-
Notifications
You must be signed in to change notification settings - Fork 392
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-33671, OCPBUGS-34079: fix secret canonicalization #4366
base: master
Are you sure you want to change the base?
OCPBUGS-33671, OCPBUGS-34079: fix secret canonicalization #4366
Conversation
@cheesesashimi: This pull request references Jira Issue OCPBUGS-33671, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Interesting corner case 🤔 Makes sense to me /hold for QE review if needed |
/jira refresh |
@djoshy: This pull request references Jira Issue OCPBUGS-33671, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
36eddc7
to
67429c5
Compare
@cheesesashimi: This pull request references Jira Issue OCPBUGS-34079, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
67429c5
to
e7d82d5
Compare
/test e2e-gcp-op-techpreview These test failures look transient in nature, retrying. |
/test e2e-hypershift |
@cheesesashimi: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
/test e2e-gcp-op-techpreview |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall makes sense to me! Couple of non-blocking questions
|
||
// Creates a canonicalized secret. | ||
func (ctrl *Controller) createCanonicalizedSecret(secret *corev1.Secret) (*corev1.Secret, error) { | ||
if err := validateCanonicalizedSecret(secret); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This call seems redundant as the calling function would have run validateCanonicalizedSecret()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be redundant, though I added it purely as a guard clause because there is no way to distinguish a non-canonicalized corev1.Secret
and a canonicalized one. In the future, introducing another type that represents canonicalized secrets might be a better way forward.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fair enough, that makes sense to me!
@@ -160,6 +160,8 @@ func TestCanonicalizePullSecret(t *testing.T) { | |||
|
|||
if testCase.expectCanonical { | |||
assert.Contains(t, out.Name, "canonical") | |||
assert.True(t, isCanonicalizedSecret(out)) | |||
assert.True(t, hasCanonicalizedSecretLabels(out)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar to earlier question, wouldn't isCanonicalizedSecret(out) check for labels too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would. Although in this case, since its a test, the added verbosity is nice as it explicitly validates this particular case.
// secret. | ||
assert.Contains(t, s.Name, canonicalSecretSuffix) | ||
assert.True(t, isCanonicalizedSecret(s)) | ||
assert.True(t, hasCanonicalizedSecretLabels(s)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Happy with Zack's answers, this sounds good to me. Thanks for working on this! /lgtm Holding for QE review: |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cheesesashimi, djoshy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/jira refresh |
@djoshy: This pull request references Jira Issue OCPBUGS-34079, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/jira refresh |
@djoshy: This pull request references Jira Issue OCPBUGS-34079, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
- What I did
If multiple MachineOSConfigs are created simultaneously (e.g., from multiple
YAML documents in the same file) and each of these MachineOSConfigs references
a legacy pull secret (that is, a pull secret that does not have a top-level
{"auths": {}}
key), only one of the MachineOSBuilds that gets created willactually get a status and begin building.
This is because multiple Goroutines will attempt to create a canonicalized
secret and only one will be able to. In the event that this occurs, the best
thing to do is to just fetch the secret and continue.
This PR also includes fixes for updating the canonicalized pull secrets. Basically, if a legacy-style pull secret is supplied and then changed, it would not be kept up-to-date. Instead, we now set a label which contains the name of the original pull secret and read the original pull secret to determine if an update is required.
- How to verify it
- Description for the changelog
Fix secret canonicalization in on-cluster layering