Add leader elections flags/values to the deployment manifests

[a-hilaly]

Issue: aws-controllers-k8s/community#1753 (comment)

ACK controllers use k8s-sigs/controller-runtime behind the scenes, which
support leader election. This feature is not properly working due to a
missing configuration LeaderElectionNamespace which is used by the
manager to create k8s.io/coordination Lease objects.

This patch sets the default LeaderElectionNamespace to ack-system
and adds the capability of enabling leader election using helm values.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Co-authored-by: Adam Cornett [email protected]

[a-hilaly]

I was thinking about adding a --leader-election-namespace flag to allow users to set their own.. thoughts?

[acornett21]

I'm not the sure what the use case for this flag is, or what it actually does under the covers. operator-sdk only scaffolds with the below options:

        Scheme:                 scheme,
        MetricsBindAddress:     metricsAddr,
        Port:                   9443,
        HealthProbeBindAddress: probeAddr,
        LeaderElection:         enableLeaderElection,
        LeaderElectionID:       leaderElectionID,

[a-hilaly]

LeaderElectionNamespace is the namespace where the Lease object is created

[a-hilaly]

Without namespace, i'm running into unable to create controller manager {"aws.service": "lambda", "error": "unable to find leader election namespace: not running in-cluster, please specify LeaderElectionNamespace"} - does operator-sdk use leases as well? or maybe configmaps (that's what controller-runtime used before leases introduction)?

[a-hilaly]

Example logs of a controller acquiring leader lease:

I0717 22:07:29.267656  313484 leaderelection.go:248] attempting to acquire leader lease ack-system/lambda.services.k8s.aws...
I0717 22:07:29.282064  313484 leaderelection.go:258] successfully acquired lease ack-system/lambda.services.k8s.aws
2023-07-17T22:07:29.282+0100	DEBUG	events	ma_ca5abb0a-74fe-45a9-85e1-3b0c3a95e9ac became leader	{"type": "Normal", "object": {"kind":"Lease","namespace":"ack-system","name":"lambda.services.k8s.aws","uid":"a68f0032-2021-436a-b4a2-91fb44f297e9","apiVersion":"coordination.k8s.io/v1","resourceVersion":"383697"}, "reason": "LeaderElection"}

Example logs of a controller waiting for leader lease to be freed:

I0717 22:10:32.402053  314991 leaderelection.go:248] attempting to acquire leader lease ack-system/lambda.services.k8s.aws...

[acornett21]

I feel like this change should be duplicated to the kuztomize templates as well.

[a-hilaly]

/retest

[a-hilaly]

/retest

[acornett21]

A few changes to this are needed. Also, we still need the leader-elect RBAC files and changes that I sent as a patch, otherwise this will not work.

[a-hilaly]

/test ecr-controller-test

[acornett21]

I have confirmed that ACK does not need the configmap. This is sort of an either/or thing, where configmap or leases can be used, and the operator developer can choose which to use. For legacy purposes and for operators that might have been developed before leases were created, this is kept in the scaffolding.

Since ACK isn't exposing this flag which allows the choice, we are safe to remove the confimap section from the RBAC.

@a-hilaly I hope all the above makes sense, let me know if there are questions...After this is removed I think we are good to go.

[a-hilaly]

/retest

[a-hilaly]

/hold

need to pin runtime v0.27.1

[acornett21]

@a-hilaly Why did you revert the RBAC changes?

[a-hilaly]

@a-hilaly Why did you revert the RBAC changes?

@acornett21 Looks like it's gonna be a bigger change than we expected.. since the feature is disabled by default, it's safe to go with this now and we will address the RBAC matters in a seperate PR

[a-hilaly]

/test dynamodb-controller-test

[acornett21]

since the feature is disabled by default, it's safe to go with this now and we will address the RBAC matters in a seperate PR

@a-hilaly Can you elaborate on this? If someone goes to enable this, the controller will fail to function and throw errors without RBAC changes present.

[a-hilaly]

@a-hilaly Can you elaborate on this? If someone goes to enable this, the controller will fail to function and throw errors without RBAC changes present.

Yes that's correct.

We wanted to make the release quickly today without RBAC support for few reasons:

• We need to release new images with security patches + fix a panic with controllers running in k8s 1.27
• The current tests with Leases RBACs were failing
• It's a bit hard to know what do with cluster scoped vs namepsaced scoped controllers. (this influences whether a controller will use a role vs clusterRole
• FieldExport currently doesn't come with supported RBAC permissions. Customers set their own (secret/cm) RBACs. Leader election will take similar path at least in the short term.

I still would like to come up with a plan to add those RBACs in a seperate PR, i want to open one as soon as this one is merged.

[a-hilaly]

/test s3-controller-test
/test ecr-controller-test

[a-hilaly]

@acornett21 good points, and thank you for bringing this! I just added few configurations for kustomize and helm chart templates.

[a-hilaly]

/retest

[RedbackThomson]

/lgtm

[RedbackThomson]

/lgtm

[a-hilaly]

/retest

[a-hilaly]

/lgtm cancel

[a-hilaly]

/hold

[a-hilaly]

/unhold

[RedbackThomson]

/lgtm

[ack-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acornett21, RedbackThomson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [RedbackThomson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment