CFE-857: Apply user defined tags on created gcp resources #7279
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
bharath-b-rh
force-pushed
the
cfe-857
branch
2 times, most recently
from
c6b0254
to
e67b432
Compare
bharath-b-rh
force-pushed
the
cfe-857
branch
2 times, most recently
from
07652d2
to
80da9cd
Compare
openshift-merge-robot
added
the
needs-rebase
bharath-b-rh
force-pushed
the
cfe-857
branch
2 times, most recently
from
0170f96
to
5bd3416
Compare
openshift-merge-robot
removed
the
needs-rebase
|
You will want to separate the go vendoring into a separate commit (like this https://github.com/openshift/installer/blob/master/docs/dev/dependencies.md#go) to make it easier to review |
Thank you for reviewing @patrickdillon! I have split the go mod changes into two for go.mod update and for adding new vendor code. |
openshift-merge-robot
added
the
needs-rebase
bharath-b-rh
force-pushed
the
cfe-857
branch
2 times, most recently
from
5658f2b
to
bfac051
Compare
openshift-merge-robot
removed
the
needs-rebase
bharath-b-rh
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@bharath-b-rh: This pull request references CFE-857 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/remove-hold |
openshift-ci
bot
removed
do-not-merge/hold
|
/retest-required |
|
/cc @bfournie |
| if errors.As(err, &gErr) && (gErr.HTTPCode() == http.StatusNotFound || | ||
| gErr.HTTPCode() == http.StatusForbidden) { | ||
| logrus.Debugf("does not have permission to access %s tag or does not exist", name) |
There was a problem hiding this comment.
Why give an ambiguous message if you can identify the 2 scenarios?
| if errors.As(err, &gErr) && (gErr.HTTPCode() == http.StatusNotFound || | |
| gErr.HTTPCode() == http.StatusForbidden) { | |
| logrus.Debugf("does not have permission to access %s tag or does not exist", name) | |
| if errors.As(err, &gErr) { | |
| switch gErr.HTTPCode() { | |
| case http.StatusNotFound: | |
| logrus.Debugf("tag %s does not exist: %s", name, err.Error()) | |
| case http.StatusForbidden: | |
| logrus.Debugf("permission issues accessing tag %s: %s", name, err.Error()) | |
| } | |
There was a problem hiding this comment.
Error returned by the GCP APIs is also similar. I think it's because RBAC can be defined on each tag key and value, and with a given service account, it won't be possible to say whether the tag exists and is inaccessible or it doesn't exist at all, so thought to keep the same. Below error was returned for a tag value which didn't exist.
User [xyz] does not have permission to access tagValues instance [namespaced] (or it may not exist): Permission denied on resource 'openshift/key/value' (or it may not exist).
There was a problem hiding this comment.
Code updated, new API of cloudresourcemanager package returns StatusForbidden for both non-existent and inaccessible tags.
| // getProcessedTags returns the list user-provided validated tags. | ||
| func getProcessedTags(mgr TagManager, ic *types.InstallConfig) (map[string]string, error) { | ||
| if !processedTags.getState() { | ||
| if err := validateUserTags(mgr, ic); err != nil { |
There was a problem hiding this comment.
It's a bit weird that the definition for validateUserTags lives in the validation.go file and it basically just calls validateAndStoreUserTags which is defined in this file. Also, I don't see why this function has to receive the InstallConfig object if it only needs the project name and the userTags to do its job.
There was a problem hiding this comment.
Yeah, I missed this unnecessary call while incorporating the comments, I will update it.
I thought to pass the InstallConfig object reference and use what's required, instead of passing individual parameters. Please let me know, if needs to be changed.
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
| @@ -0,0 +1,83 @@ | |||
| // Code generated by MockGen. DO NOT EDIT. | |||
There was a problem hiding this comment.
This code will be merged with mock code in pkg/asset/installconfig/gcp/mock/gcpclient_generated.go after updating google.golang.org/api/cloudresourcemanager from v1 to v3 in the follow up PR.
| return dupTags | ||
| } | ||
|
|
||
| // getCloudResourceServiceForTags returns the client required for querying resource manager resources. |
There was a problem hiding this comment.
Code will be merged with client code in pkg/asset/installconfig/gcp/client.go after updating google.golang.org/api/cloudresourcemanager from v1 to v3 in the follow up PR.
|
@bharath-b-rh: This pull request references CFE-857 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
LGTM in terms of the code but I haven't tested it myself. I'll leave it to @patrickdillon to give this a last look and tag it. |
|
Generally this looks good to me (but needs a rebase). We are moving away from Terraform and implementing a CAPI-based install pattern (see the enhancement for details). This code is already done so I am fine with merging it, but depending on the progress we make, it is possible we will not be using Terraform for GCP in 4.16. In order to support this feature going forward, it will be necessary for us to implement user tag support in the cluster-api-provider-gcp as it currently does not have support. |
openshift-merge-robot
added
the
needs-rebase
bharath-b-rh
force-pushed
the
cfe-857
branch
from
da46904
to
1363d39
Compare
openshift-merge-robot
removed
the
needs-rebase
|
@bharath-b-rh: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required |
Thank you! I have rebased the PR. |
|
/lgtm |
openshift-merge-bot
bot
merged commit 11fb96e
into
openshift:master
PR is for adding user-defined tags to the GCP resources created by installer during cluster creation.
Nameand it needs to be derived using the parametersOrganizationID, UserTag.Key, UserTag.Valuedefined by user in install-config.