fix(labels): do not remove user added labels from Deployment's spec.template #243
Conversation
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
from
beccb69 to
dce2d8f
Compare
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
from
dce2d8f to
a3ebcd3
Compare
|
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #243 +/- ##
==========================================
+ Coverage 53.40% 53.48% +0.07%
==========================================
Files 10 10
Lines 1380 1408 +28
==========================================
+ Hits 737 753 +16
- Misses 587 596 +9
- Partials 56 59 +3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
laurafitzgerald
changed the title
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
5 times, most recently
from
f003c58 to
37ae902
Compare
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
from
37ae902 to
6420a79
Compare
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
2 times, most recently
from
eb778eb to
388da4c
Compare
controllers/authorino_controller.go
Outdated
| logger.V(1).Info("existingDeployment", "deployment", existingDeployment) | ||
| // merge existing key/value pairs back into the desiredDeployment Spec Template Labels so as not to overwrite those. | ||
| for existingKey, existingValue := range existingDeployment.Spec.Template.Labels { | ||
| if desiredValue, exists := (desiredDeployment.Spec.Template.Labels)[existingKey]; !exists || desiredValue != existingValue { |
There was a problem hiding this comment.
Do we need this condition? Can't we just iterate over existing and set them all into desired?
There was a problem hiding this comment.
yes, the idea was to not overwrite the desired hardcode values, but due to the fact that k8s api rejects a change to those hard coded ones because they wouldn't match the unmuatable selector.MatchLabels which are all set at creation time, i think it's safe to remove this.
pkg/resources/k8s_deployment.go
Outdated
| objMeta := getObjectMeta(namespace, name, labels) | ||
| authorinoLabels := labelsForAuthorino(name) | ||
| func GetDeployment(name, namespace, saName string, replicas *int32, containers []k8score.Container, vol []k8score.Volume) *k8sapps.Deployment { | ||
| authorinoLabels := defaultAuthorinoLabels(name) |
There was a problem hiding this comment.
There is an issue that was there before this PR, and your PR brought it to the surface. You cannot use the same map to populate metadata.labels, spec.selector and template.metadata.labels. Because maps are references, all those would share (are sharing now actually) the same map, so you change one of them and "magically" all of them are changed at the same time. And spec.selector cannot be changed, hence k8s API server complained.
Build custom maps for each field so they can be safely be updated independently.
There was a problem hiding this comment.
Nice catch. I'll add some additional testing as well to cover this.
There was a problem hiding this comment.
Nice catch, @eguzki! Also, if the selector cannot change, we need to make sure they override the labels for the template after the modification made by the user. I.e., users can add other labels, they can even change existing ones, as long as those labels are not used in the selector. Right?
There was a problem hiding this comment.
if they try to edit the existing values, which have a matching key in the selector, the k8s api will reject that change. i saw it happen in a test where i tried to update that to a bad value. the api rejected the call with error type filevalueinvalid selector does not match template labels on field spec.template.metadata.labels
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
from
388da4c to
1c70554
Compare
Verification Steps
kind create cluster --name authorino-local
make docker-build OPERATOR_IMAGE=quay.io/kuadrant/authorino-operator:eguzki-custom-build-01
make docker-push OPERATOR_IMAGE=quay.io/kuadrant/authorino-operator:eguzki-custom-build-01
make install OPERATOR_IMAGE=quay.io/kuadrant/authorino-operator:eguzki-custom-build-01
make deploy OPERATOR_IMAGE=quay.io/kuadrant/authorino-operator:eguzki-custom-build-01
k create namespace authorino
k apply -n authorino -f - <<EOF
apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
name: authorino
spec:
listener:
tls:
enabled: false
oidcServer:
tls:
enabled: false
EOF
The result should be the hardcoded ones
kubectl patch deployment -n authorino authorino --type merge --patch '{"spec": {"template": {"metadata": {"labels": {"sidecar.istio.io/inject": "true"}}}}}'
k get pods -n authorino -l authorino-resource=authorino -o yaml | yq e '.items[0].metadata.labels'It should return
Check that authorino operator env var has been updated: The new image should be there: Check that authorino instance is running from the new image: The new image should be: Check that the new authorino instance still has the user defined labels k get pods -n authorino -l authorino-resource=authorino -o yaml | yq e '.items[0].metadata.labels'It should return
kind delete cluster --name authorino-local |
|
@laurafitzgerald - I don't have full context, but am I understanding correctly that this does not propagate labels set on the Authorino CR as was proposed in the original #236? |
You are correct. The user needs to add the labels to deployment pod template. I would also have done the label propagation. 1) Because the user interface is the CR and 2) the deployment of authorino is owned by the operator and should not be updated externally. On the community call, it was decided to do the way this PR implements because if done in the CR, it needs to be decided where to propagate the labels: i.e. to the deployment labels?, pod template labels? services? configmaps? I will keep pushing to have labels propagated from the authorino CR ;) |
Correct. This change allows the user to add the label themselves manually or via some automation. We have spoken with some users (including @bartoszmajsak who opened 236) who are looking for this change who are fine with that. As @eguzki mentioned, we decided to not propagate the labels everywhere for now because the label may have unintended consequences on some of the other k8s resources. This may happen in the future or alternatively there may be some option added in the spec of the cr to do that. For now this change allows the users to add the required label and authorino-operator wont remove it. Please let us know if this does not satisfy your needs. |
@eguzki |
Please help me walk thro some scenarios:
|
There was a problem hiding this comment.
This looks good to me anyway 👍 I'll leave the approval to @eguzki
When we do the next release of authorino operator containing this change, it's probably a good idea to put in the release notes that this change also removes propagating Authorino CR labels to the authorino deployment. While this feature was not advertised in our docs, it's a behaviour change for existing users, so I think it would be good to note this 📝
Yes, correct to this point. I believe you were attempting this via https://github.com/opendatahub-io/opendatahub-operator/pull/1490/files
|
|
@laurafitzgerald @eguzki @guicassolato in terms of (longer term) requirements, I would say our real need is a declarative API to indicate that we want the Authorino deployment to be part of a service mesh (with options to specify which mesh: OSSM, vanilla Istio etc) , so making that an explicit (optional) config in the Authorino CR would be ideal, instead of the indirect label based approach. IMHO its reasonable to expect this as part of the API given Authorino is going be commonly used with envoy based service meshes. |
@lphiri, I see it differently actually. Authorino does not know anything about the client that connects to it. It can be integrated from an Envoy-based proxy, but also from pretty much anything else. It doesn't know it's a gateway, a mesh proxy, Kube's API server (we also have written use cases for this), a client app directly, or anything at all. And I think it should remain ignorant about it. If we want to support propagating a label from the Authorino CR, it should be a generic label, but nothing specific about mesh or sidecar injection. I think the reason why this propagation was kept out of the initial design was because we want to be very surgical about which exact internal objects we propagate the labels to (Service, Deployment, Pod, etc). I hope we can incorporate this second part in a future PR. |
|
@guicassolato I see. That perspective also makes sense. |
|
I agree with @guicassolato. IMHO the implementation details of adding one service (like authorino) to an specific service mesh provider do not belong to the responsibilities of the Authorino Operator. That being said, I have seen worse things, so I would not be against adding some integration between authorino and Istio specifically, something like |
There was a problem hiding this comment.
Changes looks good to me. Before approving, I would like to clarify that we are all ok with removing the label propagation from the Authorino CR to the deployment object (not the deployment pod template field) as pointed out correctly by @KevFan
If we are ok with that, LGTM
Verification steps worked 🟢
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
from
1c70554 to
4ef94c9
Compare
…c.template PR #91 brought the ability to propagate labels defined for Authorino CR down to Deployment. There was some discussion to have those labels propagated to template and therefore pods which are which are part of the deployment. However, for now we decided to add this change which adds the ability for a user added label to not be overwritten by the authorino-operator Signed-off-by: Laura Fitzgerald <[email protected]> Co-authored-by: bartoszmajsak <[email protected]>
laurafitzgerald
force-pushed
the
label-propagation-fix
branch
from
4ef94c9 to
63bac01
Compare
PR #91 brought the ability to propagate labels defined for Authorino CR down to Deployment. However, more often than not, it's more desired to have those labels propagated to template and therefore pods which are part of the deployment. This can simplify e.g. making Authorino part of service mesh, as injection label can be consistently added to relevant resources.
When creating the deployment, instead of having fixed set of labels for Deployment'sspec.templateand objectmeta.lables this change appends Authorino CR labels as well.EDIT: This change will now allow the ability to add a label via your chosen mechanism to the deployment.spec.template.labels without being overwritten by the operator.
As per discussion at https://groups.google.com/a/redhat.com/g/kuadrant-dev/c/rbsY4kDaSnE
Closes #239
Replaces #236