HIVE-2525: privatelink: add privatelink controller unit tests #2520
Conversation
|
@jstuever: This pull request references HIVE-2525 which is a valid jira issue. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
the
approved
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #2520 +/- ##
==========================================
+ Coverage 46.26% 49.79% +3.52%
==========================================
Files 279 281 +2
Lines 32913 32986 +73
==========================================
+ Hits 15227 16424 +1197
+ Misses 16406 15233 -1173
- Partials 1280 1329 +49
|
jstuever
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
jstuever
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
jstuever
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
jstuever
force-pushed
the
HIVE-2525
branch
2 times, most recently
from
f5dd15d to
b82d227
Compare
jstuever
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/assign @2uasimojo |
pkg/controller/privatelink/actuator/testactuator/testactuator.go
Outdated
Show resolved
Hide resolved
jstuever
force-pushed
the
HIVE-2525
branch
3 times, most recently
from
6829e6e to
2086ed2
Compare
There was a problem hiding this comment.
partial 3/
I've started rolling the code-side issues into https://issues.redhat.com/browse/HIVE-2687 -- feel free to resolve those comments (after confirming that they're correctly represented in the card).
pkg/controller/privatelink/actuator/awsactuator/awshubactuator_test.go
Outdated
Show resolved
Hide resolved
jstuever
force-pushed
the
HIVE-2525
branch
3 times, most recently
from
12ad27e to
e403502
Compare
pkg/controller/privatelink/actuator/awsactuator/awshubactuator_test.go
Outdated
Show resolved
Hide resolved
pkg/controller/privatelink/actuator/awsactuator/awshubactuator_test.go
Outdated
Show resolved
Hide resolved
pkg/controller/privatelink/actuator/awsactuator/awshubactuator_test.go
Outdated
Show resolved
Hide resolved
pkg/controller/privatelink/actuator/awsactuator/awshubactuator_test.go
Outdated
Show resolved
Hide resolved
| }}, | ||
| }, | ||
| expectError: "unable to find an associatedVPC that uses the primary AWS PrivateLink credentials", | ||
| }} |
There was a problem hiding this comment.
Looks like we could use a test case where VPCEndpointID is unset, but getAssociatedVPCs fails.
There was a problem hiding this comment.
I purposely skipped this test case because I found it is an impossible situation. getAssociatedVPCs can only return an error when VPCEndpointID is set.
There was a problem hiding this comment.
Mm, I see. An "unreachable" comment on the code side, then?
pkg/controller/privatelink/actuator/gcpactuator/gcplinkactuator_test.go
Outdated
Show resolved
Hide resolved
jstuever
force-pushed
the
HIVE-2525
branch
4 times, most recently
from
05b0965 to
d6f2766
Compare
| Reason: "ServiceAttachmentSubnetReconcileFailed", | ||
| Message: "googleapi: Error 401: not authorized to GetSubnet, AccessDenied", | ||
| }}, | ||
| expectError: "failed to reconcile the Service Attachment Subnet: googleapi: Error 401: not authorized to GetSubnet, AccessDenied", |
There was a problem hiding this comment.
We don't have coverage for all the paths that fail to SetErrConditionWithRetry. Which I get would be hard to do as currently written. But when we fix that thing up per HIVE-2686 it should become possible. Leaving this note to remind self to follow up on the coverage when that's done.
I will note, however, that some of those paths actually return from the reconciler rather than just logging. Which makes the missing coverage "heavier".
There was a problem hiding this comment.
I agree, let's move this conversation to #2528
jstuever
force-pushed
the
HIVE-2525
branch
4 times, most recently
from
351b11a to
651f14c
Compare
| test.completed = corev1.ConditionFalse | ||
| } | ||
|
|
||
| logger, _ := testlogger.NewLoggerWithHook() |
| }), | ||
| testcd.WithCondition(hivev1.ClusterDeploymentCondition{ | ||
| Type: hivev1.PrivateLinkReadyClusterDeploymentCondition, | ||
| Status: corev1.ConditionFalse, |
There was a problem hiding this comment.
This doesn't match the comment on L474.
I think if the ready condition is true but completed is false, we won't attempt to update the ready condition at all. Which would be inherently covered by changing this and L497 both to ConditionTrue. But we could prove that we don't even attempt to update the ready condition in that path by making the pre-existing condition's reason and/or message different.
...and this behavior seems pretty odd to me. Why would we not want to revert the ready condition from true to false if we call SetReadyCondition with completed==ConditionFalse? But I guess that's for discussion in the fup.
There was a problem hiding this comment.
Good catch... fixed.
As for the ready condition, I'm not exactly sure. I think it limits flapping of the ready condition. When it is called after something is modified (ie, hzModified), then it always uses false. The only time it uses true is in the privatelink.go, and only after all of the actuator reconciles return true. I found that at least one of the awshubactuator functions always returned modified=true, so this would always flap false, and then back to true.
Once we move to the one-change-per-reconcile flow (where I fixed this one function), it might make more sense to flap here. If you think this is still a desired change, we can continue the discussion in the followup.
There was a problem hiding this comment.
Okay, I figured it probably had something to do with preventing flapping. The part that doesn't make sense to me is how the Ready condition could have been set to True in the first place if we haven't actually completed the setup. That would seem to point to a bug somewhere in the code flow, and this odd logic was put in place to paper over it.
Alternatively the question may be: how did we become un ready after having become ready at some point? If that is legitimately possible, I would argue that we should be setting the Ready condition to false in that scenario.
But yeah, let's dig into it some more in the followup.
Good catch... fixed.
A thing I was trying to point out (albeit uneloquently) that this delta still doesn't cover: as written, we can't tell which path we took to end up no-op'ing: either the second branch of the weird anti-flapping condition, or the implicit else of that chunk. Since completed is false, we expect it to be the latter, but nothing about the test case proves that as currently written. My suggestion to remedy that was:
But we could prove that we don't even attempt to update the ready condition in that path by making the pre-existing condition's reason and/or message different.
That is, if the initial Reason was different, the else if path would revert it, but the implicit else path would not. The latter would be proven because we would have to change the Reason in the expected value as well.
There was a problem hiding this comment.
The flapping is happening after a successful reconcile (which sets the condition to true). In an ideal world, this -could- happen if one of the resources were deleted from the cloud provider. A future reconcile would identify that it does not exist and should report the resource as modified, causing a status (message) update.
However, in the code as currently written, ReconcileHostedZoneRecords always returns modified if there is no error. As a result, recordsModified is always true and the status is always updated. Then it is updated again when the reconcile completes successfully.
I think a key point here is that completed != ready. Completed just indicates that we have completed the reconcile successfully and should update to a ready condition. In all other cases, we should just update the status message to match the latest change(s). At no point does not-completed indicate that ready condition should be false.
There was a problem hiding this comment.
Okay, so arguably both of those things are bugs -- which we can discuss in the fup.
For now all I'm asking is to change the Reason and/or Message to prove which code path is being taken.
There was a problem hiding this comment.
Doesn't the implicit completed: False mean it cannot logically be due to else if completed == corev1.ConditionTrue {?
I've added more no change cases to help test/clarify each of the three 1) if, 2) else-if, and 3) implicit else paths of the code.
|
/test e2e e2e-gcp |
|
/lgtm Thanks for the long push and patience. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 2uasimojo, jstuever The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@jstuever: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/override "Red Hat Konflux / hive-mce-27-on-pull-request" "Red Hat Konflux / hive-on-pull-request" |
|
@jstuever: Overrode contexts on behalf of jstuever: Red Hat Konflux / hive-mce-27-on-pull-request, Red Hat Konflux / hive-on-pull-request In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
openshift-merge-bot
bot
merged commit 425785d
into
openshift:master
No description provided.