Creation of CompassManagerMapping CRD after successfull registration Runtime in Compass

[mvshao]

Description

Changes proposed in this pull request:

• reconcile triggers only while the Application Connector module is present in Kyma CR
• changed the way of marking Runtime as connected to Compass from labeling Kyma CR to creating Compass Manager Mapping CRD with all the data needed
• added WhiteSource and Protecode scans for module
• Compass Manager is capable of refreshing Compass one-time token commented -> moved to different PR

Related issue(s)

[akgalwas]

I think the PR is ok, we are close to finalise it.

[akgalwas]

Namespace name for the Compass Manager Mapping is hardcoded. Please consider using namespace name from Kyma CR.

[akgalwas]

I'm wondering whether we should add operator.kyma-project.io/managed-by label with Compass Manager value to determine that Compass Manager controls the CRs lifecycle.

[mvshao]

Good idea, I will add this

[akgalwas]

In the original version of the specification we use kyma-id. This was my mistake, let's consistently use operator.kyma-project.io/kyma-name. Its better to have the same label on Kyma, and Compass Manager to avoid confusion.

[akgalwas]

I think this comment is outdated.

[akgalwas]

Probably we could limit privileges for Compass Manager Mappings to the following: create;get;list;delete

[mvshao]

The watch privilege is required. Because the controller returns an error

[reflector.go:148] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:231: Failed to watch *v1beta1.CompassManagerMapping: unknown (get compassmanagermappings.operator.kyma-project.io)

[akgalwas]

Before registration is done, we should check if the Compass Manager Mapping already exists.

[mvshao]

I have this feature uncommited, but implemetned.

[akgalwas]

I think we could have missed one thing here. As noted in the issue concerning resource watching we should consider setting statuses for operations. As we can't set status on the Kyma resource, CompassManagerMapping seems to be the right place.

Why this is needed?

Let's imagine situation when we have Compass outage. It will we surely visible in the logs, as Compass Manager will constantly retry requests. If we had proper alerting/monitoring we could also be notified that some problem occurred.
I see the following benefits of adding the status property:

• We would get additional insight into the system:
  • We could see how many runtimes that have module enabled cannot be registered due to Compass failures.
  • We could see when Compass Manager noticed module is enabled, and when runtime was registered, and secret with configuration created
• We could add some dashboards

You can see the example of status structures here.

I think this needs some discussions before we decide to implement it. If we decide to go with statuses let's do that in the separate PR.

[akgalwas]

One note: if we decide to provide statuses on the CR we should create it even in case the Compass registration failed. This is just a reminder, I think we should discuss if we go with the status field, and then create a new PR.

[akgalwas]

I'm confused a bit. I though we will implement obtaining token in other PR.

[akgalwas]

I would rename mappingName to kymaName to avoid confusion.

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ mvshao
❌ akgalwas
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[mvshao]

/test pre-compass-manager-presubmit-scanner