Use Listers to fetch data in the Sink #821

Merged
merged 1 commit into from
Nov 9, 2020

Conversation

yaoxiaoqi
Member

@yaoxiaoqi yaoxiaoqi commented Nov 2, 2020

Changes

This PR uses Listers to fetch data from EventListeners, Triggers, TriggerBindings, TriggerTemplates, and
ClusterTriggerBindings, rather than directly making calls to the API server. Currently, multiple informers need to be
specified when creating a Sink object.
All Triggers in examples/ work under this change.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes tests (if functionality changed/added)
  • Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

Use Listers to fetch data in the Sink.

EventListener ServiceAccounts now need to have "list" and "watch" verbs in addition to "get" for all triggers resources. See examples at https://github.com/tektoncd/triggers/blob/master/examples/role-resources/triggerbinding-roles/role.yaml and https://github.com/tektoncd/triggers/blob/master/examples/role-resources/clustertriggerbinding-roles/clusterrole.yaml

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Nov 2, 2020
@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Nov 2, 2020
@dibyom
Member

dibyom commented Nov 2, 2020

This is great! Thank you!

For the build tests, it looks like the issue is:

cmd/triggerrun/cmd/root.go:215:63: Error return value of `(github.com/tektoncd/triggers/pkg/client/clientset/versioned/typed/triggers/v1alpha1.TriggerBindingInterface).List` is not checked (errcheck)
	client.TriggersV1alpha1().TriggerBindings(tri.Namespace).List(context.Background(), metav1.ListOptions{})

So, we should handle the error value instead of ignoring it.

For the integration test failure, looks like the issue has something to do with the serviceAccountName permissions:

        E1102 17:03:24.710120       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:24.711159       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:24.711196       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:24.711256       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:24.711529       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:25.855718       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:25.865745       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:26.046225       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:26.066630       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:26.264850       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:27.569723       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:27.720523       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:27.803859       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:28.150695       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
        E1102 17:03:28.692199       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
        {"level":"error","ts":"2020-11-02T17:03:31.391Z","logger":"eventlistener","caller":"sink/sink.go:80","msg":"Error getting EventListener my-eventlistener in Namespace arrakis-mlqsq: eventlistener.triggers.tekton.dev \"my-eventlistener\" not found","knative.dev/controller":"eventlistener","stacktrace":"github.com/tektoncd/triggers/pkg/sink.Sink.HandleEvent\n\tgithub.com/tektoncd/triggers/pkg/sink/sink.go:80\nnet/http.HandlerFunc.ServeHTTP\n\tnet/http/server.go:2012\nnet/http.(*ServeMux).ServeHTTP\n\tnet/http/server.go:2387\nnet/http.serverHandler.ServeHTTP\n\tnet/http/server.go:2807\nnet/http.(*conn).serve\n\tnet/http/server.go:1895"}
        E1102 17:03:31.608643       1 reflector.go:178] k8s.io/[email protected]+incompatible/tools/cache/reflector.go:125: Failed to list *v1alpha1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:arrakis-mlqsq:my-serviceaccount" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope

The e2e test creates its own ServiceAccount and Roles and uses that in the EventListener that the test creates. Currently, that role only has access to "get" triggers, bindings etc. With this change, it also needs access to "list" these resources: https://github.com/tektoncd/triggers/blob/master/test/eventlistener_test.go#L244

@tekton-robot tekton-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Nov 4, 2020
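
The reflector errors quoted in the comment above each name the subject, verb, resource, API group and scope of a refused request. As an added example (not code from this PR or the Tekton project), the Go program below extracts the distinct denials from such log text so that only the missing rules are granted; the log lines, `demo-ns` and `demo-sa` are constructed placeholders, and `ParseDenials` and `RoleKind` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// denyRe matches the API server's RBAC denial text seen in the reflector errors.
var denyRe = regexp.MustCompile(`User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" (?:at the cluster scope|in the namespace "([^"]+)")`)

// Denial is one distinct refusal; Namespace == "" means cluster scope.
type Denial struct{ User, Verb, Resource, Group, Namespace string }

// RoleKind names the object that can grant the verb. A cluster-scope request
// needs a ClusterRole bound by a ClusterRoleBinding; a Role cannot satisfy it.
func (d Denial) RoleKind() string {
	if d.Namespace == "" {
		return "ClusterRole"
	}
	return "Role"
}

// ParseDenials returns de-duplicated denials from log text, sorted by resource.
func ParseDenials(logs string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, m := range denyRe.FindAllStringSubmatch(logs, -1) {
		d := Denial{m[1], m[2], m[3], m[4], m[5]}
		if !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Resource < out[j].Resource })
	return out
}

// sampleLogs is constructed for this example (names are placeholders).
const sampleLogs = `E1102 17:03:24.711196 1 reflector.go:125: Failed to list *v1alpha1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:demo-ns:demo-sa" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1102 17:03:25.865745 1 reflector.go:125: Failed to list *v1alpha1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:demo-ns:demo-sa" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1102 17:03:26.046225 1 reflector.go:125: Failed to list *v1alpha1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:demo-ns:demo-sa" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1102 17:03:27.569723 1 reflector.go:125: Failed to watch *v1alpha1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:demo-ns:demo-sa" cannot watch resource "triggertemplates" in API group "triggers.tekton.dev" in the namespace "demo-ns"`

func main() {
	for _, d := range ParseDenials(sampleLogs) {
		fmt.Printf("%s: grant %q on %s/%s to %s\n", d.RoleKind(), d.Verb, d.Group, d.Resource, d.User)
	}
}
```

A denial reported "at the cluster scope" for a namespaced resource such as `triggerbindings` means the informer lists across all namespaces, which is why a namespaced Role with `list` is not enough in that case.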
@yaoxiaoqi yaoxiaoqi force-pushed the use-listers branch 2 times, most recently from 2d6f74b to 9c80de4 Compare November 5, 2020 14:35
@yaoxiaoqi
Member Author

/test pull-tekton-triggers-integration-tests

@yaoxiaoqi
Member Author

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 5, 2020
Member

@dibyom dibyom left a comment

Looking good. Just a couple of minor comments.
/lgtm

@@ -138,4 +138,35 @@ func createServiceAccount(t *testing.T, c *clients, namespace, name string) {
t.Fatalf("Error creating RoleBinding: %s", err)
}

_, err = c.KubeClient.RbacV1().ClusterRoles().Create(context.Background(),
&rbacv1.ClusterRole{
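
Review bot: The `ClusterRoles().Create` call in this test helper creates a cluster-scoped object that outlives the test namespace, and nothing in the visible lines removes it. If the ClusterRole name is fixed, a later or concurrent run would fail at this Create with AlreadyExists. Register deletion of the ClusterRole (and any ClusterRoleBinding created with it) in the test's cleanup, and consider deriving the name from `namespace`. Since the role applies across namespaces, keep its rules limited to the triggers.tekton.dev resources and the get/list/watch verbs the informers need.
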
Member

Since we are creating cluster-scoped resources, we should also delete them in a cleanup function. (By default we delete the namespace which deletes all the namespaced resources but not the cluster ones).

(e.g. we have a cleanup https://github.com/tektoncd/triggers/blob/master/test/eventlistener_test.go#L608 that is then called in the test: https://github.com/tektoncd/triggers/blob/master/test/eventlistener_test.go#L127)

Member Author

Got it. Besides, I'm curious about https://github.com/tektoncd/triggers/blob/master/test/eventlistener_test.go#L608. I would like to know why we need to delete eventlistener after the whole namespace is already deleted. It seems that the eventlistener lives along with the namespace.

Member

hmm, that's a good question 🤔

We probably should just delete the EL first and then the namespace? Or just the namespace.

Member

So, if TEST_KEEP_NAMESPACES env var is set, we will not delete the namespace but will delete the EL and the service. I wonder if this is intentional behavior.

Member Author

Thanks for the explanation. It makes sense. Should I also delete the eventlistener in test/eventlistener_scale_test.go after tear down the namespace? I can open another PR.

Member

@dibyom dibyom Nov 11, 2020

Actually, maybe we can just remove the lines that delete the EventListener and instead rely on the cleanup that already deletes the namespace to clean it up (in TestEventListenerCreate)?

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 5, 2020
This commit closes tektoncd#797.

This PR uses Listers to get resources in the Eventlistener Sink, rather than directly making calls to the API server.
Currently, multiple informers need to be set up when creating a Sink object. But the Sink in the cmd/triggerrun still makes the direct
API calls because it only makes the call once when executed, which means Lister cache is not useful in this case.

All examples work under this change.
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Nov 6, 2020
@dibyom
Copy link
Member

dibyom commented Nov 9, 2020

/approve
/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 9, 2020
@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom


@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 9, 2020
@tekton-robot tekton-robot merged commit 1ad55aa into tektoncd:master Nov 9, 2020