WIP: Rebase 1.32 Pre.1 Diff #161
Conversation
Signed-off-by: Dr. Stefan Schimanski <[email protected]> Co-authored-by: Mangirdas Judeikis <[email protected]> Co-authored-by: Dr. Stefan Schimanski <[email protected]> Signed-off-by: Mangirdas Judeikis <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]> Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]>
Partially reverting e8b1d7d. kcp's GC controller is event-based for now, and without locks we may miss events during monitor syncs. There are known issues that locking causes: * kubernetes#101078 * kubernetes#127105 On-behalf-of: SAP [email protected] Signed-off-by: Robert Vasek <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]> Signed-off-by: Marvin Beckers <[email protected]>
…_quota_controller_patch.go
Ran:
go run ./hack/kcp/resource_quota_controller_patch.go > pkg/controller/resourcequota/resource_quota_controller_patch.go
and modified the resulting file so that imports are in place, and changed
the main wait.UntilWithContext loop into a closure, so that when UpdateMonitors
is called, updating is done exactly once.
On-behalf-of: SAP [email protected]
Signed-off-by: Robert Vasek <[email protected]>
…gecollector_patch.go
Ran:
go run ./hack/kcp/garbage_collector_patch.go > pkg/controller/garbagecollector/garbagecollector_patch.go
and modified the resulting file so that imports are in place, and changed
the main wait.UntilWithContext loop into a closure, so that when ResyncMonitors
is called, syncing is done exactly once.
On-behalf-of: SAP [email protected]
Signed-off-by: Robert Vasek <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]>
… pods Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]> Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]>
…gin and policy plugin framework Signed-off-by: Marvin Beckers <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…rge patch Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…ss identities Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…card partial metadata requests Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
… storage paths Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Co-authored-by: Marvin Beckers <[email protected]> Signed-off-by: Dr. Stefan Schimanski <[email protected]> Signed-off-by: Marvin Beckers <[email protected]>
… control plane Signed-off-by: Marvin Beckers <[email protected]>
Signed-off-by: Marvin Beckers <[email protected]>
…dler patch Signed-off-by: Marvin Beckers <[email protected]>
Signed-off-by: Marvin Beckers <[email protected]>
…ilder Signed-off-by: Marvin Beckers <[email protected]>
Signed-off-by: Marvin Beckers <[email protected]>
…erver Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…in webhooks On-behalf-of: @SAP [email protected]
Signed-off-by: Mangirdas Judeikis <[email protected]> On-behalf-of: SAP [email protected]
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…bal service account Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…pers Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…bal service account fix Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…eign service account tests Signed-off-by: Dr. Stefan Schimanski <[email protected]>
…plify Signed-off-by: Dr. Stefan Schimanski <[email protected]>
On-behalf-of: SAP [email protected] Signed-off-by: Robert Vasek <[email protected]>
…n and policy plugin framework On-behalf-of: SAP [email protected] Signed-off-by: Robert Vasek <[email protected]>
kcp doesn't implement protobuf codec yet, and so we need to disable it in the client code. This commit comments out --prefers-protobuf command line flag when invoking client-gen in update-codegen.sh scripts in various places. TODO: revert once kcp gains protobuf support. On-behalf-of: SAP [email protected] Signed-off-by: Robert Vasek <[email protected]>
Ran:
hack/pin-dependency.sh github.com/kcp-dev/logicalcluster/v3 v3.0.5
hack/pin-dependency.sh github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250207161408-e1833e4a94f2
hack/pin-dependency.sh github.com/kcp-dev/client-go 5ae6774ab861f24965fc963d61af166c012f1ae0
On-behalf-of: SAP [email protected]
Signed-off-by: Robert Vasek <[email protected]>
Ran:
hack/update-vendor.sh
On-behalf-of: SAP [email protected]
Signed-off-by: Robert Vasek <[email protected]>
Ran:
hack/update-codegen.sh
On-behalf-of: SAP [email protected]
Signed-off-by: Robert Vasek <[email protected]>
| @@ -170,17 +173,33 @@ func (v *legacyValidator) Validate(ctx context.Context, tokenData string, public | |||
| manuallyCreatedTokensTotal.WithContext(ctx).Inc() | |||
| } | |||
|
|
|||
| v.patchSecretWithLastUsedDate(ctx, secret) | |||
| now := time.Now().UTC() | |||
There was a problem hiding this comment.
This looks like could be replaced by the function it replaces. Strange change.
There was a problem hiding this comment.
Indeed, and I've missed it, thanks!
https://github.com/kcp-dev/kubernetes/blob/kcp-1.31.0/pkg/serviceaccount/legacy.go#L176-L191
| if len(txnResp.Responses) == 0 || txnResp.Responses[0].GetResponseDeleteRange() == nil { | ||
| return errors.New(fmt.Sprintf("invalid DeleteRange response: %v", txnResp.Responses)) | ||
| } | ||
| deleteResp := txnResp.Responses[0].GetResponseDeleteRange() | ||
| if deleteResp.Header == nil { | ||
| return errors.New("invalid DeleteRange response - nil header") | ||
| } | ||
| err = decode(s.codec, s.versioner, origState.data, out, deleteResp.Header.Revision, clusterName) | ||
| err = decode(s.codec, s.versioner, origState.data, out, txnResp.Revision, clusterName, shardName) |
There was a problem hiding this comment.
Do we remember why this is different from upstream?
@sttts maybe you recall?
There was a problem hiding this comment.
Upstream's conditionalDelete was the same in v1.31.0 too: https://github.com/kubernetes/kubernetes/blob/v1.31.0/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go#L349-L385
Now, instead of explicitly doing Txn-If-Then-Else-Commit, there is a dedicated OptimisticDelete, and so deleteResp is not used anymore. Is this what you meant, @mjudeikis ?
| clusterAware kcpkubernetesclientset.ClusterInterface | ||
| } | ||
|
|
||
| func (h *hack) AdmissionregistrationV1alpha1() admissionregistrationv1alpha1.AdmissionregistrationV1alpha1Interface { |
There was a problem hiding this comment.
im surprised this didn't changed
There was a problem hiding this comment.
The Interface interface seems to still have that method in upstream's v1.32: https://github.com/kubernetes/kubernetes/blob/v1.32.0/staging/src/k8s.io/client-go/kubernetes/clientset.go#L27
Unless you meant something else, @mjudeikis ?
There was a problem hiding this comment.
I mean no new types were added/removed in 1.32.
There was a problem hiding this comment.
git diff kcp-1.31.0..kcp-1.32-pre.7-review -- staging/src/k8s.io/apiserver/pkg/clientsethack/adapter.go says that:
coordinationV1alpha1was replaced bycoordinationV1alpha2, andresourceV1beta1was added
Should I document this somewhere?
pkg/controlplane/apiserver/config.go
Outdated
| @@ -216,23 +209,6 @@ func BuildGenericConfig( | |||
|
|
|||
| ctx := wait.ContextForChannel(genericConfig.DrainedNotify()) | |||
|
|
|||
| // Use protobufs for self-communication. | |||
There was a problem hiding this comment.
TODO: This needs to be reverted once we add protoc support
| if err != nil { | ||
| return nil, fmt.Errorf("failed to create peer endpoint lease controller: %w", err) | ||
| } | ||
|
|
There was a problem hiding this comment.
needs to be dropped. There is no error here anymore.
There was a problem hiding this comment.
Hmm seems to have been added by bf01714 by mistake? There doesn't seem to be anything creating an err there either. Thanks!
| initializersChain := admission.PluginInitializers{genericInitializer} | ||
| initializersChain = append(initializersChain, pluginInitializers...) | ||
|
|
||
| admissionPostStartHook := func(hookContext server.PostStartHookContext) error { |
There was a problem hiding this comment.
Would be good to add comment this this is removed. I think history is bit lost.
There was a problem hiding this comment.
Are there some docs I could link to? Originally removed in 3211e1f , but without details.
| if completed.Authorization != nil { | ||
| completed.Authorization.Complete() | ||
| } |
There was a problem hiding this comment.
Potentially quick upstream change and we can drop this.
There was a problem hiding this comment.
We can actually drop this already, (*BuiltInAuthorizationOptions).Complete() already checks if the receiver is nil.
In v1.31.0, this was indeed not being checked: https://github.com/kubernetes/kubernetes/blob/v1.31.0/pkg/kubeapiserver/options/authorization.go#L87-L91
| @@ -67,13 +67,6 @@ func (a statusStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.O | |||
| // track changed fields in the status update. | |||
| managedFields := newCustomResourceObject.GetManagedFields() | |||
|
|
|||
| // KCP PATCH START | |||
There was a problem hiding this comment.
The fact this commit is here means we added in some before, and we need to clean and remove them.
This should not exist anymore.
There was a problem hiding this comment.
Seems to have been added in c6b52ef . I'll try to go through it and see if there are any more leftovers from this.
There was a problem hiding this comment.
Squashing this commit, 5c809ee UPSTREAM: <squash>: remove syncer custom code from apiextensions-apiserver into its origin, where this code comes from -- 879e48 UPSTREAM: <carry>: apiextensions-apiserver.
|
|
||
| // kcp: needed for setKCPOriginalAPIVersionAnnotation(). | ||
| // It expects a context with clusterContextKey key set. | ||
| ctx context.Context |
There was a problem hiding this comment.
:'( one more ctx wiring. Maybe we could try to get this upstreamed too as its apiserver code.
|
Here are a couple of other commits that also seem to be squashable: Can you guys pls 👍 if you're ok with these changes? |
UPSTREAM 130180: Make disable lookups of SA related artifacts working
What type of PR is this?
What this PR does / why we need it:
Just a diff for visibility.
branch pre.1 was pushed to fork already.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: