instancetype: Reject Matcher updates without updating RevisionName #9421
Conversation
kubevirt-bot
added
release-note
kubevirt-bot
added
kind/api-change
| if oldMatcher.GetName() != newMatcher.GetName() && newMatcher.GetRevisionName() != "" { | ||
| return fmt.Errorf("the Matcher Name has been updated without clearing the RevisionName") | ||
| } |
There was a problem hiding this comment.
Change this to
if oldMatcher.GetName() != newMatcher.GetName() && oldMatcher.GetRevisionName() == newMatcher.GetRevisionName() {
return fmt.Errorf("the Matcher Name has been updated without updating the RevisionName")
}
to allow changing to a different matcher with a specific revision in one go?
|
/retest-required |
lyarwood
changed the title
|
/cherrypick release-0.59 |
|
@lyarwood: once the present PR merges, I will cherry-pick it on top of release-0.59 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| return nil | ||
| } | ||
|
|
||
| func validateMatcherUpdate[M v1.Matcher](oldMatcher M, newMatcher M) error { |
There was a problem hiding this comment.
To save duplicating the logic below between {Instancetype,Preference}Matcher.
There was a problem hiding this comment.
func validateMatcherUpdate(oldMatcher, newMatcher v1.Matcher) error works fine. Can you elaborate?
There was a problem hiding this comment.
@xpivarc hopefully that answered your question, would you mind taking another look?
There was a problem hiding this comment.
func validateMatcherUpdate(oldMatcher, newMatcher v1.Matcher) errorworks fine. Can you elaborate?
facepalm I'll drop this now sorry.
| @@ -125,6 +147,7 @@ var _ = Describe("VirtualMachine Mutator", func() { | |||
|
|
|||
| k8sClient = k8sfake.NewSimpleClientset() | |||
| virtClient.EXPECT().CoreV1().Return(k8sClient.CoreV1()).AnyTimes() | |||
| virtClient.EXPECT().AppsV1().Return(k8sClient.AppsV1()).AnyTimes() | |||
There was a problem hiding this comment.
Good question, the mutation webhook will attempt to lookup any preference related ControllerRevisions but ultimately swallow any errors later in the mutation flow:
kubevirt/pkg/virt-api/webhooks/mutating-webhook/mutators/vm-mutator.go
Lines 136 to 141 in 7d90329
There was a problem hiding this comment.
But it is required for the introduced context and not for this one. So can we move it?
There was a problem hiding this comment.
Yup that's true, I'll move it down.
| return nil | ||
| } | ||
|
|
||
| func validateMatcherUpdate[M v1.Matcher](oldMatcher M, newMatcher M) error { |
There was a problem hiding this comment.
func validateMatcherUpdate(oldMatcher, newMatcher v1.Matcher) error works fine. Can you elaborate?
| @@ -125,6 +147,7 @@ var _ = Describe("VirtualMachine Mutator", func() { | |||
|
|
|||
| k8sClient = k8sfake.NewSimpleClientset() | |||
| virtClient.EXPECT().CoreV1().Return(k8sClient.CoreV1()).AnyTimes() | |||
| virtClient.EXPECT().AppsV1().Return(k8sClient.AppsV1()).AnyTimes() | |||
There was a problem hiding this comment.
But it is required for the introduced context and not for this one. So can we move it?
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: xpivarc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
| if oldPreferenceMatcher == nil && newPreferenceMatcher == nil { | ||
| return nil | ||
| } | ||
| if err := validateMatcherUpdate(*oldPreferenceMatcher, *newPreferenceMatcher); err != nil { |
There was a problem hiding this comment.
Can you pass the matchers without derefing them?
There was a problem hiding this comment.
edit - Apologies replied to the wrong comment, staticcheck was complaining about something before when I tried this but it's working now. Updated.
| } | ||
|
|
||
| func validatePreferenceMatcherUpdate(oldPreferenceMatcher *v1.PreferenceMatcher, newPreferenceMatcher *v1.PreferenceMatcher) []metav1.StatusCause { | ||
| if oldPreferenceMatcher == nil && newPreferenceMatcher == nil { |
There was a problem hiding this comment.
What happens if only one matcher is nil? Will it panic?
There was a problem hiding this comment.
Yeah good catch, updated the && above, should be || to skip the check when one side isn't provided when they are initially introduced or later dropped.
As set out in issue kubevirt#9132 requests to update the Name of an {Instancetype,Preference}Matcher were always accepted regardless of the RevisionName being cleared or updated. This would result in an older and likely unwanted ControllerRevision being used containing an outdated or completely wrong Instancetype or Preference. With this change the VM mutation webhook will now reject requests to update the target Name of a {Instancetype,Preference}Matcher without also clearing or updating the RevisionName. Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
|
Thanks! /lgtm |
|
@lyarwood: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required |
|
/retest-required |
1 similar comment
|
/retest-required |
|
@lyarwood: new pull request created: #9500 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/area instancetype
What this PR does / why we need it:
As set out in issue #9132 requests to update the
Nameof an{Instancetype,Preference}Matcherwere always accepted regardless of theRevisionNamealso being updated. This would result in an older and likely unwantedControllerRevisionbeing used containing an outdated or completely wrongInstancetypeorPreference.With this change the VM mutation webhook will now reject requests to update the target
Nameof a{Instancetype,Preference}Matcherwithout also updating theRevisionName.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #9132
Special notes for your reviewer:
Release note: