Extend ConfigMap to store fwrule names

[csbell]

GLBC users can store a providerUid which is used in lieu of Uid when constructing l7 firewall rule names. This can be leveraged to resolve issues seen in Kubernetes #37306.

Backwards compatibility is retained by using Uid for l7 firewall rules unless providerUid is set.

[k8s-reviewable]

This change is 

[coveralls]

Coverage decreased (-0.03%) to 45.94% when pulling 85a3451 on csbell:fw-name into a8b8967 on kubernetes:master.

[bprashanth]

Made a first pass, I think the structure of the code will change if you have the Get/Put methods take k/v pairs instead of entire maps so I'll wait for you to upload another pr or reply to existing comments before more review.

[bprashanth]

Please avoid "_" in names, https://golang.org/doc/effective_go.html#mixed-cap

[csbell]

done

[bprashanth]

Why eat this error insted of logging it?

[csbell]

done

[bprashanth]

The problem with returning maps is the following:

package main

import (
	"fmt"
	"sync"
	"time"
)

type mapStore struct {
	mapValue map[string]string
	l        sync.Mutex
}

func (m *mapStore) getMap() map[string]string {
	m.l.Lock()
	defer m.l.Unlock()
	return m.mapValue
}

func (m *mapStore) set(k, v string) {
	m.l.Lock()
	defer m.l.Unlock()
	m.mapValue[k] = v
}

func main() {
	m := mapStore{mapValue: map[string]string{"foo": "bar"}}
	retrievedMap := m.getMap()

	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		for i := 0; i < 1000; i++ {
			fmt.Printf("%v", retrievedMap)
		}
		wg.Done()
	}()

	for i := 0; i < 1000; i++ {
		m.set("foo", fmt.Sprintf("%d", i))
		time.Sleep(10)
	}
	wg.Wait()
	fmt.Printf("%v\n", retrievedMap)
}

running with go run -race main.go reveals a race. Even if the race is not going to impact the actual program, go will complain about it in CI and cause tests to fail, and every programmer reading this code will probably need to convince themselves it's not racy.

Suggest passing the key down into this func, retrieving the string value under a lock and returning the string.

[csbell]

Thanks for the example -- I think the summary is just that we'll be issuing more configmap reads but won't be exposing the map which I think per go is fundamentally not threadsafe.

[bprashanth]

Same thing here, suggest Put(k, v string) if possible, to reduce the risk of a map clobber

[csbell]

map was not being clobbered but we are moving to key->val puts.

[bprashanth]

why is this commendte out?

[csbell]

done

[bprashanth]

Suggest defaulting this to clusterName if firewallName is unset, so we don't inadvertently break non-fed deployments by changing the name of the firewall and leaking it.

[csbell]

done.

[bprashanth]

Yeah batch storing k,v pairs makes it harder to reason about consistency. Ideally the call sites that care about the fw name should only get/update the one key. That way, if there's a conflict, we know we own that keyspace.

[csbell]

ack

[bprashanth]

The comment conflicts with the code a little, i.e we take a random map of any values not just UID and EUID right?

[csbell]

right, fixed.

[bprashanth]

This log line is misleading, it makes me think only the given k/v pair is updated but we actually plug the entire keyval map into the apiObj right?

[csbell]

Right. N/A now with key/val puts

[bprashanth]

s/vaultmap/vaultMap

[csbell]

done

[csbell]

Thanks for the first round of comments -- I've re-pushed the CL. The major differences are key/val-based puts and adding some unit testing.

However, I still plan on holding off until I can adequately integrate this with federation and test out the functionality.

[coveralls]

Coverage increased (+0.04%) to 46.014% when pulling c25aebca924449bdcac34326f309a8166c125e2a on csbell:fw-name into 9bba947 on kubernetes:master.

[csbell]

Kubernetes driver for this is here: kubernetes/kubernetes#41942

PTAL @nicksardo

[coveralls]

Coverage increased (+0.004%) to 46.167% when pulling f498b1c on csbell:fw-name into 592814b on kubernetes:master.

[nicksardo]

NewNamer is only used in tests; perhaps we should add the firewall name there instead of creating NewNamerWithFirewall. Also, the first string type can be omitted.

[csbell]

Done.

[nicksardo]

I'm not a fan of this func name since you're supplying the override and doing nothing flag specific.

Furthermore, I see there's a clusterName flag but not a firewallName flag. Do we want one?

[csbell]

The name reflects the time where there was a flag fore firewallName. Since talking to beeps, there's no need to introduce a new flag since there will be a new configration mechanism coming up over the next few months that will make flags obsolete.

[nicksardo]

This is an master-existing nitpick of mine. Could we reorder the err != nil before the if found?

Thank you for fixing it in the newNamer! https://github.com/kubernetes/ingress/blob/master/controllers/gce/main.go#L269

[csbell]

Yes, done.

[csbell]

PTAL.

[csbell]

The name reflects the time where there was a flag fore firewallName. Since talking to beeps, there's no need to introduce a new flag since there will be a new configration mechanism coming up over the next few months that will make flags obsolete.

[csbell]

Yes, done.

[csbell]

Done.

[nicksardo]

/lgtm

[k8s-ci-robot]

@nicksardo: you can't LGTM a PR unless you are an assignee.

In response to this comment:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[csbell]

Need another lgtm

[nicksardo]

/lgtm

[csbell]

With /approve ?

[nicksardo]

/approve

[coveralls]

Coverage increased (+0.04%) to 45.393% when pulling 68097e9 on csbell:fw-name into f5f9f5e on kubernetes:master.