Skip to content

Commit

Permalink
Reapply service accounts during operator update (#1515)
Browse files Browse the repository at this point in the history
Summary: We used to filter out service accounts when reapplying the
Vizier YAMLs during an update. This is because infinitely-lived service
tokens would be created every single time as K8s secret, and lead to a
very long list of secrets. However, that has since been phased out in
K8s 1.24 and we want to make sure we properly handle cases where new
service accounts need to be created.
An alternative to this is to still filter out service accounts, but
check which ones exist already. However, that adds more network calls to
the process.

Relevant Issues: N/A

Type of change: /kind bug

Test Plan: Deploy operator with skaffold

Signed-off-by: Michelle Nguyen <[email protected]>
  • Loading branch information
aimichelle authored Jun 16, 2023
1 parent c600265 commit 17b1845
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 17 deletions.
12 changes: 6 additions & 6 deletions src/operator/controllers/node_watcher.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,18 +74,18 @@ type nodeCompatTracker struct {

func (n *nodeCompatTracker) addNode(node *v1.Node) {
n.numNodes++
kVersion := getNodeKernelVersion(node)
n.kernelVersionDist[kVersion]++
if !nodeIsCompatible(kVersion) {
kernelVersion := getNodeKernelVersion(node)
n.kernelVersionDist[kernelVersion]++
if !nodeIsCompatible(kernelVersion) {
n.numIncompatible++
}
}

func (n *nodeCompatTracker) removeNode(node *v1.Node) {
n.numNodes--
kVersion := getNodeKernelVersion(node)
n.kernelVersionDist[kVersion]--
if !nodeIsCompatible(kVersion) {
kernelVersion := getNodeKernelVersion(node)
n.kernelVersionDist[kernelVersion]--
if !nodeIsCompatible(kernelVersion) {
n.numIncompatible--
}
}
Expand Down
11 changes: 0 additions & 11 deletions src/operator/controllers/vizier_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -699,17 +699,6 @@ func (r *VizierReconciler) deployVizierCore(ctx context.Context, namespace strin
return err
}

// If updating, don't reapply service accounts as that will create duplicate service tokens.
if allowUpdate {
filteredResources := make([]*k8s.Resource, 0)
for _, r := range resources {
if r.GVK.Kind != "ServiceAccount" {
filteredResources = append(filteredResources, r)
}
}
resources = filteredResources
}

for _, r := range resources {
err = updateResourceConfiguration(r, vz)
if err != nil {
Expand Down

0 comments on commit 17b1845

Please sign in to comment.