Fixes #193 by adding key tracing logs for internal eventing and reconciliation logic #194
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds several
debuglogs for better troubleshooting:Predicatethat logs appropriate details, including a diff between old and new Kubernetes object on Update)Log examples
These examples use a
DatabaseSecretEngineRolenamedtest-evtloggingLogs below are redacted to remove details so that the log flow is more obvious.
Creation
Update
This updates changes the
defaultTTLfield value from0sto60s:<event diff>is a JSON-like string, which, once unescaped, shows the changes that happened to the Kubernetes resource which triggered the event.Example:
&v1alpha1.DatabaseSecretEngineRole{ TypeMeta: {}, ObjectMeta: v1.ObjectMeta{ ... // 3 identical fields SelfLink: "", UID: "887c67ce-5c09-449a-bcda-db560b641933", - ResourceVersion: "2001996", + ResourceVersion: "2002033", - Generation: 1, + Generation: 2, CreationTimestamp: {Time: s"2023-09-15 07:32:39 +0000 UTC"}, ... ManagedFields: []v1.ManagedFieldsEntry{ {Manager: "Go-http-client", Operation: "Update", ...}, ... + { + Manager: "kubectl-edit", + Operation: "Update", + APIVersion: "redhatcop.redhat.io/v1alpha1", + Time: s"2023-09-15 07:32:57 +0000 UTC", + FieldsType: "FieldsV1", + FieldsV1: s`{"f:spec":{"f:defaultTTL":{}}}`, + }, }, }, Spec: v1alpha1.DatabaseSecretEngineRoleSpec{ ... - DefaultTTL: v1.Duration{}, + DefaultTTL: v1.Duration{Duration: s"1m0s"}, MaxTTL: {}, ... }, }, Status: {...}, }<resource diff>is a JSON-like string, which, once unescaped, shows the difference between the object existing in Vault and what is expected from the Kubernetes resource.Example:
<resource diff>is a JSON-like string, which, once unescaped, shows something like:map[string]any{ - "creation_statements": []any{ - string(`CREATE ROLE "{{name}}" WITH LOGIN ...`...), - }, + "creation_statements": []string{ + `CREATE ROLE "{{name}}" WITH LOGIN IN ROLE ...`..., + }, - "credential_type": string("password"), "db_name": string("the-db-name"), - "default_ttl": s"0", + "default_ttl": v1.Duration{Duration: s"1m0s"}, - "max_ttl": s"0", + "max_ttl": v1.Duration{}, - "renew_statements": []any{}, + "renew_statements": []string(nil), - "revocation_statements": []any{string(`DROP ROLE "{{name}}";`)}, + "revocation_statements": []string{`DROP ROLE "{{name}}";`}, - "rollback_statements": []any{}, + "rollback_statements": []string(nil), }Note: an unexpected finding with these logs is that there are Go type differences when comparing the payload returned by Vault and the payload we expect, sometimes leading to unnecessary writes to Vault (for instance, when resync'ing all resources on operator restart or on schedule).
Deletion