fix: should resolve SubNamespace conflict when sub-namespace deleted #149

Merged
merged 1 commit into from
Oct 25, 2024

erikgb
Contributor

@erikgb erikgb commented Oct 22, 2024

Background

Our tenants use GitOps to provision sub-namespaces, and not kubectl-accurate. We run on OpenShift, and OpenShift has a feature allowing users in the self-provisioner cluster role to create namespaces by issuing a ProjectRequest create request. We want to migrate to Accurate, but will still have to support the OpenShift mechanism for a long time.

Problem (solved in this PR)

Recently we've had users pre-creating an OpenShift Project before provisioning the SubNamespace resource that is supposed to control the desired namespace. This will not work, making the subnamespace enter a conflicting state right after creation by the tenant GitOps. The user observes this problem by inspecting the SubNamespace status and other GitOps failures caused by missing RBAC in the target namespace.

The natural thing to do when this happens is to delete the OpenShift Project resource currently controlling the (empty) target namespace. When the project is deleted, OpenShift will terminate the controlled namespace. So far, so good.

Expected behavior: Accurate detects the namespace deletion and (re)creates the target namespace as sub-namespace, resolving the conflict state on the SubNamespace.

Actual behavior: Accurate eventually acts on the deleted namespace, resolving the conflict state, but this is not happening in a timely fashion. The exact time depends on the resync time initiated regularly by controller-runtime. But we have seen this take several hours, which is not acceptable.

@erikgb erikgb force-pushed the resolve-ns-conflict branch 2 times, most recently from 2e72ce3 to 6e638bd Compare October 22, 2024 17:52
@erikgb erikgb force-pushed the resolve-ns-conflict branch from 6e638bd to a9377a8 Compare October 22, 2024 18:27
@erikgb erikgb changed the title WIP: fix: should resolve SubNamespace conflict when sub-namespace deleted fix: should resolve SubNamespace conflict when sub-namespace deleted Oct 22, 2024
@erikgb erikgb marked this pull request as ready for review October 22, 2024 19:01
@012xx 012xx requested a review from zoetrope October 23, 2024 01:08
Member

@zoetrope zoetrope left a comment

LGTM!
This is not a problem limited to OpenShift, but a widely useful implementation.

@zoetrope zoetrope merged commit 960ef8f into cybozu-go:main Oct 25, 2024
7 checks passed