Bug 1918469: Check if VIP IPs overlap with machine CIDR provided during vsphere installation #4754
Conversation
@rna-afk: This pull request references Bugzilla bug 1918469, which is invalid:

/assign @staebler

/bugzilla refresh

@rna-afk: This pull request references Bugzilla bug 1918469, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug.
Requesting review from QA contact:
staebler left a comment:
Update the PR title and the commit message to reflect that this is for vSphere.
Networking must never be nil. So rather than ignore a nil, at least add an error for it.
Overlap is not the right term. Overlap is used for sets. What you want to say is that the machine CIDR must contain the VIP.
Suggested change:
-    allErrs = append(allErrs, field.Invalid(fldPath.Child("apiVIP"), p.APIVIP, "must overlap with the machine CIDRs provided"))
+    allErrs = append(allErrs, field.Invalid(fldPath.Child("apiVIP"), p.APIVIP, "must be contained within one of the machine networks"))
Do all of this containment checking in validateVIPs. That function is already parsing the string into an IP, albeit within the call to validate.IP.
This makes it a bit more complicated for the call to validateVIPs from ValidateForProvisioning. But I would argue that ValidateForProvisioning should not be doing full validation of the VIPs. It should only be validating that the VIPs have been set. If the VIPs are set, then the full validation would have been done during the initial validation of the install config. If the VIPs are not set, then validateVIPs will fail and will not have anything more to validate beyond that the VIPs are missing anyway. What do you think, @patrickdillon (#3372)?
> This makes it a bit more complicated for the call to validateVIPs from ValidateForProvisioning. But I would argue that ValidateForProvisioning should not be doing full validation of the VIPs. It should only be validating that the VIPs have been set. If the VIPs are set, then the full validation would have been done during the initial validation of the install config. If the VIPs are not set, then validateVIPs will fail and will not have anything more to validate beyond that the VIPs are missing anyway. What do you think, @patrickdillon (#3372)?
I agree we should move this logic to validateVIPs. And if I understand correctly, I am fine to refactor ValidateForProvisioning so it only checks for the presence of the required VIPs fields and does not do the full validation.
To frame the discussion a bit more for @rna-afk vSphere UPI was released before IPI. When UPI was released VIPs were not required in the platform, but they are required for IPI. We cannot require VIPs in the platform as it would break backwards compatibility with UPI. Therefore we added the check here in ValidateForProvisioning to distinguish the validation only run for IPI.
If I understand @staebler's concern correctly, we want to avoid a slippery slope of allowing validation creeping in here, where it does not really belong.
Performance is not going to be an issue here (MachineNetwork will be a very small array) so I would opt for readability rather than optimizing performance. I would suggest losing the boolean flags like apiVIPOverlap and creating a helper function that returns bool if the MachineNetwork contains the VIP. You would call this helper function where you check the flags.
```go
if network == nil {
	// add an error and return. This should not happen, so let's not make the function more complex with nested ifs to cover the case.
	allErrs = append(allErrs, field.InternalError(fldPath, errors.New("networking must not be nil")))
	return allErrs
}
// deal with the happy scenario first
if p.APIVIP != "" {
	ip := net.ParseIP(p.APIVIP)
	if ip != nil {
		if !validateIPInCIDR(ip, network.MachineNetwork) {
			// add error: the VIP parsed but is outside every machine network
			allErrs = append(allErrs, field.Invalid(fldPath.Child("apiVIP"), p.APIVIP, "must be contained within one of the machine networks"))
		}
	} else {
		// add error: the VIP is not a parseable IP address
		allErrs = append(allErrs, field.Invalid(fldPath.Child("apiVIP"), p.APIVIP, "must be a valid IP address"))
	}
} else {
	// add error: the VIP is missing
	allErrs = append(allErrs, field.Required(fldPath.Child("apiVIP"), "must specify a VIP for API"))
}
// repeat for IngressVIP
```
This check should not be done here. In ValidateForProvisioning, the two VIPs are required. The suggestion that I was trying to make was to only validate that both VIPs were provided here rather than doing all of the other validation for the VIPs, since the other validation will necessarily have already been done.
Suggested change:
-    if strings.Join([]string{p.APIVIP, p.IngressVIP}, "") != "" {
-        allErrs = append(allErrs, validateVIPs(p, network, fldPath)...)
-    }
+    if p.APIVIP == "" {
+        // add error
+    }
+    if p.IngressVIP == "" {
+        // add error
+    }
validateIPinCIDR -> ipInNetwork
nit: comment could be slightly improved: `ipInNetwork returns true if the given...`
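A worked version of what the thread converges on: a small `ipInNetwork` helper that returns a bool, the full VIP validation living in `validateVIPs` (only when either VIP is set, so UPI configs without VIPs still pass), and `ValidateForProvisioning` reduced to a presence check for IPI. This is an added example, not the installer's own code: `Platform`, `Networking` and `MachineNetworkEntry` are simplified stand-ins for the installer's types (the real machine-network entry wraps its CIDR in the installer's own `ipnet.IPNet`), plain strings stand in for `field.ErrorList`, and the sample networks and VIPs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// MachineNetworkEntry is a simplified stand-in (assumption) for the installer's
// machine-network entry; the real type carries a parsed CIDR, not a string.
type MachineNetworkEntry struct {
	CIDR string
}

// Networking is a simplified stand-in for the installer's types.Networking.
type Networking struct {
	MachineNetwork []MachineNetworkEntry
}

// Platform is a simplified stand-in for the vSphere platform fields used here.
type Platform struct {
	APIVIP     string
	IngressVIP string
}

// ipInNetwork returns true if the given ip is within one of the machine networks.
// An entry whose CIDR does not parse is skipped: a malformed machine network is
// reported by its own validation and must not make an unrelated VIP look valid.
func ipInNetwork(ip net.IP, entries []MachineNetworkEntry) bool {
	for _, e := range entries {
		_, n, err := net.ParseCIDR(e.CIDR)
		if err != nil {
			continue
		}
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// validateVIP checks one VIP: it must be set, parse as an IP address, and be
// contained in one of the machine networks. Strings stand in for field.Error values.
func validateVIP(name, vip string, network *Networking) []string {
	if vip == "" {
		return []string{fmt.Sprintf("%s: Required value: must specify both API and Ingress VIPs when specifying either", name)}
	}
	ip := net.ParseIP(vip)
	if ip == nil {
		return []string{fmt.Sprintf("%s: Invalid value: %q is not a valid IP address", name, vip)}
	}
	if network == nil {
		// Networking must never be nil; report it instead of silently skipping the check.
		return []string{fmt.Sprintf("%s: Internal error: networking is nil", name)}
	}
	if !ipInNetwork(ip, network.MachineNetwork) {
		return []string{fmt.Sprintf("%s: Invalid value: %q must be contained within one of the machine networks", name, vip)}
	}
	return nil
}

// validateVIPs performs the full VIP validation during install-config validation.
// VIPs are optional for UPI, so nothing is checked unless at least one is set.
func validateVIPs(p *Platform, network *Networking) []string {
	if strings.Join([]string{p.APIVIP, p.IngressVIP}, "") == "" {
		return nil
	}
	var errs []string
	errs = append(errs, validateVIP("platform.vsphere.apiVIP", p.APIVIP, network)...)
	errs = append(errs, validateVIP("platform.vsphere.ingressVIP", p.IngressVIP, network)...)
	return errs
}

// ValidateForProvisioning is the IPI-only check. It only requires both VIPs to be
// present; if they are, validateVIPs has already validated them fully.
func ValidateForProvisioning(p *Platform) []string {
	var errs []string
	if p.APIVIP == "" {
		errs = append(errs, "platform.vsphere.apiVIP: Required value: must specify a VIP for API")
	}
	if p.IngressVIP == "" {
		errs = append(errs, "platform.vsphere.ingressVIP: Required value: must specify a VIP for Ingress")
	}
	return errs
}

func main() {
	// Constructed sample: two machine networks, one valid config and one whose
	// ingress VIP lies outside both networks.
	network := &Networking{MachineNetwork: []MachineNetworkEntry{{CIDR: "10.0.0.0/16"}, {CIDR: "192.168.10.0/24"}}}
	good := &Platform{APIVIP: "10.0.0.5", IngressVIP: "192.168.10.7"}
	bad := &Platform{APIVIP: "10.0.0.5", IngressVIP: "172.16.0.7"}
	for _, p := range []*Platform{good, bad} {
		fmt.Printf("%+v -> %v\n", *p, validateVIPs(p, network))
	}
}
```

Running it reports no errors for the first config and a single "must be contained within one of the machine networks" error on ingressVIP for the second; a config with neither VIP set passes `validateVIPs` and fails only `ValidateForProvisioning`, which is the UPI/IPI split the review describes.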
staebler left a comment:
Sorry to keep piling on with the nits.
network is unused now.
Suggested change:
-    func ValidateForProvisioning(p *vsphere.Platform, network *types.Networking, fldPath *field.Path) field.ErrorList {
+    func ValidateForProvisioning(p *vsphere.Platform, fldPath *field.Path) field.ErrorList {
Suggested change:
-    // ipInNetwork return true if the given ip is within the machine CIDRs.
+    // ipInNetwork return true if the given ip is within one of the machine networks.
Suggested change:
-    allErrs = append(allErrs, field.Required(fldPath.Child("apiVIP"), "must specify a VIP for API"))
+    allErrs = append(allErrs, field.Required(fldPath.Child("apiVIP"), "must specify both API and Ingress VIPs when specifying either"))
Suggested change:
-    allErrs = append(allErrs, field.Required(fldPath.Child("ingressVIP"), "must specify a VIP for Ingress"))
+    allErrs = append(allErrs, field.Required(fldPath.Child("ingressVIP"), "must specify both API and Ingress VIPs when specifying either"))
staebler left a comment:
Looks good. Just need to make the unit test expectations match the reality of the recent changes.
If the machineCIDR is specified by the user during cluster installation in vSphere, the VIP IPs provided must be within the CIDRs provided, and the installation fails if they are not. Adding a validation check to see if the CIDR is provided and, if so, to check whether the IPs are within any of the machine CIDRs provided. Changes are local to vSphere.
/lgtm

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: staebler

/test e2e-vsphere

/retest

vsphere e2e jobs passed.
/retest Please review the full test history for this PR and help us cut down flakes.
11 similar comments
These changes are only for vSphere.

@staebler: Overrode contexts on behalf of staebler: ci/prow/e2e-aws-upgrade
/retest Please review the full test history for this PR and help us cut down flakes.
5 similar comments

@rna-afk: The following test failed, say

/retest Please review the full test history for this PR and help us cut down flakes.

@rna-afk: All pull requests linked via external trackers have merged: Bugzilla bug 1918469 has been moved to the MODIFIED state.
If the machineCIDR is specified by the user, the VIP IPs provided
must overlap with the CIDRs provided and the installation fails
if they do not.
Adding a validation check to see if the CIDR is provided and if so,
checks to see if the IPs are within any of the machine CIDRs provided.