-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VPC: Extend support for SG's #1989
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: cjschaef The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @cjschaef. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
✅ Deploy Preview for kubernetes-sigs-cluster-api-ibmcloud ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
ece3370
to
d3c3f6a
Compare
/ok-to-test |
@dharaneeshvrd please take a look when get some time. Thank you. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First pass, SG workflow looks bit complicated
cloud/scope/vpc_cluster.go
Outdated
// If we don't have an ID at this point, we assume we need to create the Security Group. | ||
vpcID, err := s.GetVPCID() | ||
if err != nil { | ||
return false, fmt.Errorf("error retrieving vpc id for security group creation") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think its better to log the err.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops, yes I added the original err to the return value.
return false, fmt.Errorf("error retrieving vpc id for security group creation") | ||
} | ||
resourceGroupID, err := s.GetResourceGroupID() | ||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same, added the original error.
cloud/scope/vpc_cluster.go
Outdated
return false, fmt.Errorf("error failed to create security group: %w", err) | ||
} | ||
if securityGroupDetails == nil { | ||
s.V(3).Info("error failed creating security group", "name", securityGroup.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general while logging, Instead of using generic term like "name", If we log key as "securitygroupname" or somthing, In the observability tools it will be easy to filter and debug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, sorry, missed that. updating the logs that contain generic var names.
cloud/scope/vpc_cluster.go
Outdated
if securityGroupDetails == nil { | ||
s.V(3).Info("error failed creating security group", "name", securityGroup.Name) | ||
return false, fmt.Errorf("error failed creating security group") | ||
} else if securityGroupDetails.ID == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know its defensive check, But is there any case happening like this ID or CRN being nil with no errors from create call?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same situation, seems like a safer method that resulting in go panics.
I'll remove the additional checks of pointer fields.
// Add a tag to the Security Group for the cluster. | ||
err = s.TagResource(s.IBMVPCCluster.Name, *securityGroupDetails.CRN) | ||
if err != nil { | ||
return false, fmt.Errorf("error failed to tag security group %s: %w", *securityGroupDetails.CRN, err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a thought, if tagging fails here, In next reconcile we find id in status and we return, so that resource never being tagged.
May be need to revisit how better we can tag a resource.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the same situation occurs for the other resources. I will add the same comment here, that likely a found resource may need to be checked if it should be tagged.....knowing that existing resources may not have been created by CAPI, and thus should not be tagged.
var securityGroupID *string | ||
if securityGroup.Name != nil { | ||
securityGroupID = s.getSecurityGroupIDFromStatus(*securityGroup.Name) | ||
} else if securityGroup.ID != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If ID is set why can't we directly use it, Why do you think we need to iterate over status? If ID is not found in Cloud, In reconcileSecurityGroup func we are returning error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm unsure why this safety check is bad, as we attempt to confirm the Security Group exists (ID is valid).
At this point with the code path, this is very unlikely, but it is a safety mechanism.
I will remove, but feel like these kind of checks are safer for future changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, My point is anyhow we are checking for id in previous step.
cloud/scope/vpc_cluster.go
Outdated
} | ||
|
||
// If the SecurityGroup has no rules, we have nothing more to do for this Security Group. | ||
if len(securityGroup.Rules) == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we move this check first thing in this function so we can return early
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will update.
cloud/scope/vpc_cluster.go
Outdated
} | ||
|
||
// If the Security Group has no Rules at all, we simply create all the Rules | ||
if existingSecurityGroupRuleIntfs == nil || existingSecurityGroupRuleIntfs.Rules == nil || len(existingSecurityGroupRuleIntfs.Rules) == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is existingSecurityGroupRuleIntfs.Rules == nil
required? anyhow we are checking len()?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will update.
cloud/scope/vpc_cluster.go
Outdated
if err != nil { | ||
return false, fmt.Errorf("error failed creating all security group rule remotes: %w", err) | ||
} | ||
s.V(3).Info("Created security group rules") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since its in V(3) level can we include some more info like, security group id or rule?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will update.
Add support to reconcile SecurityGroups and SecurityGroupRules for VPC extended Infrastructure support. Related: kubernetes-sigs#1896
d3c3f6a
to
a2baa03
Compare
Updates made, basic testing appears to be okay. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few smaller things, Can be ignored if no other comments from others. Thank you. LGTM.
|
||
// Option #1: If the SecurityGroupRuleRemoteSecurityGroupReference has a name assigned, we can shortcut and simply check that | ||
if sgRule.Name != nil && *securityGroupRuleRemote.SecurityGroupName == *sgRule.Name { | ||
s.V(3).Info("security group rule remote security group name matches", "securityGroupRuleRemoteSecurityGroupName", sgRule.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be?
s.V(3).Info("security group rule remote security group name matches", "securityGroupRuleRemoteSecurityGroupName", sgRule.Name) | |
s.V(3).Info("security group rule remote security group name matches", "securityGroupRuleRemoteSecurityGroupName", *sgRule.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update
// Option #3. We can compare the Security Group CRN (need ot lookup the CRN for securityGroupRemote) | ||
|
||
// Option #1: If the SecurityGroupRuleRemoteSecurityGroupReference has a name assigned, we can shortcut and simply check that | ||
if sgRule.Name != nil && *securityGroupRuleRemote.SecurityGroupName == *sgRule.Name { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since your checking for sgRule.Name for nil, may be starting second condition from it would be good.
if sgRule.Name != nil && *securityGroupRuleRemote.SecurityGroupName == *sgRule.Name { | |
if sgRule.Name != nil && *sgRule.Name == *securityGroupRuleRemote.SecurityGroupName{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update
return true, nil | ||
} | ||
if *ipRule.Address == infrav1beta2.CIDRBlockAny { | ||
s.V(3).Info("security group rule remote address matches 0.0.0.0/0") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s.V(3).Info("security group rule remote address matches 0.0.0.0/0") | |
s.V(3).Info("security group rule remote address matches %s", infrav1beta2.CIDRBlockAny) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall SG related changes look's good to me.
@@ -299,6 +300,36 @@ func (s *VPCClusterScope) GetResourceGroupID() (string, error) { | |||
return *resourceGroup.ID, nil | |||
} | |||
|
|||
// GetSecurityGroupID returns the ID of a security group, provided the name. | |||
func (s *VPCClusterScope) GetSecurityGroupID(name string) (*string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see this func is getting used. Do you need this func?
If you need for future use, you can replace the checking from status part with getSecurityGroupIDFromStatus()
to avoid code duplication.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I will remove this function.
// Check the Status if an ID is already available for the Security Group. | ||
if s.NetworkStatus() != nil && s.NetworkStatus().SecurityGroups != nil { | ||
if id, ok := s.NetworkStatus().SecurityGroups[*securityGroup.Name]; ok { | ||
securityGroupID = &id.ID | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you call getSecurityGroupIDFromStatus()
from here to avoid code duplication?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update
} | ||
|
||
// Reconcile each Security Groups's Rules. | ||
requeue = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if requeue is true, it would have return from prev block, it won't come here. Why do you want to set requeue to false again?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update
// Check the Status if an ID is already available for the Security Group. | ||
if s.NetworkStatus() != nil && s.NetworkStatus().SecurityGroups != nil { | ||
if id, ok := s.NetworkStatus().SecurityGroups[*securityGroup.Name]; ok { | ||
securityGroupID = &id.ID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once you found securityGroupID, don't you need to go to line 1187?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, will refactor this block
if securityGroupDetails, err := s.VPCClient.GetSecurityGroupByName(*securityGroup.Name); err != nil { | ||
// If the Security Group was not found, we expect it doesn't exist yet, otherwise result in an error. | ||
if _, ok := err.(*vpc.SecurityGroupByNameNotFound); !ok { | ||
return false, fmt.Errorf("error failed lookup of security group by name: %w", err) | ||
} | ||
} else if securityGroupDetails != nil && securityGroupDetails.ID != nil { | ||
securityGroupID = securityGroupDetails.ID | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you find id via this, then again checking in cloud for its existence in next block is not making sense to me, since it's already returned by cloud API only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, will refactor this block
s.V(3).Info("Created security group rules", "securityGroupID", securityGroupID, "securityGroupRule", securityGroupRule) | ||
|
||
// Security Group Rules do not have a Status, so we likely don't need to requeue, but for now, will requeue to verify the Security Group Rules | ||
return true, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What exactly do you want to verify here?
Requeuing for every SG rule creation will overload the controller.
Not needed IMO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SG Rules are created in bulk, for each new SG.
Verifying the SG Rules for an existing SG require more complex logic to try to prevent creating duplicates (this also applies when verifying all SG Rules were created properly, similar to the other resource types).
I'll drop verification of created SG Rules then.
} | ||
|
||
// Security Group Rules do not have a Status, so we likely don't need to requeue, but for now, will requeue to verify the Security Group Rules | ||
return true, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code will never reach here, please handle the else case here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, the code will be reached after a SG Rule is first created.
If we do not wish to follow up SG Rule creation with verification, then this would be unreachable code, and would be refactored.
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
/area provider/ibmcloud
Release note: