Conversation
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com> Co-authored-by: Mangirdas Judeikis <mangirdas@judeikis.lt> Co-authored-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com> Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com> Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Partially reverting e8b1d7d. kcp's GC controller is event-based for now, and without locks we may miss events during monitor syncs. There are known issues that locking causes: * kubernetes#101078 * kubernetes#127105 On-behalf-of: SAP robert.vasek@sap.com Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
…_quota_controller_patch.go
Ran:
go run ./hack/kcp/resource_quota_controller_patch.go > pkg/controller/resourcequota/resource_quota_controller_patch.go
and modified the resulting file so that imports are in place, and changed
the main wait.UntilWithContext loop into a closure, so that when UpdateMonitors
is called, updating is done exactly once.
On-behalf-of: SAP robert.vasek@sap.com
Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
…gecollector_patch.go
Ran:
go run ./hack/kcp/garbage_collector_patch.go > pkg/controller/garbagecollector/garbagecollector_patch.go
and modified the resulting file so that imports are in place, and changed
the main wait.UntilWithContext loop into a closure, so that when ResyncMonitors
is called, syncing is done exactly once.
On-behalf-of: SAP robert.vasek@sap.com
Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
… pods Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com> Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
…gin and policy plugin framework Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…rge patch Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…ss identities Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…card partial metadata requests Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
… storage paths Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
… control plane Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
…dler patch Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
…ilder Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
…erver Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…in webhooks On-behalf-of: @SAP christoph.mewes@sap.com
On-behalf-of: @SAP christoph.mewes@sap.com
Signed-off-by: Mangirdas Judeikis <Mangirdas@Judeikis.LT> On-behalf-of: SAP mangirdas.judeikis@sap.com
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…bal service account Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…pers Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…bal service account fix Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…eign service account tests Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
…plify Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
On-behalf-of: SAP robert.vasek@sap.com Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
…n and policy plugin framework On-behalf-of: SAP robert.vasek@sap.com Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
kcp doesn't implement protobuf codec yet, and so we need to disable it in the client code. This commit comments out --prefers-protobuf command line flag when invoking client-gen in update-codegen.sh scripts in various places. TODO: revert once kcp gains protobuf support. On-behalf-of: SAP robert.vasek@sap.com Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
Ran:
hack/pin-dependency.sh github.com/kcp-dev/logicalcluster/v3 v3.0.5
hack/pin-dependency.sh github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250207161408-e1833e4a94f2
hack/pin-dependency.sh github.com/kcp-dev/client-go 5ae6774ab861f24965fc963d61af166c012f1ae0
On-behalf-of: SAP robert.vasek@sap.com
Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
Ran:
hack/update-vendor.sh
On-behalf-of: SAP robert.vasek@sap.com
Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
Ran:
hack/update-codegen.sh
On-behalf-of: SAP robert.vasek@sap.com
Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
| } | ||
|
|
||
| v.patchSecretWithLastUsedDate(ctx, secret) | ||
| now := time.Now().UTC() |
There was a problem hiding this comment.
This looks like could be replaced by the function it replaces. Strange change.
There was a problem hiding this comment.
Indeed, and I've missed it, thanks!
https://github.com/kcp-dev/kubernetes/blob/kcp-1.31.0/pkg/serviceaccount/legacy.go#L176-L191
| if len(txnResp.Responses) == 0 || txnResp.Responses[0].GetResponseDeleteRange() == nil { | ||
| return errors.New(fmt.Sprintf("invalid DeleteRange response: %v", txnResp.Responses)) | ||
| } | ||
| deleteResp := txnResp.Responses[0].GetResponseDeleteRange() | ||
| if deleteResp.Header == nil { | ||
| return errors.New("invalid DeleteRange response - nil header") | ||
| } | ||
| err = decode(s.codec, s.versioner, origState.data, out, deleteResp.Header.Revision, clusterName) | ||
| err = decode(s.codec, s.versioner, origState.data, out, txnResp.Revision, clusterName, shardName) |
There was a problem hiding this comment.
Do we remember why this is different from upstream?
@sttts maybe you recall?
There was a problem hiding this comment.
Upstream's conditionalDelete was the same in v1.31.0 too: https://github.com/kubernetes/kubernetes/blob/v1.31.0/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go#L349-L385
Now, instead of explicitly doing Txn-If-Then-Else-Commit, there is a dedicated OptimisticDelete, and so deleteResp is not used anymore. Is this what you meant, @mjudeikis ?
| clusterAware kcpkubernetesclientset.ClusterInterface | ||
| } | ||
|
|
||
| func (h *hack) AdmissionregistrationV1alpha1() admissionregistrationv1alpha1.AdmissionregistrationV1alpha1Interface { |
There was a problem hiding this comment.
im surprised this didn't changed
There was a problem hiding this comment.
The Interface interface seems to still have that method in upstream's v1.32: https://github.com/kubernetes/kubernetes/blob/v1.32.0/staging/src/k8s.io/client-go/kubernetes/clientset.go#L27
Unless you meant something else, @mjudeikis ?
There was a problem hiding this comment.
I mean no new types were added/removed in 1.32.
There was a problem hiding this comment.
git diff kcp-1.31.0..kcp-1.32-pre.7-review -- staging/src/k8s.io/apiserver/pkg/clientsethack/adapter.go says that:
coordinationV1alpha1was replaced bycoordinationV1alpha2, andresourceV1beta1was added
Should I document this somewhere?
pkg/controlplane/apiserver/config.go
Outdated
|
|
||
| ctx := wait.ContextForChannel(genericConfig.DrainedNotify()) | ||
|
|
||
| // Use protobufs for self-communication. |
There was a problem hiding this comment.
TODO: This needs to be reverted once we add protoc support
| if err != nil { | ||
| return nil, fmt.Errorf("failed to create peer endpoint lease controller: %w", err) | ||
| } | ||
|
|
There was a problem hiding this comment.
needs to be dropped. There is no error here anymore.
There was a problem hiding this comment.
Hmm seems to have been added by bf01714 by mistake? There doesn't seem to be anything creating an err there either. Thanks!
| initializersChain := admission.PluginInitializers{genericInitializer} | ||
| initializersChain = append(initializersChain, pluginInitializers...) | ||
|
|
||
| admissionPostStartHook := func(hookContext server.PostStartHookContext) error { |
There was a problem hiding this comment.
Would be good to add comment this this is removed. I think history is bit lost.
There was a problem hiding this comment.
Are there some docs I could link to? Originally removed in 3211e1f , but without details.
| if completed.Authorization != nil { | ||
| completed.Authorization.Complete() | ||
| } |
There was a problem hiding this comment.
Potentially quick upstream change and we can drop this.
There was a problem hiding this comment.
We can actually drop this already, (*BuiltInAuthorizationOptions).Complete() already checks if the receiver is nil.
In v1.31.0, this was indeed not being checked: https://github.com/kubernetes/kubernetes/blob/v1.31.0/pkg/kubeapiserver/options/authorization.go#L87-L91
| // track changed fields in the status update. | ||
| managedFields := newCustomResourceObject.GetManagedFields() | ||
|
|
||
| // KCP PATCH START |
There was a problem hiding this comment.
The fact this commit is here means we added in some before, and we need to clean and remove them.
This should not exist anymore.
There was a problem hiding this comment.
Seems to have been added in c6b52ef . I'll try to go through it and see if there are any more leftovers from this.
There was a problem hiding this comment.
Squashing this commit, 5c809ee UPSTREAM: <squash>: remove syncer custom code from apiextensions-apiserver into its origin, where this code comes from -- 879e48 UPSTREAM: <carry>: apiextensions-apiserver.
|
|
||
| // kcp: needed for setKCPOriginalAPIVersionAnnotation(). | ||
| // It expects a context with clusterContextKey key set. | ||
| ctx context.Context |
There was a problem hiding this comment.
:'( one more ctx wiring. Maybe we could try to get this upstreamed too as its apiserver code.
|
Here are a couple of other commits that also seem to be squashable: Can you guys pls 👍 if you're ok with these changes? |
UPSTREAM 130180: Make disable lookups of SA related artifacts working
5 participants
What type of PR is this?
What this PR does / why we need it:
Just a diff for visibility.
branch pre.1 was pushed to fork already.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: