
CMP-2525: Implement dynamic scan settings for ROSA #511

Closed
wants to merge 1 commit into from

Conversation

Vincent056

@Vincent056 Vincent056 commented May 1, 2024

Made change to be able to detect what managed cluster we are on using ClusterClaim, through /apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io

oc get clusterclaims product.open-cluster-management.io -v 7 -o json
I0501 09:56:39.390722   70110 loader.go:373] Config loaded from file:  /Users/vincent/.kube/config
I0501 09:56:39.397643   70110 round_trippers.go:463] GET https://api.thb83-r47s4-4hg.6hoh.p3.openshiftapps.com:443/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io
I0501 09:56:39.397652   70110 round_trippers.go:469] Request Headers:
I0501 09:56:39.397657   70110 round_trippers.go:473]     User-Agent: oc/4.14.0 (darwin/arm64) kubernetes/0c63f9d
I0501 09:56:39.397661   70110 round_trippers.go:473]     Authorization: Bearer <masked>
I0501 09:56:39.397665   70110 round_trippers.go:473]     Accept: application/json
I0501 09:56:39.712622   70110 round_trippers.go:574] Response Status: 200 OK in 314 milliseconds
{
    "apiVersion": "cluster.open-cluster-management.io/v1alpha1",
    "kind": "ClusterClaim",
    "metadata": {
        "creationTimestamp": "2024-05-01T15:29:30Z",
        "generation": 1,
        "labels": {
            "open-cluster-management.io/hub-managed": "",
            "velero.io/exclude-from-backup": "true"
        },
        "name": "product.open-cluster-management.io",
        "resourceVersion": "7268",
        "uid": "6ad67a1c-ecf9-4d8e-87e0-68111bbaf97f"
    },
    "spec": {
        "value": "ROSA"
    }
}

Added ROSA platform type, disable master role if detected running on ROSA

@openshift-ci-robot
Collaborator

@Vincent056: This pull request references CMP-2525 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Made change to be able to detect what managed cluster we are on using ClusterClaim, through /apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io


Added ROSA platform type, disable master role and default-auto-apply scansetting if detected running on ROSA



openshift-ci bot commented May 1, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Vincent056


	} else {
		// check the value of the clusterClaim
		if clusterClaim.Spec.Value != "" {
			pflag = clusterClaim.Spec.Value
Is this used consistently across all managed offerings? Can we also rely on this for ARO?

	if pflag == "" {
		clusterClaim := &clusterv1alpha1.ClusterClaim{}
		if err := kubeClient.RESTClient().Get().RequestURI("/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io").Do(ctx).Into(clusterClaim); err != nil {
			setupLog.Info("Couldn't get ClusterClaim. This is not fatal though.")
Since we're using ClusterClaim as an internal implementation detail, we could say something like:

setupLog.Info("Unable to determine managed offering type.")

Then if readers see the error, but they're using self-managed, they don't really have a reason to be alarmed.

Vincent056 (Author)

agree, let me fix it

@rhmdnd rhmdnd left a comment

Only a couple comments inline. This is looking good, and we just need to get some testing wired up.

Thanks, Vincent!
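The detection flow described in the PR description and in the snippet above (GET the product ClusterClaim, read spec.value, drop the master role when it says ROSA, treat a lookup failure as non-fatal) is easy to get subtly wrong around the failure path, so here is an added, stand-alone example that exercises it end to end. This is not the Compliance Operator's code: the operator uses the controller-runtime/client-go REST client shown in the review snippet, whereas this example talks plain HTTP to an httptest server that I stand up in place of the OpenShift API. The function names (detectOffering, defaultScanRoles, resolveRoles, fakeAPIServer), the errUnknownOffering sentinel, and the ClusterClaim JSON served by the fake server are all mine; the JSON only mirrors the shape of the oc output in the PR description. The only managed-offering value the page documents is "ROSA", so that is the only one special-cased; what ARO or other offerings report in this claim is not on the page and is not assumed here.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// clusterClaimPath is the API path the PR reads to identify the managed offering.
const clusterClaimPath = "/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io"

// clusterClaim holds only the ClusterClaim fields this example needs.
type clusterClaim struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Value string `json:"value"`
	} `json:"spec"`
}

// errUnknownOffering is returned when the claim is absent or empty (self-managed
// cluster, missing CRD, or RBAC denial). Callers treat it as non-fatal.
var errUnknownOffering = errors.New("unable to determine managed offering type")

// detectOffering GETs the product ClusterClaim from base and returns spec.value.
// 404 and 403 map to errUnknownOffering; any other non-200 status is a real error.
func detectOffering(ctx context.Context, client *http.Client, base, token string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, base+clusterClaimPath, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Accept", "application/json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
	case http.StatusNotFound, http.StatusForbidden:
		return "", errUnknownOffering
	default:
		return "", fmt.Errorf("unexpected status %d from %s", resp.StatusCode, clusterClaimPath)
	}
	var cc clusterClaim
	if err := json.NewDecoder(resp.Body).Decode(&cc); err != nil {
		return "", err
	}
	if cc.Kind != "ClusterClaim" || cc.Spec.Value == "" {
		return "", errUnknownOffering
	}
	return cc.Spec.Value, nil
}

// defaultScanRoles returns the node roles the default ScanSetting should target:
// only "worker" on ROSA (as the PR does), both roles otherwise.
func defaultScanRoles(platform string) []string {
	if platform == "ROSA" {
		return []string{"worker"}
	}
	return []string{"master", "worker"}
}

// resolveRoles combines detection and role selection; a detection failure keeps
// the self-managed defaults instead of aborting operator startup.
func resolveRoles(ctx context.Context, base string) ([]string, string) {
	platform, err := detectOffering(ctx, http.DefaultClient, base, "")
	if err != nil {
		return defaultScanRoles(""), ""
	}
	return defaultScanRoles(platform), platform
}

// fakeAPIServer serves a constructed ClusterClaim whose spec.value is claimValue;
// an empty claimValue yields 404, like a cluster without the claim (assumption).
func fakeAPIServer(claimValue string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(clusterClaimPath, func(w http.ResponseWriter, r *http.Request) {
		if claimValue == "" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"apiVersion":"cluster.open-cluster-management.io/v1alpha1","kind":"ClusterClaim","metadata":{"name":"product.open-cluster-management.io"},"spec":{"value":%q}}`, claimValue)
	})
	return httptest.NewServer(mux)
}

func main() {
	for _, v := range []string{"ROSA", "OpenShift", ""} {
		srv := fakeAPIServer(v)
		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
		roles, platform := resolveRoles(ctx, srv.URL)
		cancel()
		srv.Close()
		fmt.Printf("claim=%q -> platform=%q roles=%v\n", v, platform, roles)
	}
}
```

Two things worth checking in the real operator that this example makes visible: first, the GET only succeeds if the operator's ClusterRole grants get on clusterclaims in cluster.open-cluster-management.io, otherwise the API server answers 403 and detection silently falls back; second, that fallback is fail-open toward the self-managed defaults (master and worker), which on a misconfigured ROSA install means master scans are still attempted rather than the control plane being skipped.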

@xiaojiey
Collaborator

xiaojiey commented May 7, 2024

/hold for test

@xiaojiey
Collaborator

xiaojiey commented May 9, 2024

@Vincent056 I am not sure if it is an env issue. The operator was installed correctly, and default ss only contains worker role. However, the pb was not created. Could you please help to double check? thanks.

% oc get csv
NAME                         DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v1.4.0   Compliance Operator   1.4.0                Succeeded
% oc get pod
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-7f68c5fdb4-rgkwc   1/1     Running   0          15s
% oc get ss
NAME      AGE
default   32s
% oc get ss default -o=jsonpath={.roles}
["worker"]
% oc get pb
No resources found in openshift-compliance namespace.
% oc get csv -o yaml | grep -i image:
                  image: quay.io/xiyuan/compliance-operator:pr-511
    - image: ghcr.io/complianceascode/openscap-ocp:latest
    - image: quay.io/xiyuan/compliance-operator:pr-511
    - image: ghcr.io/complianceascode/k8scontent:latest
% oc get pod
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-7f68c5fdb4-rgkwc   1/1     Running   0          102s

@rhmdnd

rhmdnd commented May 10, 2024

Working to get #515 landed so you have something to test against.

@rhmdnd

rhmdnd commented May 11, 2024

/test e2e-rosa

@Vincent056
Author

/test e2e-rosa

@Vincent056 Vincent056 force-pushed the rosa_scan branch 3 times, most recently from f1e71bb to 32085ba on May 14, 2024 01:50
@Vincent056
Author

/test e2e-rosa

@Vincent056
Author

/test e2e-rosa

@rhmdnd

rhmdnd commented May 15, 2024

> @Vincent056 I am not sure if it is an env issue. The operator was installed correctly, and default ss only contains worker role. However, the pb was not created. Could you please help to double check? thanks.


I may have a fix for this in #518 - which includes a new platform type for ROSA, and ensure the rhcos4 and ocp4 bundles are supported for that platform type.

…lations

Made change to be able to detect what managed cluster we are on using ClusterClaim, added ROSA platform type, disable master role if detected running on ROSA

openshift-ci bot commented May 16, 2024

@Vincent056: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-rosa
Commit: 3b1c0c7
Required: true
Rerun command: /test e2e-rosa


@Vincent056
Author

close this in favor of #518

@Vincent056 Vincent056 closed this May 16, 2024

5 participants