NET-6394 Create/update/delete ServiceAccount on MeshGateway reconcile #3244
Conversation
nathancoleman
added
pr/no-changelog
nathancoleman
force-pushed
the
mesh-gateway-service-account
branch
from
ebd8623 to
d78494f
Compare
control-plane/config-entries/controllersv2/mesh_gateway_controller.go
Outdated
Show resolved
Hide resolved
The MeshGateway is partition-scoped which means that it should never include a namespace in its resource ID
This enables any future merge operations than need to be done before writing the new object, such as setting a value that needs to carry forward from the existing object onto the new object.
There was a problem hiding this comment.
So, the only thing I really see missing here is triggering reconciliation on owned object changes. For that I think you'll probably need to extend
and add some ability to specify additional Owns references (maybe just make a closure for doing additional arbitrary resource watch configuration before calling Complete?), similar to how we do in our current impl:
consul-k8s/control-plane/api-gateway/controllers/gateway_controller.go
Lines 420 to 423 in 6638261
otherwise any changes to the managed ServiceAccount won't re-trigger reconciliation and you'll never hit the ifExists branch and will get configuration drift.
| return errors.New("onDelete not implemented") | ||
| builder := gateways.NewMeshGatewayBuilder(resource) | ||
|
|
||
| deleteOp := func(ctx context.Context, _, object client.Object) error { |
There was a problem hiding this comment.
I'm thinking we can just let the garbage collector clean these up? By setting the owner reference field, if the owner is deleted, these will actually get cleaned up automatically. If we're cool with just letting the GC do its work, then the only thing we have to worry about on deletion is cleaning up any side-effects that we may have done in our controller upsert path.
There was a problem hiding this comment.
My assumption was that there's a reason we do explicit cleanup in our v1 implementation here, but I don't know what that might have been. Any ideas?
Does the GC handle dependency ordering well? For example, the ServiceAccount winds up being referenced by the created Deployment, so we clean them up in reverse order in our v1 implementation.
consul-k8s/control-plane/api-gateway/gatekeeper/gatekeeper.go
Lines 60 to 86 in 671675d
There was a problem hiding this comment.
I've dropped the explicit deletes in favor of allowing the k8s garbage collector to do its thing.
If we discover a reason we need to delete explicitly like we do in the gatekeeper package today, then we can add the explicit deletion back at a later date.
control-plane/config-entries/controllersv2/mesh_gateway_controller.go
Outdated
Show resolved
Hide resolved
|
The enterprise control-plane tests are failing because our self-hosted macos runner doesn't have |
…#3244) * Create/update/delete ServiceAccount on MeshGateway reconcile * Implement owner ref checking for existing objects before create/update * Use builder struct for creating k8s resources * Extend upsert function to handle delete as well * Add unit tests asserting ServiceAccount CRUD w/ ownership enforcement * Update list of TODOs in reconcile handlers * Uncomment call to MeshConfigController.ReconcileEntry * Check error returned by SetControllerReference * Add unit test coverage for MeshGatewayBuilder.serviceAccount() * Omit namespace on MeshGateway's resource ID tenancy The MeshGateway is partition-scoped which means that it should never include a namespace in its resource ID * Provide existing object to operation This enables any future merge operations than need to be done before writing the new object, such as setting a value that needs to carry forward from the existing object onto the new object. * Declare ownership of ServiceAccount when setting up controller * Fix typo * Rely on garbage collector to delete resource instead of deleting explicitly
…#3244) * Create/update/delete ServiceAccount on MeshGateway reconcile * Implement owner ref checking for existing objects before create/update * Use builder struct for creating k8s resources * Extend upsert function to handle delete as well * Add unit tests asserting ServiceAccount CRUD w/ ownership enforcement * Update list of TODOs in reconcile handlers * Uncomment call to MeshConfigController.ReconcileEntry * Check error returned by SetControllerReference * Add unit test coverage for MeshGatewayBuilder.serviceAccount() * Omit namespace on MeshGateway's resource ID tenancy The MeshGateway is partition-scoped which means that it should never include a namespace in its resource ID * Provide existing object to operation This enables any future merge operations than need to be done before writing the new object, such as setting a value that needs to carry forward from the existing object onto the new object. * Declare ownership of ServiceAccount when setting up controller * Fix typo * Rely on garbage collector to delete resource instead of deleting explicitly
Changes proposed in this PR:
When reconciling a
MeshGatewayresource in the v2 API, create/update/delete a correspondingServiceAccount.Notably, we need to ensure we aren't updating or deleting resources that our controller didn't create simply because they have the expected name.
How I've tested this PR:
Added unit test coverage
How I expect reviewers to test this PR:
See above
Checklist: