-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix kubebuilder validation for SecurityGroup resources #1710
Fix kubebuilder validation for SecurityGroup resources #1710
Conversation
Hi @cjschaef. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
✅ Deploy Preview for kubernetes-sigs-cluster-api-ibmcloud ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
/ok-to-test |
@@ -269,7 +269,7 @@ type PortRange struct { | |||
} | |||
|
|||
// SecurityGroup defines a VPC Security Group that should exist or be created within the specified VPC, with the specified Security Group Rules. | |||
// +kubebuilder:validation:XValidation:rule="!has(self.id) && !has(self.name)",message="either an id or name must be specified" | |||
// +kubebuilder:validation:XValidation:rule="has(self.id) || has(self.name)",message="either an id or name must be specified" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please help me understand this, How it would affect, User should set either id or name right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, a name or an id must be provided.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Karthik-K-N isn't this appropriate !has(self.id) && !has(self.name)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, Sometimes CEL expressions are confusing but the main logic is, The message will be displayed when the expression evaluates to false, In the above case if we set !has(self.id) && !has(self.name)
, it does not allow us to set either one of id or name.
Example when we set id !true && !false
--> false && true
--> false = either an id or name must be specified
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The expressions can be optimised to provide better error messages to user, But its not a blocking issue but an improvisation and good to have
Either we can add a TODO to fix it later or spend sometime to fix it now itself its upto you.
api/v1beta2/types.go
Outdated
@@ -298,8 +298,7 @@ type SecurityGroup struct { | |||
|
|||
// SecurityGroupRule defines a VPC Security Group Rule for a specified Security Group. | |||
// +kubebuilder:validation:XValidation:rule="(has(self.destination) && !has(self.source)) || (!has(self.destination) && has(self.source))",message="both destination and source cannot be provided" | |||
// +kubebuilder:validation:XValidation:rule="has(self.destination) && self.direction == 'inbound'",message="destinationis not valid for SecurityGroupRuleDirectionInbound direction" | |||
// +kubebuilder:validation:XValidation:rule="has(self.source) && self.direction == 'outbound'",message="source is not valid for SecurityGroupRuleDirectionOutbound direction" | |||
// +kubebuilder:validation:XValidation:rule="(self.direction == 'inbound' && !has(self.destination) && has(self.source)) || (self.direction == 'outbound' && has(self.destination) && !has(self.source))",message="destination is not valid for SecurityGroupRuleDirectionInbound direction and source is not valid for SecruityGroupRuleDirectionOutbound" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have spent some time in understanding validations, Here are my thoughts
The above expression may confuse with very generic error , example
securityGroupRule:
- action: "action"
direction: "inbound"
spec.securityGroupRule[0]: Invalid value: "object": destination is not valid for SecurityGroupRuleDirectionInbound direction and source is not valid for SecruityGroupRuleDirectionOutbound
Instead of combining them into one line expression with combined error messages, It should be split to display appropriate validation failure messages, for example
// +kubebuilder:validation:XValidation:rule="self.direction == 'inbound' ? has(self.source) : true",message="source should be set for SecurityGroupRuleDirectionInbound direction"
// +kubebuilder:validation:XValidation:rule="self.direction == 'inbound' ? (!has(self.destination)) : true",message="destination is not valid for SecurityGroupRuleDirectionInbound direction"
// +kubebuilder:validation:XValidation:rule="self.direction == 'outbound' ? has(self.destination) : true",message="destination should be set for SecruityGroupRuleDirectionOutbound direction"
// +kubebuilder:validation:XValidation:rule="self.direction == 'outbound' ? (!has(self.source)) : true",message="source is not valid for SecruityGroupRuleDirectionOutbound direction"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure I can split the validation logic up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated, and performed some basic (non-exhaustive) validation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for updating
8ae1d80
to
0189f04
Compare
Some of the kubebuilder validation logic was written inversely and needs to be fixed so validation is done correctly.
0189f04
to
da5d10b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
@cjschaef can you please update the release note section as well in this PR. |
Updated |
/easycla |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjschaef, Prajyot-Parab The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Some of the kubebuilder validation logic was written inversely and needs to be fixed so validation is done correctly.
What this PR does / why we need it: Some kubebuilder validation is written inversely, or is incorrect, causing issues with valid definitions.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
/area provider/ibmcloud
Release note: