core: validate crd name size from admission controller #11233
pkg/operator/ceph/cr_manager.go
Outdated
for _, crd := range o.resources { | ||
var crdNameLength int = len(crd.Name) | ||
if crdNameLength > 38 { | ||
return errors.New("CRD name cannot be bigger than 38 characters") |
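Review bot: The error returned inside the loop over `o.resources` does not say which resource failed the check, so an operator reading the log cannot tell which name to fix; include `crd.Name` and its length in the message. The temporary `var crdNameLength int = len(crd.Name)` can be dropped in favour of `len(crd.Name)` in the condition, and the literal 38 should be a named constant with a comment explaining where the limit comes from.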
As discussed, having a single limit for all CRs may break some existing CRs if it's not actually a limit already hit with some K8s error. We may want to just address the original bug for the object store and only add a check for that CR length to start with.
pkg/operator/ceph/cr_manager.go
Outdated
func (o *Operator) startCRDManager(context context.Context, mgrErrorCh chan error) { | ||
logger.Info("check if CRDs name are valid") |
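Review bot: The message on the added `logger.Info` line, "check if CRDs name are valid", is ungrammatical and will be hard to search for in logs; something like "validating CRD name lengths" says what the step does. The parameter named `context` in the `startCRDManager` signature also shadows the `context` package inside the function body; `ctx` is the usual name.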
We need to check the CR name lengths in the admission controller. For example, in the object store CR this would be in the ValidateObjectSpec() method.
Checking at operator startup time won't prevent the CRs from being created incorrectly.
right and actually we need to update this method
rook/pkg/apis/ceph.rook.io/v1/object.go
Lines 63 to 68 in ef3f554
func (o *CephObjectStore) ValidateCreate() error { | |
logger.Infof("validate create cephobjectstore %v", o) | |
if err := ValidateObjectSpec(o); err != nil { | |
return err | |
} | |
return nil |
since ValidateObjectSpec() is called during validate update also, which will be a problem for upgrade.
@subhamkrai why it would be a problem during upgrade
@travisn
> Checking at operator startup time won't prevent the CRs from being created incorrectly.
That's right,
I thought this process would reconcile later, but if it has been created at the very first then there is no need to add a check,
so I updated the validate method.
Thanks.
> @subhamkrai why it would be a problem during upgrade
see here #11233 (comment)
pkg/apis/ceph.rook.io/v1/object.go
Outdated
@@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
if gs.Namespace == "" { | |||
return errors.New("missing namespace") | |||
} | |||
if len(gs.Name) > 38 { | |||
return errors.New("object store name cannot be bigger than 38 characters") |
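Review bot: The limit in `if len(gs.Name) > 38 {` is a bare literal that is repeated by hand in the error string, so the two can drift apart if the limit changes. Define a named constant with a comment that shows how 38 is derived, build the message from that constant, and include the offending name's actual length so the user knows how much to trim.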
return errors.New("object store name cannot be bigger than 38 characters") | |
return errors.New("object store name cannot be longer than 38 characters") |
pkg/apis/ceph.rook.io/v1/object.go
Outdated
@@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
if gs.Namespace == "" { | |||
return errors.New("missing namespace") | |||
} | |||
if len(gs.Name) > 38 { |
Please add a comment here that explains why 38 is the critical number, and maybe show a formula for how it was decided.
Added
pkg/apis/ceph.rook.io/v1/object.go
Outdated
@@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
if gs.Namespace == "" { | |||
return errors.New("missing namespace") | |||
} | |||
if len(gs.Name) > 38 { |
Let's make 38 a const variable on the top
Added the reason in the comment
I'd vote for the const as well, still helpful for code readability.
pkg/apis/ceph.rook.io/v1/object.go
Outdated
if len(gs.Name) > 38 { | ||
return errors.New("object store name cannot be bigger than 38 characters") | ||
} |
if len(gs.Name) > 38 { | |
return errors.New("object store name cannot be bigger than 38 characters") | |
} | |
if len(gs.Name) > 38 { | |
return errors.New("object store name cannot be bigger than 38 characters") | |
} |
Also, as I mentioned, let's move this block to L63 inside ValidateCluster, as this method will trigger during the update also and will cause errors, because earlier it was >38 and now the webhook will validate with <38 and it will throw an error.
@travisn right?
This method is called by ValidateCreate() on L65, so why do we need to move it? I didn't follow.
It will not create a problem for upgrade cluster, because a deployment is not possible if the store name exceeded this length
let's discuss this
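One way to handle the create-versus-update concern raised in this thread, as an added example that is not code from the pull request: the length check runs only on create, so an object admitted before the limit existed still passes updates. The `objectStore` type and the function names are hypothetical stand-ins, and 38 is the value from the patch, whose derivation this page does not show.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limit used in the patch under review; this page does not show its derivation.
const maxObjectStoreNameLength = 38

// objectStore is a hypothetical stand-in for the CR type, reduced to the
// two metadata fields the checks below read.
type objectStore struct {
	Name      string
	Namespace string
}

// validateSpec holds checks that are safe to run on both create and update.
func validateSpec(o *objectStore) error {
	if o.Namespace == "" {
		return errors.New("missing namespace")
	}
	return nil
}

// validateCreate adds the length check. Kubernetes object names cannot be
// changed after creation, so this is the only point a new long name can enter.
func validateCreate(o *objectStore) error {
	if err := validateSpec(o); err != nil {
		return err
	}
	if n := len(o.Name); n > maxObjectStoreNameLength {
		return fmt.Errorf("object store name %q is %d characters, cannot be longer than %d",
			o.Name, n, maxObjectStoreNameLength)
	}
	return nil
}

// validateUpdate skips the length check, so an object admitted before the
// limit existed is not rejected when it is next updated.
func validateUpdate(o *objectStore) error { return validateSpec(o) }

func main() {
	// Constructed sample: a 39-character name, one over the limit.
	long := &objectStore{Name: strings.Repeat("a", 39), Namespace: "rook-ceph"}
	fmt.Println("create:", validateCreate(long))
	fmt.Println("update:", validateUpdate(long))
}
```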
Actually we should be able to do this with a schema length check on the types.go property such as:
+kubebuilder:validation:MaxLength=38
Then we don't need code in the admission controller.
That was the very first thing I wanted to do, but objectstore is defined as
type CephObjectStore struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ObjectMeta `json:"metadata"`
metav1.ObjectMeta `json:"metadata"` contains the name definition of the objectstore and is defined by Kubernetes, which should not be edited, right?
Oh of course, that won't work!
pkg/apis/ceph.rook.io/v1/object.go
Outdated
@@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
if gs.Namespace == "" { | |||
return errors.New("missing namespace") | |||
} | |||
if len(gs.Name) > 38 { |
I'd vote for the const as well, still helpful for code readability.
build is failing, can you restart and confirm? @parth-gr
Closes: rook#11212 Signed-off-by: parth-gr <paarora@redhat.com>
core: validate crd name size from admission controller (backport #11233)
Description of your changes:
Which issue is resolved by this Pull Request:
Resolves #11212