Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ contentmanager: use namespace-scoped informers #1880

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

✨ contentmanager: use namespace-scoped informers #1880

wants to merge 1 commit into from

Conversation

joelanford
Copy link
Member

@joelanford joelanford commented Mar 27, 2025
edited
Loading

Description

This PR changes operator-controller's contentmanager, which is used to establish watches for objects it is lifecycling, so that it uses namespace-scoped informers for namespace-scoped watches. Prior to this PR, contentmanager is using a cluster-scoped watch for all resources, regardless of their scoping.

This is beneficial because it means that the installer user can change its current cluster-wide list/watch permissions into namespace-scoped permissions for each resource in their extension's manifest.

It should be noted that the content manager manages a separate set of informers for each cluster extension due to the use of the cluster extension's service account. So switching from cluster-scoped informers to namespace-scoped informers, in most cases, will not increase the total number of informers that operator-controller has running at a given time. The only scenario where the number of informers increases is if the manifest for a particular cluster extension contains namespace-scoped resources in multiple namespaces.

On main, the number of informers for a cluster extension is: <number of unique resource types>
After this PR merges, the number of informers for a cluster extension is: <number of unique resource type/namespace pairs>.

In almost all cases, these numbers will be the same because extensions almost always install cluster-scoped objects and namespace-scoped objects in a single namespace.

The only case that this would be an issue is if we supported MultiNamespace install mode because that would cause roles and role bindings to be included in the manifest for all of the watched namespaces. We do no support that install mode, and we do not plan to support that install mode, essentially for this exact reason.

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

@joelanford joelanford requested a review from a team as a code owner March 27, 2025 02:38
@netlify Netlify
Copy link

netlify bot commented Mar 27, 2025
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 2b29265
🔍 Latest deploy log https://app.netlify.com/sites/olmv1/deploys/67e55f5758476500086cd045
😎 Deploy Preview https://deploy-preview-1880--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@codecov Codecov
Copy link

codecov bot commented Mar 27, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 88.67925% with 6 lines in your changes missing coverage. Please review.

Project coverage is 68.98%. Comparing base (a2ae8b8) to head (2b29265).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
.../operator-controller/contentmanager/cache/cache.go 87.75% 4 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1880      +/-   ##
==========================================
+ Coverage   68.93%   68.98%   +0.05%     
==========================================
  Files          66       66              
  Lines        5243     5252       +9     
==========================================
+ Hits         3614     3623       +9     
  Misses       1397     1397              
  Partials      232      232
Flag Coverage Δ
e2e 50.50% <73.58%> (+0.11%) ⬆️
unit 56.74% <81.13%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@joelanford joelanford force-pushed the contentmanager-namespace-scoped-informers branch 2 times, most recently from 6558075 to 4fc56e3 Compare March 27, 2025 13:06
everettraven
everettraven previously approved these changes Mar 27, 2025
View reviewed changes
Copy link
Contributor

@everettraven everettraven left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 27, 2025
@joelanford joelanford force-pushed the contentmanager-namespace-scoped-informers branch from 4fc56e3 to 2b29265 Compare March 27, 2025 14:23
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Mar 27, 2025

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 27, 2025
@joelanford
Copy link
Member Author

@thetechnick and I chatted. Decision for now is to put the PR into draft state and keep it around for if/when we want to scope permissions down further.
Reasoning:

  1. We currently start informers at the cluster-scope, so doing nothing maintains status quo. This is better for users as there is less churn to deal with.
  2. There is no huge push to scope permissions down, just a general sense of "we should"
  3. Scoping informers at the namespace level could make things more difficult for us later.
    • We can't easily undo it, because that would constitute a breaking change (we'd ask ClusterExtension admins for more permissions for a CE that is already working)
    • If we want to use these informers for List operations, there is concern about the complexity of the code necessary to handle that when we need to list across all namespaces.

@joelanford joelanford marked this pull request as draft April 1, 2025 14:51
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@everettraven everettraven everettraven left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@everettraven everettraven

Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joelanford @everettraven