-from-source NAC testing documentation, pointing my NAC fork branch
fix/enforce-backup-spec-field-valuesand this branch.Test that:
spec.nonAdmin.enforceBackupSpec, NAC Pod recreates (for new enforcement to take effect)spec.nonAdmin.enforceBackupSpec, NAC Pod does not get recreatedspec.nonAdmin.enforceBackupSpec, NonAdminBackups fail validation if not respecting enforcement