Feat: enable owner references #2688
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…o/postgres-operator into mbegenau-feat-498-ownerReferences
FxKu
requested review from
sdudoladov,
Jan-M,
jopadi,
idanovinda,
hughcapet and
macedigital
as code owners
FxKu
changed the title
FxKu
commented
Jul 19, 2024
|
great |
hughcapet
reviewed
Aug 1, 2024
| @@ -957,9 +970,15 @@ func (c *Cluster) updateSecret( | |||
| userMap[userKey] = pwdUser | |||
| } | |||
|
|
|||
| if !reflect.DeepEqual(secret.ObjectMeta.OwnerReferences, generatedSecret.ObjectMeta.OwnerReferences) { | |||
| updateSecret = true | |||
| updateSecretMsg = fmt.Sprintf("secret %s owner references do not match the current ones", secretName) | |||
There was a problem hiding this comment.
i am wondering, shouldn't we concatenate all the update msgs instead of re-assigning?
There was a problem hiding this comment.
The other cases are mutual exclusive to one another. This line here is the only case that might happen additionally. But given that enabling owner references is probably a one time operation, I don't think it's worth to add more logic.
hughcapet
approved these changes
Aug 9, 2024
|
👍 |
1 similar comment
|
👍 |
|
Thank you for this great work! |
@barthy1 it's already in 1.13.0 and I am testing it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This a follow up to #2199 with some greater changes. The most important part of owner references is the cascaded removal of child resources which bypasses the delete protection offered by our operator.
Quick reminder about delete protection: this checks pre-defined annotations before calling delete code but cannot block the actual kubectl delete call itself. This you could only achieve with a K8s admission controller which, for example, does the same annotation checks.
We use the latter at Zalando, but some folks out there might rely on the protection by the operator. Therefore, we should not enable owner references by default but make it configurable.
#2199 also lacked code to update existing resources once you start using owner references or vice versa remove them. Like with the recently added annotation inheritance, this produced many code extensions. I’ve also found some oversights from #2657 which I’ve fixed along the way. All owner references syncs are done with Update API calls, which requires extending the RBAC.
A new e2e test is added which tests syncing owner references in both directions and deleting the acid-test-cluster cascadingly which was previously done in the multi namespace test. Some unit test were extended, too.
closes #2199
fixes #498