Conditional supporting RBAC creation#2128
Conversation
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@copilot apply changes based on the comments in this thread |
Applied the following changes in commit abfca8a:
|
MirahImage
left a comment
There was a problem hiding this comment.
Given that we still need the serviceaccount for vault integration, how complicated the logic ends up being, and the fact that we trigger additional rolling upgrades based on version, I'm not sure this is really worthwhile.
Also, did copilot actually implement the changes it claims? I'm not sure it did?
|
I think it won't require a rolling restart anymore, since we are keeping the service account. The STS modification (to remove the SA reference) is what was causing the rolling restart. I'll test this in a bit. |
Assuming it doesn't cause the rolling restart, and that we get the rbac right after the code generation, I'm good to go with this. It's still a bit fragile, but in a way that it takes the approach that works if it doesn't know. |
Add a helper function to verify if RBAC resources (ServiceAccount, Role, and RoleBinding) should be created based on the RabbitMQ version annotation. The RBAC resources are no longer required for RabbitMQ >= 4.1.0. - Skip adding RBAC resource builders for clusters >= 4.1.0 - Ensure any existing RBAC resources are deleted during reconciliation if the cluster is upgraded to a version that doesn't need them - Conditionally set ServiceAccountName and AutomountServiceAccountToken on the StatefulSet depending on the version - Include unit and integration tests to verify the new behavior Made-with: Cursor
Update newly added tests to use BeTrueBecause and BeFalseBecause for more descriptive error messages when assertions fail. Made-with: Cursor
They are no longer required by the peer discovery plugin in 4.1+ Keeping the Service Account because it is still required for Vault integration.
Agent-Logs-Url: https://github.com/rabbitmq/cluster-operator/sessions/99f20b88-4e9d-460d-8e59-c385360b7b8e Co-authored-by: Zerpet <1515757+Zerpet@users.noreply.github.com>
Because sometimes system tests flake attempting to verify that rabbit has started. From the logs looks like `kubectl` command does not return. By bumping the timeout, we should avoid hammering the CI runner with a pile of pending `kubectl` commands.
e02ccda to
bf74c71
Compare
|
Confirmed the latest additions by Copilot don't cause a rolling restart. The operator initially creates the Role/Binding, because it doesn't know the version of RabbitMQ, but then it deletes them quietly. I also reviewed the Vault example. Indeed we require the SA for correct Vault integration. |
|
The diff might look weird. This is because I rebased and squashed some commits, so the only RBAC change required is adding |
Summary Of Changes
deleteRBAC forRoleandRoleBindingto the Operator ClusterRoleAdditional Context
Related to #1865. Starting in RabbitMQ 4.1, the k8s peer discovery plugin does not require any RBAC in Kubernetes. Earlier versions of this plugin queried k8s API to determine the addresses of its peers. That's not required anymore since 4.1. This PR is an optimisation that removes unnecessary RBACs (SA, Role/Binding).
The annotation based approach has a caveat: since the Operator does not know before hand the version of RabbitMQ, it creates the RBACs, and when it detects that rabbit is
>= 4.1.0, it removes them. This causes a rolling restart, which slightly delays initial rabbit deployment. The same applies when rabbit is upgraded from 3.13 to 4.2. Once rabbit is upgraded to 4.2, and the annotation is updated, RBACs are deleted and the STS is rolled. This happens because the Pod Spec changes, to remove the SA reference.Another downside is that the Operator ClusterRole now requires
deleteonRole,RoleBindingandServiceAccount. This broadens the permissions of the operator with a justified reason, but it feels like the operator is effectively a super-admin-user.I'm ok to not merge this PR, if the ClusterRole change is deemed unacceptable.
Local Testing
Unit and integration tests.
Tested locally the following scenarios: