Introducing Module-NMC controller

[yevgeny-shnaidman]

This PR introduces a new controller, that is responsible for reconciliation of NMC based on the data in Module and Node The following are the main points:

1. It watches for changes in Modules, Nodes (labels, becoming
   schedulable) and Jobs belonging owned by Modules (in order to
   reschedule once Build/Sign job are finished)
2. Per reconciled Module, go over all the nodes in the cluster
   and reconcile their NMCs based on the Module/Node state

Changes in the PR:

1. adding functions to filter package that are resposible for filtering
   the events (nodes. modules, jobs) and finding out which modules
   should be reconciled
2. changing the NMC handler logic a little, adding verification for
   container image presence in case module should be enable.
3. Module-NMC Reconciliation is being done both in case Kernel Mapping
   exists and in case it does not exists ( solves the garbage
   collection flow)

This PR does not include Module status updates based on NMC updates

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yevgeny-shnaidman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [yevgeny-shnaidman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for kubernetes-sigs-kmm ready!

Name	Link
🔨 Latest commit	70b755e
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-kmm/deploys/64d0eab8559ebb0008d58675
😎 Deploy Preview	https://deploy-preview-503--kubernetes-sigs-kmm.netlify.app/
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[yevgeny-shnaidman]

/assign @ybettan

[yevgeny-shnaidman]

/assign @qbarrand

[ybettan]

Should this one be renamed to nmcAPI to be consistent with the rest of the API passed to it (or to the Module reconciler)?

[yevgeny-shnaidman]

This is a controller, we are not creating/returning an Interface ( API), but the struct itself, as the rest of the reconcilers/controllers, that's why there is no API in the name

[ybettan]

nmcHandler is a public interface. Why don't we call it nmcAPI instead?

[yevgeny-shnaidman]

moved the NMC-Handler API into the controller, since it implements controller logic

[ybettan]

Why do we need to patch nodes?

[yevgeny-shnaidman]

no need, removing

[ybettan]

What is the difference between update and patch?

[yevgeny-shnaidman]

that depends on the action that you execute on the object. I prefer to mention both of them, so that we can execute them in the code without a need to update the rules

[qbarrand]

What's the problem with updating the rules? A new version of the code will come with a new bundle anyway. I would restrict the verbs here to the bare minimum.

[yevgeny-shnaidman]

removed the "update"

[ybettan]

Who says that the reconciled object is a Module? Can't it be a Node? a Job?

[yevgeny-shnaidman]

because this is how this reconciler is defined. It is defined For Module, and for every "watch" it finds the appropriate Module to reconcile

[ybettan]

Suggested change

	return ctrl.Result{}, fmt.Errorf("failed to get the requested %s KMMO CR: %w", req.NamespacedName, err)
	return ctrl.Result{}, fmt.Errorf("failed to get the requested %s KMMO CR: %v", req.NamespacedName, err)

Are we using the wrapped error anywhere?

[yevgeny-shnaidman]

Fixed. We do use wrapped errors , when needed. For example in the KernelMapper, to get the appropriate MLD, if exists

[ybettan]

I meant, "do we use the wrapped error in this case". If you fixed it I assume we were not using it :)

[yevgeny-shnaidman]

yes, in this case it was a mistake

[ybettan]

Why do we need to do that for every node? Can we extract it outside of the loop?

[yevgeny-shnaidman]

because the kernel version of the nodes may differ

[ybettan]

But I don't see node being passed to this function or the implementation depending on the nodes in any way. Am I missing something?

[yevgeny-shnaidman]

the node is used to determine the kernelVersion , and to determine kernel mapping (using kernel version). Then both kernel mapping(mld) and node are passed to the function that determines whether the module needs to run on the node or not

[ybettan]

Aren't you appending nil errors here as well?

[yevgeny-shnaidman]

yes, but errors.Join knows how to handle them and ignore

[ybettan]

Won't it be clearer to only append real errors instead of delegating it to Join?

[yevgeny-shnaidman]

why to add another "if", if there is already code in the Join that takes care of it? This is the purpose of Join function: decide of there are errors in the array of errors , and create the appropriate error

[ybettan]

why to add another "if", if there is already code in the Join that takes care of it?

Because it is not trivial for someone who didn't read the Join doc to understand those are ignored. Everywhere else in the code we are checking if an error is != nil before doing something with it except here.

If you think it is better this way, let's keep it, I just though it is a bit confusing.

[yevgeny-shnaidman]

i am keeping it: if we have a Golang library function in the code, i would expect that developer to read about it and understand

[ybettan]

I am wondering why getRequestedModule isn't a method in the module package and why we don't have a node package that will hold getNodeList as well.

[yevgeny-shnaidman]

As discussed in Slack, i am leaving it here and we can decide on it and the rest of functions in packages in v2.1

[ybettan]

Isn't this function a dup of getRequestedModule in the module_reconciler.go file?

[yevgeny-shnaidman]

As discussed in Slack, i am leaving it here and we can decide on it and the rest of functions in packages in v2.1

[ybettan]

Same here, this function exist (almost) in module_reconciler.go

[yevgeny-shnaidman]

As discussed in Slack, i am leaving it here and we can decide on it and the rest of functions in packages in v2.1

[qbarrand]

Wondering if we need this function at all? In tests, we replace one EXPECT() with another - not sure what is the benefit. I guess that remark is also cvalid for getRequestedModule above.

[yevgeny-shnaidman]

I prefer to set such function in a helper interface, makes it easier to write the unit-tests for the main reconciliation loop, and to check all the corner case in a dedicated unit-test for that specific function.

[qbarrand]

What's the problem with updating the rules? A new version of the code will come with a new bundle anyway. I would restrict the verbs here to the bare minimum.

[qbarrand]

Wondering if we need this function at all? In tests, we replace one EXPECT() with another - not sure what is the benefit. I guess that remark is also cvalid for getRequestedModule above.

[qbarrand]

/test pull-kernel-module-management-unit-tests

[yevgeny-shnaidman]

/test pull-kernel-module-management-unit-tests

[qbarrand]

Can we use Owns instead?

Suggested change

	Watches(
	&batchv1.Job{},
	handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &kmmv1beta1.Module{}, handler.OnlyControllerOwner()),
	builder.WithPredicates(
	filter.ModuleNMCReconcileJobPredicate(),
	),
	).
	Owns(
	&batchv1.Job{},
	builder.WithPredicates(
	filter.ModuleNMCReconcileJobPredicate(),
	),
	).

[yevgeny-shnaidman]

No, Owns defines it own filter and handler. Since i would like to keep the filter, i am still using Watches

[qbarrand]

/lgtm

[qbarrand]

/lgtm