fix for OCPBUGS-55135: userDataSecret.name should be a Required value on AWS #1399
Conversation
openshift-ci-robot
added
jira/severity-low
|
@germanparente: This pull request references Jira Issue OCPBUGS-55135, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@germanparente: This pull request references Jira Issue OCPBUGS-55135, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
I see that ci/prow/unit I had checked that in other providers, when there's no userDataSecret, it's set to a default one and them I wanted to have the same behaviour in AWS. Should we allow removing it ? |
|
Requiring a field that previously was not required is a breaking change, and would prevent existing MachineSets from spawning new Machines. We need to be very careful here. What exactly is the behaviour today if no name is provided? |
|
@JoelSpeed in fact, when we install from scratch, we have a default userDataSecret what a name. And there's a test failing by removing the full userDataSecret, not only the name: --- FAIL: TestMachineUpdate/with_an_AWS_ProviderSpec,_removing_the_user_data_secret (1.13s) So, it seems that in aws we should allow removing the full userDataSecret but not allow to leave the userDataSecret with name nullified. I will check this and come back with another patch. |
…uired value on AWS
|
Requiring a name where we did not previously is still a breaking change. Even though the default machinesets include a name, this does not mean that all machinesets in all clusters do. If you want to make this change, can we verify from insights data that all recorded AWS machinesets have a |
|
Hmm, looking at the linked bug, it appears that if you do not have this value, then machines cannot be successfully created, if that's the case, we could argue that no one should have a machineset where this value is missing, and therefore, the breaking change here is safe 🤔 |
|
Thanks @JoelSpeed then, I think the current patch is the right one requiring a value for name but not necessarily requiring the full userDaraSecret information that seems can be removed. Since there's a unit test doing this I will check the test failures on Thursday. Thanks for your review |
pkg/webhooks/machine_webhook.go
Outdated
| if providerSpec.UserDataSecret == nil { | ||
| errs = append( | ||
| errs, | ||
| field.Required( | ||
| field.NewPath("providerSpec", "userDataSecret"), | ||
| "expected providerSpec.userDataSecret to be populated", | ||
| ), | ||
| ) |
There was a problem hiding this comment.
I suspect we still want this, and the new validation. Though looking at the new defaulting, can we ever get here?
There was a problem hiding this comment.
Thanks @JoelSpeed
My understanding was that there's a test that is checking that we can remove completely:
userDataSecret:
name: xxxxx
That's why I have switched to validate only that the name cannot be empty if the sctructure exists that is what the ocpbugs states as improvement.
If I re-add those lines and there's a test removing the full userDataSecret information, we will have the failure.
…uired value on AWS
…uired value on AWS
|
Just to clarify, the first time the test has failed because it was expecting this message: "expected providerSpec.userDataSecret to be populated" and my pr was returning instead "userDataSecret must be provided" |
|
/test e2e-metal-ipi-ovn-ipv6 |
pkg/webhooks/machine_webhook.go
Outdated
| ) | ||
| errs = append(errs, field.Required(field.NewPath("providerSpec", "userDataSecret"), "expected providerSpec.userDataSecret to be populated")) | ||
| } else if providerSpec.UserDataSecret.Name == "" { | ||
| errs = append(errs, field.Required(field.NewPath("providerSpec", "userDataSecret", "name"), "name must be provided")) |
There was a problem hiding this comment.
Lets add a test case that checks that this error is produced please
|
unit test added. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
There was a problem hiding this comment.
Thanks a lot @germanparente 🎉
The change looks reasonable to me, as it aligns with GCP and Azure.
Regarding breaking changes behaviour, if the Machine wouldn't come up, I think it is ok to break behaviour as it improves the UX preventing the Provisioning + Failure as it explains why it is invalid.
Left a small fixup suggestion for the unit failure.
Co-authored-by: Damiano Donati <[email protected]>
Co-authored-by: Damiano Donati <[email protected]>
|
@germanparente: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/cherry-pick release-4.19 |
|
@germanparente: once the present PR merges, I will cherry-pick it on top of In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@damdo looks like your changes are addressed, can you LGTM or have you any further feedback? |
|
Heya @germanparente, can we squash down these commits to an atomic one? :) |
openshift-merge-bot
bot
merged commit d977735
into
openshift:main
|
@germanparente: Jira Issue OCPBUGS-55135: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-55135 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@germanparente: new pull request created: #1403 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[ART PR BUILD NOTIFIER] Distgit: ose-machine-api-operator |
aligning the check on webhook side to prevent the userDataSecret name to be empty, as it's already happening in other providers.