VPC: Extend support for SG's #1989
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: cjschaef The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @cjschaef. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/XL
✅ Deploy Preview for kubernetes-sigs-cluster-api-ibmcloud ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
cjschaef
force-pushed
the
vpc_reconcile_sgs
branch
from
ece3370
to
d3c3f6a
Compare
cjschaef
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
@dharaneeshvrd please take a look when get some time. Thank you. |
cloud/scope/vpc_cluster.go
Outdated
| // If we don't have an ID at this point, we assume we need to create the Security Group. | ||
| vpcID, err := s.GetVPCID() | ||
| if err != nil { | ||
| return false, fmt.Errorf("error retrieving vpc id for security group creation") |
There was a problem hiding this comment.
I think its better to log the err.
There was a problem hiding this comment.
oops, yes I added the original err to the return value.
| return false, fmt.Errorf("error retrieving vpc id for security group creation") | ||
| } | ||
| resourceGroupID, err := s.GetResourceGroupID() | ||
| if err != nil { |
There was a problem hiding this comment.
same, added the original error.
cloud/scope/vpc_cluster.go
Outdated
| return false, fmt.Errorf("error failed to create security group: %w", err) | ||
| } | ||
| if securityGroupDetails == nil { | ||
| s.V(3).Info("error failed creating security group", "name", securityGroup.Name) |
There was a problem hiding this comment.
In general while logging, Instead of using generic term like "name", If we log key as "securitygroupname" or somthing, In the observability tools it will be easy to filter and debug.
There was a problem hiding this comment.
ah, sorry, missed that. updating the logs that contain generic var names.
cloud/scope/vpc_cluster.go
Outdated
| if securityGroupDetails == nil { | ||
| s.V(3).Info("error failed creating security group", "name", securityGroup.Name) | ||
| return false, fmt.Errorf("error failed creating security group") | ||
| } else if securityGroupDetails.ID == nil { |
There was a problem hiding this comment.
I know its defensive check, But is there any case happening like this ID or CRN being nil with no errors from create call?
There was a problem hiding this comment.
Same situation, seems like a safer method that resulting in go panics.
I'll remove the additional checks of pointer fields.
| // Add a tag to the Security Group for the cluster. | ||
| err = s.TagResource(s.IBMVPCCluster.Name, *securityGroupDetails.CRN) | ||
| if err != nil { | ||
| return false, fmt.Errorf("error failed to tag security group %s: %w", *securityGroupDetails.CRN, err) |
There was a problem hiding this comment.
Just a thought, if tagging fails here, In next reconcile we find id in status and we return, so that resource never being tagged.
May be need to revisit how better we can tag a resource.
There was a problem hiding this comment.
Yes, the same situation occurs for the other resources. I will add the same comment here, that likely a found resource may need to be checked if it should be tagged.....knowing that existing resources may not have been created by CAPI, and thus should not be tagged.
| var securityGroupID *string | ||
| if securityGroup.Name != nil { | ||
| securityGroupID = s.getSecurityGroupIDFromStatus(*securityGroup.Name) | ||
| } else if securityGroup.ID != nil { |
There was a problem hiding this comment.
If ID is set why can't we directly use it, Why do you think we need to iterate over status? If ID is not found in Cloud, In reconcileSecurityGroup func we are returning error.
There was a problem hiding this comment.
I'm unsure why this safety check is bad, as we attempt to confirm the Security Group exists (ID is valid).
At this point with the code path, this is very unlikely, but it is a safety mechanism.
I will remove, but feel like these kind of checks are safer for future changes.
There was a problem hiding this comment.
ok, My point is anyhow we are checking for id in previous step.
cloud/scope/vpc_cluster.go
Outdated
| } | ||
|
|
||
| // If the SecurityGroup has no rules, we have nothing more to do for this Security Group. | ||
| if len(securityGroup.Rules) == 0 { |
There was a problem hiding this comment.
Can we move this check first thing in this function so we can return early
cloud/scope/vpc_cluster.go
Outdated
| } | ||
|
|
||
| // If the Security Group has no Rules at all, we simply create all the Rules | ||
| if existingSecurityGroupRuleIntfs == nil || existingSecurityGroupRuleIntfs.Rules == nil || len(existingSecurityGroupRuleIntfs.Rules) == 0 { |
There was a problem hiding this comment.
is existingSecurityGroupRuleIntfs.Rules == nil required? anyhow we are checking len()?
cloud/scope/vpc_cluster.go
Outdated
| if err != nil { | ||
| return false, fmt.Errorf("error failed creating all security group rule remotes: %w", err) | ||
| } | ||
| s.V(3).Info("Created security group rules") |
There was a problem hiding this comment.
Since its in V(3) level can we include some more info like, security group id or rule?
Add support to reconcile SecurityGroups and SecurityGroupRules for VPC extended Infrastructure support. Related: kubernetes-sigs#1896
cjschaef
force-pushed
the
vpc_reconcile_sgs
branch
from
d3c3f6a
to
a2baa03
Compare
|
Updates made, basic testing appears to be okay. |
|
|
||
| // Option #1: If the SecurityGroupRuleRemoteSecurityGroupReference has a name assigned, we can shortcut and simply check that | ||
| if sgRule.Name != nil && *securityGroupRuleRemote.SecurityGroupName == *sgRule.Name { | ||
| s.V(3).Info("security group rule remote security group name matches", "securityGroupRuleRemoteSecurityGroupName", sgRule.Name) |
There was a problem hiding this comment.
Should this be?
| s.V(3).Info("security group rule remote security group name matches", "securityGroupRuleRemoteSecurityGroupName", sgRule.Name) | |
| s.V(3).Info("security group rule remote security group name matches", "securityGroupRuleRemoteSecurityGroupName", *sgRule.Name) |
| // Option #3. We can compare the Security Group CRN (need ot lookup the CRN for securityGroupRemote) | ||
|
|
||
| // Option #1: If the SecurityGroupRuleRemoteSecurityGroupReference has a name assigned, we can shortcut and simply check that | ||
| if sgRule.Name != nil && *securityGroupRuleRemote.SecurityGroupName == *sgRule.Name { |
There was a problem hiding this comment.
Since your checking for sgRule.Name for nil, may be starting second condition from it would be good.
| if sgRule.Name != nil && *securityGroupRuleRemote.SecurityGroupName == *sgRule.Name { | |
| if sgRule.Name != nil && *sgRule.Name == *securityGroupRuleRemote.SecurityGroupName{ |
| return true, nil | ||
| } | ||
| if *ipRule.Address == infrav1beta2.CIDRBlockAny { | ||
| s.V(3).Info("security group rule remote address matches 0.0.0.0/0") |
There was a problem hiding this comment.
| s.V(3).Info("security group rule remote address matches 0.0.0.0/0") | |
| s.V(3).Info("security group rule remote address matches %s", infrav1beta2.CIDRBlockAny) |
| @@ -299,6 +300,36 @@ func (s *VPCClusterScope) GetResourceGroupID() (string, error) { | |||
| return *resourceGroup.ID, nil | |||
| } | |||
|
|
|||
| // GetSecurityGroupID returns the ID of a security group, provided the name. | |||
| func (s *VPCClusterScope) GetSecurityGroupID(name string) (*string, error) { | |||
There was a problem hiding this comment.
I don't see this func is getting used. Do you need this func?
If you need for future use, you can replace the checking from status part with getSecurityGroupIDFromStatus() to avoid code duplication.
There was a problem hiding this comment.
Yes, I will remove this function.
| // Check the Status if an ID is already available for the Security Group. | ||
| if s.NetworkStatus() != nil && s.NetworkStatus().SecurityGroups != nil { | ||
| if id, ok := s.NetworkStatus().SecurityGroups[*securityGroup.Name]; ok { | ||
| securityGroupID = &id.ID | ||
| } | ||
| } |
There was a problem hiding this comment.
can you call getSecurityGroupIDFromStatus() from here to avoid code duplication?
| } | ||
|
|
||
| // Reconcile each Security Groups's Rules. | ||
| requeue = false |
There was a problem hiding this comment.
if requeue is true, it would have return from prev block, it won't come here. Why do you want to set requeue to false again?
| // Check the Status if an ID is already available for the Security Group. | ||
| if s.NetworkStatus() != nil && s.NetworkStatus().SecurityGroups != nil { | ||
| if id, ok := s.NetworkStatus().SecurityGroups[*securityGroup.Name]; ok { | ||
| securityGroupID = &id.ID |
There was a problem hiding this comment.
Once you found securityGroupID, don't you need to go to line 1187?
There was a problem hiding this comment.
Yes, will refactor this block
| if securityGroupDetails, err := s.VPCClient.GetSecurityGroupByName(*securityGroup.Name); err != nil { | ||
| // If the Security Group was not found, we expect it doesn't exist yet, otherwise result in an error. | ||
| if _, ok := err.(*vpc.SecurityGroupByNameNotFound); !ok { | ||
| return false, fmt.Errorf("error failed lookup of security group by name: %w", err) | ||
| } | ||
| } else if securityGroupDetails != nil && securityGroupDetails.ID != nil { | ||
| securityGroupID = securityGroupDetails.ID | ||
| } |
There was a problem hiding this comment.
If you find id via this, then again checking in cloud for its existence in next block is not making sense to me, since it's already returned by cloud API only.
There was a problem hiding this comment.
Yes, will refactor this block
| s.V(3).Info("Created security group rules", "securityGroupID", securityGroupID, "securityGroupRule", securityGroupRule) | ||
|
|
||
| // Security Group Rules do not have a Status, so we likely don't need to requeue, but for now, will requeue to verify the Security Group Rules | ||
| return true, nil |
There was a problem hiding this comment.
What exactly do you want to verify here?
Requeuing for every SG rule creation will overload the controller.
Not needed IMO.
There was a problem hiding this comment.
SG Rules are created in bulk, for each new SG.
Verifying the SG Rules for an existing SG require more complex logic to try to prevent creating duplicates (this also applies when verifying all SG Rules were created properly, similar to the other resource types).
I'll drop verification of created SG Rules then.
| } | ||
|
|
||
| // Security Group Rules do not have a Status, so we likely don't need to requeue, but for now, will requeue to verify the Security Group Rules | ||
| return true, nil |
There was a problem hiding this comment.
Code will never reach here, please handle the else case here.
There was a problem hiding this comment.
Currently, the code will be reached after a SG Rule is first created.
If we do not wish to follow up SG Rule creation with verification, then this would be unreachable code, and would be refactored.
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
/area provider/ibmcloud
Release note: