Skip SecretHashes update on ansibleLimit-scoped dataplane deployments

[lmiccini]

For servicesOverride deployments, merge SecretHashes into the existing map without resetting it, since all nodes were touched.
For ansibleLimit-scoped deployments, skip the update entirely as not all nodes received the secrets.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/56ac80bd0e7547ad88350eb0206886b5

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 18m 47s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 23m 38s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 37m 31s
❌ adoption-standalone-to-crc-ceph-provider FAILURE in 3h 01m 55s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 51m 23s
❌ openstack-operator-docs-preview POST_FAILURE in 2m 32s

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/db62c9cd33b34a538c7eccf243769b6a

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 02m 26s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 20m 56s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 36m 03s
❌ adoption-standalone-to-crc-ceph-provider FAILURE in 1h 46m 57s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 34m 08s
❌ openstack-operator-docs-preview POST_FAILURE in 3m 15s

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/b5d3972863e64857b2da5055f867ef55

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 20m 43s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 21m 41s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 36m 22s
❌ adoption-standalone-to-crc-ceph-provider FAILURE in 2h 05m 30s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 43m 01s
✔️ openstack-operator-docs-preview SUCCESS in 3m 14s

[lmiccini]

/retest

[lmiccini]

recheck

[lmiccini]

/test openstack-operator-build-deploy-kuttl-4-18

[lmiccini]

/test functional

[lmiccini]

/test openstack-operator-build-deploy-kuttl-4-18

[lmiccini]

/test openstack-operator-build-deploy-kuttl-4-18

[lmiccini]

/test openstack-operator-build-deploy-kuttl-4-18

[lmiccini]

/test openstack-operator-build-deploy-kuttl-4-18

[rabi]

Why can't infra-operator block deletion of there is mismatch between latest deployment and nodeset secret hashes? I am not sure if we should go this path as it is othrogonal to the original design. Also, users should be discouraged to do secret rotations using ansible_limits. It is there for scenarios where nodes are not reachable for some reason and users are expected to do full deployment across all nodes of the nodeset eventually to keep things in sync.

[lmiccini]

Why can't infra-operator block deletion of there is mismatch between latest deployment and nodeset secret hashes? I am not sure if we should go this path as it is othrogonal to the original design. Also, users should be discouraged to do secret rotations using ansible_limits. It is there for scenarios where nodes are not reachable for some reason and users are expected to do full deployment across all nodes of the nodeset eventually to keep things in sync.

Thanks @rabi . One of the challenges with that approach is that the last deployment may not be representative of the overall status of the nodeset. AFAICU we would have to introspect the deployments to check whether ansible_limits was used and/or if only a subset of the services were deployed, and repeat this pattern not just in infra but other operators that need to know if the dataplane is in sync (keystone for appcred, possibly others?).
I thought having a generic "am I up to date" status field would be in line with the loosely coupled approach we have for the dataplane, plus we would be able to use this for credentials rotation (rabbitmq, appcred, etc) and also to facilitate the cleanup after we migrate from mirrored to quorum queues among others. I am sure there are more use cases we could use this for.

[rabi]

One of the challenges with that approach is that the last deployment may not be representative of the overall status of the nodeset

I am not sure if we need to solve that by adding per-node tracking or by introspecting all deployments. That would start to break the current NodeSet design and make it overly complex IMO.

For this requirement, I think we can keep it simple:

• do not update NodeSet.Status.SecretHashes when ansibleLimit is set, since that deployment did not fully update the NodeSet

• with servicesOverride, the last deployment SecretHashes map is only partial, so it should not fully match the NodeSet SecretHashes. This can be false negative but conservative.

• block deletion whenever NodeSet.Status.SecretHashes and Deployment.Status.SecretHashes differ

With this approach, any scoped deployment, either via ansibleLimit or servicesOverride, keeps deletion blocked. Only a full unscoped deployment across all nodes brings the NodeSet back in sync.

We can add the ansibleLimit guard where SecretHashes are copied back to the NodeSet in internal/controller/dataplane/openstackdataplanenodeset_controller.go.

[lmiccini]

/test functional

[centosinfra-prod-github-app]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdo/buildset/44b91fa09db54b80829d1eb5022cd8ba

✔️ openstack-k8s-operators-content-provider SUCCESS in 12m 54s
❌ podified-multinode-edpm-deployment-crc RETRY_LIMIT in 30s
❌ cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 28s
❌ openstack-operator-tempest-multinode RETRY_LIMIT in 30s
❌ openstack-operator-edpm-baremetal-minor-update RETRY_LIMIT in 28s

[rabi]

This is fine with me, but I think we can still update SecretHashes for servicesOverride deployments without resetting the full map, which is what we do for full deployments today.

[openshift-ci]

@lmiccini: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/openstack-operator-build-deploy-kuttl	1698305	link	true	/test openstack-operator-build-deploy-kuttl
ci/prow/openstack-operator-build-deploy-kuttl-4-18	5761424	link	true	/test openstack-operator-build-deploy-kuttl-4-18

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.