-
Notifications
You must be signed in to change notification settings - Fork 578
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛: securitygroup: fix comparison of ingress rules sets. #5024
Conversation
Hi @r4f4. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Without this change, I'd see a constant stream of revoke-authorize ingress rules in the debug logs [1]. Now I see the rules authorized once and no revokes (will add logs once I have more signal from openshift CI). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
overall LGTM, very good fix/improvement in the provision phase. 🎉
@r4f4 Do you think we are covered in the ReconcileSecurityGroups
or would be hard to reproduce in new case as revoke is in the same function, and/or would be nice to create a test dedicated to exercise expandIngressRules()
?
Good call. I can, at a minimum, add unit tests for the |
We are comparing sets that are not compatible, so rules will always be revoked and authorized during reconciliation. We need to expand the rules from the spec so there is one rule for each item in cidrBlock/sourceSecurityGroupIds.
Updated: add a few fixes and unit tests. |
Openshift CI results are all green! openshift/installer#8596. Looking at the logs, the only rule being revoked is the one we explicitely removed from the cluster spec:
|
@damdo would you mind enabling tests on this PR? |
/cc @alexander-demicev |
This test checks that target ingress rules that have already been authorized are not revoked and then authorized again.
@mtulio following your suggestion, I've added a unit test to check that we are not revoking ingress rules unnecessarily. |
/lgtm |
@mtulio: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/ok-to-test |
Tests are all green here as well! |
/test ? |
@r4f4: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test pull-cluster-api-provider-aws-e2e pull-cluster-api-provider-aws-e2e-blocking |
/test pull-cluster-api-provider-aws-e2e |
Test from this PRIn the log of this PR no revokes until the cluster is deleted. Test from another PRLooking at an old test log:
So the following rules are being revoked:
Then being authorized as:
|
/test pull-cluster-api-provider-aws-e2e |
1 similar comment
/test pull-cluster-api-provider-aws-e2e |
/assign @nrb Tests look good. This is ready for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks taking care of this
/lgtm
Thanks @r4f4 /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* Brings in this fix kubernetes-sigs/cluster-api-provider-aws#5024 to avoid unnecessary revoke-authorize of ingress rules.
* Brings in this fix kubernetes-sigs/cluster-api-provider-aws#5024 to avoid unnecessary revoke-authorize of ingress rules.
What type of PR is this?
/kind bug
What this PR does / why we need it:
We are comparing sets that are not compatible, so rules will always be revoked and authorized during reconciliation. We need to expand the rules from the spec so there is one rule for each item in cidrBlock/sourceSecurityGroupIds.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #5023
Special notes for your reviewer:
Checklist:
Release note: