Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add validation of agent flag values for ConfigMap #16014

Merged
merged 1 commit into from May 27, 2021
Merged

Add validation of agent flag values for ConfigMap #16014

merged 1 commit into from May 27, 2021

Conversation

romanspb80
Copy link
Contributor

If the Cilium agent flags are passed via a mounted ConfigMap
(cilium-agent --config-dir=/tmp/cilium/config-map), the default for Helm
deployments, the flag values are not validated. For example if you set
"restore" with invalid value "0SO##ME5_RANDOM" in ConfigMap then Agent
would run with incorrect parameter:
.....
level=info msg=" --restore='0SO##ME5_RANDOM'" subsys=daemon
.....

But if start Agent with CLI then the validation will warn and prevent
starting the agent:
cilium-agent[8654]: invalid argument "0SO##ME5_RANDOM" for "--restore"
flag: strconv.ParseBool: parsing "0SO##ME5_RANDOM": invalid syntax

This commit add agent flag values validation for ConfigMap

Fixes: #13070

Signed-off-by: Roman Ptitcyn romanspb@yahoo.com

@romanspb80 romanspb80 requested a review from a team May 4, 2021 21:47
@romanspb80 romanspb80 requested review from a team as code owners May 4, 2021 21:47
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 4, 2021
errordeveloper
errordeveloper reviewed May 10, 2021
View reviewed changes
Copy link
Contributor

@errordeveloper errordeveloper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think overall it's a good idea to add validation, however we need to discuss whether it's expected that unknown flags are ignored in case of an upgrade or downgrade.

@romanspb80
Copy link
Contributor Author

romanspb80 commented May 17, 2021
edited

I think overall it's a good idea to add validation, however we need to discuss whether it's expected that unknown flags are ignored in case of an upgrade or downgrade.

The validation works for only existing flags. In case of unknown flags Cilium will start with these unknown flags.

anfernee
anfernee reviewed May 17, 2021
View reviewed changes
pkg/option/config.go Outdated Show resolved Hide resolved
pkg/option/config.go Outdated Show resolved Hide resolved
pkg/option/config.go Outdated Show resolved Hide resolved
@romanspb80 romanspb80 force-pushed the agent-flag-validation-for-configmap branch from 8caaf2f to 77722ce Compare May 17, 2021 20:59
@pchaigno pchaigno added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label May 17, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 17, 2021
@romanspb80 romanspb80 force-pushed the agent-flag-validation-for-configmap branch from 77722ce to 228edb7 Compare May 18, 2021 21:05
@romanspb80 romanspb80 requested a review from pchaigno May 18, 2021 21:05
@romanspb80
Copy link
Contributor Author

Thanks for the approve, Paul!

@romanspb80
Copy link
Contributor Author

Guys, could you please start k8s tests?

@pchaigno
Copy link
Member

test-me-please

jibi
jibi approved these changes May 21, 2021
View reviewed changes
pkg/option/config.go Outdated Show resolved Hide resolved
@romanspb80
Add validation of agent flag values for ConfigMap
24f61bb 
If the Cilium agent flags are passed via a mounted ConfigMap
(cilium-agent --config-dir=/tmp/cilium/config-map), the default for Helm
deployments, the flag values are not validated. For example if you set
"restore" with invalid value "0SO##ME5_RANDOM" in ConfigMap then Agent
would run with incorrect parameter:
.....
level=info msg=" --restore='0SO##ME5_RANDOM'" subsys=daemon
.....

But if start Agent with CLI then the validation will warn and prevent
starting the agent:
cilium-agent[8654]: invalid argument "0SO##ME5_RANDOM" for "--restore"
flag: strconv.ParseBool: parsing "0SO##ME5_RANDOM": invalid syntax

This commit add agent flag values validation for ConfigMap

Fixes: cilium#13070

Signed-off-by: Roman Ptitcyn romanspb@yahoo.com
@romanspb80 romanspb80 force-pushed the agent-flag-validation-for-configmap branch from 228edb7 to 24f61bb Compare May 21, 2021 20:55
@errordeveloper
Copy link
Contributor

I think overall it's a good idea to add validation, however we need to discuss whether it's expected that unknown flags are ignored in case of an upgrade or downgrade.

The validation works for only existing flags. In case of unknown flags Cilium will start with these unknown flags.

Thanks for clarifying this, I can see that's also stated in the PR title also. I guess it's still possible for validation to break between versions, as flags are not strongly typed. However, I think the benefit of having validation in place is much greater!

@jibi
Copy link
Member

jibi commented May 24, 2021

test-me-please

@romanspb80
Copy link
Contributor Author

I think overall it's a good idea to add validation, however we need to discuss whether it's expected that unknown flags are ignored in case of an upgrade or downgrade.

The validation works for only existing flags. In case of unknown flags Cilium will start with these unknown flags.

Thanks for clarifying this, I can see that's also stated in the PR title also. I guess it's still possible for validation to break between versions, as flags are not strongly typed. However, I think the benefit of having validation in place is much greater!

Thanks Ilya!

@pchaigno
Copy link
Member

pchaigno commented May 25, 2021
edited

Provisioning issue:
test-1.20-4.19

@pchaigno pchaigno mentioned this pull request May 25, 2021
Closed
nathanjsweet
nathanjsweet requested changes May 25, 2021
View reviewed changes
pkg/option/config.go Show resolved Hide resolved
pkg/option/config.go Show resolved Hide resolved
@pchaigno
Copy link
Member

pchaigno commented May 26, 2021
edited

Provisioning error:
test-1.20-4.19

@pchaigno
Copy link
Member

k8s-1.16-kernel-netnext seems to be failing with known flake #12511 twice. k8s-1.21-kernel-4.9 is failing with known flakes #16237 and #15097. Other tests are passing and all team reviews are covered. Marking as ready to merge.

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 26, 2021
@kaworu kaworu merged commit d965f84 into cilium:master May 27, 2021
@sayboras sayboras mentioned this pull request May 26, 2022
Merged
sayboras added a commit to sayboras/cilium that referenced this pull request May 26, 2022
@sayboras
cli: Use custom named map instead of StringToStringVar
4e82fee 
Out of all the flags having string map type, only these two flags are
StringToStringVar type, which failed validation if the passed value is
json format.

```
2022-05-26T12:03:33.817769447Z level=fatal msg="Incorrect config-map flag subnet-tags-filter" error="{\"type\":\"private\"} must be formatted as key=value" subsys=config
```

Relates: cilium#16014
Fixes: cilium#19961
Signed-off-by: Tam Mach <tam.mach@cilium.io>
aanm pushed a commit that referenced this pull request Jun 3, 2022
@sayboras @aanm
cli: Use custom named map instead of StringToStringVar
2d35b95 
Out of all the flags having string map type, only these two flags are
StringToStringVar type, which failed validation if the passed value is
json format.

```
2022-05-26T12:03:33.817769447Z level=fatal msg="Incorrect config-map flag subnet-tags-filter" error="{\"type\":\"private\"} must be formatted as key=value" subsys=config
```

Relates: #16014
Fixes: #19961
Signed-off-by: Tam Mach <tam.mach@cilium.io>
joamaki pushed a commit to joamaki/cilium that referenced this pull request Jun 8, 2022
@sayboras @joamaki
cli: Use custom named map instead of StringToStringVar
1c71315 
[ upstream commit 2d35b95 ]

Out of all the flags having string map type, only these two flags are
StringToStringVar type, which failed validation if the passed value is
json format.

```
2022-05-26T12:03:33.817769447Z level=fatal msg="Incorrect config-map flag subnet-tags-filter" error="{\"type\":\"private\"} must be formatted as key=value" subsys=config
```

Relates: cilium#16014
Fixes: cilium#19961
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
nebril pushed a commit that referenced this pull request Jun 9, 2022
@sayboras @nebril
cli: Use custom named map instead of StringToStringVar
d6a6267 
[ upstream commit 2d35b95 ]

Out of all the flags having string map type, only these two flags are
StringToStringVar type, which failed validation if the passed value is
json format.

```
2022-05-26T12:03:33.817769447Z level=fatal msg="Incorrect config-map flag subnet-tags-filter" error="{\"type\":\"private\"} must be formatted as key=value" subsys=config
```

Relates: #16014
Fixes: #19961
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jibi jibi jibi approved these changes

@errordeveloper errordeveloper errordeveloper approved these changes

@nathanjsweet nathanjsweet nathanjsweet approved these changes

@pchaigno pchaigno pchaigno approved these changes

@anfernee anfernee Awaiting requested review from anfernee

Assignees

@anfernee anfernee

Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

No validation of agent flag values when using mounted ConfigMap
7 participants
@romanspb80 @pchaigno @errordeveloper @jibi @anfernee @nathanjsweet @kaworu