Update validation logic for kubenet network plugin. #1715
Conversation
tombuildsstuff
removed request for
tombuildsstuff,
katbyte,
JunyiYi and
WodansSon
There was a problem hiding this comment.
hi @metacpp
Thanks for this PR. I've left some comments in-line but we need to ensure we test both the optional + specified cases here. In addition since the service_cidr, dns_service_ip and docker_bridge_cidr fields are only applicable to the kubenet network profile - we should document this.
Thanks!
| dnsServiceIP := profile["dns_service_ip"].(string) | ||
| serviceCidr := profile["service_cidr"].(string) | ||
|
|
||
| if dockerBridgeCidr == "" || dnsServiceIP == "" || serviceCidr == "" { |
There was a problem hiding this comment.
we should add this validation back in but ensure that if one of the fields is set then the other fields are set too #Resolved
There was a problem hiding this comment.
They either need to be all empty or all non-empty, this is server side logic. Although we can add it here to improve the experience, but we also introduced the risk to guess the server logic. Anyway, I made the change as you like.
In reply to: 207461949 [](ancestors = 207461949)
| @@ -526,9 +523,6 @@ resource "azurerm_kubernetes_cluster" "test" { | |||
|
|
|||
| network_profile { | |||
| network_plugin = "kubenet" | |||
| dns_service_ip = "10.10.0.10" | |||
| docker_bridge_cidr = "172.18.0.1/16" | |||
| service_cidr = "10.10.0.0/16" | |||
| } | |||
There was a problem hiding this comment.
we should update to make two tests here, one for when this is not specified and one for when this is #Resolved
There was a problem hiding this comment.
Yeah, 2 legacy tests will use different settings: one is all empty, the other is all non-empty.
In reply to: 207462036 [](ancestors = 207462036)
|
|
||
| * `docker_bridge_cidr` - (Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. This is required when `network_plugin` is set to `kubenet`. Changing this forces a new resource to be created. |
There was a problem hiding this comment.
we should add in "This field can only be set when network_plugin is set to kubenet" #Resolved
There was a problem hiding this comment.
There was a problem hiding this comment.
It should also be noted that the docker_bridge_cidr must have the last octet noted or the RP will fail. e.g 172.26.0.1/16 not 172.26.0.0/16 The server side logic is testing for this last octet and will stop the deployment.
Also the logic above for dns_service_ip is incorrect. It is only required is serviceCidr is entered not docker_bride_cidr #WontFix
There was a problem hiding this comment.
We tried this combination:
network_profile {
network_plugin = "kubenet"
dns_service_ip = "10.10.0.10"
docker_bridge_cidr = ""
service_cidr = "10.10.0.0/16"
}It still fails due to not all of 3 are set.
In reply to: 207924196 [](ancestors = 207924196)
There was a problem hiding this comment.
For the octet, I don't quite understand, can you be more specific on the documentation change?
In reply to: 208059432 [](ancestors = 208059432,207924196)
There was a problem hiding this comment.
If someone enters what they normally think of a CIDR address is such as 172.16.0.0/16 the RP will kick back an error saying that docker_bridge_Cidr is not a valid cidr address. It must be the first available address in the space and the prefix number, not the network name and prefix. #WontFix
There was a problem hiding this comment.
Where can we find the these rules? I feel we probably can provide a link to how to define the addresses here instead. Anyway, feel free to send another PR to update this document, that will be more efficient.
In reply to: 208078669 [](ancestors = 208078669)
There was a problem hiding this comment.
|
|
||
| ~> **NOTE:** This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. | ||
|
|
||
| * `dns_service_ip` - (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). This is required when `network_plugin` is set to `kubenet`. Changing this forces a new resource to be created. |
There was a problem hiding this comment.
we should add in "This field can only be set when network_plugin is set to kubenet" #Resolved
There was a problem hiding this comment.
|
|
||
| -> **NOTE:** When `network_plugin` is set to `azure` - the `vnet_subnet_id` field in the `agent_pool_profile` block must be set. | ||
|
|
||
| * `service_cidr` - (Optional) The Network Range used by the Kubernetes service. This is required when `network_plugin` is set to `kubenet`. Changing this forces a new resource to be created. | ||
| * `service_cidr` - (Optional) The Network Range used by the Kubernetes service. Changing this forces a new resource to be created. |
There was a problem hiding this comment.
we should add in "This field can only be set when network_plugin is set to kubenet" #Resolved
There was a problem hiding this comment.
| profile := rawProfiles[0].(map[string]interface{}) | ||
| networkPlugin := profile["network_plugin"].(string) | ||
|
|
||
| if networkPlugin == "kubenet" { |
There was a problem hiding this comment.
we can also invert this logic to ensure they're not set when the networkPlugin is "azure" #Resolved
There was a problem hiding this comment.
…profile setting. The docker_bridge_cidr, dns_service_ip, service_cidr should be either all empty or all non-empty. Closes #1648
…ce for AKS. Updated the test confiuration code for data source of AKS to use new refactored functions.
|
@jeffreyCline is added to the review. #Closed |
Fix the formatting error while running gofmt on AKS resource related files.
| return fmt.Errorf("If the `network_plugin` is set to `kubenet` then the fields `docker_bridge_cidr`, `dns_service_ip` and `service_cidr` must not be empty.") | ||
| if !((dockerBridgeCidr == "" && dnsServiceIP == "" && serviceCidr == "") || | ||
| (dockerBridgeCidr != "" && dnsServiceIP != "" && serviceCidr != "")) { | ||
| return fmt.Errorf("`docker_bridge_cidr`, `dns_service_ip` and `service_cidr` should all be empty or neither should be empty.") |
There was a problem hiding this comment.
This is a confusing error msg, could we change it to something like:
docker_bridge_cidr, dns_service_ip and service_cidr should all be empty or all should be set.
#Resolved
There was a problem hiding this comment.
…ofile setting. Change the description of error message to be more readable.
There was a problem hiding this comment.
hey @metacpp
Thanks for pushing the updates - if we can fix the minor refactoring then this otherwise LGTM (I'm assuming the tests pass 😄) 👍
Thanks!
| @@ -410,7 +441,9 @@ resource "azurerm_kubernetes_cluster" "test" { | |||
| `, rInt, location, rInt, rInt, rInt, clientId, clientSecret) | |||
| } | |||
|
|
|||
| func testAccAzureRMKubernetesCluster_advancedNetworkingKubenet(rInt int, clientId string, clientSecret string, location string) string { | |||
| func testAccAzureRMKubernetesCluster_advancedNetworking(rInt int, clientId string, clientSecret string, location string, | |||
There was a problem hiding this comment.
given the values are going to be the same for the dnsServiceIp , dockerBridgeCidr and serviceCidr fields in both Kubenet and Azure in both cases - we can duplicate the test configuration and hard-code the values for both cases? #Resolved
There was a problem hiding this comment.
Thanks for the suggestion.The extra parameters provide functionalities to add more testing combinations, besides all empty or all set. I would like to leave it here.
In reply to: 207946292 [](ancestors = 207946292)
There was a problem hiding this comment.
@metacpp this should be refactored to match the other resources, since the values intentionally shouldn't be set to empty strings if they're unset #Resolved
There was a problem hiding this comment.
I did the refactoring to align with your preference here.
In reply to: 208550336 [](ancestors = 208550336)
| if dockerBridgeCidr == "" || dnsServiceIP == "" || serviceCidr == "" { | ||
| return fmt.Errorf("If the `network_plugin` is set to `kubenet` then the fields `docker_bridge_cidr`, `dns_service_ip` and `service_cidr` must not be empty.") | ||
| if !((dockerBridgeCidr == "" && dnsServiceIP == "" && serviceCidr == "") || | ||
| (dockerBridgeCidr != "" && dnsServiceIP != "" && serviceCidr != "")) { |
There was a problem hiding this comment.
minor / not a blocker we could probably make this more readable by doing:
hasDockerCidr := dockerBridgeCidr != ""
hasServiceIP := dnsServiceIP != ""
hasServiceCidr := serviceCidr != ""
allEmpty := !hasDockerCidr && !hasServiceIP && !hasServiceCidr
allSet := hasDockerCidr && hasServiceIP && hasServiceCidr
if !allEmpty && !allSet {
return fmt.Errorf("...")
}
``` #Resolved
There was a problem hiding this comment.
…p nested code. Use early return to remove deeply nested if-else block.
metacpp
changed the title
TestAzureRMKubernetesCluster_agentPoolName was a unit test, which should not have Acc in the naming.
…ions. Ignore the setting of empty string values.
Updated the arguments to align with new refactored function for configuration.
|
@metacpp heads up that I've pushed a commit to refactor the test case to match the other test cases |
|
Tests pass:
|
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
kubenet,dockerBridgeCidr,dnsServiceIP, andserviceCidr.kubenetscenario.azureandkubenet.The result of related acceptance tests (8/8/2018):