Add changes to infrastructure object to contain service endpoints and feature flag added #2078
Conversation
|
Hello @jared-hayes-dev! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/S
openshift-ci
bot
added
size/M
config/v1/types_infrastructure.go
Outdated
| // ServiceEndpoints contains custom endpoints designated to | ||
| // override existing defaults of IBM Cloud Services. |
There was a problem hiding this comment.
The godoc on the status version of this field is different, shall we copy it here?
config/v1/types_infrastructure.go
Outdated
| type IBMCloudPlatformSpec struct { | ||
| // ServiceEndpoints contains custom endpoints designated to | ||
| // override existing defaults of IBM Cloud Services. | ||
| // +listType=atomic |
There was a problem hiding this comment.
Status version is a map type, why would this one be different?
There was a problem hiding this comment.
my bad, unintentionally messed that up when playing with some things - fixed
| @@ -670,4 +670,10 @@ var ( | |||
| enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). | |||
| enhancementPR("https://github.com/openshift/enhancements/pull/1697"). | |||
| mustRegister() | |||
|
|
|||
| FeatureGateDyanmicServiceEndpointIBMCloud = newFeatureGate("DyanmicServiceEndpointIBMCloud"). | |||
There was a problem hiding this comment.
You'll want to include an enableIn and add this to DevPreview and TechPreview initially
There was a problem hiding this comment.
Added, but just to confirm our goal would be to remove these post-dev as we wouldn't want to keep this feature within dev/tech preview long term.
There was a problem hiding this comment.
Correct, once this is dev complete and testing in techpreview shows it's stable, you add the configv1.Default featureSet to enabledIn to promote the feature to the default feature set
config/v1/types_infrastructure.go
Outdated
| type IBMCloudPlatformSpec struct { | ||
| // serviceEndpoints is a list of custom endpoints which will override the default | ||
| // service endpoints of an IBM Cloud service. These endpoints are consumed by | ||
| // components within the cluster to reach the respective IBM Cloud Services. |
There was a problem hiding this comment.
I think we should add some description here of what happens when you add values. They get verified and then copied to status by some controller right? And then consumed by?
openshift-merge-robot
added
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jared-hayes-dev The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jared-hayes-dev
force-pushed
the
jh-340
branch
from
e5dceca to
3ee0be4
Compare
openshift-merge-robot
removed
the
needs-rebase
|
/retest-required |
config/v1/types_infrastructure.go
Outdated
| // | ||
| // +required | ||
| // +kubebuilder:validation:Type=string | ||
| // +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL" | ||
| // +kubebuilder:validation:Pattern:=`https:\/\/.*(?:\/(api\/)?v\d+\/{0,1})$` |
There was a problem hiding this comment.
This struct is currently used in both spec and status. Ratcheting validation will work in spec, but there's a bug and it's currently not working for status.
There's two things you can do to move forward.
1.) Wait for the bug to be resolved, I'm working on that actively but don't have a timeline, hopefully not long
2.) Create a separate version of this struct for use in the spec with the improved validation
There was a problem hiding this comment.
Ok thanks for the heads up. Is there a Jira for this that we could track this bug? And if I am to understand correctly the temporary solution is to duplicate the struct for use within the spec?
There was a problem hiding this comment.
The PR to fix the status issue is openshift/kubernetes#2167, I'm hoping to have that merged this week, so potentially hold off on making further changes.
The upstream version of the PR has been merged which was the ask from the o/k team prior to merging this version
config/v1/types_infrastructure.go
Outdated
| // | ||
| // +required | ||
| // +kubebuilder:validation:Type=string | ||
| // +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL" | ||
| // +kubebuilder:validation:Pattern:=`https:\/\/.*(?:\/(api\/)?v\d+\/{0,1})$` |
There was a problem hiding this comment.
I'd suggest using CEL for these validations instead of a pattern
// +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid URL, including a scheme"
// +kubebuilder:validation:XValidation:rule="url(self).getScheme() == \"https\"",message="url scheme must be https"
// +kubebuilder:validation:XValidation:rule="url(self).getEscapedPath().matches(\"\/(api\/)?v\d+\/{0,1}\")",message="url path must match /v[0,9]+ or /api/v[0,9]+"
You will also need a maximum length on the string to add these validations, choose something sensible, but long enough, perhaps 256 chars? Perhaps a little more to add some headroom for the path? 300?
There was a problem hiding this comment.
Sounds good, 300 chars would work perfectly.
| // +listType=map | ||
| // +listMapKey=name | ||
| // +optional | ||
| ServiceEndpoints []IBMCloudServiceEndpoint `json:"serviceEndpoints,omitempty"` |
There was a problem hiding this comment.
All lists must have a maximum number of items marker, what is the rough number of items you'd expect to be in this list in the worst case scenario?
There was a problem hiding this comment.
We chose to limit the list to 25 - this covers all current uses cases and gives good room for any future additions
There was a problem hiding this comment.
You've added the limit to status only, add to spec as well please
config/v1/types_infrastructure.go
Outdated
| // | ||
| // +required | ||
| // +kubebuilder:validation:Type=string | ||
| // +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL" | ||
| // +kubebuilder:validation:XValidation:rule=`self.matches('https:\/\/.*(?:\/(api\/)?v\d+\/{0,1})$')`,message="Invalid URL pattern for IBM service overrides" |
There was a problem hiding this comment.
Any reason to use matches, over the URL helpers that I had suggested? In theory this could allow the path to be incorrect
E.g. https://a.b.c/my/malicious/path?pretend_that_i_am=/api/v1 passes your regex right now, but is not your intention.
The URL helpers I mentioned previously will accurately return you the escaped path, which you can then match against, and would avoid this kind of issue
There was a problem hiding this comment.
My bad, somehow I misunderstood your comment when I first read it, and missed the portion in which you suggested the exact URL functions. I have updated the field to correctly use them over trying to pattern match the entire field.
config/v1/types_infrastructure.go
Outdated
| // serviceEndpoints is a list of custom endpoints which will override the default | ||
| // service endpoints of an IBM Cloud service. These endpoints are consumed by | ||
| // components within the cluster to reach the respective IBM Cloud Services. | ||
| // Once admitted, the CCCMO will furthger validate the endpoint exists by pinging it |
There was a problem hiding this comment.
| // Once admitted, the CCCMO will furthger validate the endpoint exists by pinging it | |
| // Once admitted, the CCCMO will further validate the endpoint exists by pinging it |
There was a problem hiding this comment.
Addressed below in rewrite
config/v1/types_infrastructure.go
Outdated
| // service endpoints of an IBM Cloud service. These endpoints are consumed by | ||
| // components within the cluster to reach the respective IBM Cloud Services. | ||
| // Once admitted, the CCCMO will furthger validate the endpoint exists by pinging it | ||
| // before processing using the provided endpoints to updates the platform status |
There was a problem hiding this comment.
This line isn't reading well to me, want to just double check the wording here?
There was a problem hiding this comment.
Rewritten to hopefully address the confusing portions
| // +listType=map | ||
| // +listMapKey=name | ||
| // +optional | ||
| ServiceEndpoints []IBMCloudServiceEndpoint `json:"serviceEndpoints,omitempty"` |
There was a problem hiding this comment.
You've added the limit to status only, add to spec as well please
|
@jared-hayes-dev: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| // +kubebuilder:validation:XValidation:rule="url(self).getScheme() == \"https\"",message="url scheme must be https" | ||
| // +kubebuilder:validation:XValidation:rule="url(self).getEscapedPath().matches(\"\/(api\/)?v\d+\/{0,1}\")",message="url path must match /v[0,9]+ or /api/v[0,9]+" | ||
| // +kubebuilder:validation:MaxLength=300 |
There was a problem hiding this comment.
We need to make sure that each of these validations is tested, and in particular, also tested with ratcheting, which is new to the test suite.
You can see some examples of adding ratcheting tests in #2142
You'll have to come up with a patch operation (likely a remove on the path to the maxLength, CEL validations etc) that allows you to persist something not allowed by the new validation, and then show through tests that this does not block writes.
Since this field is new in spec, you'll need to write those ratcheting tests only for the status. That's currently not going to ratchet because of the bug linked to those other tests, I'll let you know when they will pass
| // within the cluster when trying to reach the IBM Cloud Services that have been | ||
| // overriden. The CCCMO reads in the IBMCloudPlatformSpec and validates each | ||
| // endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus | ||
| // are updated to reflect the same custom endpoints. |
There was a problem hiding this comment.
| // are updated to reflect the same custom endpoints. | |
| // are updated to reflect the same custom endpoints. | |
| // A maximum of 25 service endpoints are supported. |
Related Jira: https://issues.redhat.com/browse/OCPCLOUD-2694