openshift / external-dns-operator

The ExternalDNS Operator provides simplified ExternalDNS controller management.
Apache License 2.0

Adds annotation in podSpec to trigger re-creation of pods on secret credential update #136

Closed DhritiShikhar closed 2 years ago

DhritiShikhar commented 2 years ago

Changes

[1] Moves the secret checksum annotation from deployment's metadata.annotations to spec.template.annotations

[2] Adds an E2E to verify that at first DNS records are not created when wrong secret is supplied. When the wrong secret is updated with the right values, DNS records are created.
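
The mechanism behind change [1], as an added Go example that is not the operator's code: a Deployment rolls out new pods only when `spec.template` changes, so a credentials hash kept in `metadata.annotations` leaves the running pods on the old secret. The hashing scheme, the simplified `deployment` type and the `stamp` helper are assumptions made for illustration; the annotation key is the one visible in the pod output further down this page.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Annotation key as it appears on the pods in the manual test on this page.
const hashAnnotation = "externaldns.olm.openshift.io/credentials-secret-hash"

// secretHash digests secret data in sorted key order (assumed scheme, not the operator's code).
func secretHash(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s%d:%s", len(k), k, len(data[k]), data[k]) // length-prefixed fields
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

type deployment struct { // simplified stand-in, not the Kubernetes API type
	metadataAnnotations map[string]string // metadata.annotations
	templateAnnotations map[string]string // spec.template.metadata.annotations
}

// rolloutTriggered models the rule that only a spec.template change makes new pods.
func rolloutTriggered(old, updated deployment) bool {
	return fmt.Sprint(old.templateAnnotations) != fmt.Sprint(updated.templateAnnotations)
}

// stamp places the hash where it was before (false) or after (true) this PR.
func stamp(secret map[string][]byte, inTemplate bool) deployment {
	ann := map[string]string{hashAnnotation: secretHash(secret)}
	if inTemplate {
		return deployment{templateAnnotations: ann}
	}
	return deployment{metadataAnnotations: ann}
}

func main() {
	wrong := map[string][]byte{"aws_access_key_id": []byte("WRONG")} // constructed sample values
	right := map[string][]byte{"aws_access_key_id": []byte("RIGHT")}
	fmt.Println("metadata only:", rolloutTriggered(stamp(wrong, false), stamp(right, false)))
	fmt.Println("pod template: ", rolloutTriggered(stamp(wrong, true), stamp(right, true)))
}
```
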

alebedev87 commented 2 years ago

/lgtm

alebedev87 commented 2 years ago

/lgtm cancel

alebedev87 commented 2 years ago

LGTM for the code changes. Let's think about the e2e test case for this feature to not fall into the same trap again.

DhritiShikhar commented 2 years ago

/retest

alebedev87 commented 2 years ago

Tests may be failing because the env variable changes (from 2 vars to 1 for the file) are not propagated to the desired deployment. This PR is supposed to fix this: https://github.com/openshift/external-dns-operator/pull/150.

alebedev87 commented 2 years ago

Disregard my previous comment about https://github.com/openshift/external-dns-operator/pull/150 which could help here. I forgot that in your test case you deploy all from scratch, so you should not be impacted by the fix I did in the other PR.

alebedev87 commented 2 years ago

/lgtm
/approve

openshift-ci[bot] commented 2 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87, DhritiShikhar

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/external-dns-operator/blob/main/OWNERS)~~ [alebedev87]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.

openshift-ci[bot] commented 2 years ago

@DhritiShikhar: all tests passed!

alebedev87 commented 2 years ago

Tested manually too:

02:32:58 $ oc -n external-dns get pods
No resources found in external-dns namespace.

02:33:07 $ oc -n external-dns get secret
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-pdf6f    kubernetes.io/dockercfg               1      3h7m
builder-token-pwqlz        kubernetes.io/service-account-token   4      3h7m
builder-token-r2v8x        kubernetes.io/service-account-token   4      3h7m
default-dockercfg-nrgfx    kubernetes.io/dockercfg               1      3h7m
default-token-fvr4j        kubernetes.io/service-account-token   4      3h7m
default-token-tq696        kubernetes.io/service-account-token   4      3h7m
deployer-dockercfg-r8tmw   kubernetes.io/dockercfg               1      3h7m
deployer-token-5887f       kubernetes.io/service-account-token   4      3h7m
deployer-token-brdgr       kubernetes.io/service-account-token   4      3h7m

02:33:14 $ oc apply -f config/samples/aws/operator_v1alpha1_externaldns_openshift.yaml
externaldns.externaldns.olm.openshift.io/sample-aws created

02:33:19 $ oc -n external-dns get secret
NAME                                      TYPE                                  DATA   AGE
builder-dockercfg-pdf6f                   kubernetes.io/dockercfg               1      3h8m
builder-token-pwqlz                       kubernetes.io/service-account-token   4      3h8m
builder-token-r2v8x                       kubernetes.io/service-account-token   4      3h8m
default-dockercfg-nrgfx                   kubernetes.io/dockercfg               1      3h8m
default-token-fvr4j                       kubernetes.io/service-account-token   4      3h8m
default-token-tq696                       kubernetes.io/service-account-token   4      3h8m
deployer-dockercfg-r8tmw                  kubernetes.io/dockercfg               1      3h8m
deployer-token-5887f                      kubernetes.io/service-account-token   4      3h8m
deployer-token-brdgr                      kubernetes.io/service-account-token   4      3h8m
external-dns-credentials-sample-aws       Opaque                                3      3s
external-dns-sample-aws-dockercfg-8gtlk   kubernetes.io/dockercfg               1      3s
external-dns-sample-aws-token-mzc5z       kubernetes.io/service-account-token   4      3s
external-dns-sample-aws-token-s6sdn       kubernetes.io/service-account-token   4      3s

02:33:22 $ oc -n external-dns get pods
NAME                                       READY   STATUS    RESTARTS   AGE
external-dns-sample-aws-7cdcbb8b69-r7sfg   1/1     Running   0          7s

02:33:26 $ oc -n external-dns get pods external-dns-sample-aws-7cdcbb8b69-r7sfg -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    externaldns.olm.openshift.io/credentials-secret-hash: ca286362386fad85434e29b75dd7a5b1759bdbf5c4d378580c176887547e9ce7

02:33:37 $ oc -n external-dns exec external-dns-sample-aws-7cdcbb8b69-r7sfg -- cat /etc/kubernetes/aws-credentials
[default]
aws_access_key_id = AAAAAAAAAAAAAAAA
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

2:34:34 $ oc -n external-dns get pods
NAME                                       READY   STATUS    RESTARTS   AGE
external-dns-sample-aws-7cdcbb8b69-r7sfg   1/1     Running   0          84s

02:34:43 $ oc -n external-dns-operator edit secret aws-access-key
error: secrets "aws-access-key" is invalid
secret/aws-access-key edited

02:36:18 $ oc -n external-dns get pods
NAME                                       READY   STATUS    RESTARTS   AGE
external-dns-sample-aws-6dff6959f6-7nx6t   1/1     Running   0          8s

02:36:32 $ oc -n external-dns exec external-dns-sample-aws-6dff6959f6-7nx6t -- cat /etc/kubernetes/aws-credentials
[default]
aws_access_key_id = WRONG
aws_secret_access_key = WRONG

02:39:36 $ oc -n external-dns get pods external-dns-sample-aws-6dff6959f6-7nx6t -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    externaldns.olm.openshift.io/credentials-secret-hash: edfd61362b1c83fe22a862121cfc8cc0fd86968f5f914001083d715585aef9d7

/label qe-approved

alebedev87 commented 2 years ago

/label docs-approved
/label px-approved