-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reconcile Sub Component Authorino CR #393
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #393 +/- ##
===========================================
- Coverage 80.20% 69.26% -10.94%
===========================================
Files 64 77 +13
Lines 4492 5968 +1476
===========================================
+ Hits 3603 4134 +531
- Misses 600 1512 +912
- Partials 289 322 +33
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Enabled: &tmpFalse, | ||
authorinoKey := client.ObjectKey{Name: common.AuthorinoName, Namespace: kObj.Namespace} | ||
authorino := &authorinov1beta1.Authorino{} | ||
err := r.Client().Get(ctx, authorinoKey, authorino) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious, do we have to do this Get? can't we generate the desired authorino CR using a default with values overridden by those set in kObj and let the mutator do the get/update on only the allowed fields?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question. This has to do with not overriding exist user settings if they are not defined in the kuadrant CR. An example is, the user has set the number of replicas in the Authorino CR before this feature was released. We do not want to over ride these existing setting. If we don't do the Get your questioning, the mutator function will always say there is a difference between the desired and existing. It may be possible to do all this work inside the mutator function but that would meant the desired configuration being past in would not be the whole truth as the mutator function would be able to change the desired configuration on the fly.
I believe it is better to pass the correct desired configuration to the mutator function, over allowing the mutator change the desired configuration on the fly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aha I see makes sense thanks, precedence is kuadrant CR > existing settings > defaults and it avoids defaults overriding existing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd say we don't need to worry about rolling out changes that override user-defined configs in the Authorino and Limitador CR, especially now that those can be set at the level of the Kuadrant CR.
IMO, the controller should compute the desired state and rely on the ReconcileResource
function (which dry-runs the command once to consider occasional modifications performed at the level of the API server.) Except for the differences enforced by the API server, the state computed by the controller should win over preexisting ones.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry @guicassolato, I have to strongly disagree with you on this. If the user has configuration in the Authorino or Limitador CR, blank values in the Kuadrant CR should not override those values. Because if it does how does the user upgrade without bring down their service? That would be a breaking change to the Users API without any deprecation notice. I know currently today we do not have good support for upgrades but that does not mean we should break customers stuff if it can be avoided.
This behaviour follows what was outlined in the RFC. If this is unwanted behaviour a deprecation notice should be give and the behaviour removed in a later version allow user time to migrate their custom configurations from the sub components CRs to the Kuadrant CR.
For clarity, this only applies to fields the user is currently allow configure. If the Kuadrant operator requires a field to be Y after this change that field will still be Y.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels like what you're proposing inverts the relation between controller and controlled resources, IMO – in contrast to API Server >>> Controller >>> Controlled resources.
E.g., should we apply the same policy to Authorino AuthConfigs? One manually sets a field in a AuthConfig resource that is omitted in the AuthPolicy. Should the controller override what's in the AuthConfig or should it honour it? IMO, it should override because, in this case, the AuthPolicy is the API, not the AuthConfig. Similarly, the Kuadrant CRD is the API, not the Authorino one, nor Limitador.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know see what you are getting at. Would you class this as a breaking change then? I would, if the user upgrades to the version here any setting that can now be configured in the Kuadrant CR would override any of the configuration in the sub component CRs. That would be introducing a breaking change without any deprecation notice and no way for the user to upgrade without bring down their service.
I would be happy if this change was added in and a deprecation notice give to say that in the future configuration of in sub components would be removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you're right. What I'm proposing would be a breaking change for the end-user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkg/kuadranttools/authorino_tools.go
Outdated
return false, fmt.Errorf("existingObj %T is not a *authorinoauthorinov1beta1.Authorino", existingObj) | ||
} | ||
desired, ok := desiredObj.(*authorinov1beta1.Authorino) | ||
if !ok { | ||
return false, fmt.Errorf("desiredObj %T is not a *authorinoauthorinov1beta1.Authorino", desiredObj) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit typo in log:
return false, fmt.Errorf("existingObj %T is not a *authorinoauthorinov1beta1.Authorino", existingObj) | |
} | |
desired, ok := desiredObj.(*authorinov1beta1.Authorino) | |
if !ok { | |
return false, fmt.Errorf("desiredObj %T is not a *authorinoauthorinov1beta1.Authorino", desiredObj) | |
return false, fmt.Errorf("existingObj %T is not a *authorinov1beta1.Authorino", existingObj) | |
} | |
desired, ok := desiredObj.(*authorinov1beta1.Authorino) | |
if !ok { | |
return false, fmt.Errorf("desiredObj %T is not a *authorinov1beta1.Authorino", desiredObj) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Going to blame copy and paste. Will fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall the changes here look good - just a couple things:
- Do you think we should add an integration test where kuadrant CR has some authorino spec values applied?
- I'm wondering if we should document the behaviour where items removed from the spec do not result in defaults in the authorino CR. I understand this behaviour is to avoid overriding existing settings but if I'm a new user of Kuadrant and all I want is to set my authorino settings through the Kuadrant CR I would find this confusing - I deploy with defaults and then override them and then remove the setting and I don't end up with defaults again.
controllers/kuadrant_controller.go
Outdated
authorino := &authorinov1beta1.Authorino{} | ||
err := r.Client().Get(ctx, authorinoKey, authorino) | ||
if err != nil { | ||
if apierrors.IsNotFound(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe get rid of the else clause.
if apierrors.IsNotFound(err) { | |
if !apierrors.IsNotFound(err) { | |
return err | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ya I can make this change. Personal I don't like negative conditionals and my natural instinct is not to use them.
controllers/kuadrant_controller.go
Outdated
}, | ||
}, | ||
Spec: authorinov1beta1.AuthorinoSpec{ | ||
ClusterWide: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There aren't many use cases for allowing multiple cluster-wide instances and yet do not to expose authConfigLabelSelectors
. I can think of some, but in general it's not recommended.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was part of the existing configuration. I made the assumption that the existing configuration was correct.
controllers/kuadrant_controller.go
Outdated
SupersedingHostSubsets: true, | ||
Listener: authorinov1beta1.Listener{ | ||
Tls: authorinov1beta1.Tls{ | ||
Enabled: &tmpFalse, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can use ptr.To
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was part of the existing code. Happy to make the change as there are a few other changes needed.
2863177
to
ec7edf2
Compare
ec7edf2
to
e57a091
Compare
77926e7
to
401de53
Compare
@@ -19,6 +19,7 @@ package v1beta1 | |||
import ( | |||
"github.com/go-logr/logr" | |||
"github.com/google/go-cmp/cmp" | |||
authorinov1beta1 "github.com/kuadrant/authorino-operator/api/v1beta1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's make sure we use the latest version of the Authorino
API here: #561
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once that PR is merged I will make sure to rebase to include it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Merged
| **Field** | **Type** | **Required** | **Description** | | ||
|-----------|----------|:------------:|-----------------------------------------------------------------------------------------------------| | ||
| endpoint | String | Yes | Full endpoint of the OpenTelemetry tracing collector service (e.g. http://jaegar:14268/api/traces). | | ||
| tags | Map | No | Key-value map of fixed tags to add to all OpenTelemetry traces emitted by Authorino. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ref. #393 (comment)
The latest version of the Authorino
API shall include another field here, insecure
.
2f3b6f3
to
a42aeec
Compare
3885190
to
a7eb7fc
Compare
@Boomatang @guicassolato @adam-cattermole what is the story with this PR is it still relevant or should we close it? |
Rebase to main
If the use sets any value for authorino in the Kuadrant CR all fields that can be managed are managed. This still does allow the user to set fields in the authorino CR that are out of scope of the Kuadrant CR.
a7eb7fc
to
eb909a5
Compare
Yes @maleck13, I do feel that this work is still relevant, it is part of the RFC006. After me being out sick for two months priorities shifted and this work did get left behind a bit. It is now harder to get reviews on the work. If it is decide that this work is not relevant any more then it would make sense for the RFC to be removed and the existing work done around the limitador CR to be reverted. |
Changes in RFC design means that will not be the final approach |
Part of: #307
RFC: https://github.com/Kuadrant/architecture/blob/main/rfcs/0006-kuadrant_sub_components_configurations.md
These changes allow a user to configure settings in the Authorino CR from the Kuadrant CR.
Verification
make local-setup
.kubectl apply -f https://raw.githubusercontent.com/Boomatang/k8s_configs/kuadrant-operator-PR393/manifest/kuadrant_spec_authorino.yaml