From 4a11ced6657754731dcac5c5ef976a5528ab362f Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Fri, 22 Nov 2024 16:15:44 +0100 Subject: [PATCH 01/11] Fix in the comparison, and added fetching shoot to minimize runtime recreation --- hack/runtime-migrator/cmd/migration.go | 38 +++++++++++++++++++--- hack/shoot-comparator/pkg/shoot/matcher.go | 1 + 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index 263d38ef..94f82905 100644 --- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go @@ -4,6 +4,7 @@ import ( "context" "fmt" "github.com/pkg/errors" + k8serrors "k8s.io/apimachinery/pkg/api/errors" "log/slog" "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -84,9 +85,14 @@ func (m Migration) Do(ctx context.Context, runtimeIDs []string) error { } run := func(runtimeID string) { - shoot := findShoot(runtimeID, shootList) - if shoot == nil { - reportError(runtimeID, "", "Failed to find shoot", errors.New("no shoot with given runtimeID found")) + shoot, err := m.fetchShoot(ctx, shootList, m.shootClient, runtimeID) + if err != nil { + reportError(runtimeID, "", "Failed to fetch shoot", err) + return + } + + if shootIsBeingDeleted(shoot) { + reportError(runtimeID, shoot.Name, "Runtime is being deleted", nil) return } 
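Review bot: The new `shootIsBeingDeleted` branch in `run` calls `reportError(runtimeID, shoot.Name, "Runtime is being deleted", nil)` with a nil error, and `reportError` is defined outside this hunk, so whether it tolerates nil cannot be confirmed from here. If it formats or unwraps the error, as the `message: error` lines in the README output suggest, pass a real value instead, for example `reportError(runtimeID, shoot.Name, "Runtime is being deleted", errors.New("shoot has a deletion timestamp"))`. The closure body continues past the end of the hunk.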
@@ -158,15 +164,39 @@ main: return nil } -func findShoot(runtimeID string, shootList *v1beta1.ShootList) *v1beta1.Shoot { +func getShoot(runtimeID string, shootList *v1beta1.ShootList) *v1beta1.Shoot { for _, shoot := range shootList.Items { if shoot.Annotations[runtimeIDAnnotation] == runtimeID { return &shoot } } + return nil } +func (m Migration) fetchShoot(ctx context.Context, shootList *v1beta1.ShootList, shootClient gardener_types.ShootInterface, runtimeID string) (*v1beta1.Shoot, error) { + shoot := getShoot(runtimeID, shootList) + if shoot == nil { + return nil, errors.New("shoot was deleted or the runtime ID is incorrect") + } + + // We are fetching the shoot from the gardener to make sure the runtime didn't get deleted during the migration process + refreshedShoot, err := m.shootClient.Get(ctx, shoot.Name, v1.GetOptions{}) + if err != nil { + if k8serrors.IsNotFound(err) { + return nil, errors.New("shoot was deleted") + } + + return nil, err + } + + return refreshedShoot, nil +} + +func shootIsBeingDeleted(shoot *v1beta1.Shoot) bool { + return !shoot.DeletionTimestamp.IsZero() +} + func (m Migration) applyRuntimeCR(runtime runtimev1.Runtime) error { // TODO: This method covers create scenario only, we should implement update as well return m.kcpClient.Create(context.Background(), &runtime) diff --git a/hack/shoot-comparator/pkg/shoot/matcher.go b/hack/shoot-comparator/pkg/shoot/matcher.go index 6bc61c0a..e90105df 100644 --- a/hack/shoot-comparator/pkg/shoot/matcher.go +++ b/hack/shoot-comparator/pkg/shoot/matcher.go @@ -351,6 +351,7 @@ func newKubeAPIServerMatcher(k v1beta1.Kubernetes) types.GomegaMatcher { "DefaultUnreachableTolerationSeconds": gstruct.Ignore(), "EncryptionConfig": gstruct.Ignore(), "StructuredAuthentication": gstruct.Ignore(), + "StructuredAuthorization": gstruct.Ignore(), }, )) } From c7f22d8136e713611eec79644620ceb427db1882 Mon Sep 17 00:00:00 2001 
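Review bot: The `shootClient` parameter of `fetchShoot` is never read; the body calls `m.shootClient.Get(...)`, so the argument passed from `Do` is dead. Either drop it, `func (m Migration) fetchShoot(ctx context.Context, shootList *v1beta1.ShootList, runtimeID string) (*v1beta1.Shoot, error)`, or use the parameter in place of the receiver field. The refreshed shoot is looked up by name only, so it may be worth checking `refreshedShoot.Annotations[runtimeIDAnnotation] == runtimeID` before returning it, in case the name was reused between the list and the get. A short doc comment stating that the function returns an error both when the shoot is missing from the list and when Gardener reports it as not found would also help callers.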
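Review bot: The added `"StructuredAuthorization": gstruct.Ignore()` entry in `newKubeAPIServerMatcher` means the comparator will not report a difference in the API server's structured authorization settings between two shoots, and nothing in the hunk says why that is acceptable. Because the field governs authorization, a one-line comment next to the entry stating the actual reason would help, in the form `// StructuredAuthorization is ignored because <reason>`. The function starts before this hunk, so the rationale for the neighbouring ignored fields is not visible here either.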
From: Arkadiusz Galwas Date: Fri, 22 Nov 2024 17:18:55 +0100 Subject: [PATCH 02/11] Readme updated --- hack/runtime-migrator/README.md | 60 +++++++++++++------------- hack/runtime-migrator/cmd/migration.go | 5 +-- 2 files changed, 32 insertions(+), 33 deletions(-) diff --git a/hack/runtime-migrator/README.md b/hack/runtime-migrator/README.md index f0874ba4..84fafe7f 100644 --- a/hack/runtime-migrator/README.md +++ b/hack/runtime-migrator/README.md 
@@ -54,29 +54,29 @@ cat ./runtime-migrator \ ### Output example ``` -2024/11/21 14:53:24 INFO Starting runtime-migrator -2024/11/21 14:53:24 gardener-kubeconfig-path: /Users/myuser/gardener-kubeconfig.yml -2024/11/21 14:53:24 kcp-kubeconfig-path: /Users/myuser/kcp-kubeconfig.yml -2024/11/21 14:53:24 gardener-project-name: kyma-stage -2024/11/21 14:53:24 output-path: /tmp/ -2024/11/21 14:53:24 dry-run: true -2024/11/21 14:53:24 input-type: txt -2024/11/21 14:53:24 input-file-path: /Users/myuser/migrator-input/runtimeIds.txt -2024/11/21 14:53:24 -2024/11/21 14:53:24 INFO Migrating runtimes -2024/11/21 14:53:24 INFO Reading runtimeIds from input file -2024/11/21 14:53:29 INFO Runtime processed successfully runtimeID=1df09b5b-0347-459d-aa0a-715db8fcaad7 -2024/11/21 14:53:32 INFO Runtime processed successfully runtimeID=ea439a5e-aa59-4e3e-8bfb-9bab1b31371e -2024/11/21 14:53:33 INFO Runtime processed successfully runtimeID=d6eeafee-ffd5-4f23-97dc-a1df197b3b30 -2024/11/21 14:53:37 WARN Runtime CR can cause unwanted update in Gardener runtimeID=99a38a99-e8d7-4b98-a6f2-5a54ed389c4d -2024/11/21 14:53:37 ERROR Failed to find shoot: no shoot with given runtimeID found runtimeID=0a61a3c4-0ea8-4e39-860a-7853f0b6d180 -2024/11/21 14:53:40 ERROR Failed to verify runtime runtimeID=6daf5f59-b0ab-44af-bb8e-7735fd609449 -2024/11/21 14:53:40 INFO Migration completed. 
Successfully migrated runtimes: 3, Failed migrations: 2, Differences detected: 1 -2024/11/21 14:53:40 INFO Migration results saved in: /tmp/migration-2024-11-21T14:53:24+01:00/migration-results.json +2024/11/22 17:05:28 INFO Starting runtime-migrator +2024/11/22 17:05:28 gardener-kubeconfig-path: /Users/i326211/Downloads/kubeconfig-garden-kyma-stage.yaml +2024/11/22 17:05:28 kcp-kubeconfig-path: /Users/i326211/dev/config/sap +2024/11/22 17:05:28 gardener-project-name: kyma-stage +2024/11/22 17:05:28 output-path: /tmp/ +2024/11/22 17:05:28 dry-run: true +2024/11/22 17:05:28 input-type: txt +2024/11/22 17:05:28 input-file-path: /Users/i326211/dev/source/infrastructure-manager/hack/runtime-migrator/input/runtimes-stage-docs.txt +2024/11/22 17:05:28 +2024/11/22 17:05:33 INFO Migrating runtimes +2024/11/22 17:05:33 INFO Reading runtimeIds from input file +2024/11/22 17:05:43 INFO Runtime processed successfully runtimeID=1df09b5b-0347-459d-aa0a-715db8fcaad7 +2024/11/22 17:05:45 INFO Runtime processed successfully runtimeID=ea439a5e-aa59-4e3e-8bfb-9bab1b31371e +2024/11/22 17:05:49 INFO Runtime processed successfully runtimeID=d6eeafee-ffd5-4f23-97dc-a1df197b3b30 +2024/11/22 17:05:52 WARN Runtime CR can cause unwanted update in Gardener runtimeID=99a38a99-e8d7-4b98-a6f2-5a54ed389c4d +2024/11/22 17:05:52 ERROR Failed to fetch shoot: shoot was deleted or the runtime ID is incorrect runtimeID=0a61a3c4-0ea8-4e39-860a-7853f0b6d180 +2024/11/22 17:05:55 ERROR Failed to verify runtime runtimeID=6daf5f59-b0ab-44af-bb8e-7735fd609449 +2024/11/22 17:05:55 INFO Migration completed. Successfully migrated runtimes: 3, Failed migrations: 2, Differences detected: 1 +2024/11/22 17:05:55 INFO Migration results saved in: /tmp/migration-2024-11-22T17:05:33+01:00/migration-results.json ``` -The migration results are saved in the `/tmp/migration-2024-11-21T14:53:24+01:00/migration-results.json` file. 
-The runtime custom resources are saved in the `/tmp/migration-2024-11-21T14:53:24+01:00/runtimes` directory. +The migration results are saved in the `/tmp/migration-2024-11-22T17:05:33+01:00/migration-results.json` file. +The runtime custom resources are saved in the `/tmp/migration-2024-11-22T17:05:33+01:00/runtimes` directory. The `migration-results.json` file contains the following content: ```json 
@@ -85,40 +85,40 @@ The `migration-results.json` file contains the following content: "runtimeId": "1df09b5b-0347-459d-aa0a-715db8fcaad7", "shootName": "c-1228ddd", "status": "Success", - "runtimeCRFilePath": "/tmp/migration-2024-11-21T14:53:24+01:00/runtimes/1df09b5b-0347-459d-aa0a-715db8fcaad7.yaml" + "runtimeCRFilePath": "/tmp/migration-2024-11-22T17:05:33+01:00/runtimes/1df09b5b-0347-459d-aa0a-715db8fcaad7.yaml" }, { "runtimeId": "ea439a5e-aa59-4e3e-8bfb-9bab1b31371e", "shootName": "c3a59d5", "status": "Success", - "runtimeCRFilePath": "/tmp/migration-2024-11-21T14:53:24+01:00/runtimes/ea439a5e-aa59-4e3e-8bfb-9bab1b31371e.yaml" + "runtimeCRFilePath": "/tmp/migration-2024-11-22T17:05:33+01:00/runtimes/ea439a5e-aa59-4e3e-8bfb-9bab1b31371e.yaml" }, { "runtimeId": "d6eeafee-ffd5-4f23-97dc-a1df197b3b30", "shootName": "c141da7", "status": "Success", - "runtimeCRFilePath": "/tmp/migration-2024-11-21T14:53:24+01:00/runtimes/d6eeafee-ffd5-4f23-97dc-a1df197b3b30.yaml" + "runtimeCRFilePath": "/tmp/migration-2024-11-22T17:05:33+01:00/runtimes/d6eeafee-ffd5-4f23-97dc-a1df197b3b30.yaml" }, { "runtimeId": "99a38a99-e8d7-4b98-a6f2-5a54ed389c4d", "shootName": "c-71da0f2", "status": "ValidationDetectedUnwantedUpdate", - "errorMessage": "Runtime may cause unwanted update in Gardener", - "runtimeCRFilePath": "/tmp/migration-2024-11-21T14:53:24+01:00/runtimes/99a38a99-e8d7-4b98-a6f2-5a54ed389c4d.yaml", - "comparisonResultDirPath": "/tmp/migration-2024-11-21T14:53:24+01:00/comparison-results/99a38a99-e8d7-4b98-a6f2-5a54ed389c4d" + "errorMessage": "Runtime may cause unwanted update in Gardener. 
Please verify the runtime CR.", + "runtimeCRFilePath": "/tmp/migration-2024-11-22T17:05:33+01:00/runtimes/99a38a99-e8d7-4b98-a6f2-5a54ed389c4d.yaml", + "comparisonResultDirPath": "/tmp/migration-2024-11-22T17:05:33+01:00/comparison-results/99a38a99-e8d7-4b98-a6f2-5a54ed389c4d" }, { "runtimeId": "0a61a3c4-0ea8-4e39-860a-7853f0b6d180", "shootName": "", "status": "Error", - "errorMessage": "Failed to find shoot: no shoot with given runtimeID found" + "errorMessage": "Failed to fetch shoot: shoot was deleted or the runtime ID is incorrect" }, { "runtimeId": "6daf5f59-b0ab-44af-bb8e-7735fd609449", "shootName": "c-1f810d0", "status": "ValidationError", "errorMessage": "Failed to verify runtime: audit logs configuration not found: missing region: 'australiaeast' for providerType: 'azure'", - "runtimeCRFilePath": "/tmp/migration-2024-11-21T14:53:24+01:00/runtimes/6daf5f59-b0ab-44af-bb8e-7735fd609449.yaml" + "runtimeCRFilePath": "/tmp/migration-2024-11-22T17:05:33+01:00/runtimes/6daf5f59-b0ab-44af-bb8e-7735fd609449.yaml" } ] 
@@ -126,7 +126,7 @@ The `migration-results.json` file contains the following content: The following problems were detected in the above example: - The runtime with the `0a61a3c4-0ea8-4e39-860a-7853f0b6d180` identifier was not found ; the identifier may be incorrect, or the corresponding shoot was deleted for some reason. - The validation process for the runtime with the `6daf5f59-b0ab-44af-bb8e-7735fd609449` identifier failed. -- The runtime with the `99a38a99-e8d7-4b98-a6f2-5a54ed389c4d` identifier may cause an unwanted update in the Gardener. The comparison results are saved in the `/tmp/migration-2024-11-21T14:53:24+01:00/comparison-results/99a38a99-e8d7-4b98-a6f2-5a54ed389c4d` directory. +- The runtime with the `99a38a99-e8d7-4b98-a6f2-5a54ed389c4d` identifier may cause an unwanted update in the Gardener. The comparison results are saved in the `/tmp/migration-2024-11-22T17:05:33+01:00/comparison-results/99a38a99-e8d7-4b98-a6f2-5a54ed389c4d` directory. The `/tmp/migration-2024-11-21T14:53:24+01:00/comparison-results/99a38a99-e8d7-4b98-a6f2-5a54ed389c4d"` directory contains the following files: diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index 94f82905..152c26e3 100644 --- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go 
@@ -164,18 +164,17 @@ main: return nil } -func getShoot(runtimeID string, shootList *v1beta1.ShootList) *v1beta1.Shoot { +func findShoot(runtimeID string, shootList *v1beta1.ShootList) *v1beta1.Shoot { for _, shoot := range shootList.Items { if shoot.Annotations[runtimeIDAnnotation] == runtimeID { return &shoot } } - return nil } func (m Migration) fetchShoot(ctx context.Context, shootList *v1beta1.ShootList, shootClient gardener_types.ShootInterface, runtimeID string) (*v1beta1.Shoot, error) { - shoot := getShoot(runtimeID, shootList) + shoot := findShoot(runtimeID, shootList) if shoot == nil { return nil, errors.New("shoot was deleted or the runtime ID is incorrect") } From e5840d30df4daa32f3241598d305804a95e71a96 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Fri, 22 Nov 2024 18:26:19 +0100 Subject: [PATCH 03/11] Added context with timeout for get shoot operation --- hack/runtime-migrator/cmd/migration.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index 152c26e3..4ce26e12 100644 --- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go @@ -179,8 +179,11 @@ func (m Migration) fetchShoot(ctx context.Context, shootList *v1beta1.ShootList, return nil, errors.New("shoot was deleted or the runtime ID is incorrect") } + getCtx, cancel := context.WithTimeout(ctx, timeoutK8sOperation) + defer cancel() + // We are fetching the shoot from the gardener to make sure the runtime didn't get deleted during the migration process - refreshedShoot, err := m.shootClient.Get(ctx, shoot.Name, v1.GetOptions{}) + refreshedShoot, err := m.shootClient.Get(getCtx, shoot.Name, v1.GetOptions{}) if err != nil { if k8serrors.IsNotFound(err) { return nil, errors.New("shoot was deleted") From d82baaeeaec46b8a2328fce1caa7d667cafd3af0 Mon Sep 17 00:00:00 2001 
From: Arkadiusz Galwas Date: Fri, 22 Nov 2024 18:57:32 +0100 Subject: [PATCH 04/11] Minor correction --- hack/runtime-migrator/cmd/migration.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index 4ce26e12..224eb12a 100644 --- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go @@ -176,7 +176,7 @@ func findShoot(runtimeID string, shootList *v1beta1.ShootList) *v1beta1.Shoot { func (m Migration) fetchShoot(ctx context.Context, shootList *v1beta1.ShootList, shootClient gardener_types.ShootInterface, runtimeID string) (*v1beta1.Shoot, error) { shoot := findShoot(runtimeID, shootList) if shoot == nil { - return nil, errors.New("shoot was deleted or the runtime ID is incorrect") + return nil, errors.New("shoot was deleted or the runtimeID is incorrect") } getCtx, cancel := context.WithTimeout(ctx, timeoutK8sOperation) From 476e53b5b232bea53a7376ed13d07319418f1372 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Sat, 23 Nov 2024 17:51:01 +0100 Subject: [PATCH 05/11] Updated Shoot Comparator image --- hack/shoot-comparator/scripts/manifests/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/shoot-comparator/scripts/manifests/job.yaml b/hack/shoot-comparator/scripts/manifests/job.yaml index 4e0ba739..8bf969e5 100644 --- a/hack/shoot-comparator/scripts/manifests/job.yaml +++ b/hack/shoot-comparator/scripts/manifests/job.yaml @@ -47,7 +47,7 @@ spec: # You can specify a date when the comparison should start from. The date should be in RFC3339 format. - --fromDate - 2024-09-19T00:00:00Z - image: europe-docker.pkg.dev/kyma-project/prod/shoot-comparator:v20240919-26f83162 + image: europe-docker.pkg.dev/kyma-project/prod/shoot-comparator:v20241119-8ab6d328 name: compare-shoots resources: {} securityContext: From 489b630ba3d7b7fe8aad8ab5b054ba85d98ef8da Mon Sep 17 00:00:00 2001 
From: Arkadiusz Galwas Date: Sat, 23 Nov 2024 18:31:15 +0100 Subject: [PATCH 06/11] Removed creating client before getting GardenerClient --- hack/runtime-migrator/cmd/main.go | 16 ++++++++-------- hack/runtime-migrator/cmd/migration.go | 2 +- hack/runtime-migrator/internal/config/config.go | 16 ---------------- .../internal/runtime/migrator.go | 17 ++++++----------- 4 files changed, 15 insertions(+), 36 deletions(-) diff --git a/hack/runtime-migrator/cmd/main.go b/hack/runtime-migrator/cmd/main.go index eb00d060..747eed41 100644 --- a/hack/runtime-migrator/cmd/main.go +++ b/hack/runtime-migrator/cmd/main.go @@ -29,7 +29,7 @@ import ( ) const ( - timeoutK8sOperation = 10 * time.Second + timeoutK8sOperation = 15 * time.Second expirationTime = 60 * time.Minute runtimeIDAnnotation = "kcp.provisioner.kyma-project.io/runtime-id" ) 
@@ -54,45 +54,45 @@ func main() { kcpClient, err := config.CreateKcpClient(&cfg) if err != nil { - slog.Error("Failed to create kcp client: %v ", slog.Any("error", err)) + slog.Error("Failed to create kcp client", slog.Any("error", err)) os.Exit(1) } gardenerShootClient, err := setupGardenerShootClient(cfg.GardenerKubeconfigPath, gardenerNamespace) if err != nil { - slog.Error("Failed to setup Gardener shoot client: %v", slog.Any("error", err)) + slog.Error("Failed to setup Gardener shoot client", slog.Any("error", err)) os.Exit(1) } auditLogConfig, err := getAuditLogConfig(kcpClient) if err != nil { - slog.Error("Failed to get audit log config: %v", slog.Any("error", err)) + slog.Error("Failed to get audit log config", slog.Any("error", err)) os.Exit(1) } converterConfig, err := getConverterConfig(kcpClient) if err != nil { - slog.Error("Failed to get converter config: %v", slog.Any("error", err)) + slog.Error("Failed to get converter config", slog.Any("error", err)) os.Exit(1) } slog.Info("Migrating runtimes") migrator, err := NewMigration(cfg, converterConfig, auditLogConfig, kubeconfigProvider, kcpClient, gardenerShootClient) if err != nil { - slog.Error("Failed to create migrator: %v", slog.Any("error", err)) + slog.Error("Failed to create migrator", slog.Any("error", err)) os.Exit(1) } slog.Info("Reading runtimeIds from input file") runtimeIds, err := getRuntimeIDsFromInputFile(cfg) if err != nil { - slog.Error("Failed to read runtime Ids from input: %v", slog.Any("error", err)) + slog.Error("Failed to read runtime Ids from input", slog.Any("error", err)) os.Exit(1) } err = migrator.Do(context.Background(), runtimeIds) if err != nil { - slog.Error(fmt.Sprintf("Failed to migrate runtimes: %v", slog.Any("error", err))) + slog.Error("Failed to migrate runtimes", slog.Any("error", err)) os.Exit(1) } } diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index 224eb12a..f5d7ea7c 100644 
--- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go @@ -37,7 +37,7 @@ func NewMigration(migratorConfig config2.Config, converterConfig config.Converte } return Migration{ - runtimeMigrator: runtime.NewMigrator(migratorConfig, kubeconfigProvider), + runtimeMigrator: runtime.NewMigrator(migratorConfig, kubeconfigProvider, kcpClient), runtimeVerifier: runtime.NewVerifier(converterConfig, auditLogConfig), kcpClient: kcpClient, shootClient: shootClient, diff --git a/hack/runtime-migrator/internal/config/config.go b/hack/runtime-migrator/internal/config/config.go index 451968a9..edbcdf2f 100644 --- a/hack/runtime-migrator/internal/config/config.go +++ b/hack/runtime-migrator/internal/config/config.go @@ -69,22 +69,6 @@ func addToScheme(s *runtime.Scheme) error { type GetClient = func() (client.Client, error) -func (cfg *Config) Client() (client.Client, error) { - restCfg, err := clientcmd.BuildConfigFromFlags("", cfg.KcpKubeconfigPath) - if err != nil { - return nil, fmt.Errorf("unable to fetch rest config: %w", err) - } - - scheme := runtime.NewScheme() - if err := addToScheme(scheme); err != nil { - return nil, err - } - - return client.New(restCfg, client.Options{ - Scheme: scheme, - }) -} - func CreateKcpClient(cfg *Config) (client.Client, error) { restCfg, err := clientcmd.BuildConfigFromFlags("", cfg.KcpKubeconfigPath) if err != nil { diff --git a/hack/runtime-migrator/internal/runtime/migrator.go b/hack/runtime-migrator/internal/runtime/migrator.go index d63aa723..887d6247 100644 --- a/hack/runtime-migrator/internal/runtime/migrator.go +++ b/hack/runtime-migrator/internal/runtime/migrator.go 
@@ -28,10 +28,11 @@ type Migrator struct { kcpClient client.Client } -func NewMigrator(cfg migrator.Config, kubeconfigProvider kubeconfig.Provider) Migrator { +func NewMigrator(cfg migrator.Config, kubeconfigProvider kubeconfig.Provider, kcpClient client.Client) Migrator { return Migrator{ cfg: cfg, kubeconfigProvider: kubeconfigProvider, + kcpClient: kcpClient, } } @@ -44,7 +45,7 @@ func (m Migrator) Do(ctx context.Context, shoot v1beta1.Shoot) (v1.Runtime, erro var oidcConfig = getOidcConfig(shoot) var licenceType = shoot.Annotations["kcp.provisioner.kyma-project.io/licence-type"] - labels, err := getAllRuntimeLabels(ctx, shoot, m.cfg.Client) + labels, err := getAllRuntimeLabels(ctx, shoot, m.kcpClient) if err != nil { return v1.Runtime{}, err } @@ -170,16 +171,10 @@ func getOidcConfig(shoot v1beta1.Shoot) v1beta1.OIDCConfig { return oidcConfig } -func getAllRuntimeLabels(ctx context.Context, shoot v1beta1.Shoot, getClient migrator.GetClient) (map[string]string, error) { +func getAllRuntimeLabels(ctx context.Context, shoot v1beta1.Shoot, kcpClient client.Client) (map[string]string, error) { enrichedRuntimeLabels := map[string]string{} var err error - // add agreed labels from the GardenerCluster CR - k8sClient, clientErr := getClient() - - if clientErr != nil { - return map[string]string{}, errors.Wrap(clientErr, fmt.Sprintf("Failed to get GardenerClient for shoot %s - %s\n", shoot.Name, clientErr)) - } gardenerCluster := v1.GardenerCluster{} kymaID, found := shoot.Annotations["kcp.provisioner.kyma-project.io/runtime-id"] 
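Review bot: With `getAllRuntimeLabels` now taking `kcpClient client.Client`, the `GetClient` alias that stays in `internal/config/config.go` (visible as context in the config.go hunk of this patch) appears to have no remaining user. This patch shows only the one call site, so confirm before removing `type GetClient = func() (client.Client, error)`. `NewMigrator` also stores `kcpClient` without any doc comment, and `kcpClient.Get` in `getAllRuntimeLabels` would panic on a nil interface; a line such as `// NewMigrator returns a Migrator that reads GardenerCluster CRs through kcpClient, which must not be nil.` would document the requirement. `getAllRuntimeLabels` continues beyond this hunk.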
@@ -188,7 +183,7 @@ func getAllRuntimeLabels(ctx context.Context, shoot v1beta1.Shoot, getClient mig } gardenerCRKey := types.NamespacedName{Name: kymaID, Namespace: "kcp-system"} - getGardenerCRerr := k8sClient.Get(ctx, gardenerCRKey, &gardenerCluster) + getGardenerCRerr := kcpClient.Get(ctx, gardenerCRKey, &gardenerCluster) if getGardenerCRerr != nil { var errMsg = fmt.Sprintf("Failed to retrieve GardenerCluster CR for shoot %s\n", shoot.Name) return map[string]string{}, errors.Wrap(getGardenerCRerr, errMsg) @@ -202,7 +197,7 @@ func getAllRuntimeLabels(ctx context.Context, shoot v1beta1.Shoot, getClient mig enrichedRuntimeLabels["kyma-project.io/region"] = gardenerCluster.Labels["kyma-project.io/region"] enrichedRuntimeLabels["kyma-project.io/shoot-name"] = gardenerCluster.Labels["kyma-project.io/shoot-name"] enrichedRuntimeLabels["operator.kyma-project.io/kyma-name"] = gardenerCluster.Labels["operator.kyma-project.io/kyma-name"] - // The runtime CR should be controlled by the KIM in dry-run mode + // The runtime CR should be controlled by the Provisioner enrichedRuntimeLabels["kyma-project.io/controlled-by-provisioner"] = "true" // add custom label for the migrator enrichedRuntimeLabels[migratorLabel] = "true" From 620b488429eca6a825faeabecc2607948adf5ad5 Mon Sep 17 00:00:00 2001 From: Rafal Foks Date: Mon, 25 Nov 2024 12:09:58 +0100 Subject: [PATCH 07/11] Restrict the controller to watch only kcp-system namespace --- cmd/main.go | 27 +++++++++++++++++++ config/rbac/cluster_editor_role.yaml | 5 ++-- config/rbac/cluster_viewer_role.yaml | 3 ++- config/rbac/role.yaml | 26 +++--------------- config/rbac/role_binding.yaml | 8 +++--- config/rbac/runtime_editor_role.yaml | 3 ++- config/rbac/runtime_viewer_role.yaml | 3 ++- config/rbac/service_account.yaml | 2 +- .../kubeconfig/gardener_cluster_controller.go | 8 +++--- .../controller/runtime/runtime_controller.go | 6 ++--- 10 files changed, 51 insertions(+), 40 deletions(-) 
diff --git a/cmd/main.go b/cmd/main.go index cbe7554f..8208221b 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -22,7 +22,9 @@ import ( "flag" "fmt" "io" + corev1 "k8s.io/api/core/v1" "os" + "sigs.k8s.io/controller-runtime/pkg/cache" "time" "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -41,6 +43,7 @@ import ( "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs" "github.com/pkg/errors" rbacv1 "k8s.io/api/rbac/v1" + k8slabels "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" @@ -119,6 +122,7 @@ func main() { HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "f1c68560.kyma-project.io", + Cache: restrictWatchedNamespace(), // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily // when the Manager ends. This requires the binary to immediately end when the // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly @@ -314,3 +318,26 @@ func refreshRuntimeMetrics(restConfig *rest.Config, logger logr.Logger, metrics metrics.SetRuntimeStates(rt) } } + +func restrictWatchedNamespace() cache.Options { + return cache.Options{ + ByObject: map[client.Object]cache.ByObject{ + &corev1.Secret{}: { + Label: k8slabels.Everything(), + Namespaces: map[string]cache.Config{ + "kcp-system": {}, + }, + }, + &infrastructuremanagerv1.Runtime{}: { + Namespaces: map[string]cache.Config{ + "kcp-system": {}, + }, + }, + &infrastructuremanagerv1.GardenerCluster{}: { + Namespaces: map[string]cache.Config{ + "kcp-system": {}, + }, + }, + }, + } +} diff --git a/config/rbac/cluster_editor_role.yaml b/config/rbac/cluster_editor_role.yaml index 64abe8ce..84dda500 100644 --- a/config/rbac/cluster_editor_role.yaml +++ b/config/rbac/cluster_editor_role.yaml 
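Review bot: `restrictWatchedNamespace` scopes only the three listed types, so any other object type read through the manager's cached client would still be listed and watched cluster-wide. If the intent is that nothing outside `kcp-system` is cached, setting `DefaultNamespaces: map[string]cache.Config{"kcp-system": {}}` on the returned `cache.Options` covers that. `Label: k8slabels.Everything()` on the Secret entry selects every Secret in the namespace, so all of them are held in the controller's memory; if the controller needs only the Secrets it manages, a selector on their label would narrow that (the label is not visible in this patch). The literal `"kcp-system"` is repeated three times and would read better as one named constant.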
@@ -1,15 +1,16 @@ # permissions for end users to edit clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: - app.kubernetes.io/name: clusterrole + app.kubernetes.io/name: 1errole app.kubernetes.io/instance: cluster-editor-role app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-editor-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/cluster_viewer_role.yaml b/config/rbac/cluster_viewer_role.yaml index d183607b..43df4e6d 100644 --- a/config/rbac/cluster_viewer_role.yaml +++ b/config/rbac/cluster_viewer_role.yaml @@ -1,6 +1,6 @@ # permissions for end users to view clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: app.kubernetes.io/name: clusterrole @@ -10,6 +10,7 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-viewer-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7681c444..6b06da55 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,8 +1,9 @@ --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: infrastructure-manager-role + namespace: kcp-system rules: - apiGroups: - "" @@ -19,6 +20,7 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters + - runtimes verbs: - create - delete 
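Review bot: In `config/rbac/cluster_editor_role.yaml` the label became `app.kubernetes.io/name: 1errole`, which looks like an accidental edit of `clusterrole` rather than an intended value; `app.kubernetes.io/name: role` would match the new `kind: Role`. The sibling `cluster_viewer_role.yaml` hunk keeps `app.kubernetes.io/name: clusterrole` although its kind also changes to `Role`, so the two files end up inconsistent. Anything that selects these objects by that label would miss one of them.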
@@ -31,29 +33,7 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters/finalizers - verbs: - - update -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - gardenerclusters/status - verbs: - - update -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - - runtimes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - runtimes/finalizers verbs: - update diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 60f28ad3..6cd75b05 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -1,8 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: labels: - app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/name: rolebinding app.kubernetes.io/instance: infrastructure-manager-rolebinding app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager @@ -11,9 +11,9 @@ metadata: name: infrastructure-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: infrastructure-manager-role subjects: - kind: ServiceAccount name: infrastructure-manager - namespace: system + namespace: kcp-system diff --git a/config/rbac/runtime_editor_role.yaml b/config/rbac/runtime_editor_role.yaml index 014838b7..ceb3ba03 100644 --- a/config/rbac/runtime_editor_role.yaml +++ b/config/rbac/runtime_editor_role.yaml @@ -1,11 +1,12 @@ # permissions for end users to edit runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-editor-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io 
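Review bot: The `role_binding.yaml` hunks change the kind to `RoleBinding` and point it at the namespaced `Role`, but no `namespace: kcp-system` is added under `metadata`, unlike the Role files in this patch. A RoleBinding grants access only in its own namespace and can reference only a Role from that namespace. Unless a kustomize namespace transformer sets it (not visible here), add `namespace: kcp-system` below `name: infrastructure-manager-rolebinding`.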
diff --git a/config/rbac/runtime_viewer_role.yaml b/config/rbac/runtime_viewer_role.yaml index d9d0024e..0c5ac175 100644 --- a/config/rbac/runtime_viewer_role.yaml +++ b/config/rbac/runtime_viewer_role.yaml @@ -1,11 +1,12 @@ # permissions for end users to view runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-viewer-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 5c3330c2..3ddd25a9 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -9,4 +9,4 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: infrastructure-manager - namespace: system + namespace: kcp-system diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go index c532e203..87cba31e 100644 --- a/internal/controller/kubeconfig/gardener_cluster_controller.go +++ b/internal/controller/kubeconfig/gardener_cluster_controller.go 
@@ -77,10 +77,10 @@ type KubeconfigProvider interface { Fetch(ctx context.Context, shootName string) (string, error) } -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go index 1f8eb574..5aa8f530 100644 --- a/internal/controller/runtime/runtime_controller.go +++ b/internal/controller/runtime/runtime_controller.go 
@@ -41,9 +41,9 @@ type RuntimeReconciler struct { EventRecorder record.EventRecorder } -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system var requCounter = 0 // nolint:gochecknoglobals From d9f0b2882a226ec78eaddd57304097f997beb328 Mon Sep 17 00:00:00 2001 From: Rafal Foks Date: Mon, 25 Nov 2024 12:43:10 +0100 Subject: [PATCH 08/11] Fix imports --- cmd/main.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index 8208221b..8b74982c 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -22,11 +22,12 @@ import ( "flag" "fmt" "io" - corev1 "k8s.io/api/core/v1" "os" - "sigs.k8s.io/controller-runtime/pkg/cache" "time" + corev1 "k8s.io/api/core/v1" + "sigs.k8s.io/controller-runtime/pkg/cache" + "github.com/gardener/gardener/pkg/apis/core/v1beta1" gardener_apis "github.com/gardener/gardener/pkg/client/core/clientset/versioned/typed/core/v1beta1" gardener_oidc "github.com/gardener/oidc-webhook-authenticator/apis/authentication/v1alpha1" From 90d203d67f7924a7d5281337924c2a28d9fdbc16 Mon Sep 17 00:00:00 2001 
From: Rafal Foks Date: Tue, 26 Nov 2024 10:24:14 +0100 Subject: [PATCH 09/11] Revert RBAC changes in favor of different PR --- config/rbac/cluster_editor_role.yaml | 5 ++-- config/rbac/cluster_viewer_role.yaml | 3 +-- config/rbac/role.yaml | 26 ++++++++++++++++--- config/rbac/role_binding.yaml | 8 +++--- config/rbac/runtime_editor_role.yaml | 3 +-- config/rbac/runtime_viewer_role.yaml | 3 +-- config/rbac/service_account.yaml | 2 +- .../kubeconfig/gardener_cluster_controller.go | 8 +++--- .../controller/runtime/runtime_controller.go | 6 ++--- 9 files changed, 40 insertions(+), 24 deletions(-) diff --git a/config/rbac/cluster_editor_role.yaml b/config/rbac/cluster_editor_role.yaml index 84dda500..64abe8ce 100644 --- a/config/rbac/cluster_editor_role.yaml +++ b/config/rbac/cluster_editor_role.yaml @@ -1,16 +1,15 @@ # permissions for end users to edit clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: - app.kubernetes.io/name: 1errole + app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: cluster-editor-role app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-editor-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/cluster_viewer_role.yaml b/config/rbac/cluster_viewer_role.yaml index 43df4e6d..d183607b 100644 --- a/config/rbac/cluster_viewer_role.yaml +++ b/config/rbac/cluster_viewer_role.yaml @@ -1,6 +1,6 @@ # permissions for end users to view clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole @@ -10,7 +10,6 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-viewer-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io 
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 6b06da55..7681c444 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,9 +1,8 @@ --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: name: infrastructure-manager-role - namespace: kcp-system rules: - apiGroups: - "" @@ -20,7 +19,6 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters - - runtimes verbs: - create - delete @@ -33,7 +31,29 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters/finalizers + verbs: + - update +- apiGroups: + - infrastructuremanager.kyma-project.io + resources: - gardenerclusters/status + verbs: + - update +- apiGroups: + - infrastructuremanager.kyma-project.io + resources: + - runtimes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructuremanager.kyma-project.io + resources: - runtimes/finalizers verbs: - update diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 6cd75b05..60f28ad3 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -1,8 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: labels: - app.kubernetes.io/name: rolebinding + app.kubernetes.io/name: clusterrolebinding app.kubernetes.io/instance: infrastructure-manager-rolebinding app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager @@ -11,9 +11,9 @@ metadata: name: infrastructure-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role + kind: ClusterRole name: infrastructure-manager-role subjects: - kind: ServiceAccount name: infrastructure-manager - namespace: kcp-system + namespace: system diff --git a/config/rbac/runtime_editor_role.yaml b/config/rbac/runtime_editor_role.yaml index ceb3ba03..014838b7 100644 --- a/config/rbac/runtime_editor_role.yaml 
+++ b/config/rbac/runtime_editor_role.yaml @@ -1,12 +1,11 @@ # permissions for end users to edit runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-editor-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/runtime_viewer_role.yaml b/config/rbac/runtime_viewer_role.yaml index 0c5ac175..d9d0024e 100644 --- a/config/rbac/runtime_viewer_role.yaml +++ b/config/rbac/runtime_viewer_role.yaml @@ -1,12 +1,11 @@ # permissions for end users to view runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-viewer-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 3ddd25a9..5c3330c2 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -9,4 +9,4 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: infrastructure-manager - namespace: kcp-system + namespace: system diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go index 87cba31e..c532e203 100644 --- a/internal/controller/kubeconfig/gardener_cluster_controller.go +++ b/internal/controller/kubeconfig/gardener_cluster_controller.go 
@@ -77,10 +77,10 @@ type KubeconfigProvider interface { Fetch(ctx context.Context, shootName string) (string, error) } -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system -//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go index 5aa8f530..1f8eb574 100644 --- a/internal/controller/runtime/runtime_controller.go +++ b/internal/controller/runtime/runtime_controller.go 
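Review bot: Dropping `namespace=kcp-system` from the `secrets` marker means the role generated from it grants get/list/watch/create/update/delete on Secrets in every namespace again. The role_binding.yaml hunk earlier in this patch also returns to a ClusterRoleBinding. The subject line says the scoping moves to a different PR, so the code should record that debt rather than look intentional: `// TODO(<follow-up PR>): secrets access is cluster-wide; scope it to the kcp-system namespace.` The same applies to the three `runtimes` markers in runtime_controller.go in the next hunk, although those do not cover secret material. Until the follow-up lands, reviewing audit logs for Secret access by the `infrastructure-manager` service account is a reasonable compensating check.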
@@ -41,9 +41,9 @@ type RuntimeReconciler struct { EventRecorder record.EventRecorder } -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update var requCounter = 0 // nolint:gochecknoglobals From 6b0f498f81f55349a0620a6b0227329e0a8d26f9 Mon Sep 17 00:00:00 2001 From: Rafal Foks Date: Tue, 26 Nov 2024 10:50:17 +0100 Subject: [PATCH 10/11] Fix linter --- cmd/main.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index f84901bb..3806bdac 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -25,9 +25,6 @@ import ( "os" "time" - corev1 "k8s.io/api/core/v1" - "sigs.k8s.io/controller-runtime/pkg/cache" - "github.com/gardener/gardener/pkg/apis/core/v1beta1" gardener_apis "github.com/gardener/gardener/pkg/client/core/clientset/versioned/typed/core/v1beta1" gardener_oidc "github.com/gardener/oidc-webhook-authenticator/apis/authentication/v1alpha1" @@ -43,6 +40,7 @@ import ( "github.com/kyma-project/infrastructure-manager/pkg/gardener/kubeconfig" "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs" "github.com/pkg/errors" + corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" k8slabels "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" 
@@ -52,6 +50,7 @@ import ( "k8s.io/client-go/rest" "k8s.io/client-go/util/flowcontrol" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" From 3cce0f2cc427427afac061ac7fd9edaae8f596f0 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Tue, 26 Nov 2024 13:19:06 +0100 Subject: [PATCH 11/11] Fixes to report messages plus timeout increased --- hack/runtime-migrator/README.md | 6 +++--- hack/runtime-migrator/cmd/main.go | 2 +- hack/runtime-migrator/cmd/migration.go | 10 ++++++---- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/hack/runtime-migrator/README.md b/hack/runtime-migrator/README.md index 84fafe7f..be41f54b 100644 --- a/hack/runtime-migrator/README.md +++ b/hack/runtime-migrator/README.md 
@@ -65,9 +65,9 @@ cat ./runtime-migrator \ 2024/11/22 17:05:28 2024/11/22 17:05:33 INFO Migrating runtimes 2024/11/22 17:05:33 INFO Reading runtimeIds from input file -2024/11/22 17:05:43 INFO Runtime processed successfully runtimeID=1df09b5b-0347-459d-aa0a-715db8fcaad7 -2024/11/22 17:05:45 INFO Runtime processed successfully runtimeID=ea439a5e-aa59-4e3e-8bfb-9bab1b31371e -2024/11/22 17:05:49 INFO Runtime processed successfully runtimeID=d6eeafee-ffd5-4f23-97dc-a1df197b3b30 +2024/11/22 17:05:43 INFO Runtime processed successfully (dry run) runtimeID=1df09b5b-0347-459d-aa0a-715db8fcaad7 +2024/11/22 17:05:45 INFO Runtime processed successfully (dry run) runtimeID=ea439a5e-aa59-4e3e-8bfb-9bab1b31371e +2024/11/22 17:05:49 INFO Runtime processed successfully (dry run) runtimeID=d6eeafee-ffd5-4f23-97dc-a1df197b3b30 2024/11/22 17:05:52 WARN Runtime CR can cause unwanted update in Gardener runtimeID=99a38a99-e8d7-4b98-a6f2-5a54ed389c4d 2024/11/22 17:05:52 ERROR Failed to fetch shoot: shoot was deleted or the runtime ID is incorrect runtimeID=0a61a3c4-0ea8-4e39-860a-7853f0b6d180 2024/11/22 17:05:55 ERROR Failed to verify runtime runtimeID=6daf5f59-b0ab-44af-bb8e-7735fd609449 diff --git a/hack/runtime-migrator/cmd/main.go b/hack/runtime-migrator/cmd/main.go index 747eed41..9cd5eaab 100644 --- a/hack/runtime-migrator/cmd/main.go +++ b/hack/runtime-migrator/cmd/main.go @@ -29,7 +29,7 @@ import ( ) const ( - timeoutK8sOperation = 15 * time.Second + timeoutK8sOperation = 20 * time.Second expirationTime = 60 * time.Minute runtimeIDAnnotation = "kcp.provisioner.kyma-project.io/runtime-id" ) diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index f5d7ea7c..7c454857 100644 --- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go 
@@ -129,15 +129,17 @@ func (m Migration) Do(ctx context.Context, runtimeIDs []string) error { return } - if !m.isDryRun { + if m.isDryRun { + reportSuccess(runtimeID, shoot.Name, "Runtime processed successfully (dry-run)") + } else { err = m.applyRuntimeCR(runtime) if err != nil { reportError(runtimeID, shoot.Name, "Failed to apply Runtime CR", err) + return } - return - } - reportSuccess(runtimeID, shoot.Name, "Runtime processed successfully") + reportSuccess(runtimeID, shoot.Name, "Runtime have been applied") + } } main:
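Review bot: The two new success messages do not match the rest of the patch: the dry-run text is `(dry-run)` here while the README hunk in this same commit documents `(dry run)`, and `"Runtime have been applied"` is ungrammatical. Anyone filtering the migrator output on these strings will miss one of the forms; I would use `"Runtime processed successfully (dry run)"` and `"Runtime has been applied"`. The enclosing `run` closure in `Do` starts and ends outside this hunk.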