-
Notifications
You must be signed in to change notification settings - Fork 10
Requeue instead of awaiting change #309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -291,7 +291,7 @@ async fn image_add_reconcile( | |
| } | ||
|
|
||
| let (action, reason) = match handle_new_image(client.clone(), image).await { | ||
| Ok(reason) => (Action::await_change(), reason), | ||
| Ok(reason) => (Action::requeue(Duration::from_secs(300)), reason), | ||
| Err(e) => { | ||
| warn!("PCR computation for {name} failed: {e}"); | ||
| let action = Action::requeue(Duration::from_secs(60)); | ||
|
|
@@ -320,7 +320,7 @@ async fn image_remove_reconcile( | |
| let name = image.metadata.name.as_ref().unwrap_or(&default); | ||
| if cluster.is_none() { | ||
| info!("No TrustedExecutionCluster found, skipping disallow_image for {name}"); | ||
| return Ok(Action::await_change()); | ||
| return Ok(Action::requeue(Duration::from_secs(60))); | ||
| } | ||
| let cluster = cluster.unwrap(); | ||
| let tec_name = cluster.metadata.name.unwrap_or("<no name>".to_string()); | ||
|
|
@@ -329,16 +329,19 @@ async fn image_remove_reconcile( | |
| "TrustedExecutionCluster {tec_name} is being deleted, \ | ||
| skipping disallow_image for {name}" | ||
| ); | ||
| return Ok(Action::await_change()); | ||
| return Ok(Action::requeue(Duration::from_secs(60))); | ||
| } | ||
| disallow_image(client, name).await?; | ||
| Ok(Action::await_change()) | ||
| Ok(Action::requeue(Duration::from_secs(60))) | ||
| } | ||
|
|
||
| pub async fn launch_rv_image_controller(client: Client) { | ||
| let images: Api<ApprovedImage> = Api::default_namespaced(client.clone()); | ||
| let jobs: Api<Job> = Api::default_namespaced(client.clone()); | ||
| let wc = watcher::Config::default().labels(&format!("{JOB_LABEL_KEY}={PCR_COMMAND_NAME}")); | ||
| tokio::spawn( | ||
| Controller::new(images, Default::default()) | ||
| .owns(jobs, wc) | ||
|
Comment on lines
+340
to
+344
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. question (bug_risk): Clarify the implications of restricting owned Jobs via a label selector in the watcher config. Using |
||
| .run(image_reconcile, controller_error_policy, Arc::new(client)) | ||
| .for_each(controller_info), | ||
| ); | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -112,10 +112,10 @@ named_test!( | |
| wait_for_resource_deleted(&deployments_api, REGISTER_SERVER_DEPLOYMENT, timeout).await?; | ||
|
|
||
| let images_api: Api<ApprovedImage> = Api::namespaced(client.clone(), namespace); | ||
| wait_for_resource_deleted(&images_api, APPROVED_IMAGE_NAME, scaled_timeout(120)).await?; | ||
| wait_for_resource_deleted(&images_api, APPROVED_IMAGE_NAME, scaled_timeout(360)).await?; | ||
|
|
||
| wait_for_resource_deleted(&machines, &machine_name, scaled_timeout(120)).await?; | ||
| wait_for_resource_deleted(&attestation_keys, &ak_name, scaled_timeout(120)).await?; | ||
| wait_for_resource_deleted(&machines, &machine_name, scaled_timeout(360)).await?; | ||
| wait_for_resource_deleted(&attestation_keys, &ak_name, scaled_timeout(360)).await?; | ||
| let secrets_api: Api<Secret> = Api::namespaced(client.clone(), namespace); | ||
| wait_for_resource_deleted(&secrets_api, &ak_name, scaled_timeout(120)).await?; | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. suggestion (testing): Consider aligning Secret deletion timeout with the extended 360s timeouts for Machines and AttestationKeys In the TEC cleanup and attestation key lifecycle tests, Machine and AttestationKey deletions were increased to 360s to tolerate missed reconcile events, but Secret deletion remains at 120s. If Secret deletion uses the same controller path, this shorter timeout can still cause intermittent flakes when reconciles are missed. Please consider increasing this to 360s (or centralizing these timeouts) for consistent test behavior. Suggested implementation: wait_for_resource_deleted(&secrets_api, &ak_name, scaled_timeout(360)).await?;If other tests in this file (or module) also use hard-coded deletion timeouts, consider:
|
||
|
|
||
|
|
@@ -328,9 +328,9 @@ async fn test_attestation_key_lifecycle() -> anyhow::Result<()> { | |
| machines.delete(&machine_name, &dp).await?; | ||
| test_ctx.info(format!("Deleted Machine: {machine_name}")); | ||
|
|
||
| wait_for_resource_deleted(&machines, &machine_name, scaled_timeout(120)).await?; | ||
| wait_for_resource_deleted(&machines, &machine_name, scaled_timeout(360)).await?; | ||
| test_ctx.info("Machine successfully deleted"); | ||
| wait_for_resource_deleted(&attestation_keys, &ak_name, scaled_timeout(120)).await?; | ||
| wait_for_resource_deleted(&attestation_keys, &ak_name, scaled_timeout(360)).await?; | ||
| test_ctx.info("AttestationKey successfully deleted"); | ||
| wait_for_resource_deleted(&secrets_api, &ak_name, scaled_timeout(120)).await?; | ||
| test_ctx.info("Secret successfully deleted"); | ||
|
|
@@ -367,7 +367,7 @@ async fn test_nonexistent_approved_image() -> anyhow::Result<()> { | |
| }; | ||
| let done = await_condition(images, "coreos1", is_pending); | ||
| let ctx = "waiting for ApprovedImage coreos1 to be PodPending"; | ||
| timeout(scaled_duration(30), done).await.context(ctx)??; | ||
| timeout(scaled_duration(360), done).await.context(ctx)??; | ||
|
|
||
| test_ctx.cleanup().await?; | ||
| Ok(()) | ||
|
|
@@ -398,7 +398,7 @@ async fn test_approved_image_readoption() -> anyhow::Result<()> { | |
| test_ctx.info(format!("Deleting TrustedExecutionCluster {TEC_NAME}")); | ||
| clusters.delete(TEC_NAME, &Default::default()).await?; | ||
| wait_for_resource_deleted(&configmaps, TRUSTEE_CONFIG_MAP, scaled_timeout(60)).await?; | ||
| wait_for_resource_deleted(&images, APPROVED_IMAGE_NAME, scaled_timeout(60)).await?; | ||
| wait_for_resource_deleted(&images, APPROVED_IMAGE_NAME, scaled_timeout(360)).await?; | ||
| test_ctx.info(format!("Configmap {TRUSTEE_CONFIG_MAP} was removed")); | ||
|
|
||
| let image = ApprovedImage { | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: should we define a macro for the default polling time to highlight when this should be the default behavior?