Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix module reconciler not being able to watch for ConfigMaps error #179

Conversation

mresvanis
Copy link
Contributor

@mresvanis mresvanis commented Dec 2, 2022

This fix adds the watch permission for ConfigMaps to the Module reconciler, in order to be able to successfully client.Get() the build Dockerfile ConfigMap. This client.Get() fails because the contoller-runtime client reads from its cache, instead of directly from the API server. The client needs the watch permission, in order to be able to build its cache.

Signed-off-by: Michail Resvanis [email protected]

This fix adds the watch permission for ConfigMaps to the Module
reconciler, in order to be able to successfully client.Get() the build
Dockerfile ConfigMap. This client.Get() fails because the
contoller-runtime client reads from its cache, instead of directly from
the API server. The client needs the watch permission, in order to be
able to build its cache.

- kubernetes-sigs/controller-runtime#1156

Signed-off-by: Michail Resvanis <[email protected]>
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Dec 2, 2022
@netlify
Copy link

netlify bot commented Dec 2, 2022

Deploy Preview for kubernetes-sigs-kmm ready!

Name Link
🔨 Latest commit e779f06
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-kmm/deploys/638a1a40c6386400083bae88
😎 Deploy Preview https://deploy-preview-179--kubernetes-sigs-kmm.netlify.app/
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 2, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @mresvanis. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Dec 2, 2022
@qbarrand
Copy link
Contributor

qbarrand commented Dec 2, 2022

/lgtm
/ok-to-test
/assign @yevgeny-shnaidman

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 2, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 2, 2022
@yevgeny-shnaidman
Copy link
Contributor

@mresvanis we have an e2e test that is runs the build flow with configmap, and it has been passing successfully since the ConfigMap has been added. What has changed that we need the watch permission ( get and list previously was enough)?

@yevgeny-shnaidman
Copy link
Contributor

@mresvanis we have an e2e test that is runs the build flow with configmap, and it has been passing successfully since the ConfigMap has been added. What has changed that we need the watch permission ( get and list previously was enough)?
I am going to lgtm , but we need to better understand what's going on there: we are not watching ConfigMaps in any of our controllers, only Getting it, but not having permissions to watch interefers with our watch for Builds..

@yevgeny-shnaidman
Copy link
Contributor

/lgtm

@yevgeny-shnaidman
Copy link
Contributor

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mresvanis, yevgeny-shnaidman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 2, 2022
@k8s-ci-robot k8s-ci-robot merged commit dedee81 into kubernetes-sigs:main Dec 2, 2022
@mresvanis mresvanis deleted the fix-watch-configmaps-module-reconciler-error branch December 5, 2022 09:10
@mresvanis
Copy link
Contributor Author

mresvanis commented Dec 5, 2022

@mresvanis we have an e2e test that is runs the build flow with configmap, and it has been passing successfully since the ConfigMap has been added. What has changed that we need the watch permission ( get and list previously was enough)?
I am going to lgtm , but we need to better understand what's going on there: we are not watching ConfigMaps in any of our controllers, only Getting it, but not having permissions to watch interefers with our watch for Builds..

@yevgeny-shnaidman I apologize for the misunderstanding, this PR was about fixing the reconciler error regarding its client's cache watch permission on ConfigMaps. The module build flow is and was working correctly without this PR's change, i.e. without the Module reconciler's watch permission on ConfigMaps.

Context

The cause of this error is based on the internals of the cache of the controller-runtime/client. By default this client when reading resources, e.g. when Get()-ing or List()-ing, tries to read from its cache first. If there is no cache for the resource we're trying to read, then it creates a new cached client and then tries to build the respective cache. The cache setup includes setting up informers for the resource we're trying to read and those informers watch for such resources, in order to keep the cache as fresh as possible.

Possible Solutions

In order to resolve this reconciler cache watch permission error (and only this error, as the build flow is anyway working as expected), we have 2 options:

  1. setup a new client for this ConfigMap client.Get() call, with its cache disabled, so that no informers will be setup and no watch permission is needed
  2. add the watch permission to ConfigMaps, so that the existing client can leverage caching on ConfigMaps

This PR's solution

This PR followed option 2, but we can definitely revisit this if we would like to get rid of the watch permission on ConfigMaps.

Does this help?

@yevgeny-shnaidman
Copy link
Contributor

@mresvanis Thank you for explanation, very helpful

qbarrand added a commit to qbarrand/kernel-module-management that referenced this pull request Jun 2, 2023
…ubernetes-sigs#179) (kubernetes-sigs#225)

This fix adds the watch permission for ConfigMaps to the Module
reconciler, in order to be able to successfully client.Get() the build
Dockerfile ConfigMap. This client.Get() fails because the
contoller-runtime client reads from its cache, instead of directly from
the API server. The client needs the watch permission, in order to be
able to build its cache.

- kubernetes-sigs/controller-runtime#1156

Signed-off-by: Michail Resvanis <[email protected]>

Upstream-Commit: dedee81

Co-authored-by: Michail Resvanis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants