OCPBUGS-66943: Validate cluster name against Azure reserved words #10221

Merged
openshift-merge-bot[bot] merged 3 commits into openshift:main from gpei:validate_azure_preserve_name
Jan 15, 2026

@gpei
Contributor

@gpei gpei commented Jan 14, 2026

Azure prohibits certain reserved words and trademarks in resource names that have accessible endpoints (such as FQDNs). This change adds validation to reject cluster names that violate Azure's reserved word restrictions, preventing deployment failures with ReservedResourceName or DomainNameLabelReserved errors.

The validation implements three types of restrictions based on Azure documentation[1]:

  1. Complete reserved words (40): Cannot be used as the exact cluster name
    Examples: ACCESS, AZURE, OFFICE, EXCHANGE, XBOX

    • "access" → rejected
    • "access1" → allowed (substring is OK)
  2. Substring forbidden (2): Cannot appear anywhere in the name
    MICROSOFT, WINDOWS

    • "amicrosoft-test" → rejected
    • "windows1" → rejected
  3. Prefix forbidden (1): Cannot be used at the start
    LOGIN

    • "login-cluster" → rejected
    • "bloginsystem" → allowed (not at start)

[1]https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-reserved-resource-name
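
The three rule types described above, sketched in Go as an added example (not the code from this PR). The word lists hold only the words named in the description, the function name `checkAzureReservedName` is hypothetical, and matching is case-insensitive, consistent with the `MICROSOFT` test run in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Subset only: the words named in the PR description. The PR itself checks
// 40 exact-match words; the full list is in the Azure document it links.
var (
	exactReserved     = []string{"access", "azure", "office", "exchange", "xbox"}
	substringReserved = []string{"microsoft", "windows"}
	prefixReserved    = []string{"login"}
)

// checkAzureReservedName (hypothetical name) returns one message per violated
// rule, or nil when the name passes. The name is lower-cased before matching.
func checkAzureReservedName(name string) []string {
	lower := strings.ToLower(name)
	var errs []string
	// Rule 1: the whole name must not equal a reserved word.
	for _, w := range exactReserved {
		if lower == w {
			errs = append(errs, fmt.Sprintf("cluster name must not be the reserved word %q", w))
		}
	}
	// Rule 2: the word must not appear anywhere in the name.
	for _, w := range substringReserved {
		if strings.Contains(lower, w) {
			errs = append(errs, fmt.Sprintf("cluster name must not contain the reserved word %q", w))
		}
	}
	// Rule 3: the name must not start with the word.
	for _, w := range prefixReserved {
		if strings.HasPrefix(lower, w) {
			errs = append(errs, fmt.Sprintf("cluster name must not start with the reserved word %q", w))
		}
	}
	return errs
}

func main() {
	// Names taken from the PR description and the local test run.
	for _, n := range []string{"access", "access1", "amicrosoft-test", "windows1",
		"login-cluster", "bloginsystem", "MICROSOFT", "azure"} {
		fmt.Printf("%-16s %v\n", n, checkAzureReservedName(n))
	}
}
```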

gpei added 2 commits January 14, 2026 12:34
  Azure prohibits the use of certain reserved words and trademarks
  in resource names. This change adds validation to reject cluster
  names containing any of the 43 reserved words documented by Azure,
  preventing deployment failures with ReservedResourceName errors.

  Reserved words checked include:
  - Complete reserved words (40): AZURE, OFFICE, EXCHANGE, etc.
  - Substring forbidden (2): MICROSOFT, WINDOWS
  - Prefix forbidden (1): LOGIN
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 14, 2026
@openshift-ci-robot
Contributor

@gpei: This pull request references Jira Issue OCPBUGS-66943, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@gpei
Contributor Author

gpei commented Jan 14, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 14, 2026
@openshift-ci-robot
Contributor

@gpei: This pull request references Jira Issue OCPBUGS-66943, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jinyunma


@openshift-ci openshift-ci bot requested a review from jinyunma January 14, 2026 15:02
@gpei
Contributor Author

gpei commented Jan 14, 2026

Some local test of the built installer

Cluster Name: login-test
# ./openshift-install create manifests --dir 0114
WARNING Release Image Architecture not detected. Release Image Architecture is unknown 
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: metadata.name: Invalid value: "login-test": cluster name must not start with the reserved word "login" 

Cluster Name: MICROSOFT
# ./openshift-install create manifests --dir 0114
WARNING Release Image Architecture not detected. Release Image Architecture is unknown 
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: [metadata.name: Invalid value: "MICROSOFT": cluster name must begin with a lower-case letter, metadata.name: Invalid value: "MICROSOFT": cluster name must not contain the reserved word "microsoft"] 

Cluster Name: azure
# ./openshift-install create manifests --dir 0114a
WARNING Release Image Architecture not detected. Release Image Architecture is unknown 
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: metadata.name: Invalid value: "azure": cluster name must not be the reserved word "azure" 

@gpei gpei changed the title OCPBUGS-66943: Validate cluster name against Azure reserved words WIP - OCPBUGS-66943: Validate cluster name against Azure reserved words Jan 14, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 14, 2026
@tthvo
Member

tthvo commented Jan 14, 2026

/retest-required
/test e2e-azure-ovn

Member

@tthvo tthvo left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 14, 2026
@patrickdillon
Contributor

/approve

...but I'm not happy I can't name my cluster HOLOLENS!

@patrickdillon
Contributor

patrickdillon commented Jan 14, 2026

/lgtm cancel

(Sorry for cancelling Thuan's lgtm, but it makes more sense than removing approve).

I just noticed that the commits need to be squashed. We can actually use tide to squash ALL the commits, and that would be fine in this case (but it doesn't work well if you have a PR where you want to preserve multiple commits).

If you want to use tide, that's fine we can re-add lgtm

Nice work on writing a good commit message

@openshift-ci
Contributor

openshift-ci bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 14, 2026
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 14, 2026
@gpei
Contributor Author

gpei commented Jan 15, 2026

> I just noticed that the commits need to be squashed. We can actually use tide to squash ALL the commits, and that would be fine in this case (but it doesn't work well if you have a PR where you want to preserve multiple commits).

@patrickdillon Thanks for letting me know about this. The last two commits are just fixes, so squashing them all is fine, we can just use Tide to squash the commits.

@gpei gpei changed the title WIP - OCPBUGS-66943: Validate cluster name against Azure reserved words OCPBUGS-66943: Validate cluster name against Azure reserved words Jan 15, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 15, 2026
@tthvo
Member

tthvo commented Jan 15, 2026

/label tide/merge-method-squash

I think this is the right command for squashing 👀

@openshift-ci openshift-ci bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jan 15, 2026
@tthvo
Member

tthvo commented Jan 15, 2026

/lgtm

Happy to reapply the lgtm 👍

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 15, 2026
@gpei
Contributor Author

gpei commented Jan 15, 2026

Pre-merge verification done on this, the installer works as expected.
/verified by @gpei

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jan 15, 2026
@openshift-ci-robot
Contributor

@gpei: This PR has been marked as verified by @gpei.


@gpei
Contributor Author

gpei commented Jan 15, 2026

This should be a small enhancement that could be backported to 4.21. But I'm wondering about timing, with 4.21 about to GA soon and this not being a big issue (we already have docs warning against these reserved words), so should we backport now or wait for 4.21.z releases after GA?

@openshift-ci
Contributor

openshift-ci bot commented Jan 15, 2026

@gpei: all tests passed!


@openshift-merge-bot openshift-merge-bot bot merged commit 15d1d85 into openshift:main Jan 15, 2026
15 checks passed
@openshift-ci-robot
Contributor

@gpei: Jira Issue Verification Checks: Jira Issue OCPBUGS-66943
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-66943 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓


@tthvo
Member

tthvo commented Jan 15, 2026

> This should be a small enhancement that could be backported to 4.21. But I'm wondering about timing, with 4.21 about to GA soon and this not being a big issue (we already have docs warning against these reserved words), so should we backport now or wait for 4.21.z releases after GA?

I guess the "bug" here is really a "user error" and we are helping to guard against it so it's not a bug in the product that should block 4.21 GA. Looking at the criteria Patrick mentioned the other day, there is no attached customer case, and it's not critical so we can skip backporting it? But if we do, z-stream seems like a good place :D

What do you think Patrick?
