Passing security groups by specifying more options in addition to UUIDs on ports #1246
Conversation
✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
k8s-ci-robot
added
cncf-cla: yes
|
/pull-cluster-api-provider-openstack-e2e-test |
|
/pull-cluster-api-provider-openstack-e2e-test |
|
/pull-cluster-api-provider-openstack-e2e-test |
Xenwar
force-pushed
the
sg-by-name
branch
6 times, most recently
from
465ea32 to
634a5dd
Compare
| @@ -153,6 +153,8 @@ | |||
| # Adjust the CPU quota | |||
| openstack quota set --cores 32 demo | |||
| openstack quota set --secgroups 50 demo | |||
| openstack quota set --secgroups 100 demo | |||
There was a problem hiding this comment.
I think you can remove the previous line openstack quota set --secgroups 50 demo, because it will get overridden by this one.
There was a problem hiding this comment.
thanks, will do that after the current test.
| if sg == "" { | ||
| continue | ||
| } | ||
| *securityGroups = append(*securityGroups, sg) |
There was a problem hiding this comment.
How will this handle duplicate security groups? E.g. if the same uuid is specified in portOpts.SecurityGroups and portOpts.SecurityGroupFilters
There was a problem hiding this comment.
Tried duplicates, and it does fail, no check on that.
Thanks, will add the logic to remove the duplicates.
There was a problem hiding this comment.
Done: now duplicates are removed
- securityGroups field
- securityGroupFilter field
- A combination of the two.
Xenwar
force-pushed
the
sg-by-name
branch
2 times, most recently
from
61f52c6 to
50d5ec0
Compare
|
/pull-cluster-api-provider-openstack-e2e-test |
Xenwar
force-pushed
the
sg-by-name
branch
3 times, most recently
from
9e87d0d to
cb0a4f3
Compare
|
/hold We might need to consider deprecating the port.securityGroup in *[]string format |
k8s-ci-robot
added
the
do-not-merge/hold
Xenwar
force-pushed
the
sg-by-name
branch
2 times, most recently
from
ac66f4e to
12c733f
Compare
|
/test pull-cluster-api-provider-openstack-e2e-test |
|
|
||
| securityGroups, err = s.CollectPortSecurityGroups(eventObject, portOpts.SecurityGroups, portOpts.SecurityGroupFilters) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("multiple ports found with name \"%s\"", portName) |
There was a problem hiding this comment.
should we only log the err itself here?
There was a problem hiding this comment.
The error message is wrong, will remove the text.
However, we need to return the error as it tells the absence of the security groups specified in the manifests.
| @@ -244,6 +244,7 @@ func TestFuzzyConversion(t *testing.T) { | |||
| v1alpha5PortOpts.Network = nil | |||
| } | |||
| } | |||
| v1alpha5PortOpts.SecurityGroupFilters = nil | |||
There was a problem hiding this comment.
@bavarianbidi is introducing utilconversion.(Un)MarshalData from Cluster API in #1247 to avoid losing data on a round-trip conversion to v1alpha4 and back to alpha5.
I think it makes sense to also apply this here, though I am not sure about the best process for this, some options:
- wait until ✨ Feature: restrict API Server LB access via IPs #1247 is merged and then rebase ontop
- extract the round-trip setup into a seperate PR and rebase this ontop
- continue as is and do this in a follow up PR once ✨ Feature: restrict API Server LB access via IPs #1247 is merged
There was a problem hiding this comment.
I think doing it in a follow up PR could be good as I am planning the deprecate the securityGroups field. The reason being, the uuid it provides is also provided by the new introduced securityGroupFilter field.
There was a problem hiding this comment.
I'm also fine doing a separate PR as it seems that all conversation unit tests has to be refactored. Already though about but didn't had much time to start the discussion.
| continue | ||
| } | ||
| uids[sg] = 1 | ||
| securityGroupCount++ |
There was a problem hiding this comment.
securityGroupCount is initialized to the number of SGs returned from the filter (line 271). Here you increment it by one for every single security group returned by either the filters, or the explicit id list. In effect, you are double counting the security groups from the filter.
This can be fixed by initializing securityGroupCount := 0 in line 271.
This does not introduce any impacting bugs, only the slice for distinctSecurityGroupIDs will have a backing array that is too large.
There was a problem hiding this comment.
True, but even with securityGroupCount := 0 at 271, we will still have extra space consumed.
The reason is allSecurityGroupIDs could still contain duplicates.
I will add an extra loop to count distinct values.
There was a problem hiding this comment.
Added securityGroupCount := 0 at 271, change the incremental to conditional, thanks.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jichenjc, Xenwar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
With
OpenStackMachineTemplateit is possible to specify security groups at both instance and port levels. However, both levels do not have same format, with the instance level having more options. This PR moves the port level format closer to that of the instance level, as shown below.Specifying security groups at port level:
Specifying security groups at port level:
As can be seen above, the instance level setting has more options. This PR the
securityGroupsFiltersfield. The original fieldport.securityGroupsis kept for backward compatibility. However, the old field is redundant due to thesecurityGroupsFiltersalready containing theUUIDfield. Therefore, removing it is more preferable.Fixes #1245
Special notes for your reviewer: