Handle the broker in the operator

[skitt]

Fixes: #203
Signed-off-by: Stephen Kitt [email protected]

[skitt]

This PR updates subctl so that deploy-broker goes through the operator, but it doesn’t remove all the non-operator-based code — I’m wondering whether we should add a flag to allow broker deployment without the operator, or if we should just forget that and only support the operator.

[mangelajo]

This PR updates subctl so that deploy-broker goes through the operator, but it doesn’t remove all the non-operator-based code — I’m wondering whether we should add a flag to allow broker deployment without the operator, or if we should just forget that and only support the operator.

+1 for operator only for now...

[mangelajo]

Thanks for updating last moment, I just realized you were into this too :/

[mangelajo]

Can we make GlobalNetEnabled an optional/omitempty argument?, same for DefaultGlobalnetClusterSize?, is it possible -an alternative- to provide default values and allow omission?

Is it really necessary?, could it be that "GlobalnetCidrRange == GlobalnetEnabled?" (not sure about it though).

[skitt]

How about making Globalnet a component? I’ll try that in a separate PR... Also, Globalnet can be enabled without a CIDR range, can’t it?

[mangelajo]

Hmm, that'd be rather neat I think @skitt

Without a CIDR range I'm not sure, I guess we need something at least for auto-assignment of clusters. But if you don't want auto-assignment I guess you don't need it @sridhargaddam ^

[sridhargaddam]

Correct, the globalCIDR is required for auto-assignment to clusters while the cluster is joining the Broker. We provide flexibility to users to specify custom globalCIDR, but IMO we should continue to have a default CIDR to support clusters that do not explicitly specify globalCIDR while joining.

[skitt]

The fields are now all optional.

[skitt]

#1102 tracks the componentisation of Globalnet.

[mangelajo]

Some comments

[mangelajo]

Is there a way to allow omission of 'defaultGlobanetClusterSize', and also, provide a default value? I guess that can be done in code.

[skitt]

This is just an example, intended for documentation in the operator when shown in the catalog.

[mangelajo]

I was expecting that the operator would create the RBAC details too, I guess it's not very secure though, but thinking of usability and the concept of doing it on the operator... it's weird that we would need to setup RBAC manually if not doing it with subctl.

[skitt]

We discussed this in the past, and decided to forgo dealing with RBAC in the operator, because it requires granting too many privileges to the operator.

[mangelajo]

I know, I remember, but I start to see issues with our thinking as we move the broker here too, which is different to just "provide RBAC to submariner services", ... now we need to provide RBAC / Accounts to signed up clusters...

We will need to document the RBAC steps unless we change that.

[SteveMattar]

Can we remove the rbac.go in favour of working with embedded yaml files?
The yaml files could be tracked in config/rbac. This way I can use them in the operator bundle.

[skitt]

@SteveMattar this is tracked in #1105.

[mangelajo]

Sorry, the second batch of comments came separate.

[skitt]

This needs #1096 first.

[sridhargaddam]

We might require changes to subctl to prompt the user to provide the GlobalnetCIDR/GlobalnetClusterSize while joining a new Cluster, if there are no defaults configured when Broker is deployed.

[skitt]

This is already the case, I’ll do that in a separate PR. #1103 tracks this.

[mangelajo]

I suggest we do something like:

https://github.com/submariner-io/submariner-operator/blob/devel/apis/submariner/v1alpha1/submariner_types.go#L131

https://github.com/submariner-io/submariner-operator/blob/devel/apis/submariner/v1alpha1/servicediscovery_types.go#L84

[mangelajo]

Well, or may be not, not sure, if they are going through the process of using the operator directly.... may be it's better to let them be explicit

[skitt]

I prefer #1104 ;-)

[mangelajo]

I suggest we do something like:

https://github.com/submariner-io/submariner-operator/blob/devel/apis/submariner/v1alpha1/submariner_types.go#L131

https://github.com/submariner-io/submariner-operator/blob/devel/apis/submariner/v1alpha1/servicediscovery_types.go#L84

[SteveMattar]

What about the broker RBAC? Currently the only way it works is by using subctl.
Should we export these roles to config/rbac?

[SteveMattar]

Do we want to hide this CRD? how do we install the broker when working with the bundle only?

[skitt]

Ah, right, we do want to show the CRD!

[SteveMattar]

I think you can add this function to controllers.AddToManager this is how we usually start a new Reconciler

[skitt]

This is what the operator SDK generated for me...

[SteveMattar]

Sorry @skitt just saw the previous comments

[skitt]

What about the broker RBAC? Currently the only way it works is by using subctl.
Should we export these roles to config/rbac?

This is what I’d asked you about a couple of weeks ago; I couldn’t get the SDK to generate the appropriate role.yaml file, or rather, I could, but it overwrote all the existing RBAC setup that’s in there.

[SteveMattar]

What about the broker RBAC? Currently the only way it works is by using subctl.
Should we export these roles to config/rbac?

This is what I’d asked you about a couple of weeks ago; I couldn’t get the SDK to generate the appropriate role.yaml file, or rather, I could, but it overwrote all the existing RBAC setup that’s in there.

Sorry you might have missed my message on slack... the thread is confusing sometimes :)
I'll just drop my comment here:
"I found the problem... when controller-gen generates the rbac manifests the default output is config/rbac/role.yaml but the +kubebuilder:rbac markers for submariner and servicediscovery never worked... The reason is because there is a missing empty line between those markers and the class definition. That means the role.yaml file was never updated."

[skitt]

What about the broker RBAC? Currently the only way it works is by using subctl.
Should we export these roles to config/rbac?

This is what I’d asked you about a couple of weeks ago; I couldn’t get the SDK to generate the appropriate role.yaml file, or rather, I could, but it overwrote all the existing RBAC setup that’s in there.

Sorry you might have missed my message on slack... the thread is confusing sometimes :)
I'll just drop my comment here:
"I found the problem... when controller-gen generates the rbac manifests the default output is config/rbac/role.yaml but the +kubebuilder:rbac markers for submariner and servicediscovery never worked... The reason is because there is a missing empty line between those markers and the class definition. That means the role.yaml file was never updated."

Right, that’s what I found out too (which is how I disabled the Broker RBAC handling, see the TODO there). I hesitated to re-enable the full RBAC handling because it produces ClusterRoles, not Roles as we currently have...

[tpantelis]

We've been trending from Cidr -> CIDR elsewhere...

Suggested change

	GlobalnetCidrRange string `json:"globalnetCidrRange,omitempty"`
	GlobalnetCIDRRange string `json:"globalnetCIDRRange,omitempty"`

[skitt]

Ah yes, fixed.

[tpantelis]

Do we need to return bool here instead of just err?

[tpantelis]

We really don't need RetryOnConflict as it applies to Update. We could refactor to a loop as per below but not a big deal either way. I can add a CreateAnew function in admiral that does the DeleteIfExistsThenCreate pattern.

Suggested change

	_, err := clientSet.SubmarinerV1alpha1().Brokers(namespace).Create(brokerCR)
	if err == nil {
	return true, nil
	} else if errors.IsAlreadyExists(err) {
	retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
	// We can’t always handle existing resources, and we want to overwrite them anyway, so delete them
	err := clientSet.SubmarinerV1alpha1().Brokers(namespace).Delete(brokerCR.Name, &metav1.DeleteOptions{})
	if err != nil {
	return fmt.Errorf("failed to delete pre-existing cfg %s : %s", brokerCR.Name, err)
	}
	_, err = clientSet.SubmarinerV1alpha1().Brokers(namespace).Create(brokerCR)
	if err != nil {
	return fmt.Errorf("failed to create cfg %s : %s", brokerCR.Name, err)
	}
	return nil
	})
	return false, retryErr
	}
	return false, err
	for {
	_, err := clientSet.SubmarinerV1alpha1().Brokers(namespace).Create(brokerCR)
	if err == nil {
	return nil
	}
	if errors.IsAlreadyExists(err) {
	err := clientSet.SubmarinerV1alpha1().Brokers(namespace).Delete(brokerCR.Name, &metav1.DeleteOptions{})
	if err != nil && !errors.IsNotFound(err) {
	return fmt.Errorf("failed to delete pre-existing Broker instance %q : %v", brokerCR.Name, err)
	}
	continue
	}
	return err
	}
	return nil

[skitt]

Ah yes, a creation can never return an error which RetryOnConflict will recognise as a conflict. We’d really have to loop ourselves, with a backoff...

[skitt]

(I’ll submit an appropriate function for Admiral tomorrow.)

[tpantelis]

I'm actually working on that now 😄

[tpantelis]

submariner-io/admiral#185

[mangelajo]

Why is the crds bool added, where is it used? :-?

[skitt]

Oops, something got lost in a rebase it seems...

[skitt]

Now restored.