HIVE-2302, HIVE-2644: Pass metadata.json through opaquely

[2uasimojo]

Previously any time installer added a field to metadata.json, we would need to evaluate and possibly add a bespoke field and code path for it to make sure it was supplied to the destroyer at deprovision time.

With this change, we're offloading metadata.json verbatim (except in some cases we have to scrub/replace credentials fields -- see HIVE-2804 / #2612) to a new Secret in the ClusterDeployment's namespace, referenced from a new field: ClusterDeployment.Spec.ClusterMetadata.MetadataJSONSecretRef.

For legacy clusters -- those created before this change -- we attempt to retrofit the new Secret based on the legacy fields. This is best effort and may not always work.

This change then adds a new generic destroyer via the (existing) hiveutil deprovision command that consumes this metadata.json to deprovision the cluster.

This new behavior is the default, but we also include an escape hatch to run the platform-specific legacy destroyer by setting the following annotation on the ClusterDeployment:

hive.openshift.io/legacy-deprovision: "true"

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-2302 which is a valid jira issue.

In response to this:

Well, mostly.

Previously any time installer added a field to metadata.json, we would need to evaluate and possibly add a bespoke field and code path for it to make sure it was supplied to the destroyer at deprovision time.

With this change, we're instead offloading it verbatim to a new Secret in the ClusterDeployment's namespace, referenced from a new field: ClusterDeployment.Spec.ClusterMetadata.MetadataJSONSecretRef.

Instead of building the installer's ClusterMetadata structure for the destroyer with individual fields from the CD's ClusterMetadata, we're unmarshaling it directly from the contents of that Secret.

(Except in some cases we have to scrub/replace credentials fields -- see HIVE-2804 / #2612)

For legacy clusters -- those created before this change -- we attempt to retrofit the new Secret based on the legacy fields. This is best effort and may not always work. If this results in a hanging deprovision due to a missing field, the workaround is to modify the contents of the Secret to add it in; then kill the deprovision pod and the next attempt should pick up the changes. (If the result is a "successful" deprovision with leaked resources, the only workaround is to clean up the infra manually. Sorry.)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-2302 which is a valid jira issue.

In response to this:

Well, mostly.

Previously any time installer added a field to metadata.json, we would need to evaluate and possibly add a bespoke field and code path for it to make sure it was supplied to the destroyer at deprovision time.

With this change, we're instead offloading it verbatim to a new Secret in the ClusterDeployment's namespace, referenced from a new field: ClusterDeployment.Spec.ClusterMetadata.MetadataJSONSecretRef.

Instead of building the installer's ClusterMetadata structure for the destroyer with individual fields from the CD's ClusterMetadata, we're unmarshaling it directly from the contents of that Secret.

(Except in some cases we have to scrub/replace credentials fields -- see HIVE-2804 / #2612)

For legacy clusters -- those created before this change -- we attempt to retrofit the new Secret based on the legacy fields. This is best effort and may not always work. If this results in a hanging deprovision due to a missing field, the workaround is to modify the contents of the Secret to add it in; then kill the deprovision pod and the next attempt should pick up the changes. (If the result is a "successful" deprovision with leaked resources, the only workaround is to clean up the infra manually. Sorry.)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [2uasimojo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[2uasimojo]

TODO: Deprovisioner side

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-2302 which is a valid jira issue.

In response to this:

Well, mostly.

Previously any time installer added a field to metadata.json, we would need to evaluate and possibly add a bespoke field and code path for it to make sure it was supplied to the destroyer at deprovision time.

With this change, we're offloading metadata.json verbatim (except in some cases we have to scrub/replace credentials fields -- see HIVE-2804 / #2612) to a new Secret in the ClusterDeployment's namespace, referenced from a new field: ClusterDeployment.Spec.ClusterMetadata.MetadataJSONSecretRef.

For legacy clusters -- those created before this change -- we attempt to retrofit the new Secret based on the legacy fields. This is best effort and may not always work.

In the future (but not here!) instead of building the installer's ClusterMetadata structure for the destroyer with individual fields from the CD's ClusterMetadata, we'll unmarshal it directly from the contents of this Secret.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-2302 which is a valid jira issue.

In response to this:

Well, mostly.

Previously any time installer added a field to metadata.json, we would need to evaluate and possibly add a bespoke field and code path for it to make sure it was supplied to the destroyer at deprovision time.

With this change, we're offloading metadata.json verbatim (except in some cases we have to scrub/replace credentials fields -- see HIVE-2804 / #2612) to a new Secret in the ClusterDeployment's namespace, referenced from a new field: ClusterDeployment.Spec.ClusterMetadata.MetadataJSONSecretRef.

For legacy clusters -- those created before this change -- we attempt to retrofit the new Secret based on the legacy fields. This is best effort and may not always work.

In the future (but not here!) instead of building the installer's ClusterMetadata structure for the destroyer with individual fields from the CD's ClusterMetadata, we'll unmarshal it directly from the contents of this Secret.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-2302 which is a valid jira issue.

This pull request references HIVE-2644 which is a valid jira issue.

In response to this:

Well, mostly.

Previously any time installer added a field to metadata.json, we would need to evaluate and possibly add a bespoke field and code path for it to make sure it was supplied to the destroyer at deprovision time.

With this change, we're offloading metadata.json verbatim (except in some cases we have to scrub/replace credentials fields -- see HIVE-2804 / #2612) to a new Secret in the ClusterDeployment's namespace, referenced from a new field: ClusterDeployment.Spec.ClusterMetadata.MetadataJSONSecretRef.

For legacy clusters -- those created before this change -- we attempt to retrofit the new Secret based on the legacy fields. This is best effort and may not always work.

In the future (but not here!) instead of building the installer's ClusterMetadata structure for the destroyer with individual fields from the CD's ClusterMetadata, we'll unmarshal it directly from the contents of this Secret.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-2302 which is a valid jira issue.

This pull request references HIVE-2644 which is a valid jira issue.

In response to this:

Previously any time installer added a field to metadata.json, we would need to evaluate and possibly add a bespoke field and code path for it to make sure it was supplied to the destroyer at deprovision time.

With this change, we're offloading metadata.json verbatim (except in some cases we have to scrub/replace credentials fields -- see HIVE-2804 / #2612) to a new Secret in the ClusterDeployment's namespace, referenced from a new field: ClusterDeployment.Spec.ClusterMetadata.MetadataJSONSecretRef.

For legacy clusters -- those created before this change -- we attempt to retrofit the new Secret based on the legacy fields. This is best effort and may not always work.

This change then adds a new generic destroyer via the (existing) hiveutil deprovision command that consumes this metadata.json to deprovision the cluster.

This new behavior is the default, but we also include an escape hatch to run the platform-specific legacy destroyer by setting the following annotation on the ClusterDeployment:

hive.openshift.io/legacy-deprovision: "true"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[2uasimojo]

/test e2e e2e-azure e2e-gcp e2e-vsphere e2e-openstack

🤞

[2uasimojo]

/test e2e-azure e2e-vsphere

[2uasimojo]

• This is now rebased on HIVE-2908: Remove OVirt (RHV) #2746
• VSphere (hopefully) remedied: metadata.json can be in one of two different shapes depending on pre- or post-zonal. We should now be accounting for both.

/test e2e-vsphere

[2uasimojo]

/hold for moar testings

[codecov]

Codecov Report

❌ Patch coverage is 18.94977% with 355 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.20%. Comparing base (d17bd65) to head (de21622).

Files with missing lines	Patch %	Lines
.../clusterdeployment/clusterdeployment_controller.go	27.70%	100 Missing and 7 partials ⚠️
pkg/install/generate.go	18.18%	95 Missing and 4 partials ⚠️
contrib/pkg/deprovision/deprovision.go	0.00%	45 Missing ⚠️
pkg/clusterresource/builder.go	0.00%	18 Missing and 3 partials ⚠️
contrib/pkg/utils/vsphere/vsphere.go	0.00%	18 Missing ⚠️
contrib/pkg/createcluster/create.go	0.00%	11 Missing ⚠️
contrib/pkg/utils/nutanix/nutanix.go	0.00%	8 Missing ⚠️
pkg/installmanager/installmanager.go	22.22%	7 Missing ⚠️
contrib/pkg/deprovision/azure.go	0.00%	4 Missing ⚠️
contrib/pkg/deprovision/gcp.go	0.00%	4 Missing ⚠️
... and 14 more

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2729      +/-   ##
==========================================
- Coverage   50.45%   50.20%   -0.26%     
==========================================
  Files         284      284              
  Lines       33968    34243     +275     
==========================================
+ Hits        17140    17191      +51     
- Misses      15489    15703     +214     
- Partials     1339     1349      +10     

Files with missing lines	Coverage Δ
pkg/constants/constants.go	100.00% <ø> (ø)
...lusterdeprovision/clusterdeprovision_controller.go	53.40% <100.00%> (+0.17%)	⬆️
pkg/controller/utils/logtagger.go	100.00% <100.00%> (ø)
.../v1/clusterdeployment_validating_admission_hook.go	87.07% <100.00%> (+0.04%)	⬆️
...shift/hive/apis/hive/v1/clusterdeployment_types.go	0.00% <ø> (ø)
...hift/hive/apis/hive/v1/clusterdeprovision_types.go	0.00% <ø> (ø)
contrib/pkg/deprovision/awstagdeprovision.go	0.00% <0.00%> (ø)
contrib/pkg/utils/aws/aws.go	0.00% <0.00%> (ø)
contrib/pkg/utils/azure/azure.go	0.00% <0.00%> (ø)
contrib/pkg/utils/gcp/gcp.go	0.00% <0.00%> (ø)
... and 20 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[2uasimojo]

• e2e and e2e-pool: actual tests succeeded; infra timeout flake
• e2e-openstack looks like a flake where the openstack infra was ill
• security was HIVE-2937, since resolved via HIVE-2937: revendor x/crypto for SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-12668891 #2755...

...so I think I'll just rebase to pick up that last one anyway.

...but I might as well wait until #2754 lands.

[2uasimojo]

/assign @dlom

[2uasimojo]

Legacy granny switch validated via #2759 ✓

[2uasimojo]

/retest hive-on-pull-request

[2uasimojo]

/retest hive-mce-26-on-pull-request

[dlom]

/retest hive-on-pull-request

[dlom]

/retest hive-mce-26-on-pull-request

[openshift-ci]

@dlom: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test coverage

/test e2e

/test e2e-azure

/test e2e-gcp

/test e2e-openstack

/test e2e-pool

/test e2e-vsphere

/test images

/test periodic-images

/test security

/test unit

/test verify

Use /test all to run all jobs.

In response to this:

/retest hive-mce-26-on-pull-request

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[2uasimojo]

/test e2e-openstack

Pre-actual-test IPI setup flake

[2uasimojo]

/test e2e-openstack

Same again

[2uasimojo]

/test e2e-openstack

Looks like provision timed out?

[dlom]

I think this is fine, it's readable and makes sense

[2uasimojo]

Ack. But it would jell with how we're getting the correct platform-specific destroyer from the installer -- see LL132 & 137 below. I don't mind leaving it for now though.

[dlom]

The most I would consider would be something like this:

type ConfigureCredsFn func(client.Client)
...
var configureCreds ConfigureCredsFn

[2uasimojo]

What does this gain? I still have to define the funcs with the full param spec, right?

[dlom]

Suggested change

	// If env vars are unset, the destroyer will fail organically.
	ConfigureCreds = func(c client.Client) {
	nutanixutil.ConfigureCreds(c)
	metadata.Nutanix.Username = os.Getenv(constants.NutanixUsernameEnvVar)
	metadata.Nutanix.Password = os.Getenv(constants.NutanixPasswordEnvVar)
	}
	// If env vars are unset, the destroyer will fail organically.
	ConfigureCreds = nutanixutil.ConfigureCreds
	metadata.Nutanix.Username = os.Getenv(constants.NutanixUsernameEnvVar)
	metadata.Nutanix.Password = os.Getenv(constants.NutanixPasswordEnvVar)

[dlom]

I think you can just write it like this. The function is immediately invoked right below

[2uasimojo]

That won't work without some refactoring, because ConfigureCreds is where those env vars get set, for both nutanix and vsphere.

Looking at it again, I think what makes sense is to pass the metadata into ConfigureCreds and set up the user/pass there. They are, after all, Creds that need to be Configured :)

My only objection to that is that I was trying to leave the legacy code path untouched as much as possible. Ultimately -- when we kill the legacy code path -- it'll be clean to do so; but in the meantime it would require me to either pass a dummy metadata is through or add a nil check condition in ConfigureCreds. The latter seems like the lesser evil. But I'm not sure it's worthwhile -- WDYT?

[dlom]

I think adding a metadata parameter and using a nil check to all of the ConfigureCreds implementations is a good compromise, especially if the line count is low (probably no more than +10 per file)

[2uasimojo]

Done, via a separate commit in case we hate it :)

[dlom]

I love it

[huangmingxia]

Hi @2uasimojo I have a question regarding the cleanup of the metadata.json Secret. Please correct me if I missed anything, thank you!

Currently, the OwnerReference of the metadata.json Secret is only set when the cluster installation succeeds. If the installation fails and the Secret has already been created, it has no OwnerReference and will remain in the cluster when the ClusterDeployment is deleted - it won’t be removed automatically.

Regarding the leftover Secret, there is a potential issue:
If an invalid metadata.json Secret already exists before the upgrade, the legacy retrofit path calls ensureMetadataJSONSecret() with forceUpdate=false. In this case, if the Secret already exists, its contents will not be updated even if the metadata in the retrofit has changed. This can cause the cluster deletion to fail. (I think it works with the annotation.)

Would it be possible to set the OwnerReference when creating the Secret? This way, the Secret would be automatically cleaned up regardless of whether the installation succeeds.

As additional context:
I did some tests switching repeatedly between old and new hive versions on the same hub.
When a ClusterDeployment installation failed on the new version, the metadata.json Secret was left behind without cleanup.
After reverting to the old version and creating a successful ClusterDeployment in the same namespace, upgrading hive again caused the existing secret to remain outdated (since forceUpdate=false), resulting in a mismatch between clusterdeprovision data and metadata.json, which led to cluster deletion failure.

[2uasimojo]

That's a great find @huangmingxia!

I'm really not worried about supporting "downgrades". (I think we could also simulate this behavior by creating a dummy Secret of the appropriate name before kicking off the installation with the new build. I'm also not worried about supporting that :) )

However, I agree we should be setting that OwnerReference immediately to avoid the scenario where the Secret is "orphaned" if the installation fails. PR incoming...

[openshift-ci]

@2uasimojo: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.