fix: API requests with single RM and recover from panic during unauthorized autocreate #9573
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## wksp-namespace-binding #9573 +/- ##
==========================================================
- Coverage 51.75% 51.75% -0.01%
==========================================================
Files 1255 1255
Lines 154074 154076 +2
Branches 3120 3120
==========================================================
- Hits 79747 79746 -1
- Misses 74172 74175 +3
Partials 155 155
71d5420 to 86f8657
LGTM
cd9b184 to 1ee0bbf
86f8657 to aee5f08
): | ||
auto_create_namespace = args.auto_create_namespace or args.auto_create_namespace_all_clusters | ||
set_namespace = args.namespace or auto_create_namespace | ||
if args.cluster_name and not set_namespace: |
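Review bot: on the `set_namespace = ...` line the variable ends up holding either the `--namespace` string or a boolean, and nothing in these lines rejects `--namespace` being passed together with one of the auto-create flags. Consider `set_namespace = bool(args.namespace) or auto_create_namespace` so the name matches the type, and an explicit error (or an argparse mutually exclusive group) for the conflicting combination if it is not already rejected elsewhere.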
I love this change; I think it's really easy to follow!
Nice work. It's easier to understand the intention!
@@ -18,7 +18,7 @@ metadata: | |||
release: {{ .Release.Name }} | |||
rules: | |||
- apiGroups: [""] | |||
resources: ["pods", "pods/status", "pods/log", "configmaps", "namespaces"] | |||
resources: ["pods", "pods/status", "pods/log", "configmaps"] |
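Review bot: with "namespaces" no longer in this rule's `resources` (taking the second `resources:` line as the new one), any namespace request the master makes under this service account will be refused by the Kubernetes API, so every caller has to handle that error instead of using a result that is not there. The verbs and the Role/ClusterRole kind are outside the hunk; it would help to document which extra RBAC grant namespace auto-creation needs, so operators add it deliberately rather than widening this rule again.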
I'm just curious - does this give master permission to create the resources in the list?
Yea! The pods in the master deployment running the master service are authorized as the specified service account when accessing the Kubernetes API and have the permissions granted to the service account in the helm release, among those permissions being the ability to CRUD the listed resources!
Oh, awesome - thanks!!
master/internal/api_workspace.go
Outdated
ClusterName: clusterName, | ||
Namespace: namespace, | ||
namespaceMetaWithAllClusterNames[newClusterName] = &workspacev1.WorkspaceNamespaceMeta{ | ||
ClusterName: clusterName, |
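Review bot: the map entry is keyed by `newClusterName` but its `ClusterName` field is set from `clusterName`, so a lookup by key can return metadata that names a different cluster. Set the field from the same variable as the key, and add a test asserting that each key equals its value's `ClusterName`.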
Should this be `newClusterName` instead of `clusterName` here? I guess I'm a little confused that there's a map where the key is `newClusterName` but the value has a field where `ClusterName = clusterName`.
Awesome catch! Yea it should be `newClusterName`. Thanks
LGTM!
Minor suggestion: this PR fixes a couple bugs right? Are there any tests we could add to help confirm the issues are fixed and to ensure they don't pop up again? (If not, that's fine. You know the work better than I do!)
675e5ee to 0022747
0022747 to 95a68f0
b4b1ed4 into wksp-namespace-binding
…orized autocreate (#9573)
Ticket
DET-10385, DET-10386
Description
This PR fixes the following issues:
Test Plan
Spin up a single RM kubernetes EE cluster to execute the test plan.
To test API requests for single RM, run the following commands and make sure that they work:
- `det w create ws1 --auto-create-namespace`
- `det w create ws2 && det w bindings set ws2 --namespace default`
- `det w create ws3 --namespace default`
- `det w create ws4 && det w bindings set ws4 --auto-create-namespace`
To test auto-create panic handled gracefully with an intuitive error message:
- `license.txt` and `public.txt` from your `determined` directory).
- `det w create ws10 --auto-create-namespace` and verify that we get an error saying that auto create is an EE-only feature
- `det w create ws11 && det w bindings set ws11 --auto-create-namespace` and verify that we get an error saying that auto create is an EE-only feature
To test namespace auto-creation with workspaces whose names don't match the accepted namespace regex pattern, run
- `det w create name,of_workspacE --auto-create-namespace` and verify that a Kubernetes namespace is successfully created
- `det w create ANOTHER,name,of_workspacE && det w bindings set ANOTHER,name,of_workspacE --auto-create-namespace` and verify that a Kubernetes namespace is successfully created
Checklist
`docs/release-notes/`
See Release Note for details.
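Kubernetes accepts a namespace name only if it is an RFC 1123 label (lowercase alphanumerics and `-`, alphanumeric at both ends, at most 63 characters), which is why the test plan above uses workspace names such as `name,of_workspacE`. One way to derive and validate such a name, as an added example that is not the project's own code; `NamespaceFor` is a hypothetical helper:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Kubernetes validates namespace names as RFC 1123 labels.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// Any run of characters outside the allowed set collapses to one '-'.
var invalidRun = regexp.MustCompile(`[^a-z0-9]+`)

const maxLabelLen = 63 // RFC 1123 label length limit

// NamespaceFor is a hypothetical helper (not Determined's implementation)
// that maps an arbitrary workspace name to a valid namespace name.
func NamespaceFor(workspace string) (string, error) {
	name := invalidRun.ReplaceAllString(strings.ToLower(workspace), "-")
	name = strings.Trim(name, "-") // must start and end alphanumeric
	if len(name) > maxLabelLen {
		// name is pure ASCII here, so byte slicing cannot split a rune.
		name = strings.TrimRight(name[:maxLabelLen], "-")
	}
	// Validate the result instead of trusting the transformation.
	if !dns1123Label.MatchString(name) {
		return "", fmt.Errorf("workspace %q yields no valid namespace name", workspace)
	}
	return name, nil
}

func main() {
	// Constructed sample inputs; the first two are the names in the test plan.
	for _, ws := range []string{"name,of_workspacE", "ANOTHER,name,of_workspacE", "___"} {
		ns, err := NamespaceFor(ws)
		fmt.Printf("%q -> %q (err: %v)\n", ws, ns, err)
	}
}
```

Distinct workspace names such as `a,b` and `a_b` normalise to the same value, so a caller that must keep workspaces in separate namespaces needs a uniqueness suffix or an existence check before creating one.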