revert trustbundle propagation in sb lifecycle Do

[maschmid]

Fixes #8984

Basically reverts f88d983

Invoking PropagateTrustBundles in sinkbinding Do means it is being invoked per each sinkbinding-bound resource, not just during sinkbinding reconciliation. As the PropagateTrustBundles synchonously gets and updates ConfigMaps, it may also significantly delay the webhook's admission review of the resources. I believe the introduction of PropagateTrustBundles in Do has been a mistake (it should only by invoked during the SinkBinding reconciliation, not in the Do for each bound resource, as that doesn't really make sense)

Additionally, we now pass the configmaps returned from PropagateTrustBundles to the resource adapters in apiserversource and integrationsink , as those invoke PropagateTrustBundles just before listing the configmaps from the lister, so they should now use the current CMs directly.

Proposed Changes

• 🐛 Reverts trustbundle propagation in sinkbinding lifecycle Do

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior

[knative-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: maschmid
Once this PR has been reviewed and has the lgtm label, please assign creydr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[maschmid]

/test reconciler-tests

[maschmid]

=== CONT TestApiServerSourceSkipPermissionsFeature/Knative_ApiServerSource_-Features-_Permissions_Check/ApiServerSource_skip_permissions_and_pod_has_permissions/Assert/ApiServerSource_adapter_has_FailFast_set_to_true
skip_permissions.go:274: Expected 0 unavailable replica, got: 1

looks relevant. Without the trustbundle propagation in Do, we'd be reverting to being just eventually consistent.

[maschmid]

Let's see if we can moving that logic that passes the CMs from PropagateTrustBundles directly to ApiServerSource reconciliation. Makes sense to use those CMs directly, instead of using stale values from the CM lister cache.

[maschmid]

/hold

If that works for apiserversource, we should check if we should do the same for other sources that propagate bundles at the same time as they create deployments mounting them.

[maschmid]

/unhold

[maschmid]

/test reconciler-tests

[maschmid]

From https://prow.knative.dev/view/gs/knative-prow/pr-logs/pull/knative_eventing/8985/reconciler-tests_eventing_main/2039312118016118784

=== CONT TestApiServerSourceSkipPermissionsFeature/Knative_ApiServerSource_-Features-_Permissions_Check/ApiServerSource_skip_permissions_and_pod_has_permissions/Assert/ApiServerSource_adapter_has_FailFast_set_to_true
skip_permissions.go:270: Expected 1 ready replica, got: 2

Looking at the replicasets of the apiserversource-two-kmrmshbe-e8874f5d64f6d4ffacf50942f8e1b30ae4 Deployment, we see 4 replicasets in total, differing only in trust bundles being removed.

RS1 → RS2 (revision 1 → 2)                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                          
  Removed trust-bundle-pbgjrpiekne-bundle from the projected volume sources.                                                                                                                                                                                                              
                  
    RS1 volumes sources:                                                                                                                                                                                                                                                                  
      - kn-combined-kne-bundlekne-bundle                                                                                                                                                                                                                                                  
      - knative-eventing-bundlekne-bundle                                                                                                                                                                                                                                                 
      - trust-bundle-enmxarlokne-bundle                                                                                                                                                                                                                                                   
    - trust-bundle-pbgjrpiekne-bundle    ← removed                                                                                                                                                                                                                                        
      - trust-bundle-tslsquugkne-bundle                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                          
    RS2 volumes sources:                                                                                                                                                                                                                                                                  
      - kn-combined-kne-bundlekne-bundle                                                                                                                                                                                                                                                  
      - knative-eventing-bundlekne-bundle                                                                                                                                                                                                                                                 
      - trust-bundle-enmxarlokne-bundle                                                                                                                                                                                                                                                   
      - trust-bundle-tslsquugkne-bundle                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                          
  RS2 → RS3 (revision 2 → 3)                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                          
  Removed trust-bundle-enmxarlokne-bundle from the projected volume sources.                                                                                                                                                                                                              
                  
    RS2 volumes sources:                                                                                                                                                                                                                                                                  
      - kn-combined-kne-bundlekne-bundle                                                                                                                                                                                                                                                  
      - knative-eventing-bundlekne-bundle                                                                                                                                                                                                                                                 
    - trust-bundle-enmxarlokne-bundle    ← removed                                                                                                                                                                                                                                        
      - trust-bundle-tslsquugkne-bundle                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                          
    RS3 volumes sources:                                                                                                                                                                                                                                                                  
      - kn-combined-kne-bundlekne-bundle                                                                                                                                                                                                                                                  
      - knative-eventing-bundlekne-bundle                                                                                                                                                                                                                                                 
      - trust-bundle-tslsquugkne-bundle                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                          
  RS3 → RS4 (revision 3 → 4, current)                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                          
  Removed trust-bundle-tslsquugkne-bundle from the projected volume sources.                                                                                                                                                                                                              
                  
    RS3 volumes sources:                                                                                                                                                                                                                                                                  
      - kn-combined-kne-bundlekne-bundle                                                                                                                                                                                                                                                  
      - knative-eventing-bundlekne-bundle                                                                                                                                                                                                                                                 
    - trust-bundle-tslsquugkne-bundle    ← removed                                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                                          
    RS4 volumes sources:                                                                                                                                                                                                                                                                  
      - kn-combined-kne-bundlekne-bundle                                                                                                                                                                                                                                                  
      - knative-eventing-bundlekne-bundle                 

As we now reconcile the trustbundle changes faster, it may be that the other tests that add trust-bundles to the system namespace may cause this one to flake (as "Expected 1 ready replica, got: 2" is likely the caused by having two replicasets, differing only by the trust bundle, with the old one still running)

[maschmid]

Anyway, the TestApiServerSourceSkipPermissionsFeature looks like a known flake ( #8903 ) , so let's try fixing that in a separate PR.

[codecov]

Codecov Report

❌ Patch coverage is 62.50000% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.05%. Comparing base (263a3a5) to head (20e9722).

Files with missing lines	Patch %	Lines
pkg/reconciler/apiserversource/apiserversource.go	68.75%	2 Missing and 3 partials ⚠️
pkg/reconciler/integration/sink/integrationsink.go	68.75%	2 Missing and 3 partials ⚠️
pkg/apis/sources/v1/sinkbinding_lifecycle.go	50.00%	2 Missing ⚠️
pkg/reconciler/sinkbinding/controller.go	0.00%	2 Missing ⚠️
...iler/integration/sink/resources/container_image.go	50.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8985   +/-   ##
=======================================
  Coverage   51.04%   51.05%           
=======================================
  Files         409      409           
  Lines       21996    21986   -10     
=======================================
- Hits        11228    11224    -4     
+ Misses       9905     9899    -6     
  Partials      863      863           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[maschmid]

/test reconciler-tests

[knative-prow]

@maschmid: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
reconciler-tests_eventing_main	20e9722	link	true	/test reconciler-tests

Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.