Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⚠️ Move Workspace.Status.{Cluster, URL} to Spec #2557

Merged
merged 1 commit into from
Jan 6, 2023
Merged

⚠️ Move Workspace.Status.{Cluster, URL} to Spec #2557

merged 1 commit into from
Jan 6, 2023

Conversation

vincepri
Copy link
Contributor

@vincepri vincepri commented Jan 5, 2023

Summary

In order to preserve the URL field, given that Status may be wiped under a number of conditions and most times URL cannot be easily or at all reconstructured, this changeset moves the field under Spec.

In addition, now the admission code also checks that any modification to the URL is performed by a system user.

Signed-off-by: Vince Prignano vince@prigna.com

Related issue(s)

Fixes #

@openshift-ci openshift-ci bot added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Jan 5, 2023
@vincepri
Copy link
Contributor Author

vincepri commented Jan 6, 2023

/assign @sttts

@vincepri vincepri changed the title ⚠️ Move Workspace.Status.URL to Spec ⚠️ Move Workspace.Status.{Cluster, URL} to Spec Jan 6, 2023
sttts
sttts reviewed Jan 6, 2023
View reviewed changes
pkg/admission/workspace/admission.go Outdated
if old.Status.Cluster != "" && cw.Status.Cluster == "" {
return admission.NewForbidden(a, errors.New("status.cluster cannot be unset"))
if old.Spec.Cluster != "" && cw.Spec.Cluster == "" {
return admission.NewForbidden(a, errors.New("spec.cluster cannot be unset"))
}

if cw.Status.Phase != corev1alpha1.LogicalClusterPhaseScheduling {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is still a pretty hard condition on status. Not sure it leads to problems.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I'll keep an eye out for errors in the e2e, although this isn't ideal to check for the Phase. We could just remove these checks instead?

sttts
sttts reviewed Jan 6, 2023
View reviewed changes
pkg/admission/workspace/admission_test.go
@@ -374,28 +380,28 @@ func TestValidate(t *testing.T) {
Annotations: map[string]string{"experimental.tenancy.kcp.io/owner": "{}"},
},
Spec: tenancyv1beta1.WorkspaceSpec{
Cluster: "somewhere",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing a test that rejects changes for non-privileged users

ncdc
ncdc approved these changes Jan 6, 2023
View reviewed changes
pkg/admission/workspace/admission.go Outdated Show resolved Hide resolved
pkg/admission/workspace/admission.go Outdated Show resolved Hide resolved
pkg/admission/workspace/admission_test.go Outdated Show resolved Hide resolved
pkg/apis/tenancy/v1beta1/types.go Outdated Show resolved Hide resolved
pkg/admission/workspace/admission.go Outdated Show resolved Hide resolved
pkg/admission/workspace/admission.go Outdated Show resolved Hide resolved
pkg/apis/tenancy/v1beta1/types.go Outdated
@@ -58,6 +58,8 @@ type Workspace struct {
}

// WorkspaceSpec holds the desired state of the ClusterWorkspace.
// +kubebuilder:validation:XValidation:rule="!has(oldSelf.URL) || has(self.URL)",message="URL cannot be unset"
// +kubebuilder:validation:XValidation:rule="!has(oldSelf.cluster) || has(self.cluster)",message="cluster is immutable"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// +kubebuilder:validation:XValidation:rule="!has(oldSelf.cluster) || has(self.cluster)",message="cluster is immutable"
// +kubebuilder:validation:XValidation:rule="!has(oldSelf.cluster) || has(self.cluster)",message="cluster cannot be unset"

?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this one correct? The cannot be unset for URL seems to be meaning that it can't be empty, but it could be potentially be changed. Meanwhile the Cluster is set once?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it is immutable. This validation doesn't enforce that, though. This passes validation on update if:

  1. old.cluster is empty, or
  2. old.cluster is set and new.cluster is set

There is a separate validation on the Cluster field itself to ensure immutability:

// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="cluster is immutable"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah ok, in this specific validation piece I can see how the message should be different, thanks!

pkg/apis/tenancy/v1beta1/types.go Outdated Show resolved Hide resolved
@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 6, 2023
@ncdc
Copy link
Member

ncdc commented Jan 6, 2023

/lgtm cancel

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 6, 2023
@vincepri
Copy link
Contributor Author

vincepri commented Jan 6, 2023

Flake #2501

@vincepri
⚠️ Move Workspace.Status.{Cluster, URL} to Spec
16dbd76 
In order to preserve the URL field, given that Status may be wiped under
a number of conditions and most times URL cannot be easily or at all
reconstructured, this changeset moves the field under Spec.

In addition, now the admission code also checks that any modification to
the URL is performed by a system user.

Signed-off-by: Vince Prignano <vince@prigna.com>
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 6, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 6, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 600e3bc into kcp-dev:main Jan 6, 2023
@stevekuznetsov stevekuznetsov mentioned this pull request Jan 9, 2023
Merged
34 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@ncdc ncdc ncdc approved these changes

@davidfestal davidfestal Awaiting requested review from davidfestal

@shawn-hurley shawn-hurley Awaiting requested review from shawn-hurley

Assignees

@ncdc ncdc

@sttts sttts

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vincepri @ncdc @sttts @openshift-merge-robot