Skip to content

Bug 1746736: upi/aws/cloudformation/01_vpc: Drop PublicNetworkAcl #2296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 1 commit into from
Aug 31, 2019
Merged

Bug 1746736: upi/aws/cloudformation/01_vpc: Drop PublicNetworkAcl #2296

openshift-merge-robot merged 1 commit into from
Aug 31, 2019

Conversation

@wking
Copy link
Member

@wking wking commented Aug 30, 2019

We've had this since the templates landed in 39a926a (#1408). But our Terraform modules contain no analog using aws_network_acl and their presence in the UPI templates is breaking the ping-based network connectivity test.

@wking
upi/aws/cloudformation/01_vpc: Drop PublicNetworkAcl
a24c67c 
We've had this since the templates landed in 39a926a (Adding
initial user doc/guide & materials for UPI AWS installation,
2019-03-12, openshift#1408).  But our Terraform modules contain no analog using
aws_network_acl [1] and their presence in the UPI templates is
breaking the ping-based network connectivity test [2].

[1]: https://www.terraform.io/docs/providers/aws/r/network_acl.html
[2]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/canary-openshift-ocp-installer-e2e-aws-upi-4.2/28#0:build-log.txt%3A10235
@openshift-ci-robot openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 30, 2019
@wking
Copy link
Member Author

wking commented Aug 30, 2019

CC @kalexand-rh about this CloudFormation template change.

@wking
Copy link
Member Author

wking commented Aug 30, 2019

/test e2e-aws-upi

@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Aug 30, 2019

LGTM @cuppett ptal

@cuppett
Copy link
Member

cuppett commented Aug 30, 2019

This generates the desired effect (no restrictions via the NACL on the public subnets).

@cuppett
Copy link
Member

cuppett commented Aug 30, 2019

LGTM

@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Aug 30, 2019

/lgtm

/retest

/hold

Would like to see the UPI pr go green

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 30, 2019
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 30, 2019
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Aug 30, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [abhinavdahiya,wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wking
Copy link
Member Author

wking commented Aug 30, 2019

Previous UPI run:

Flaky tests:
[Feature:Platform] Managed cluster should have no crashlooping pods in core namespaces over two minutes [Suite:openshift/conformance/parallel]
[sig-api-machinery] CustomResourcePublishOpenAPI [Feature:CustomResourcePublishOpenAPI] works for CRD with validation schema [Suite:openshift/conformance/parallel] [Suite:k8s]
[sig-cli] Kubectl client [k8s.io] Kubectl client-side validation should create/apply a valid CR with arbitrary-extra properties for CRD with partially-specified validation schema [Suite:openshift/conformance/parallel] [Suite:k8s]

Failing tests:
[Feature:Builds][webhook] TestWebhook [Suite:openshift/conformance/parallel]

So at least we passed Networking should provide Internet connection for containers. And TestWebhook seems generally flaky.

@wking
Copy link
Member Author

wking commented Aug 30, 2019

Ah, TestWebhook issue is timed out waiting for the condition, namespace is empty but is not yet removed.

@wking
Copy link
Member Author

wking commented Aug 30, 2019

AWS UPI is green :). Although I dunno what's up with the tar errors:

2019/08/30 22:26:16 Pod e2e-aws-upi succeeded after 1h30m11s
tar: can't open './installer/sedXk9NiC': Permission denied
tar: can't open './installer/sedtuNq5B': Permission denied
tar: error exit delayed from previous errors
2019/08/30 22:26:33 Copied 286.40Mi of artifacts

@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Aug 31, 2019

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 31, 2019
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Aug 31, 2019
edited
Loading

@wking: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
ci/prow/e2e-aws-scaleup-rhel7 a24c67c link /test e2e-aws-scaleup-rhel7
ci/prow/e2e-libvirt a24c67c link /test e2e-libvirt

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@wking
Copy link
Member Author

wking commented Aug 31, 2019

e2e-aws hit a bunch of:

timed out waiting for the condition, namespace is empty but is not yet removed

/test e2e-aws

@openshift-merge-robot openshift-merge-robot merged commit 8c9abe4 into openshift:master Aug 31, 2019
@wking wking deleted the aws-unify-ipi-and-upi-network-acls branch August 31, 2019 21:58
@kalexand-rh
Copy link
Contributor

kalexand-rh commented Sep 2, 2019

Thank you, @wking!

@abhinavdahiya abhinavdahiya changed the title upi/aws/cloudformation/01_vpc: Drop PublicNetworkAcl Bug 1746736: upi/aws/cloudformation/01_vpc: Drop PublicNetworkAcl Sep 3, 2019
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Sep 3, 2019

@wking: All pull requests linked via external trackers have merged. Bugzilla bug 1746736 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1746736: upi/aws/cloudformation/01_vpc: Drop PublicNetworkAcl

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking wking mentioned this pull request May 3, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jstuever jstuever Awaiting requested review from jstuever

@patrickdillon patrickdillon Awaiting requested review from patrickdillon

Assignees

@abhinavdahiya abhinavdahiya

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@wking @abhinavdahiya @cuppett @openshift-ci-robot @kalexand-rh @openshift-merge-robot