support to disable auto import of a managed cluster

Signed-off-by: Yang Le <[email protected]>

build/setup-import-controller.sh

@@ -44,7 +44,7 @@ kubectl kustomize $DEPLOY_MANIFESTS \
   | kubectl apply -f -
 
 sleep 5
-${KUBECTL} -n open-cluster-management rollout status deploy managedcluster-import-controller --timeout=120s
+${KUBECTL} -n open-cluster-management rollout status deploy managedcluster-import-controller --timeout=300s
 
 echo "###### prepare auto-import-secret"
 cluster_ip=$(${KUBECTL} get svc kubernetes -n default -o jsonpath="{.spec.clusterIP}")

pkg/constants/constants.go

@@ -81,6 +81,12 @@ const (
 	// In the Hosted mode, this namespace still exists on the managed cluster to contain
 	// necessary resources, like service accounts, roles and rolebindings.
 	KlusterletNamespaceAnnotation string = "import.open-cluster-management.io/klusterlet-namespace"
+
+	// DisableAutoImportAnnotation is used to disable the auto import feature of import controller.
+	// If present, the import controller will not apply either crds.yaml or import.yaml on
+	// the managed cluster and the bootstrap-hub-kubeconfig secret will not be updated as well in
+	// the backup-restore case.
+	DisableAutoImportAnnotation string = "import.open-cluster-management.io/disable-auto-import"
 )
 
 const (

pkg/controller/autoimport/autoimport_controller.go

@@ -82,6 +82,11 @@ func (r *ReconcileAutoImport) Reconcile(ctx context.Context, request reconcile.R
 		return reconcile.Result{}, nil
 	}
 
+	if _, autoImportDisabled := managedCluster.Annotations[constants.DisableAutoImportAnnotation]; autoImportDisabled {
+		// skip if auto import is disabled
+		return reconcile.Result{}, nil
+	}
+
 	autoImportSecret, err := r.informerHolder.AutoImportSecretLister.Secrets(managedClusterName).Get(constants.AutoImportSecretName)
 	if errors.IsNotFound(err) {
 		// the auto import secret could have been deleted, do nothing

pkg/controller/autoimport/autoimport_controller_test.go

@@ -5,10 +5,11 @@ package autoimport
 
 import (
 	"context"
-	operatorv1 "open-cluster-management.io/api/operator/v1"
 	"testing"
 	"time"
 
+	operatorv1 "open-cluster-management.io/api/operator/v1"
+
 	"github.com/stolostron/managedcluster-import-controller/pkg/constants"
 	testinghelpers "github.com/stolostron/managedcluster-import-controller/pkg/helpers/testing"
 	"github.com/stolostron/managedcluster-import-controller/pkg/source"
@@ -115,6 +116,22 @@ func TestReconcile(t *testing.T) {
 			secrets:     []runtime.Object{},
 			expectedErr: false,
 		},
+		{
+			name: "auto import disabled",
+			objs: []client.Object{
+				&clusterv1.ManagedCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: managedClusterName,
+						Annotations: map[string]string{
+							constants.DisableAutoImportAnnotation: "",
+						},
+					},
+				},
+			},
+			works:       []runtime.Object{},
+			secrets:     []runtime.Object{},
+			expectedErr: false,
+		},
 		{
 			name: "no auto-import-secret",
 			objs: []client.Object{

pkg/controller/clusterdeployment/clusterdeployment_controller.go

@@ -98,6 +98,11 @@ func (r *ReconcileClusterDeployment) Reconcile(
 		return reconcile.Result{}, nil
 	}
 
+	if _, autoImportDisabled := managedCluster.Annotations[constants.DisableAutoImportAnnotation]; autoImportDisabled {
+		// skip if auto import is disabled
+		return reconcile.Result{}, nil
+	}
+
 	if !clusterDeployment.Spec.Installed {
 		// cluster deployment is not installed yet, do nothing
 		reqLogger.Info("The hive managed cluster is not installed, skipped", "managedcluster", clusterName)

pkg/controller/clusterdeployment/clusterdeployment_controller_test.go

@@ -85,9 +85,46 @@ func TestReconcile(t *testing.T) {
 			works:   []runtime.Object{},
 			secrets: []runtime.Object{},
 		},
+		{
+			name: "auto import disabled",
+			objs: []client.Object{
+				&clusterv1.ManagedCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "test",
+						Annotations: map[string]string{
+							constants.DisableAutoImportAnnotation: "",
+						},
+					},
+				},
+				&hivev1.ClusterDeployment{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "test",
+						Namespace: "test",
+					},
+					Spec: hivev1.ClusterDeploymentSpec{
+						Installed: true,
+					},
+				},
+			},
+			works: []runtime.Object{},
+			secrets: []runtime.Object{
+				testinghelpers.GetImportSecret("test"),
+				&corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "auto-import-secret",
+						Namespace: "test",
+					},
+				},
+			},
+		},
 		{
 			name: "clusterdeployment is not installed",
 			objs: []client.Object{
+				&clusterv1.ManagedCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "test",
+					},
+				},
 				&hivev1.ClusterDeployment{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "test",
@@ -101,6 +138,11 @@ func TestReconcile(t *testing.T) {
 		{
 			name: "clusterdeployment is not claimed",
 			objs: []client.Object{
+				&clusterv1.ManagedCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "test",
+					},
+				},
 				&hivev1.ClusterDeployment{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "test",

pkg/controller/selfmanagedcluster/selfmanagedcluster_controller.go

@@ -82,6 +82,11 @@ func (r *ReconcileLocalCluster) Reconcile(ctx context.Context, request reconcile
 		return reconcile.Result{}, nil
 	}
 
+	if _, autoImportDisabled := managedCluster.Annotations[constants.DisableAutoImportAnnotation]; autoImportDisabled {
+		// skip if auto import is disabled
+		return reconcile.Result{}, nil
+	}
+
 	reqLogger.Info("Reconciling self managed cluster")
 
 	// if there is an auto import secret in the managed cluster namespace, we will use the auto import secret to import

pkg/controller/selfmanagedcluster/selfmanagedcluster_controller_test.go

@@ -106,6 +106,34 @@ func TestReconcile(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "auto import disabled",
+			objs: []client.Object{
+				&clusterv1.ManagedCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "local-cluster",
+						Labels: map[string]string{
+							"local-cluster": "true",
+						},
+						Annotations: map[string]string{
+							constants.DisableAutoImportAnnotation: "",
+						},
+					},
+				},
+			},
+			works:   []runtime.Object{},
+			secrets: []runtime.Object{},
+			validateFunc: func(t *testing.T, runtimeClient client.Client) {
+				cluster := &clusterv1.ManagedCluster{}
+				err := runtimeClient.Get(context.TODO(), types.NamespacedName{Name: "local-cluster"}, cluster)
+				if err != nil {
+					t.Errorf("unexpected error %v", err)
+				}
+				if len(cluster.Status.Conditions) != 0 {
+					t.Errorf("unexpected condistions")
+				}
+			},
+		},
 		{
 			name: "has auto-import-secret",
 			objs: []client.Object{

test/e2e/autoimport_test.go

@@ -60,6 +60,44 @@ var _ = ginkgo.Describe("Importing a managed cluster with auto-import-secret", f
 		assertAutoImportSecretDeleted(managedClusterName)
 	})
 
+	ginkgo.It("Should not import the cluster if auto-import is disabled", func() {
+		ginkgo.By(fmt.Sprintf("Create auto-import-secret for managed cluster %s with kubeconfig", managedClusterName), func() {
+			secret, err := util.NewAutoImportSecret(hubKubeClient, managedClusterName)
+			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+			_, err = hubKubeClient.CoreV1().Secrets(managedClusterName).Create(context.TODO(), secret, metav1.CreateOptions{})
+			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+		})
+
+		ginkgo.By(fmt.Sprintf("Create managed cluster %s and disable auto import", managedClusterName), func() {
+			// using a local cluster to speed up cluster deletion
+			_, err := util.CreateManagedClusterWithAnnotations(
+				hubClusterClient,
+				managedClusterName,
+				map[string]string{
+					constants.DisableAutoImportAnnotation: "",
+				},
+				util.NewLable("local-cluster", "true"))
+
+			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+		})
+
+		assertManagedClusterImportSecretCreated(managedClusterName, "other")
+		assertManagedClusterManifestWorks(managedClusterName)
+		assertManagedClusterImportSecretNotApplied(managedClusterName)
+
+		ginkgo.By(fmt.Sprintf("Update managed cluster %s and enable auto import", managedClusterName), func() {
+			err := util.RemoveManagedClusterAnnotations(hubClusterClient, managedClusterName)
+			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+		})
+
+		assertManagedClusterImportSecretApplied(managedClusterName)
+		assertManagedClusterAvailable(managedClusterName)
+		assertManagedClusterManifestWorksAvailable(managedClusterName)
+
+		assertAutoImportSecretDeleted(managedClusterName)
+	})
+
 	ginkgo.It("Should import the cluster with auto-import-secret with token", func() {
 		ginkgo.By(fmt.Sprintf("Create auto-import-secret for managed cluster %s with token", managedClusterName), func() {
 			secret, err := util.NewAutoImportSecretWithToken(hubKubeClient, hubDynamicClient, managedClusterName)

test/e2e/e2e_suite_test.go

@@ -451,6 +451,33 @@ func assertManagedClusterImportSecretApplied(clusterName string, mode ...operato
 	})
 }
 
+func assertManagedClusterImportSecretNotApplied(clusterName string) {
+	ginkgo.By(fmt.Sprintf("Managed cluster %s should not be imported", clusterName), func() {
+		gomega.Consistently(func() error {
+			cluster, err := hubClusterClient.ClusterV1().ManagedClusters().Get(
+				context.TODO(), clusterName, metav1.GetOptions{})
+			if err != nil {
+				return fmt.Errorf("assert managed cluster %s import secret not applied get cluster error: %v", clusterName, err)
+			}
+
+			util.Logf("assert managed cluster %s import secret not applied cluster conditions: %v",
+				clusterName, cluster.Status.Conditions)
+
+			condition := meta.FindStatusCondition(
+				cluster.Status.Conditions, constants.ConditionManagedClusterImportSucceeded)
+			if condition == nil {
+				return nil
+			}
+
+			if condition.Reason == constants.ConditionReasonManagedClusterWaitForImporting {
+				return nil
+			}
+
+			return fmt.Errorf("assert managed cluster %s import secret not applied failed", clusterName)
+		}, 3*time.Minute, 5*time.Second).Should(gomega.Succeed())
+	})
+}
+
 func assertManagedClusterAvailable(clusterName string) {
 	start := time.Now()
 	defer func() {