⚠️ Remove PortOpts.SecurityGroups #1291
✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!
Hi @lentzi90. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
a9e43c9 to 70546e0
api/v1alpha6/types.go
Outdated
SecurityGroupFilters []SecurityGroupParam `json:"securityGroupFilters,omitempty"` | ||
AllowedAddressPairs []AddressPair `json:"allowedAddressPairs,omitempty"` | ||
// The names of the security groups to assign to the port | ||
SecurityGroups *[]SecurityGroupParam `json:"securityGroups,omitempty"` |
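Review bot: the doc comment on the last field still reads "The names of the security groups to assign to the port", but the field is now *[]SecurityGroupParam, so it no longer describes what the field holds. Update the comment to describe the new element type, and state what a nil pointer means compared with a pointer to an empty list, because the pointer-to-slice type makes those two inputs distinguishable and readers of the API will assume the difference matters.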
Please check this carefully.
I have copied it from #1257 but I'm unsure if it should be *[]SecurityGroupParam or []SecurityGroupParam. Note that the SecurityGroupFilters used to be []SecurityGroupParam but now SecurityGroups is *[]SecurityGroupParam.
This looks good to me with some caveats.
- We need to decide if it's useful to specify an explicitly empty list of SecurityGroups.
- Double check we didn't break selection by filter.
and a big one:
I would really like to see us test this with envtests rather than e2e. It's a perfect candidate.
} | ||
if len(portSecurityGroups) > 0 { | ||
securityGroups = &portSecurityGroups | ||
} | ||
} | ||
// inherit port security groups from the instance if not explicitly specified | ||
if securityGroups == nil || len(*securityGroups) == 0 { |
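Review bot: the condition on the last line does not match the comment above it: the comment says groups are inherited when "not explicitly specified", yet len(*securityGroups) == 0 also sends an explicitly empty list down the inherit path. A port declared with an empty list would still receive the instance's security groups; either drop the length half of the condition or reword the comment (and the field's documentation) so that an empty list is documented as meaning "inherit".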
The len(*securityGroups) == 0 check looks out of place. The only reason I can think of to specify SecurityGroups as *[]foo rather than []foo is to allow the user to differentiate between no value (i.e. use the default) and an explicitly empty list. Combining those 2 cases in this check removes this benefit.
If we're changing this we should decide if we really need this distinction. If not we should simplify the type to []foo to remove the landmine.
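The difference between an absent field and an explicitly empty list, as an added example that is not code from this PR or from the project. The portOpts type, the plain-string group names, the function names and the sample values are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// portOpts is a stand-in for the PR's PortOpts (assumption): plain
// strings replace SecurityGroupParam to keep the example short.
type portOpts struct {
	SecurityGroups *[]string `json:"securityGroups,omitempty"`
}

// resolveMerged mirrors the check under review: nil and an explicitly
// empty list both fall back to the instance's groups.
func resolveMerged(p portOpts, instance []string) []string {
	if p.SecurityGroups == nil || len(*p.SecurityGroups) == 0 {
		return instance
	}
	return *p.SecurityGroups
}

// resolveDistinct inherits only when the field is absent, so an
// explicit empty list yields a port with no security groups.
func resolveDistinct(p portOpts, instance []string) []string {
	if p.SecurityGroups == nil {
		return instance
	}
	return *p.SecurityGroups
}

// decode parses a constructed port spec.
func decode(doc string) portOpts {
	var p portOpts
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		panic(err)
	}
	return p
}

func main() {
	instance := []string{"worker-default"} // constructed sample value
	for _, doc := range []string{`{}`, `{"securityGroups":[]}`, `{"securityGroups":["db"]}`} {
		p := decode(doc)
		fmt.Printf("%-28s merged=%v distinct=%v\n", doc,
			resolveMerged(p, instance), resolveDistinct(p, instance))
	}
}
```

Only the middle input differs between the two functions: with the merged check, a user who writes an empty list to get a port without groups still gets the instance's groups.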
Not sure I understand. But I'll give it a go. So the securityGroups == nil is for checking if the portOpts didn't have any security groups specified, right? Then the len(*securityGroups) == 0 would mean that we check if the portOpts had an explicit empty list of security groups?
If this is the case, then I agree that combining them is pointless. And it makes the check do a different thing than the comment above implies. So the actual current behavior is to inherit the security groups from the instance, no matter if the portOpts had an empty list or nothing specified at all.
I would be happy to simplify this if we get consensus.
A quick check revealed that there are no unit tests that check this at least. Could be something in the e2e tests of course but that seems unlikely.
70546e0 to 8498a17
if len(SGList) == 0 { | ||
return nil, fmt.Errorf("security group %s not found", sg.Name) | ||
} |
Note this change in behavior for GetSecurityGroups!
It used to return an error if none were found. Now it simply returns an empty slice.
If we want to keep the current behavior, we will need a way to tell the difference between "unable to get security groups" (e.g. network errors) and "these params don't match anything". Otherwise we have no way of knowing if we should create a new port or retry again later.
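One way to keep the two outcomes distinguishable, as an added example that is not the project's code: a sentinel error wrapped with %w and checked with errors.Is. The names ErrNoMatch, lister, getSecurityGroups and nextStep, and the fake list functions, are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoMatch is a hypothetical sentinel: the lookup worked but matched nothing.
var ErrNoMatch = errors.New("no matching security group")

// lister stands in for the OpenStack list call (hypothetical signature).
type lister func(name string) ([]string, error)

// getSecurityGroups resolves names to IDs; failed calls and empty results differ.
func getSecurityGroups(list lister, names []string) ([]string, error) {
	ids := []string{}
	for _, name := range names {
		found, err := list(name)
		if err != nil {
			return nil, fmt.Errorf("listing security group %q: %w", name, err)
		}
		if len(found) == 0 {
			return nil, fmt.Errorf("security group %q: %w", name, ErrNoMatch)
		}
		ids = append(ids, found...)
	}
	return ids, nil
}

// nextStep maps the lookup error to what the caller should do.
func nextStep(err error) string {
	switch {
	case err == nil:
		return "proceed"
	case errors.Is(err, ErrNoMatch):
		return "no-match" // the lookup worked; retrying will not change it
	default:
		return "retry" // e.g. a network error; the groups may exist
	}
}

// Constructed fakes for the two failure modes.
func emptyList(string) ([]string, error) { return nil, nil }
func brokenAPI(string) ([]string, error) { return nil, errors.New("connection reset") }

func main() {
	for _, l := range []lister{emptyList, brokenAPI} {
		_, err := getSecurityGroups(l, []string{"db"})
		fmt.Println(nextStep(err), err)
	}
}
```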
/retest
8498a17 to 815c661
815c661 to 8934598
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
8934598 to de155f5
de155f5 to 852fb61
/test pull-cluster-api-provider-openstack-e2e-full-test
This turns PortOpts.SecurityGroups in v1alpha6 into *[]SecurityGroupParam instead of *[]string and removes the SecurityGroupFilters field which would contain the same information otherwise.
Co-authored-by: Anwar Hassen <anwar.hassen@est.tech>
852fb61 to 1ef5ee1
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: lentzi90
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
This adds conversion tests especially for PortOpts. Both "normal" tests and fuzzy tests are added for v1alpha6. Conversions and tests are updated also for older API versions.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@lentzi90: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Replaced by #1516 which just drops
This replaces #1257.
What this PR does / why we need it:
Deprecating and replacing PortOpts.SecurityGroups of *[]string format field from OpenStackMachineTemplate ports and replace it with *[]SecurityGroupParam format. The PortOpts.SecurityGroupFilters of type []SecurityGroupParam is removed.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1251
Special notes for your reviewer:
I opened a new PR instead of rebasing the existing since there are some issues and I'm unsure how to solve them. This way it will be easier to compare the rebased and original code side by side.
We need to provide a conversion function for the PortOpts.SecurityGroups field that changes from *[]string in v1alpha5 to *[]SecurityGroupParam in v1alpha6.
The same conversion is needed from v1alpha4 to v1alpha6 and this is where I'm having issues. The required name of the conversion function becomes the same for both v1alpha4 and v1alpha5 because it goes from *[]string which doesn't have a version.
If I add this conversion function to both v1alpha4 and v1alpha5, the generator complains that there is a duplicate.
If I instead add the conversion in only one place (e.g. v1alpha5), then the generator will be happy and import the conversion function in the other API version as well! But the compiler does not like this at all. It gets an import error.
This wasn't a problem in the original PR since it only needed the conversion from v1alpha4 -> v1alpha5 (so no duplicate function name or import needed).
If you have any suggestions on how to solve this, please let me know.
Edit: I think I figured it out! By adding the conversion function in v1alpha6 instead of v1alpha5 and/or v1alpha4, I avoid the issue.
TODOs:
/hold