core: validate crd name size from admission controller #11233
Conversation
parth-gr
changed the title
parth-gr
force-pushed
the
crd-length-validation
branch
from
7e40dcf
to
da4b95e
Compare
pkg/operator/ceph/cr_manager.go
Outdated
| for _, crd := range o.resources { | ||
| var crdNameLength int = len(crd.Name) | ||
| if crdNameLength > 38 { | ||
| return errors.New("CRD name cannot be bigger than 38 characters") |
There was a problem hiding this comment.
As discussed, having a single limit for all CRs may break some existing CRs if it's not actually a limit already hit with some K8s error. We may want to just address the original bug for the object store and only add a check for that CR length to start with.
pkg/operator/ceph/cr_manager.go
Outdated
| func (o *Operator) startCRDManager(context context.Context, mgrErrorCh chan error) { | ||
| logger.Info("check if CRDs name are valid") |
There was a problem hiding this comment.
We need to check the CR name lengths in the admission controller. For example, in the object store CR this would be in the ValidateObjectSpec() method.
Checking at operator startup time won't prevent the CRs from being created incorrectly.
There was a problem hiding this comment.
right and actually we need to update this method
rook/pkg/apis/ceph.rook.io/v1/object.go
Lines 63 to 68 in ef3f554
since
ValidateObjectSpec() is called during validate updatealso which will be problem for upgrade.
There was a problem hiding this comment.
@subhamkrai why it would be a problem during upgrade
There was a problem hiding this comment.
@travisn >Checking at operator startup time won't prevent the CRs from being created incorrectly.
That right,
I thought this process will reconcile later, but if it is been created at very first then there is no need to add a check,
So updated the validate method
Thanks.
There was a problem hiding this comment.
@subhamkrai why it would be a problem during upgrade
see here #11233 (comment)
parth-gr
force-pushed
the
crd-length-validation
branch
from
da4b95e
to
563be1a
Compare
pkg/apis/ceph.rook.io/v1/object.go
Outdated
| @@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
| if gs.Namespace == "" { | |||
| return errors.New("missing namespace") | |||
| } | |||
| if len(gs.Name) > 38 { | |||
| return errors.New("object store name cannot be bigger than 38 characters") | |||
There was a problem hiding this comment.
| return errors.New("object store name cannot be bigger than 38 characters") | |
| return errors.New("object store name cannot be longer than 38 characters") |
pkg/apis/ceph.rook.io/v1/object.go
Outdated
| @@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
| if gs.Namespace == "" { | |||
| return errors.New("missing namespace") | |||
| } | |||
| if len(gs.Name) > 38 { | |||
There was a problem hiding this comment.
Please add a comment here that explains why 38 is the critical number, and maybe show a formula for how it was decided.
pkg/apis/ceph.rook.io/v1/object.go
Outdated
| @@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
| if gs.Namespace == "" { | |||
| return errors.New("missing namespace") | |||
| } | |||
| if len(gs.Name) > 38 { | |||
There was a problem hiding this comment.
Let's make 38 a const variable on the top
There was a problem hiding this comment.
Added the reason in the comment
There was a problem hiding this comment.
I'd vote for the const as well, still helpful for code readability.
pkg/apis/ceph.rook.io/v1/object.go
Outdated
| if len(gs.Name) > 38 { | ||
| return errors.New("object store name cannot be bigger than 38 characters") | ||
| } |
There was a problem hiding this comment.
| if len(gs.Name) > 38 { | |
| return errors.New("object store name cannot be bigger than 38 characters") | |
| } | |
| if len(gs.Name) > 38 { | |
| return errors.New("object store name cannot be bigger than 38 characters") | |
| } |
Also, as I mentioned let's move this block to L63 inside ValidateCluster as this method will trigger during the update also and will cause errors because earlier it was >38 and now webhook will validate with <38 and it will through an error.
@travisn right?
There was a problem hiding this comment.
This method is called by ValidateCreate() on L65, so why do we need to move it? I didn't follow.
There was a problem hiding this comment.
It will not create a problem for upgrade cluster, because a deployment is not possible if the store name exceeded this length
parth-gr
force-pushed
the
crd-length-validation
branch
from
563be1a
to
43788df
Compare
parth-gr
force-pushed
the
crd-length-validation
branch
from
43788df
to
9582465
Compare
That was very first thing I wanted to do but, objectstore is define as
|
There was a problem hiding this comment.
That was very first thing I wanted to do but, objectstore is define as
type CephObjectStore struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata"`
metav1.ObjectMetajson:"metadata"`` contains the name definition of the objectstore and Kubernetes define, which should not be edited, right?
Oh of course, that won't work!
pkg/apis/ceph.rook.io/v1/object.go
Outdated
| @@ -76,6 +76,9 @@ func ValidateObjectSpec(gs *CephObjectStore) error { | |||
| if gs.Namespace == "" { | |||
| return errors.New("missing namespace") | |||
| } | |||
| if len(gs.Name) > 38 { | |||
There was a problem hiding this comment.
I'd vote for the const as well, still helpful for code readability.
parth-gr
force-pushed
the
crd-length-validation
branch
from
9582465
to
877c506
Compare
parth-gr
force-pushed
the
crd-length-validation
branch
2 times, most recently
from
8cc0233
to
468747c
Compare
Closes: rook#11212 Signed-off-by: parth-gr <paarora@redhat.com>
parth-gr
force-pushed
the
crd-length-validation
branch
from
468747c
to
7bd863d
Compare
core: validate crd name size from admission controller (backport #11233)
Description of your changes:
Which issue is resolved by this Pull Request:
Resolves ##11212
Checklist:
skip-cion the PR.