Skip to content
This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

feat(*): ensure traffic target in dest namespace #4151

Merged
merged 1 commit into from
Sep 27, 2021

Conversation

michelleN
Copy link
Contributor

@michelleN michelleN commented Sep 21, 2021

Description:
feat(*): add traffic target validation

  • Adds a validator for traffic target specifically
    requiring that the namespace of a traffic target matches the
    destination namespace.
  • Updates chart template for validating webhook configuration to optionally enable
    validation of SMI Traffic Targets
  • Adds value for toggling validating SMI traffic target in values.yaml
  • Updates chart README
  • Updates e2es to create traffic targets in destination namespace
  • Adds e2e for SMI traffic target validation

Signed-off-by: Michelle Noorali [email protected]

Testing done:

  • Unit testing
  • Manual testing
  • Update e2es

Affected area:

Functional Area
New Functionality [ ]
CI System [ ]
CLI Tool [ ]
Certificate Management [ ]
Control Plane [ ]
Demo [ ]
Documentation [ ]
Egress [ ]
Ingress [ ]
Install [ ]
Networking [ ]
Observability [ ]
Performance [ ]
SMI Policy [ X]
Security [ ]
Sidecar Injection [ ]
Tests [ ]
Upgrade [ ]
Other [ ]

Please answer the following questions with yes/no.

  1. Does this change contain code from or inspired by another project? No

    • Did you notify the maintainers and provide attribution? N/A
  2. Is this a breaking change? Yes

@@ -201,7 +201,7 @@ func (mc *MeshCatalog) getTCPRouteMatchesFromTrafficTarget(trafficTarget smiAcce

// isValidTrafficTarget checks if the given SMI TrafficTarget object is valid
func isValidTrafficTarget(t *smiAccess.TrafficTarget) bool {
return t != nil && t.Spec.Rules != nil && len(t.Spec.Rules) > 0 && hasValidRulesKind(t.Spec.Rules)
return t != nil && t.Spec.Rules != nil && len(t.Spec.Rules) > 0 && hasValidRulesKind(t.Spec.Rules) && t.Namespace == t.Spec.Destination.Namespace
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if it'd be prudent to move the t != nil && t.Spec.Rules != nil && len(t.Spec.Rules) > 0 checks inside the hasValidRulesKind() function to lower the complexity of this line.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another idea - it might be good to put a log statement here so when everything is good but the namespace is not the destination namespace - then we could Trace log a statement. This may help us debug a problem.

@draychev
Copy link
Contributor

@michelleN Would it make sense to also to a check in our ValidationWebhook (and add it to a more general SMI validation) -- to make sure that the TrafficTarget namespace and destination namespaces match?

One other idea to explore -- when the TrafficTarget namespace and destination namespaces do not match -- we could update the Status field of the TrafficTarget with an error message: #3218

@codecov-commenter
Copy link

codecov-commenter commented Sep 21, 2021

Codecov Report

Merging #4151 (7e642fa) into main (590f52d) will increase coverage by 0.48%.
The diff coverage is 88.88%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #4151      +/-   ##
==========================================
+ Coverage   69.34%   69.83%   +0.48%     
==========================================
  Files         212      211       -1     
  Lines       11429    11472      +43     
==========================================
+ Hits         7925     8011      +86     
+ Misses       3451     3408      -43     
  Partials       53       53              
Flag Coverage Δ
unittests 69.83% <88.88%> (+0.48%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/validator/validators.go 91.80% <87.50%> (-0.65%) ⬇️
pkg/validator/server.go 76.59% <100.00%> (+19.60%) ⬆️
pkg/certificate/rotor/rotor.go 84.37% <0.00%> (-3.13%) ⬇️
pkg/k8s/events/event_pubsub.go 100.00% <0.00%> (ø)
pkg/reconciler/mutating_webhook.go
pkg/injector/webhook.go 93.00% <0.00%> (+0.18%) ⬆️
pkg/providers/kube/client.go 71.68% <0.00%> (+0.88%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 590f52d...7e642fa. Read the comment docs.

@michelleN michelleN changed the title feat(*): ensure traffic target in dest namespace [WIP] feat(*): ensure traffic target in dest namespace Sep 21, 2021
@michelleN michelleN added wip Work-in-Progress do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Sep 21, 2021
@michelleN michelleN force-pushed the traffictarget branch 2 times, most recently from 647b1a9 to d92a61f Compare September 22, 2021 19:28
@michelleN michelleN removed wip Work-in-Progress do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Sep 22, 2021
@michelleN michelleN changed the title [WIP] feat(*): ensure traffic target in dest namespace feat(*): ensure traffic target in dest namespace Sep 22, 2021
@michelleN michelleN marked this pull request as ready for review September 22, 2021 19:31
@michelleN michelleN requested a review from a team as a code owner September 22, 2021 19:31
@michelleN michelleN marked this pull request as draft September 22, 2021 19:35
@michelleN michelleN force-pushed the traffictarget branch 2 times, most recently from 193bbd4 to 7e642fa Compare September 23, 2021 21:19
@michelleN michelleN marked this pull request as ready for review September 23, 2021 21:19
Copy link
Contributor

@draychev draychev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

This is going to save us a lot of headaches!

@@ -202,7 +202,7 @@ var _ = OSMDescribe("Test HTTP traffic with SMI TrafficTarget",

// createPolicyForRoutePath creates an HTTPRouteGroup and TrafficTarget policy for the given source, destination and HTTP path regex
func createPolicyForRoutePath(source, sourceNamespace, destination, destinationNamespace, pathRegex string) (smiSpecs.HTTPRouteGroup, smiAccess.TrafficTarget) {
routeGroupName := "test-route"
routeGroupName := source + "-" + destination
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use fmt.Sprintf() to follow Go best practices?

Comment on lines +70 to +71
return nil, errors.Errorf("The traffic target namespace (%s) must match spec.Destination.Namespace (%s)",
trafficTarget.Namespace, trafficTarget.Spec.Destination.Namespace)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not opposed returning errors.Errorf, but that would make it hard in the future should we want to differentiate between different types of errors returned by this validator.

I don't know that we have settled on a standard for this repo.
We tend to create an error and place it in the errors.go file in the package.

var ErrTrafficTargetNamespaceMismatch = errors.New("traffic target namespace mismatch")

and then here return nil, ErrTrafficTargetNamespaceMismatch
but also before the return log the full statement

log.Error().Err(ErrTrafficTargetNamespaceMismatch).Msgf("The traffic target namespace (%s) must match spec.Destination.Namespace (%s)", trafficTarget.Namespace, trafficTarget.Spec.Destination.Namespace)`

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@draychev the recommended way to log errors currently is as follows:

  1. For dynamic error messages without error codes, use errors.Errorf(), errors.New().
  2. For static errors messages previously defined in errors.go, define it in pkg/errcode/errcode.go instead so it can be logged similar to other error codes with the ability to publish metrics per error code.

I am not opposed to defining errors in errors.go if they don't need additional data to be encoded in them, though the errcode model should be adopted to get the benefits of tooling we build to inspect error codes instead of error messages.

Copy link
Contributor

@snehachhabria snehachhabria left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just merged #4160 and this is conflicting with the changes I recently checked in

@snehachhabria snehachhabria self-requested a review September 27, 2021 19:41
pkg/validator/patch_test.go Outdated Show resolved Hide resolved
+ Adds a validator for traffic target specifically
requiring that the namespace of a traffic target matches the
destination namespace.
+ Updates chart template for validating webhook configuration to optionally enable
validation of SMI Traffic Targets
+ Adds value for toggling validating SMI traffic target in values.yaml
+ Updates chart README
+ Updates e2es to create traffic targets in destination namespace
+ Adds e2e for SMI traffic target validation
+ Adds validating traffic target rule for scenario when osm-controller is creating/updating validating webhook config

partially resolves openservicemesh#4116

Signed-off-by: Michelle Noorali <[email protected]>
@michelleN michelleN merged commit f262ef5 into openservicemesh:main Sep 27, 2021
@michelleN michelleN deleted the traffictarget branch September 27, 2021 21:24
snehachhabria pushed a commit to snehachhabria/osm that referenced this pull request Sep 27, 2021
+ Adds a validator for traffic target specifically
requiring that the namespace of a traffic target matches the
destination namespace.
+ Updates chart template for validating webhook configuration to optionally enable
validation of SMI Traffic Targets
+ Adds value for toggling validating SMI traffic target in values.yaml
+ Updates chart README
+ Updates e2es to create traffic targets in destination namespace
+ Adds e2e for SMI traffic target validation
+ Adds validating traffic target rule for scenario when osm-controller is creating/updating validating webhook config

partially resolves openservicemesh#4116

Signed-off-by: Michelle Noorali <[email protected]>
michelleN pushed a commit to michelleN/osm that referenced this pull request Sep 28, 2021
Addressing PR comment openservicemesh#4151 (comment)

Signed-off-by: Michelle Noorali <[email protected]>
michelleN pushed a commit to michelleN/osm that referenced this pull request Sep 28, 2021
+ adds var ErrTrafficTargetNamespaceMismatch
+ updates e2e line to use fmt.Sprintf

Addressing PR comment openservicemesh#4151 (comment)
and openservicemesh#4151 (comment)

Signed-off-by: Michelle Noorali <[email protected]>
michelleN pushed a commit to michelleN/osm that referenced this pull request Sep 28, 2021
+ adds var ErrTrafficTargetNamespaceMismatch
+ updates e2e line to use fmt.Sprintf

Addressing PR comment openservicemesh#4151 (comment)
and openservicemesh#4151 (comment)

Signed-off-by: Michelle Noorali <[email protected]>
snehachhabria pushed a commit to snehachhabria/osm that referenced this pull request Oct 14, 2021
+ Adds a validator for traffic target specifically
requiring that the namespace of a traffic target matches the
destination namespace.
+ Updates chart template for validating webhook configuration to optionally enable
validation of SMI Traffic Targets
+ Adds value for toggling validating SMI traffic target in values.yaml
+ Updates chart README
+ Updates e2es to create traffic targets in destination namespace
+ Adds e2e for SMI traffic target validation
+ Adds validating traffic target rule for scenario when osm-controller is creating/updating validating webhook config

partially resolves openservicemesh#4116

Signed-off-by: Michelle Noorali <[email protected]>
Signed-off-by: Sneha Chhabria <[email protected]>
allenlsy pushed a commit to allenlsy/osm that referenced this pull request Dec 28, 2021
+ Adds a validator for traffic target specifically
requiring that the namespace of a traffic target matches the
destination namespace.
+ Updates chart template for validating webhook configuration to optionally enable
validation of SMI Traffic Targets
+ Adds value for toggling validating SMI traffic target in values.yaml
+ Updates chart README
+ Updates e2es to create traffic targets in destination namespace
+ Adds e2e for SMI traffic target validation
+ Adds validating traffic target rule for scenario when osm-controller is creating/updating validating webhook config

partially resolves openservicemesh#4116

Signed-off-by: Michelle Noorali <[email protected]>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants