odf-multicluster-orchestrator's Introduction

ODF Multicluster Orchestrator

ODF Multicluster Orchestrator is a combination of a Kubernetes Operator and addons that work together to orchestrate OpenShift Data Foundation clusters spread across multiple OpenShift clusters. It leverages Red Hat Advanced Cluster Management for Kubernetes as its control plane and also uses its addon framework.

Requirements

odf-multicluster-orchestrator's People

Contributors

agarwal-mudit, aruniiird, gowthamshanmugam, openshift-ci[bot], openshift-merge-bot[bot], openshift-merge-robot, raghavendra-talur, rexagod, rishabhkodes, sanjalkatiyar, sheetalpamecha, sp98, umangachapagain, vbnrh, weirdwiz

odf-multicluster-orchestrator's Issues

`make bundle` fails with go version 1.18

Error: bash: line 1: rhodf/odf-multicluster-operator-bundle-container/odf-multicluster-operator-bundle-container/odf-multicluster-operator-bundle/src/bin/controller-gen: No such file or directory 13:04:15 make: *** [Makefile:38: manifests] Error 127

More graceful logging for main controller


github.com/red-hat-storage/odf-multicluster-orchestrator/controllers.(*MirrorPeerSecretReconciler).Reconcile
	/workspace/controllers/mirrorpeersecret_controller.go:53
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:298
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214
2022-02-24T10:38:51.924Z	ERROR	controller-runtime.manager.controller.secret	Reconciler error	{"reconciler group": "", "reconciler kind": "Secret", "name": "756bd87b55371f0a9a791269d78efdaeb2617fc", "namespace": "spoke-cluster", "error": "namespaces \"openshift-dr-system\" not found"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214
2022-02-24T10:38:51.945Z	INFO	controller-runtime.manager.controller.secret	Creating a s3 secret	{"reconciler group": "", "reconciler kind": "Secret", "name": "756bd87b55371f0a9a791269d78efdaeb2617fc", "namespace": "spoke-cluster", "secret": {"metadata":{"name":"756bd87b55371f0a9a791269d78efdaeb2617fc","namespace":"openshift-dr-system","creationTimestamp":null,"labels":{"multicluster.odf.openshift.io/created-by":"mirrorpeersecret"}},"data":{"AWS_ACCESS_KEY_ID":"SE9tMElmQXA1ZDJxVWhhQ1dnUDQ=","AWS_SECRET_ACCESS_KEY":"bXRsK2c3cnA1Vzl6TjlQdmQ3aDlnWEw4SStmQUZqRHgrWDFRM08vaA=="},"type":"Opaque"}}
2022-02-24T10:38:52.000Z	ERROR	controller-runtime.manager.controller.secret	Updating the secret from internal secret is failed	{"reconciler group": "", "reconciler kind": "Secret", "name": "756bd87b55371f0a9a791269d78efdaeb2617fc", "namespace": "spoke-cluster", "controller": "MirrorPeerSecret", "secret": {"kind":"Secret","apiVersion":"v1","metadata":{"name":"756bd87b55371f0a9a791269d78efdaeb2617fc","namespace":"spoke-cluster","uid":"1a612df7-feb2-43e8-97d5-e05b5a6aaa3c","resourceVersion":"308664","creationTimestamp":"2022-02-24T10:38:51Z","labels":{"multicluster.odf.openshift.io/secret-type":"INTERNAL"},"managedFields":[{"manager":"manager","operation":"Update","apiVersion":"v1","time":"2022-02-24T10:38:51Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:namespace":{},"f:secret-data":{},"f:secret-origin":{},"f:storage-cluster-name":{}},"f:metadata":{"f:labels":{".":{},"f:multicluster.odf.openshift.io/secret-type":{}}},"f:type":{}}}]},"data":{"namespace":"b3BlbnNoaWZ0LXN0b3JhZ2U=","secret-data":"ey...
github.com/red-hat-storage/odf-multicluster-orchestrator/controllers.(*MirrorPeerSecretReconciler).Reconcile
	/workspace/controllers/mirrorpeersecret_controller.go:53
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:298
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214
2022-02-24T10:38:52.000Z	ERROR	controller-runtime.manager.controller.secret	Reconciler error	{"reconciler group": "", "reconciler kind": "Secret", "name": "756bd87b55371f0a9a791269d78efdaeb2617fc", "namespace": "spoke-cluster", "error": "namespaces \"openshift-dr-system\" not found"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214
2022-02-24T10:38:52.041Z	INFO	controller-runtime.manager.controller.secret	Creating a s3 secret	{"reconciler group": "", "reconciler kind": "Secret", "name": "756bd87b55371f0a9a791269d78efdaeb2617fc", "namespace": "spoke-cluster", "secret": {"metadata":{"name":"756bd87b55371f0a9a791269d78efdaeb2617fc","namespace":"openshift-dr-system","creationTimestamp":null,"labels":{"multicluster.odf.openshift.io/created-by":"mirrorpeersecret"}},"data":
2022-02-24T10:38:52.098Z	ERROR	controller-runtime.manager.controller.secret	Updating the secret from internal secret is failed	{"reconciler group": "", "reconciler kind": "Secret", "name": "756bd87b55371f0a9a791269d78efdaeb2617fc", "namespace": "spoke-cluster", "controller": "MirrorPeerSecret", "secret": {"kind":"Secret","apiVersion":"v1","metadata":{"name":"756bd87b55371f0a9a791269d78efdaeb2617fc","namespace":"spoke-cluster","uid":"1a612df7-feb2-43e8-97d5-e05b5a6aaa3c","resourceVersion":"308664","creationTimestamp":"2022-02-24T10:38:51Z","labels":{"multicluster.odf.openshift.io/secret-type":"INTERNAL"},"managedFields":[{"manager":"manager","operation":"Update","apiVersion":"v1","time":"2022-02-24T10:38:51Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:namespace":{},"f:secret-data":{},"f:secret-origin":{},"f:storage-cluster-name":{}},"f:metadata":{"f:labels":{".":{},"f:multicluster.odf.openshift.io/secret-type":{}}},"f:type":{}}}]},"data":{"namespace":"b3BlbnNoaWZ0LXN0b3JhZ2U=","secret-data":"ey...
github.com/red-hat-storage/odf-multicluster-orchestrator/controllers.(*MirrorPeerSecretReconciler).Reconcile
	/workspace/controllers/mirrorpeersecret_controller.go:53
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:298
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214

The main odf controller continuously tries to create the s3 secrets and the code fails as the namespace openshift-dr-system is not found.

Need to implement in code a way to fail gracefully whenever performing CRUD operations on resources, and not pollute the main controller logs.

Integrate gosec linter

Configure and integrate the gosec linter with the project to avoid accidentally logging or revealing secrets in operator logs, and to detect any other security risks/vulnerabilities in the code.

Add error handling to utility function

// GetCurrentStorageClusterRef looks up the StorageClusterRef for spokeClusterName
// in mp.Spec.Items. It returns nil when no item matches, and the caller must
// check for that before dereferencing the result.
func GetCurrentStorageClusterRef(mp *multiclusterv1alpha1.MirrorPeer, spokeClusterName string) *multiclusterv1alpha1.StorageClusterRef {
	for _, v := range mp.Spec.Items {
		if v.ClusterName == spokeClusterName {
			return &v.StorageClusterRef
		}
	}
	return nil
}

In cases where the spoke cluster name does not match any managed cluster, we need to return an error and handle it in the caller. Failing to do so will create a nil pointer exception and crash the program.
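The error-returning variant the issue asks for, as an added example that is not the project's own code. The MirrorPeer, PeerRef and StorageClusterRef types below are reduced stand-ins for the multiclusterv1alpha1 API types (an assumption: only the fields the lookup reads are modelled), and the sentinel error name is made up here.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the multiclusterv1alpha1 types (assumption: only the fields
// that GetCurrentStorageClusterRef reads are modelled).
type StorageClusterRef struct {
	Name      string
	Namespace string
}

type PeerRef struct {
	ClusterName       string
	StorageClusterRef StorageClusterRef
}

type MirrorPeer struct {
	Spec struct{ Items []PeerRef }
}

// ErrStorageClusterRefNotFound (hypothetical name) replaces the bare nil return,
// so callers must handle the miss instead of dereferencing a nil pointer.
var ErrStorageClusterRefNotFound = errors.New("no StorageClusterRef for spoke cluster")

// GetCurrentStorageClusterRef returns the ref for spokeClusterName, or a wrapped
// ErrStorageClusterRefNotFound that names the cluster that was not found.
func GetCurrentStorageClusterRef(mp *MirrorPeer, spokeClusterName string) (*StorageClusterRef, error) {
	if mp == nil {
		return nil, fmt.Errorf("%w: MirrorPeer is nil", ErrStorageClusterRefNotFound)
	}
	for i := range mp.Spec.Items {
		if mp.Spec.Items[i].ClusterName == spokeClusterName {
			// Address of the slice element, not of a per-iteration copy.
			return &mp.Spec.Items[i].StorageClusterRef, nil
		}
	}
	return nil, fmt.Errorf("%w: %q", ErrStorageClusterRefNotFound, spokeClusterName)
}

func main() {
	mp := &MirrorPeer{} // constructed sample MirrorPeer with one peer
	mp.Spec.Items = []PeerRef{{ClusterName: "cluster-a", StorageClusterRef: StorageClusterRef{Name: "ocs-storagecluster", Namespace: "openshift-storage"}}}
	if _, err := GetCurrentStorageClusterRef(mp, "cluster-z"); err != nil {
		fmt.Println("caller handles:", err) // logged and returned, no crash
	}
}
```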

MirrorPeer CR status is always "ExchangedSecret"

In a fresh setup, when I tried MirrorPeer CR creation, the secret exchange happened fast and I could also see the status was marked as ExchangedSecret.

When I tried to reproduce this issue (issue 35), the token-exchange-agent was not created and the token exchange also failed, but the MirrorPeer status is showing "ExchangedSecret".

Token agent pod is not created in managed cluster

In a fresh setup, the happy path is working fine. But when I cleaned up and retried, things are not working as expected.

Steps to reproduce:

  • Delete MirrorPeer CR.
  • Delete ManagedClusterAddons instances (token exchange addon of managed clusters).
  • Make sure token agent is terminated.
  • Delete all blue and green secrets in the hub on managed-cluster namespaces.
  • Delete secret on the openshift-storage namespace of managed clusters.
  • Recreate MirrorPeer CR.

Agents are not created in the openshift-storage namespace of the managed cluster.

Cloud credentials in Logs

2022-02-24T10:38:51.867Z	INFO	controller-runtime.manager.controller.secret	Creating a s3 secret	{"reconciler group": "", "reconciler kind": "Secret", "name": "756bd87b55371f0a9a791269d78efdaeb2617fc", "namespace": "spoke-cluster", "secret": {"metadata":{"name":"756bd87b55371f0a9a791269d78efdaeb2617fc","namespace":"openshift-dr-system","creationTimestamp":null,"labels":{"multicluster.odf.openshift.io/created-by":"mirrorpeersecret"}},"data":{"AWS_ACCESS_KEY_ID":"**************************,"AWS_SECRET_ACCESS_KEY":"*******************"},"type":"Opaque"}}

The cloud API credentials are logged when creating/updating the s3 secret.
This is a huge security risk and needs to be fixed.
