-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PWX-38512 Skip token refresh verification if host-pid not enabled #1635
Conversation
Do you think we should maybe check for annotation and not validate the actual token, if the annotation is missing, but maybe we should still validate up to the point that the secret exists, at least we will be sure that it gets created? |
f4c4d5a
to
c0db204
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with few nit comments
pkg/util/test/util.go
Outdated
if err != nil || !pidEnabled { | ||
pxSaSecret, err := coreops.Instance().GetSecret(pxSaTokenSecretName, cluster.Namespace) | ||
if err != nil { | ||
return fmt.Errorf("px serviceaccount token validation failed. Unable to get px serviceaccount secret. Err: %w", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest to print errors like this, from my experience, it helps later on to debug simple things just from logs
return fmt.Errorf("px serviceaccount token validation failed. Unable to get px serviceaccount secret. Err: %w", err) | |
return fmt.Errorf("failed to get px serviceaccount secret [%s] in namespace [%s]. Err: %w", pxSaTokenSecretName, cluster.Namespace, err) |
if err != nil { | ||
return fmt.Errorf("px serviceaccount token validation failed. Unable to get px serviceaccount secret. Err: %w", err) | ||
} | ||
if len(pxSaSecret.Data[core.ServiceAccountTokenKey]) == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also we can probably just do this, less heavier operation
if len(pxSaSecret.Data[core.ServiceAccountTokenKey]) == 0 { | |
if pxSaSecret.Data[core.ServiceAccountTokenKey] == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a byte array, not a string, so checking the length would be better in this case?
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #1635 +/- ##
=======================================
Coverage 75.59% 75.59%
=======================================
Files 77 77
Lines 20862 20862
=======================================
Hits 15771 15771
Misses 3967 3967
Partials 1124 1124 ☔ View full report in Codecov by Sentry. |
Signed-off-by: shsun_pure <shsun@purestorage.com>
Signed-off-by: shsun_pure <shsun@purestorage.com>
50170bd
to
f8dc862
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
) * skip token refresh verification if host-pid not enabled Signed-off-by: shsun_pure <shsun@purestorage.com> * validate px serviceaccount token secret created Signed-off-by: shsun_pure <shsun@purestorage.com> * update error message --------- Signed-off-by: shsun_pure <shsun@purestorage.com> Co-authored-by: shsun_pure <shsun@purestorage.com>
) * skip token refresh verification if host-pid not enabled Signed-off-by: shsun_pure <shsun@purestorage.com> * validate px serviceaccount token secret created Signed-off-by: shsun_pure <shsun@purestorage.com> * update error message --------- Signed-off-by: shsun_pure <shsun@purestorage.com> Co-authored-by: shsun_pure <shsun@purestorage.com> Signed-off-by: shsun_pure <shsun@purestorage.com>
) (#1641) * skip token refresh verification if host-pid not enabled * validate px serviceaccount token secret created * update error message --------- Signed-off-by: shsun_pure <shsun@purestorage.com> Co-authored-by: shsun_pure <shsun@purestorage.com>
What this PR does / why we need it:
host-pid is required to run nsenter with runc. nsenter without runc is fine is the reason why other verifications are fine.
Which issue(s) this PR fixes (optional)
Closes PWX-38512
A full set of integration test is being run at https://jenkins.pwx.dev.purestorage.com/job/Operator/view/Operator%20Release%20Dashboard/job/op-basic-hotfix/