✨ Add Upsync controller #2214
✨ Add Upsync controller #2214
Conversation
bipuladh
added
the
do-not-merge/work-in-progress
|
@bipuladh if a PR was not yet in a reviewable state (which was the case of this PR in its initlal state if I understood correctly what you told me), then you can also created it as a DRAFT PR, which makes it even clearer for other team members. |
ncdc
added
the
area/transparent-multi-cluster
bipuladh
force-pushed
the
1980-storage-upsync-controller-syncer
branch
from
6a4456e to
ea4ec3d
Compare
openshift-merge-robot
added
the
needs-rebase
openshift-ci
bot
added
the
kind/api-change
bipuladh
changed the base branch from
1980-storage-upsync-controller-syncer
to
main
openshift-merge-robot
removed
the
needs-rebase
bipuladh
force-pushed
the
1980-storage-upsync-controller-syncer
branch
2 times, most recently
from
50e77f4 to
c121343
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
openshift-merge-robot
added
the
needs-rebase
bipuladh
force-pushed
the
1980-storage-upsync-controller-syncer
branch
from
c121343 to
9c282ec
Compare
openshift-merge-robot
removed
the
needs-rebase
bipuladh
force-pushed
the
1980-storage-upsync-controller-syncer
branch
2 times, most recently
from
b3fffbf to
c873af2
Compare
bipuladh
force-pushed
the
1980-storage-upsync-controller-syncer
branch
2 times, most recently
from
1409cc7 to
1e0ceaa
Compare
| resourceVersionDownstream := downstreamResource.GetResourceVersion() | ||
| markedForDeletionDownstream := downstreamResource.GetDeletionTimestamp() != nil | ||
|
|
||
| if upstreamObject == nil && !markedForDeletionDownstream { |
There was a problem hiding this comment.
downstreamObject would match upstreamObject
Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
davidfestal
force-pushed
the
1980-storage-upsync-controller-syncer
branch
from
8fe94d0 to
80a228b
Compare
| var namespaceGVR schema.GroupVersionResource = corev1.SchemeGroupVersion.WithResource("namespaces") | ||
|
|
||
| // NewUpSyncer returns a new controller which upsyncs, through the Usyncer virtual workspace, downstream resources | ||
| // which are part of the upsyncable resource types (fixed limited list for now), and provide |
There was a problem hiding this comment.
question: What are the upsyncable resource types?
There was a problem hiding this comment.
I think upsyncable resources are limited to pods, endpoints and persistentvolumeclaims. Both experimentation and code support my understanding:
There was a problem hiding this comment.
That's right, for now only these 3 resources are upsynced, since they correspond to the use-cases forseeable short-term.
Mid-term / long-term, we should have followup work that would allow customizing this list at the KCP level (and possibly storing it to the Synctarget status), but this still needs further design and discussion, especially to keep security in mind.
We should probably open a dedicated issue for this, to track the first thoughts we had in the regard, and further discuss the details.
There was a problem hiding this comment.
The upsync controller is agnostic which GVRs are upsynced. But we are very opinionated in the wiring into the syncer for the moment. Whether we open that up eventually in some way, we will see.
There was a problem hiding this comment.
Thanks @davidfestal @sttts
We should probably open a dedicated issue for this, to track the first thoughts we had in the regard, and further discuss the details.
I can take care of that.
There was a problem hiding this comment.
Any thoughts on how we could address Crossplane use cases ? (this is a similar use case to the one demoed by @sttts at Kubecon NA 2022 for Kube-bind). In this use case, Crossplane is installed in the physical cluster and Crossplane claims CRDs are imported in the kcp workspace. Crossplane claims typically create connection secrets, which are created in the backend cluster. But to give access to the resources created by those claims, the developer need to have access to the connection secret. Therefore, the connection secret should be up synced to the workspace where the claim lives. I created a PoC for a controller that runs downstream and for each Crossplane connection secret finds the owner (the down-synced claim) and can add the UpsSync label to the connection secret. I was hoping to use this PR to now close the loop and be able to up sync the connection secret. But it looks like with the current restriction that will not be possible unless I create my own fork for the syncer.
There was a problem hiding this comment.
I created the related issue here: /~https://github.com/kcp-dev/kcp/issues/2804
Let's discuss in this new issue.
There was a problem hiding this comment.
Thanks ! I will copy the Crossplane use case description there.
There was a problem hiding this comment.
Thanks for creating the issue @davidfestal you were faster than me 🙇🏻
Signed-off-by: David Festal <dfestal@redhat.com>
Signed-off-by: David Festal <dfestal@redhat.com>
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Signed-off-by: Bipul Adhikari badhikar@redhat.com
Summary
Adds Upsync controller
Creates resources in the Upstream workspace for labelled resources.