Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UPSTREAM: <carry>: add validation for ingress.config.openshift.io component routes #1216

Closed
wants to merge 2 commits into from
Closed

UPSTREAM: <carry>: add validation for ingress.config.openshift.io component routes #1216

wants to merge 2 commits into from

Conversation

deads2k
Copy link

@deads2k deads2k commented Mar 15, 2022

/hold

just a POC, I don't plan to finish it out, but everything is stubbed for network edge.

/assign @candita

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Mar 15, 2022
@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 15, 2022
@openshift-ci-robot
Copy link

@deads2k: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot requested review from marun and mfojtik March 15, 2022 15:33
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 15, 2022
@openshift-ci-robot
Copy link

@deads2k: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Mar 15, 2022
This was referenced Mar 15, 2022
Merged
Closed
@deads2k
Copy link
Author

deads2k commented Mar 15, 2022

I went ahead and finished this off. Nobody wants to stop better API validation. We just need to be sure that we don't leave non-updatable objects in our wake.

/hold cancel
/assign @Miciah @candita

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 15, 2022
@deads2k deads2k removed the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Mar 15, 2022
@deads2k
Copy link
Author

deads2k commented Mar 15, 2022

/retest

Miciah
Miciah reviewed Mar 16, 2022
View reviewed changes
openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress_test.go Outdated
Comment on lines 47 to 56
t.Fatal(tc.expectedErr)
case len(actual) != 0 && len(tc.expectedErr) == 0:
t.Fatal(actual)
case len(actual) != 0 && len(tc.expectedErr) != 0:
found := false
for _, actualErr := range actual {
found = found || strings.Contains(actualErr.Error(), tc.expectedErr)
}
if !found {
t.Fatal(actual)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a test fails, the user needs to look closely for brackets or line numbers to figure out whether the printed error is the expected but missing error or an unexpected error.

Suggested change
t.Fatal(tc.expectedErr)
case len(actual) != 0 && len(tc.expectedErr) == 0:
t.Fatal(actual)
case len(actual) != 0 && len(tc.expectedErr) != 0:
found := false
for _, actualErr := range actual {
found = found || strings.Contains(actualErr.Error(), tc.expectedErr)
}
if !found {
t.Fatal(actual)
t.Fatalf("didn't get expected error: %v", tc.expectedErr)
case len(actual) != 0 && len(tc.expectedErr) == 0:
t.Fatalf("unexpected error: %v", actual)
case len(actual) != 0 && len(tc.expectedErr) != 0:
found := false
for _, actualErr := range actual {
found = found || strings.Contains(actualErr.Error(), tc.expectedErr)
}
if !found {
t.Fatalf("got %q, expected %q", actual tc.expectedErr)

openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress_test.go Outdated
Comment on lines 139 to 148
t.Fatal(tc.expectedErr)
case len(actual) != 0 && len(tc.expectedErr) == 0:
t.Fatal(actual)
case len(actual) != 0 && len(tc.expectedErr) != 0:
found := false
for _, actualErr := range actual {
found = found || strings.Contains(actualErr.Error(), tc.expectedErr)
}
if !found {
t.Fatal(actual)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
t.Fatal(tc.expectedErr)
case len(actual) != 0 && len(tc.expectedErr) == 0:
t.Fatal(actual)
case len(actual) != 0 && len(tc.expectedErr) != 0:
found := false
for _, actualErr := range actual {
found = found || strings.Contains(actualErr.Error(), tc.expectedErr)
}
if !found {
t.Fatal(actual)
t.Fatalf("didn't get expected error: %v", tc.expectedErr)
case len(actual) != 0 && len(tc.expectedErr) == 0:
t.Fatalf("unexpected error: %v", actual)
case len(actual) != 0 && len(tc.expectedErr) != 0:
found := false
for _, actualErr := range actual {
found = found || strings.Contains(actualErr.Error(), tc.expectedErr)
}
if !found {
t.Fatalf("got %q, expected %q", actual tc.expectedErr)

openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress.go Outdated
plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
return customresourcevalidation.NewValidator(
map[schema.GroupResource]bool{
configv1.Resource("Ingresses"): true,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it doesn't matter, but shouldn't the resource name be lower-case?

Suggested change
configv1.Resource("Ingresses"): true,
configv1.Resource("ingresses"): true,

openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress.go Outdated
return obj, nil
}

type featureGateV1 struct {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copypasta, or is that name intentional?

openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress.go Outdated
Comment on lines 53 to 59
var knownFeatureSets = sets.NewString(
"",
string(configv1.TechPreviewNoUpgrade),
string(configv1.CustomNoUpgrade),
string(configv1.IPv6DualStackNoUpgrade),
string(configv1.LatencySensitive),
)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unused.

openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress.go Outdated
Comment on lines 66 to 72
if errs := routeapihelpers.ValidateHost(
string(currRoute.Hostname),
"",
field.NewPath("spec.componentRoutes").Index(i).Child("hostname"),
); len(errs) > 0 {
allErrs = append(allErrs, errs...)
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The length check is superfluous.

Suggested change
if errs := routeapihelpers.ValidateHost(
string(currRoute.Hostname),
"",
field.NewPath("spec.componentRoutes").Index(i).Child("hostname"),
); len(errs) > 0 {
allErrs = append(allErrs, errs...)
}
allErrs = append(allErrs, routeapihelpers.ValidateHost(
string(currRoute.Hostname),
"",
field.NewPath("spec.componentRoutes").Index(i).Child("hostname"),
)...)

openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress.go
Comment on lines +95 to +99
previousRouteHostName := configv1.Hostname("")
for _, oldRoute := range oldSpec.ComponentRoutes {
if oldRoute.Name == currRoute.Name && oldRoute.Namespace == currRoute.Namespace {
previousRouteHostName = oldRoute.Hostname
break
}
}
// we don't enforce new validation rules if the hostname has not changed
if previousRouteHostName == currRoute.Hostname {
continue
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This logic allows the following test case to pass; is the test case valid, or should it expect an error?

		{
			name:        "no previous value to empty",
			hostname:    "",
			oldHostname: "nohost",
			noPrevious:  true,
			expectedErr: ``,
		},

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very well found!

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Mar 16, 2022
@openshift-ci-robot
Copy link

@deads2k: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@Miciah
Copy link

Miciah commented Mar 16, 2022

/lgtm

@openshift-ci
Copy link

openshift-ci bot commented Mar 16, 2022

@deads2k: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-upgrade 6c87b180e77974bfc8eb3b727914c56a7de472e8 link true /test e2e-gcp-upgrade
ci/prow/k8s-e2e-gcp 6c87b180e77974bfc8eb3b727914c56a7de472e8 link true /test k8s-e2e-gcp
ci/prow/e2e-aws-cgroupsv2 6c87b180e77974bfc8eb3b727914c56a7de472e8 link false /test e2e-aws-cgroupsv2
ci/prow/e2e-agnostic-cmd 6c87b180e77974bfc8eb3b727914c56a7de472e8 link false /test e2e-agnostic-cmd
ci/prow/images 6c87b180e77974bfc8eb3b727914c56a7de472e8 link true /test images
ci/prow/k8s-e2e-conformance-aws 6c87b180e77974bfc8eb3b727914c56a7de472e8 link true /test k8s-e2e-conformance-aws
ci/prow/verify-commits 6c87b180e77974bfc8eb3b727914c56a7de472e8 link true /test verify-commits
ci/prow/e2e-aws-csi 6c87b180e77974bfc8eb3b727914c56a7de472e8 link false /test e2e-aws-csi

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@deads2k deads2k removed the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Mar 16, 2022
@deads2k
Copy link
Author

deads2k commented Mar 16, 2022

Admission validation carry patches are accepted for types that must logically exist before their operators are present.

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Mar 16, 2022
@openshift-ci-robot
Copy link

@deads2k: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@deads2k
Copy link
Author

deads2k commented Mar 16, 2022

diff of diffs is identical. relabeling.

@deads2k deads2k added the lgtm Indicates that a PR is ready to be merged. label Mar 16, 2022
@deads2k deads2k removed the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Mar 16, 2022
@openshift-ci
Copy link

openshift-ci bot commented Mar 16, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Miciah
Copy link

Miciah commented Mar 17, 2022

/refresh

candita
candita reviewed Mar 17, 2022
View reviewed changes
openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress_test.go
{
name: "new validation fails",
hostname: "host",
expectedErr: `spec.componentRoutes[0].hostname: Invalid value: "host": host must conform to DNS 1123 naming conventions: [spec.componentRoutes[0].hostname: Invalid value: "host": should be a domain with at least two segments separated by dots]`,
Copy link

@candita candita Mar 17, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A single label hostname is a valid hostname and should not fail validation

candita
candita reviewed Mar 17, 2022
View reviewed changes
openshift-kube-apiserver/admission/customresourcevalidation/ingress/validate_ingress_test.go
{
name: "change from invalid to valid",
hostname: "host.com",
oldHostname: "host",
Copy link

@candita candita Mar 17, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A single label hostname is a valid hostname and should not fail validation. Here and in other parts of these tests.

@deads2k deads2k mentioned this pull request Mar 17, 2022
Closed
@candita
Copy link

candita commented Mar 17, 2022

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 17, 2022
@deads2k
Copy link
Author

deads2k commented Mar 17, 2022

/hold

We have to hold this until we can work out whether #1216 (comment) is desired behavior or not. I don't actually know.

cc @Miciah

@deads2k
Copy link
Author

deads2k commented Mar 21, 2022

openshift/api PR was updated to loosen only.

/close

@deads2k deads2k closed this Mar 21, 2022
@Miciah Miciah mentioned this pull request Dec 15, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Miciah Miciah Miciah left review comments

@candita candita candita left review comments

@marun marun Awaiting requested review from marun

@mfojtik mfojtik Awaiting requested review from mfojtik

Assignees

@Miciah Miciah

@candita candita

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. vendor-update Touching vendor dir or related files
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@deads2k @openshift-ci-robot @Miciah @candita