Make FirewallPolicyARN updatable #25
Conversation
ack-prow
bot
added
the
do-not-merge/work-in-progress
ack-prow
bot
added
the
needs-ok-to-test
|
Hi @kunhwiko. Thanks for your PR. I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| build_hash: e8df4d5a4b86dea0e227786c2c3d213e5aeda97a | ||
| go_version: go1.22.0 | ||
| version: v0.33.0 | ||
| go_version: go1.21.0 |
There was a problem hiding this comment.
umm...? something I missed :D?
There was a problem hiding this comment.
Nothing critical (for code-gen), we just started using go 1.22.x :)
pkg/resource/firewall/hooks.go
Outdated
| b *resource, | ||
| ) { | ||
| // Sort subnet mappings such that they can be compared in a deterministic way. | ||
| customPreCompareSubnetMappings(a, b) |
There was a problem hiding this comment.
This change doesn't actually have to do anything with making the FirewallPolicyARN updatable. I've noticed the same set of subnet mappings might be detected as "different" during updates because they're arranged in a different order.
There was a problem hiding this comment.
Makes sense! It appears that the AWS Firewall API sorts the resources behind the scenes. Ideally, we should avoid mutating the desired state here to maintain consistency. The common runtime patches back the Spec returned by an sdkUpdate, potentially sorting the SubnetMapping in the desired Spec.
Maybe we could create a new function called equalSubnetMapping and use that to detect if something change, regardless of the order?
There was a problem hiding this comment.
related: aws-controllers-k8s/community#2053
There was a problem hiding this comment.
@a-hilaly Ahh makes sense! If the spec gets patched by sdkUpdate, that might end up in an OutOfSync issue for folks using GitOps.
Hmm problem though is if we don't sort here, the controller ends up picking up a diff later on in the delta function:
The above is code-gened, so I think there's little control over what we can do there...
There was a problem hiding this comment.
What we need to do is to figure out whether the SubnetMapping changed or not without sorting and usinf reflect.DeepEqual. In general we can do:
- Instruct the code-gen delta generator to ignore SubnetMapping using something like: https://github.com/aws-controllers-k8s/dynamodb-controller/blob/main/generator.yaml#L53-L54
- Implement a
equalSubnetMappingsusing something similar to: https://github.com/aws-controllers-k8s/dynamodb-controller/blob/main/pkg/resource/table/hooks_tags.go#L108-L135 - Call
equalSubnetMappingsin thecustomPreCompareto decide whether we want to register a delta forSpec.SubnetMappings
There was a problem hiding this comment.
oh sweet, was not aware of compare.is_ignored. that'll work, thanks!
| pass | ||
| assert cr["status"]["firewall"]["firewallPolicyARN"] == policy_arn | ||
|
|
||
| @pytest.fixture |
There was a problem hiding this comment.
I needed to use this function twice in simple_firewall...so had to stop using this as a fixture
ack-prow
bot
removed
the
do-not-merge/work-in-progress
|
/ok-to-test |
ack-prow
bot
added
ok-to-test
| build_hash: e8df4d5a4b86dea0e227786c2c3d213e5aeda97a | ||
| go_version: go1.22.0 | ||
| version: v0.33.0 | ||
| go_version: go1.21.0 |
There was a problem hiding this comment.
Nothing critical (for code-gen), we just started using go 1.22.x :)
pkg/resource/firewall/hooks.go
Outdated
| b *resource, | ||
| ) { | ||
| // Sort subnet mappings such that they can be compared in a deterministic way. | ||
| customPreCompareSubnetMappings(a, b) |
There was a problem hiding this comment.
Makes sense! It appears that the AWS Firewall API sorts the resources behind the scenes. Ideally, we should avoid mutating the desired state here to maintain consistency. The common runtime patches back the Spec returned by an sdkUpdate, potentially sorting the SubnetMapping in the desired Spec.
Maybe we could create a new function called equalSubnetMapping and use that to detect if something change, regardless of the order?
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: a-hilaly, kunhwiko The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all |
Description of changes
The FirewallPolicyARN on the Firewall resource can be updatable through the
AssociateFirewallPolicyAPI. This is something we're doing with our own local copy of this repo.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.