Auto update ClusterSet and MemberClusterAnnounce in leader cluster

[hjiajing]

Auto update ClusetSet and MemberClusterAnnounce in the leader cluster.

• When a new member cluster is added to the ClusterSet. The ClusterSet in the leader cluster will update the new member cluster in the spec.members.
• When a member cluster departs the ClusterSet. The MemberClusterAnnounce in the leader cluster will be deleted. The member cluster will be removed from the spec.members.

[hjiajing]

@luolanzone Could you please take a quick review for this WIP PR. Thanks.
I added an annotation "antrea.io/is-member-deleted" in MemberClusterAnnounce because the leader cluster controller need to get ClusterSetID. So the MemberClusterAnnounce will not be deleted by a member cluster.
Once a MemberClusterAnnounce is annotated "deleted", the leader cluster will remove the member in the member list and delete the MemberClusterAnnounce.
In addition, I removed the member check in the webhook. As well as the SA check. I'm concerned about this. If did this, the member will not need SA any more.

[codecov-commenter]

Codecov Report

Merging #3956 (e9b2670) into main (13f470e) will decrease coverage by 0.04%.
The diff coverage is 54.61%.

@@            Coverage Diff             @@
##             main    #3956      +/-   ##
==========================================
- Coverage   64.50%   64.46%   -0.05%     
==========================================
  Files         294      294              
  Lines       43726    43827     +101     
==========================================
+ Hits        28206    28253      +47     
- Misses      13236    13270      +34     
- Partials     2284     2304      +20     

Flag	Coverage Δ
kind-e2e-tests	50.88% <ø> (-0.32%)	⬇️
unit-tests	44.23% <54.61%> (+0.01%)	⬆️

Impacted Files	Coverage Δ
multicluster/cmd/multicluster-controller/leader.go	0.00% <0.00%> (ø)
...llers/multicluster/member_clusterset_controller.go	16.30% <0.00%> (-0.15%)	⬇️
...luster-controller/memberclusterannounce_webhook.go	55.00% <56.09%> (-0.56%)	⬇️
...s/multicluster/memberclusterannounce_controller.go	64.15% <58.02%> (-7.64%)	⬇️
...lers/multicluster/commonarea/remote_common_area.go	27.75% <100.00%> (+0.29%)	⬆️
...agent/flowexporter/connections/deny_connections.go	65.59% <0.00%> (-19.36%)	⬇️
pkg/agent/flowexporter/connections/connections.go	60.60% <0.00%> (-15.16%)	⬇️
pkg/agent/flowexporter/exporter/exporter.go	67.82% <0.00%> (-10.90%)	⬇️
pkg/agent/controller/trafficcontrol/controller.go	81.08% <0.00%> (-2.00%)	⬇️
pkg/controller/grouping/controller.go	65.13% <0.00%> (-1.98%)	⬇️
... and 20 more

[luolanzone]

@hjiajing Could you please fix the unit test failure? https://github.com/antrea-io/antrea/runs/7126092905?check_suite_focus=true

[hjiajing]

@luolanzone Sure. I will fix it now

[luolanzone]

@hjiajing Could you resolve the conflicts? thanks.

[luolanzone]

Maybe you can remove this check and add schema validation like this: https://github.com/antrea-io/antrea/pull/3964/files#diff-d91c75a71bf454b846eb3998698d615fadf6108177e9624428572d6440887962R42-R43,
You can refer to the change to add this refinement to this PR, so it won't have any merge dependency between two commits.

[jianjuns]

And this one?

[jianjuns]

Why we move the error out of the "if" block?

err here should be returned by r.List() at line 131? If so, I do not feel it is relevant to the comment. @luolanzone : could you check?

[luolanzone]

@jianjuns yes, you are right. I feel original comment and logic doesn't handle the case correctly. If all ClusterClaims are deleted, it should be empty list instead of an error. I think it should retry if there is an error. @hjiajing Could you double check and refine this part? we may leave ClusterClaim webhook part in a new PR.

[jianjuns]

We need to handle MemberClusterAnnounce deletion (comments in line 109 are no longer valid?).

[jianjuns]

@luolanzone : I feel we should revisit all these ClusterSet / cluster status code. I have the following question:

1. Do we really need leader cluster ID in the MemberAnnounce?
2. Do we still need all status conditions after we remove election?
3. Add/RemoveMember() need not to be called by ClusterSet changes, after we change to auto-update ClusterSet, but we can start to maintain the timerdata once MemberClusterAnnounce is created?

Could you please look into the code to understand the whole status update logic, and clean up the code?

[jianjuns]

Maybe you can first summarize what conditions we have, and they are set for what cases.

[jianjuns]

@luolanzone : a reminder for you.

[luolanzone]

Sure, I will check this part, thanks for reminding.

[jianjuns]

I do not have further comments for this PR, except for a reminder for adding code comments.

@luolanzone : would you take another look before we can merge?

[jianjuns]

@luolanzone : a reminder for you.

[luolanzone]

@hjiajing Could you rebase the PR? A few questions in the comments

[luolanzone]

Leader is running in a Namespace scope, it's supposed to watch those resources in the same Namespace where the leader controller is running. I didn't see you set the Namespace here.
Do we really need to use no cached client in order to remove the list in the RBAC? I feel it's better to keep the same as other controllers. @jianjuns any comment for this?

[jianjuns]

I do not know all the implication here, but I would watch only in the same Namespace.

Another question - in RBAC configuration, we do not create a "Role" to restrict the permissions to only the “multcluster" Namespace? @luolanzone

[luolanzone]

@jianjuns we defined a 'Role' antrea-mc-controller-role in antrea-multicluster-leader-namespaced.yml, Antrea mc-controller will only be able to watch resources under “antrea-multicluster" Namespace.

[jianjuns]

I do not know all the implication here, but I would watch only in the same Namespace.

Another question - in RBAC configuration, we do not create a "Role" to restrict the permissions to only the “multcluster" Namespace? @luolanzone

[luolanzone]

LGTM overall, a few nits

[luolanzone]

@jianjuns we defined a 'Role' antrea-mc-controller-role in antrea-multicluster-leader-namespaced.yml, Antrea mc-controller will only be able to watch resources under “antrea-multicluster" Namespace.

[luolanzone]

LGTM overall @jianjuns Could you help to take a look if this is ready to merge? thanks.

[jianjuns]

/test-multicluster-e2e
/skip-all

[jianjuns]

LGTM overall @jianjuns Could you help to take a look if this is ready to merge? thanks.

No further comment from me.