New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
restore DeepCopy generation #204
restore DeepCopy generation #204
Conversation
78a3ce7
to
32b61a8
Compare
/test e2e-aws |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approach looks good to me.
pkg/aws/actuator/actuator.go
Outdated
} | ||
statement.Condition = out | ||
} | ||
policyDoc.Statement = append(policyDoc.Statement, statement) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Were you able to manually test with this PolicyCondition actually in use?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, with and without it. That's how I figured that I needed to annotate the StatementEntry struct to put the 'omitempty' (otherwise the JSON sent to AWS when there was no policy always included "Condition": null which would cause the AWS API calls to fail).
FWIW, this is a simple example:
spec:
secretRef:
name: my-cred-request-secret
namespace: openshift-cloud-credential-operator
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AWSProviderSpec
statementEntries:
- effect: Allow
action:
- s3:CreateBucket
- s3:DeleteBucket
resource: "*"
policyCondition:
StringEquals:
aws:userid: "testuser"
Here's a summary of where we stand with runtime.RawExtension being a pointer or not-a-pointer and comparing that to what the object definition is today. Today, the object definition has the PolicyCondition field as a Given that, I have created a new field (
Changing the
Changing it to a non-pointer It is not obvious to me that there is a benefit (or even a change) in choosing between Do we have any API experts who can review/comment on this proposed change? |
@joelddiaz fwiw the machine-api also uses a pointer to runtime.RawExtension (so I was wrong thinking it wasn't): |
/test e2e-aws-upgrade |
@deads2k as one our resident "API people", can you PTAL and see if there are any concerns with this migration from a field which is presently listed as type Our primary concern here is that we don't make any breaking API changes here (specifically the change to |
7251f45
to
41f208c
Compare
89d95b9
to
13ff01c
Compare
Good solve. Looks good to me, but will let @csrwng do the honors once he's had a chance to look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, just a question, and you also may want to remove the WIP from the title
verify="${VERIFY:-}" | ||
|
||
valid_gopath=$(realpath $REPO_FULL_PATH/../../../..) | ||
if [[ "$(realpath ${valid_gopath}/src/github.com/openshift/cloud-credential-operator)" == "${REPO_FULL_PATH}" ]]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason you don't just always do the fake go path? It seems to me that there's less chance to have issues with other things in the real gopath if you do have one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was an optimization suggested by @staebler so that we wouldn't have to wait for the various pieces to be downloaded to the GOPATH if your usable GOPATH already had them in there. Works out that the TMP_DIR holds around 174MB of data on disk.
I'll un-WIP and squash some things up and reduce the verbosity of the deepcopy generation in a moment.
Turns out that converting to rawExtension can be considered an API-breaking change if we were to really use the full flexibility of the rawExtension. So preserve the map[string]map[string]interface{} fields. New Makefile targets for generating deepcopy. Scripts for generating/verifying deepcopy. Mark fields so that we don't try to generate deepcopy methods for those that cannot be generated. Create manual deepcopy methods for the fields that need it. Test cases for the manual deep copy implementations. Didn't previously have test coverage for CredentialsRequests that defined the PolicyConditions to be applied. Write up some test cases to validate the behavior. As far as the deepcopy scripts: Rather than always setting up a temp dir so that deepcopy-gen can run in there, see if the repo's directory tree looks like: src/github.com/openshift/cloud-credential-operator If the tree looks that way, then just use that as the GOPATH when generating the deepcopy files. If the tree doesn't look that way, then set up a temp GOPATH directory setup and symlink back to the current repo w/o copying it to the temp dir.
13ff01c
to
88b8dc7
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: csrwng, joelddiaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Bring back hooks to update/verify our generated DeepCopy files.
The DeepCopy generator does not work with the current AWSProviderSpec.StatementEntries[].PolicyCondition field being a map[string]map[string]interface{}. Annotate those fields so that there is no attempt to generate the DeepCopy methods, and provide custom DeepCopy methods where needed.