OBC Controller and Reconcile

[shirady]

Describe the problem

Part of RHSTOR-6230
Continue of PRs red-hat-storage/ocs-operator#3692 by calling the Notify when an OBC is created and deleted.

Explain the changes

1. Register the OBC and OBC types.
   Note: to avoid direct import of lib-bucket-provision, I had to add them manually.
   In case we decide to import it directly, it can be in the same style as others.
2. OBC can be created in all namespaces, so add the needed changes for it.
3. Create the OBC controller, which is running on the client cluster (that doesn't have NooBaa installed and the OBC controller from lib-bucket-provisionser), the controller with predicate so the reconcile loop will be triggered on specific changes only: creation, deletion, and update only by setting the deletion timestamp.
4. In creation - add a finalizer and call Notify.
   Notes:

• On failures, change the status to Failed.
• Decided at this point not to change to Pending.
• To identify the storage client (as there can be a couple of storage clients in the client cluster), we use the ownerReferences from the storageclass.

5. In deletion call Notify and remove finalizer.
6. Adding permission to the controller for the above actions.
7. Changes to RBAC after running make manifests and make bundle.

Testing Instructions:

Manual Test:

1. Set 2 clusters - provider and client, after onboarding. The client cluster with this PR code changes, and the provider cluster with Implement Notify - OBC Created and Deleted ocs-operator#3692 code changes (Notify implementation).
2. On the client cluster, install the OBC CRD manually from noobaa-operator repo: kubectl apply -f ./noobaa-operator/deploy/obc/objectbucket.io_objectbucketclaims_crd.yaml
3. Set the permission manually:

kubectl create clusterrole ocs-client-operator-obc-role \
  --verb=get,list,watch,patch,update \
  --resource=objectbucketclaims.objectbucket.io

# Add the status subresource rule
kubectl patch clusterrole ocs-client-operator-obc-role --type='json' -p='[
  {"op": "add", "path": "/rules/-", "value": {
    "apiGroups": ["objectbucket.io"],
    "resources": ["objectbucketclaims/status"],
    "verbs": ["get", "patch", "update"]
  }}
]'

kubectl create clusterrolebinding ocs-client-operator-obc-rolebinding \
  --clusterrole=ocs-client-operator-obc-role \
  --serviceaccount=openshift-storage-client:ocs-client-operator-controller-manager

5. Add a storage cluster with ownerReferences of the storage client (you can copy from another storage class on the cluster) manually with a temp finalizer (else it is deleted).
   Example of storage class:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: openshift-storage.noobaa.io
  finalizers:
  - ocs-client-operator.ocs.openshift.io/temp
  ownerReferences:
  - apiVersion: ocs.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: StorageClient
    name: storage-client-2202
    uid: 841f7ac8-17cb-4d34-8ee2-7c6ebaf82103
parameters:
  bucketclass: noobaa-default-bucket-class
provisioner: openshift-storage.noobaa.io/obc
reclaimPolicy: Delete
volumeBindingMode: Immediate

6. Creation:

• Client cluster: create OBC on client cluster - should be created without status change.
  Example of OBC:

apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: shira-obc-2302
  namespace: openshift-storage-client
spec:
  storageClassName: openshift-storage.noobaa.io
  generateBucketName: shira-obc-2302
  additionalConfig: {}

Note: OBC can be created in any namespace, if you want to test on another namespace - create the namespace (kubectl create ns <namespacename>) and change the namespace value in the yaml.

• Provider cluster: check that the OBC on the provider cluster is created and in Bound phase.

7. Deletion:
   Since we do not have the copy mechanism implemented yet, we would test only OBC deletin (without additional resources):

• Manual steps:
  a. Install the OB CRD (kubectl apply -f noobaa-operator/deploy/obc/objectbucket.io_objectbuckets_crd.yaml)
  b. Change the clusterRole (use Ai generated file from the kubebuilder marks).
• Client cluster: delete OBC on client cluster - should be deleted.
• Provider cluster: check that the OBC was deleted (with all related resources).

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: shirady
Once this PR has been reviewed and has the lgtm label, please assign nb-ohad for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[leelavg]

install the OBC CRD manually from noobaa-operator repo

• unless we finalize on how we are bringing these CRDs we can't have this PR in current format, can there be a dynamic caching mechanism for this controller, like, when the PR is merged and client-op is deployed standalone even without OBC CRD client-op will not error out and serve existing cases?

manually with a temp finalizer (else it is deleted).

• why? it gets deleted if the ownerref is wrong or the server doesn't send this resource? I suppose it's the latter and may need a fix, good find.

[leelavg]

didn't review the controller yet as pr is in draft.

[leelavg]

even the returned OB/Secret/Configmap should be watched in other namespaces, isn't it?

[shirady]

The secret and config map should be watched in other namespaces as well, yes -I added the change.
OB is cluster-scoped, so I didn't change.

[shirady]

install the OBC CRD manually from noobaa-operator repo

• unless we finalize on how we are bringing these CRDs we can't have this PR in current format, can there be a dynamic caching mechanism for this controller, like, when the PR is merged and client-op is deployed standalone even without OBC CRD client-op will not error out and serve existing cases?

From what I understand from @nb-ohad for testing we can install the CRD that we need.
If you think that we need to add something specific for the general case, we can add.
The qoute was taken from the manual testing that was done.

manually with a temp finalizer (else it is deleted).

• why? it gets deleted if the ownerref is wrong or the server doesn't send this resource? I suppose it's the latter and may need a fix, good find.

Yes, you are correct. We would need to make changes. As we didn't want to be blocked at this point, it was suggested that we add the finalizer for testing purposes.

[shirady]

@leelavg @rewantsoni, Please take a look

[rewantsoni]

Maybe check if storageClient is onboarded or not. If onboarding succeeded, we should have the consumerUID and the storageProviderEndpoint as well

[shirady]

Do you mean to check if the phase is StorageClientConnected?
But it is not the same as checking those fields, from what I see.
For example, when there was an issue in the cluster:

• phase: Initializing
• oc get storageclient storage-client-2202 -o json | jq .spec.storageProviderEndpoint (output with value)
• oc get storageclient storage-client-2202 -o json | jq .status.consumerID null

The storage client was successfully onboarded in the past.
If I check the phase, it will not be able to create OBCs...

[rewantsoni]

If the storageClient is not Onboarding, we shouldn't be performing any calls

[shirady]

The storageClient is onboarded.
In this example, an unrelated issue caused the phase to change to Initializing.
@rewantsoni Would you like me to remove this condition, or do you have another suggestion?

[rewantsoni]

And I don't think we should be having this check here; this should only return the Storage Client

[rewantsoni]

I am trying to think of a case where the Client will be Connected, but the consumer UID will be empty 🤔

[shirady]

Probably would not happen, it is set as the last step in onboarding.

[rewantsoni]

Please format the imports as

standard
pkg
others

[shirady]

Thanks, I'll look again.

[rewantsoni]

Could you use inline errors?

[shirady]

Yes, thanks.

[rewantsoni]

It would be good if have status updates from a single place. Can you split reconcile into reconcile and reconcilePhases, and update the status towards the end of the reconcile similar to what we are doing for storageclient controller?

[shirady]

I tried to refactor it so we will have the reconcile function, reconcilePhases function (and more functions called inside it), and update the status toward the end of the reconcile.

My only concern with this change is a race condition between the status update and the "Bound" that is patched from outside.
Therefore, I tried to status was saved, and the update will be called only if it was changed (and it changes to Failed only in the creation/update flow).

[rewantsoni]

And I don't think we should be having this check here; this should only return the Storage Client