Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP 🌱 Syncer: Cleanup of DNS-related resources #2455

Closed
wants to merge 15 commits into from
Closed

WIP 🌱 Syncer: Cleanup of DNS-related resources #2455

wants to merge 15 commits into from

Conversation

davidfestal
Copy link
Member

@davidfestal davidfestal commented Dec 6, 2022
edited
Loading

Summary

Cleanup of DNS-related resources when no more downstream namespaces exist for a given upstream workspace.

Disclaimer:

Related issue(s)

Fixes kcp-dev/contrib-tmc#80

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 6, 2022
@davidfestal davidfestal changed the title 🌱 Syncer: Cleanup of DNS-related resources WIP 🌱 Syncer: Cleanup of DNS-related resources Dec 6, 2022
@openshift-ci openshift-ci bot requested review from jmprusi and ncdc December 6, 2022 19:28
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 6, 2022
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 6, 2022
@stevekuznetsov
Copy link
Contributor

Can we do this with actual garbage collection and owner refs?

@lionelvillard
Copy link
Contributor

Can we do this with actual garbage collection and owner refs?

I think yes. Namespaced dependents can have cluster-scoped owners (Namespaces in this case).

@davidfestal davidfestal force-pushed the fix-2358 branch 3 times, most recently from baa9643 to 5cd2ce4 Compare December 7, 2022 11:02
@davidfestal
Copy link
Member Author

Can we do this with actual garbage collection and owner refs?

I think yes. Namespaced dependents can have cluster-scoped owners (Namespaces in this case).

Not sure about how you would use garbage collection in the specific case.
Do you mean that every DNS-related resource for a given KCP workspace should have as many owner references as the number of downstream namespaces originating from the given KCP workspace ?

In order to do this, in the EnsureDNSUpAndReady function we would need to:

  • check that every DNS-related resource has the namespace of the currently-synced resource in its owner refs,
  • update every DNS-related resource if necessary to add the namespace owner ref.
    This would be required during every resource sync. I'd rather do more work during cleanup, and keep the resource syncing main reconciliation loop as quick as possible.

Then I assume that the DNS-related resources deletion would be triggered by cascading deletion when all the namespaces related to the given KCP workspace would be deleted. However we wouldn't control when this cleaning would happen, which would make it hard to synchronize this cleaning with the on-the-fly creation of those DNS-related resources when they are necessary (in the EnsureDNSUpAndReady function). Such a synchronization is for now still missing from this PR, but might be necessary and should be thought of.

Last point: when we start implementing the network isolation through NetworkPolicies on the physical cluster, we will need this concept of KCP tenant on downstream (== a originating KCP workspace + related SyncTarget). That seemed quite natural to use it here as well.

So, unless I'm missing something, applying the standard Kubernetes garbage collection and owner refs mechanism here is not as simple as it may seem, and may bring more slowness and complexity.

Let me finally just point to a previous PR comment answer to remind that we are not in the standard Kubernetes case, because everything downstream is finally driven by the individual resources synced from upstream.

@davidfestal
Copy link
Member Author

/test e2e-sharded

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 10, 2022
@ncdc ncdc added the area/transparent-multi-cluster Related to scheduling of workloads into pclusters. label Jan 4, 2023
@ncdc
Copy link
Member

ncdc commented Feb 22, 2023

@davidfestal are you still interested in moving forward with this?

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 1, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 10, 2023
@davidfestal
Copy link
Member Author

/hold

on hold until PR #2675 is merged.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2023
@davidfestal
Fix review comments
4dcade3 
Signed-off-by: David Festal <[email protected]>
@davidfestal
Using our controller pattern with the committer
b648f4a 
Signed-off-by: David Festal <[email protected]>
@davidfestal
SpecSyncers for upstream and downstream
bd8cfe8 
...

Signed-off-by: David Festal <[email protected]>
@davidfestal
disable service account lookup...
9888336 
... only temporary, before we implement
Syncer service account replication.

Signed-off-by: David Festal <[email protected]>
@davidfestal
Correctly manage unavailable shard URLs
6ec4415 
Signed-off-by: David Festal <[email protected]>
@davidfestal
Multishard Syncer e2e test
f9a5104 
Signed-off-by: David Festal <[email protected]>
@davidfestal
Fix review comment about async controller start
108d93e 
Signed-off-by: David Festal <[email protected]>
@davidfestal
Use 2 distinct shards
1329ae7 
Signed-off-by: David Festal <[email protected]>
@openshift-ci openshift-ci bot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Apr 6, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Apr 6, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ncdc for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 6, 2023
@davidfestal
Copy link
Member Author

/hold

Wait until PRs #2675 and #2946 are merged.

@davidfestal
Syncer: Tenant cleaner...
4dbe261 
... When no more namespaces exist for a given KCP workspace
(== a tenant on the physical cluster side), then
cleanup the related DNS resources
with some delay of course.

Signed-off-by: David Festal <[email protected]>
@kcp-ci-bot kcp-ci-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 7, 2023
@kcp-ci-bot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kcp-ci-bot
Copy link
Contributor

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kcp-ci-bot kcp-ci-bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Nov 23, 2023
@ncdc ncdc removed their request for review January 29, 2024 17:40
@mjudeikis
Copy link
Contributor

/close
TMC

@kcp-ci-bot kcp-ci-bot closed this Mar 25, 2024
@kcp-ci-bot
Copy link
Contributor

@mjudeikis: Closed this PR.

In response to this:

/close
TMC

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mjudeikis mjudeikis mentioned this pull request Mar 25, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lionelvillard lionelvillard lionelvillard left review comments

@jmprusi jmprusi Awaiting requested review from jmprusi

Assignees
No one assigned
Labels
area/transparent-multi-cluster Related to scheduling of workloads into pclusters. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DNS objects should be garbage collected when their workspace is "deleted"
7 participants
@davidfestal @stevekuznetsov @lionelvillard @ncdc @kcp-ci-bot @mjudeikis @openshift-merge-robot