Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Better checks before creating Floating IPs #2261

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

🐛 Better checks before creating Floating IPs #2261

wants to merge 2 commits into from
+97 −4

Conversation

EmilienM
Copy link
Contributor

@EmilienM EmilienM commented Nov 19, 2024
edited
Loading

What this PR does / why we need it:

When a floating is created, we need to make sure that
OpenStackCluster.Spec.DisableExternalNetwork is not set to True.
Otherwise, we'll have a nil pointer error.

  • Add a check in reconcileBastion to check that external network is
    not disabled before creating the floating IP for the bastion.
  • Add a check in reconcileControlPlaneEndpoint and
    reconcileAPIServerLoadBalancer to check that external
    network is not disabled (alongside the DisableAPIServerFloatingIP
    check) before creating the floating IP for the API server endpoint.
  • Add a safeguard in GetOrCreateFloatingIP to return a proper error
    (instead of a nil pointer error) when
    openStackCluster.Status.ExternalNetwork is nil.

Also includes a change to the webhooks:

  • Don't allow a bastion to have a floating IP if external network is
    disabled.
  • Don't allow the APIserver to have a floating IP if external network is
    disabled.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2260

@EmilienM
Better conditions for creating Floating IPs
9afbf5d 
When a floating is created, we need to make sure that
`OpenStackCluster.Spec.DisableExternalNetwork` is not set to `True`.
Otherwise, we'll have a nil pointer error.

* Add a check in `reconcileBastion` to check that external network is
  not disabled before creating the floating IP for the bastion.
* Add a check in `reconcileControlPlaneEndpoint` and
  `reconcileAPIServerLoadBalancer` to check that external
  network is not disabled (alongside the DisableAPIServerFloatingIP
  check) before creating the floating IP for the API server endpoint.
* Add a safeguard in `GetOrCreateFloatingIP` to return a proper error
  (instead of a nil pointer error) when
  `openStackCluster.Status.ExternalNetwork` is nil.
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from emilienm. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 19, 2024
@netlify Netlify
Copy link

netlify bot commented Nov 19, 2024
edited
Loading

Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name Link
🔨 Latest commit c746a8a
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/673cf66b1200280008eb5c95
😎 Deploy Preview https://deploy-preview-2261--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@EmilienM
Copy link
Contributor Author

/cc mdbooth

@EmilienM EmilienM changed the title 🐛 Better conditions for creating Floating IPs 🐛 Better checks for creating Floating IPs Nov 19, 2024
@EmilienM EmilienM changed the title 🐛 Better checks for creating Floating IPs 🐛 Better checks before creating Floating IPs Nov 19, 2024
@EmilienM
Copy link
Contributor Author

I initially wanted to do some webhook to just disallow DisableExternalNetwork to be True without also setting DisableAPIServerFloatingIP to True but it's not backward compatible and sucks for our users, so I did that.

@EmilienM
Copy link
Contributor Author

/test pull-cluster-api-provider-openstack-e2e-test
flake

@EmilienM
Copy link
Contributor Author

/cherry-pick release-0.11

@k8s-infra-cherrypick-robot
Copy link

@EmilienM: once the present PR merges, I will cherry-pick it on top of release-0.11 in a new PR and assign it to you.

In response to this:

/cherry-pick release-0.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

mdbooth
mdbooth reviewed Nov 19, 2024
View reviewed changes
Copy link
Contributor

@mdbooth mdbooth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Any idea how far back we need to backport this? 0.11 at least.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 19, 2024
@EmilienM
Copy link
Contributor Author

EmilienM commented Nov 19, 2024
edited
Loading

/lgtm

Any idea how far back we need to backport this? 0.11 at least.

I'll investigate.
EDIT: backport is clean \o/

@EmilienM
Copy link
Contributor Author

On this one I want an eye from @lentzi90.

@EmilienM
Copy link
Contributor Author

/cherry-pick release-0.10

@k8s-infra-cherrypick-robot
Copy link

@EmilienM: once the present PR merges, I will cherry-pick it on top of release-0.10 in a new PR and assign it to you.

In response to this:

/cherry-pick release-0.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

lentzi90
lentzi90 reviewed Nov 19, 2024
View reviewed changes
Copy link
Contributor

@lentzi90 lentzi90 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I initially wanted to do some webhook to just disallow DisableExternalNetwork to be True without also setting DisableAPIServerFloatingIP to True but it's not backward compatible and sucks for our users

Sure not backwards compatible, but do you mean that it is actually possible to use that configuration? I'm thinking it is ok to break backwards compatibility if all it was doing was cause nil pointer exceptions.

controllers/openstackcluster_controller.go
Comment on lines +398 to +402
if !ptr.Deref(openStackCluster.Spec.DisableExternalNetwork, false) {
return bastionAddFloatingIP(openStackCluster, clusterResourceName, port, networkingService)
}

return nil, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about doing this the other way? If disabled -> log something and return. Otherwise continue and add it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC what you're proposing is

...
if ptr.Deref(openStackCluster.Spec.DisableExternalNetwork, false) {
        // log something? what exactly?
	return nil, nil
}
return bastionAddFloatingIP(openStackCluster, clusterResourceName, port, networkingService)

If yes, I think it's functionally the same and is fairly consistent with other Deref calls for that field. No strong opinion here, happy to make the change.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 19, 2024
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 19, 2024
@EmilienM
webhook: add validations for external network & floating IPs
c746a8a 
* Don't allow a bastion to have a floating IP if external network is
  disabled.
* Don't allow the APIserver to have a floating IP if external network is
  disabled.
@k8s-ci-robot k8s-ci-robot removed the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 19, 2024
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lentzi90 lentzi90 lentzi90 left review comments

@mdbooth mdbooth mdbooth left review comments

@jichenjc jichenjc Awaiting requested review from jichenjc

Assignees

@mdbooth mdbooth

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
CAPO Roadmap
Status: Inbox
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

panic when setting disableExternalNetwork: true
5 participants
@EmilienM @k8s-ci-robot @k8s-infra-cherrypick-robot @mdbooth @lentzi90