Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: unsolicited rollout after upgrade from v0.10->v1.0 when pod was using service account #1367

Merged
merged 1 commit into from
Jul 22, 2021

Conversation

jessesuen
Copy link
Member

Partially fixes #1356

Signed-off-by: Jesse Suen [email protected]

@jessesuen jessesuen requested a review from khhirani July 22, 2021 10:23
@sonarcloud
Copy link

sonarcloud bot commented Jul 22, 2021

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
3.7% 3.7% Duplication

@codecov
Copy link

codecov bot commented Jul 22, 2021

Codecov Report

Merging #1367 (e4e39e9) into master (0c559a0) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #1367   +/-   ##
=======================================
  Coverage   81.27%   81.27%           
=======================================
  Files         108      108           
  Lines       10029    10031    +2     
=======================================
+ Hits         8151     8153    +2     
  Misses       1318     1318           
  Partials      560      560           
Impacted Files Coverage Δ
utils/replicaset/replicaset.go 89.47% <100.00%> (+0.07%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0c559a0...e4e39e9. Read the comment docs.

@huikang
Copy link
Member

huikang commented Jul 22, 2021

Hi, @jessesuen , I am just wondering what if the existing pod has both serviceAccountName and serviceAccount in the template. Will this PR handle the case properly? Thanks.

Copy link
Contributor

@khhirani khhirani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jessesuen
Copy link
Member Author

jessesuen commented Jul 22, 2021

Hi, @jessesuen , I am just wondering what if the existing pod has both serviceAccountName and serviceAccount in the template. Will this PR handle the case properly? Thanks.

First, serviceAccountName and serviceAccount should always be the same value. I just verified that if you try to create a Deployment with different values, serviceAccount will get overridden with value from serviceAccountName.

Given that, serviceAccountName is the only thing we should care about. Users should be able to modify this field (add/remove/update), and the rollout should properly detect this as a change and perform an update.

However, the serviceAccount field in the pod is safe to ignore completely. It is a deprecated kubernetes field which has special treatment in k8s codebase. AFIK, there is not any other field in the pod spec which has this special treatment. The serviceAccount field is auto-populated in a special way (not by pod spec defaulting) because it derives its value from serviceAccountName. We incorrectly detect the absence of serviceAccount in the desired spec as a change in the pod template, which causes the unsolicited update.

NOTE for this to happen, ComputeHash would have had to have changed meaning from underneath us. Something which I will address in a v1.1 specific PR.

@jessesuen jessesuen merged commit d2753c2 into argoproj:master Jul 22, 2021
@jessesuen jessesuen deleted the issue-1356-podtemplateequals branch July 22, 2021 22:05
jessesuen added a commit to jessesuen/argo-rollouts that referenced this pull request Jul 22, 2021
@huikang
Copy link
Member

huikang commented Jul 22, 2021

Hi, @jessesuen , I am just wondering what if the existing pod has both serviceAccountName and serviceAccount in the template. Will this PR handle the case properly? Thanks.

First, serviceAccountName and serviceAccount should always be the same value. I just verified that if you try to create a Deployment with different values, serviceAccount will get overridden with value from serviceAccountName.

Given that, serviceAccountName is the only thing we should care about. Users should be able to modify this field (add/remove/update), and the rollout should properly detect this as a change and perform an update.

However, the serviceAccount field in the pod is safe to ignore completely. It is a deprecated kubernetes field which has special treatment in k8s codebase. AFIK, there is not any other field in the pod spec which has this special treatment. The serviceAccount field is auto-populated in a special way (not by pod spec defaulting) because it derives its value from serviceAccountName. We incorrectly detect the absence of serviceAccount in the desired spec as a change in the pod template, which causes the unsolicited update.

NOTE for this to happen, ComputeHash would have had to have changed meaning from underneath us. Something which I will address in a v1.1 specific PR.

Thanks for the detailed explanation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Incorrect pod template change detection after upgrade from v0.10 to v1.0
3 participants