kubetest2-kops: use ephemeral discovery store for AWS #17809
Conversation
Signed-off-by: Marko Mudrinić <[email protected]>
Signed-off-by: Arnaud Meukam <[email protected]>
Ensure all the objects of a bucket are deleted before it's deleted. AWS S3 requires the bucket is empty before deletion Signed-off-by: Arnaud Meukam <[email protected]>
5 attempts are done to ensure the public read policy is applied Signed-off-by: Arnaud Meukam <[email protected]>
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
|
/test pull-kops-aws-distro-debian13 |
k8s-ci-robot
added
size/L
|
/test pull-kops-aws-distro-debian13 |
|
/test pull-kops-aws-distro-al2023 |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
@ameukam This needs to be tested with something that enables discovery store. Do we have such job? |
I don't think we have something like that as a presubmit. |
|
/test pull-kops-e2e-cni-cilium |
|
Please ignore the failing tests, let's get the review going first. |
| // Empty the bucket first | ||
| paginator := s3.NewListObjectsV2Paginator(c.s3Client, &s3.ListObjectsV2Input{ | ||
| Bucket: aws.String(bucketName), | ||
| }) |
There was a problem hiding this comment.
It is a good idea, but I would expect that kOps removes all the files from the bucket, otherwise it's a bug.
This approach may hide such issues.
There was a problem hiding this comment.
kOps force delete the S3 buckets at shutdown whether the bucket is empty or not. This is just an extra step to guarantee the bucket is properly deleted.
Potential issues will probably not of the emptiness of the bucket.
Happy to drop this if you think it's unnecessary
| var err error | ||
| backoff := time.Second | ||
| for i := 0; i < 5; i++ { | ||
| _, err = c.s3Client.PutBucketPolicy(ctx, &s3.PutBucketPolicyInput{ | ||
| Bucket: aws.String(bucketName), | ||
| Policy: aws.String(policy), | ||
| }) | ||
| if err == nil { | ||
| return nil | ||
| } | ||
| klog.Infof("Failed to set public read policy on bucket %s, retrying in %v. Error: %v", bucketName, backoff, err) | ||
| time.Sleep(backoff) | ||
| backoff *= 2 |
There was a problem hiding this comment.
I am not sure if exponential backoff is the right approach here:
- it is not a recurring task
- it does not happen concurrently
- we don't expect rate limiting.
I would vote for keeping it simple with some fixed interval and number of retries, making the behaviour more predictable.
There was a problem hiding this comment.
+1. I'll set a time sleep of 10 seconds
tests/e2e/kubetest2-kops/aws/s3.go
Outdated
| BlockPublicAcls: aws.Bool(false), | ||
| IgnorePublicAcls: aws.Bool(false), | ||
| BlockPublicPolicy: aws.Bool(false), | ||
| RestrictPublicBuckets: aws.Bool(false), |
There was a problem hiding this comment.
Should we keep the ACLs to 'true`?
There was a problem hiding this comment.
I was not sure of the ACL requirements of kOps for the service discovery so I went with a simple configuration. We can try what you are suggesting.
| return "" | ||
| } | ||
| d.createBucket = true | ||
| discovery = "s3://" + bucketName |
There was a problem hiding this comment.
I was expecting this to be used somewhere, by being passed to kOps when creating the cluster.
Maybe it's me, but I don't see it used in any of the tests.
There was a problem hiding this comment.
My understanding is that the test will need a discovery bucket by default* and we just want to make sure we don't depends on a static reference of an AWS resource we (sig-k8s-infra) currently don't have control on.
I1211 13:57:27.886490 13618 s3.go:129] Bucket k8s-infra-kops-state-ae62-20251211135010 created successfully
I1211 13:57:28.292397 13618 s3.go:129] Bucket k8s-infra-kops-discovery-ae62-20251211135727 created successfully
I1211 13:57:28.648562 13618 s3.go:146] Public read policy set on bucket k8s-infra-kops-discovery-ae62-20251211135727I1211 14:34:05.635169 13618 s3.go:222] Bucket k8s-infra-kops-state-ae62-20251211135010 deleted
I1211 14:34:05.920863 13618 s3.go:222] Bucket k8s-infra-kops-discovery-ae62-20251211135727 deletedThere was a problem hiding this comment.
kOps requires --discovery-store to be passed to tests needing it (see kubernetes/test-infra#35648 as reference). In the past, due to the static nature of the bucket, it was passed as part of the test definition. As it is dynamically created now, kubetest2-kops needs to pass it to kOps somehow (either as flag or new env var, similar to the state store).
There was a problem hiding this comment.
It's preferable we pass it as a env var in prowjob definition to avoid hard coding it. Setup a dedicated bucket is cheap.
There was a problem hiding this comment.
Sorry, but not sure I understand what you mean. We cannot pass it from prow anymore, as it's dynamically generated.
Ensure public access policies can be disabled when the bucket is public Signed-off-by: Arnaud Meukam <[email protected]>
ameukam
force-pushed
the
test-aws-discovery-store
branch
from
a332cc7 to
aa03eb6
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
4 participants
Retake of #17520
In addition: