Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ pkg/cloud/services/networking/securitygroups.go reimplement reconcilation #773

Merged
merged 4 commits into from
Mar 16, 2021
Merged

✨ pkg/cloud/services/networking/securitygroups.go reimplement reconcilation #773

merged 4 commits into from
Mar 16, 2021

Conversation

chrischdi
Copy link
Member

What this PR does / why we need it:
Reimplements the security group reconcilation by only creating and/or
deleting the rules desired / not desired instead of deleting all and creating all rules.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #771

Special notes for your reviewer:

  1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

Release note:

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 8, 2021
@k8s-ci-robot
Copy link
Contributor

Welcome @chrischdi!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-openstack 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-openstack has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Copy link
Contributor

Hi @chrischdi. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 8, 2021
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 8, 2021
@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 8, 2021

Build failed.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 8, 2021
@chrischdi
Copy link
Member Author

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

@jichenjc
Copy link
Contributor

jichenjc commented Mar 8, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 8, 2021
@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 8, 2021

Build failed.

@jichenjc
Copy link
Contributor

jichenjc commented Mar 9, 2021

recheck

@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 9, 2021

Build failed.

@chrischdi
Copy link
Member Author

recheck

I'll debug it in a local devstack setup. From our environment I can see that the environment does not save the description.

@chrischdi
Copy link
Member Author

I was able to fix the issue. By default there are already security group rules inside the security groups which have another description.

Because of that I changed the order to first delete not needed rules and create the new ones afterwards

@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 9, 2021

Build succeeded.

@jichenjc
Copy link
Contributor

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

@sbueringer
Copy link
Member

/retitle ✨ pkg/cloud/services/networking/securitygroups.go reimplement reconcilation

@k8s-ci-robot k8s-ci-robot changed the title ✨ pkg/cloud/services/networking/securitygroups.go reimplement reconcilation ✨ pkg/cloud/services/networking/securitygroups.go reimplement reconcilation Mar 11, 2021
@sbueringer
Copy link
Member

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

I think the problem is that the deep equal does not detect that it's the same because the server will return something else compared to what we created before.

@sbueringer
Copy link
Member

@chrischdi please rebase so that the tests are run against the new v1alpha4 master version

@chrischdi
Copy link
Member Author

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

I think the problem is that the deep equal does not detect that it's the same because the server will return something else compared to what we created before.

Exactly: on our OpenStack (which is "VMware Integrated OpenStack") the following happens:

  • security groups get reconciled
    • rules get created
  • security groups get reconciled again later on
    • rules previously created having RemoteIPPrefix: "0.0.0.0/0" will get deleted and created again, because the API returns nil instead of 0.0.0.0/0.

I can see the same result when using the openstack cli and checking the output of openstack security group rule list --debug <secgroup ID>

However: I think the response of the API is still okay, because nil will default to 0.0.0.0/0 in the backend according the cli docs:

$ openstack help security group rule create | grep -e ' --remote-ip' -A 3
  --remote-ip <ip-address>
                        Remote IP address block (may use CIDR notation;
                        default for IPv4 rule: 0.0.0.0/0, default for IPv6
                        rule: ::/0)

It is also ok for me to revert the removal of 0.0.0.0/0 on this PR if you like me to do so :-)

@chrischdi chrischdi force-pushed the reimplement-securitygroup-reconcilation branch from 6c41df5 to a977e09 Compare March 12, 2021 12:34
@chrischdi
Copy link
Member Author

@chrischdi please rebase so that the tests are run against the new v1alpha4 master version

rebased to master :-)

@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 12, 2021

Build failed.

@chrischdi
Copy link
Member Author

/retest

@chrischdi
Copy link
Member Author

recheck

@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 12, 2021

Build failed.

@chrischdi
Copy link
Member Author

Looks like we're hitting the same issues as in #779 , maybe I should wait for #759

@chrischdi
pkg/cloud/services/networking/securitygroups.go reimplement reconcila…
944a7df 
…tion

Reimplements the security group reconcilation by only creating and/or
deleting the rules desired / not desired.

Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com>
@chrischdi
pkg/cloud/services/networking/securitygroups.go lower log level for s…
88c8e7e 
…tatus logs
@chrischdi
pkg/cloud/services/networking/securitygroups.go remove RemoteIPPrefix…
efd9a20 
… when matching 0.0.0.0/0

A RemoteIPPrefix of 0.0.0.0/0 is equal to the default (""/None). Because
of that we do not set it to not trigger reconcilations.
@chrischdi
pkg/cloud/services/networking/securitygroups.go switch order, first d…
98ecc10 
…elete then create

By default there are already rules which exist and do not match by name.
Therefor we first delete not-matching rules and create the desired ones
afterwards.
@chrischdi chrischdi force-pushed the reimplement-securitygroup-reconcilation branch from a977e09 to 98ecc10 Compare March 15, 2021 14:14
@chrischdi
Copy link
Member Author

rebased to master again to have gcp based tests

@chrischdi
Copy link
Member Author

/test help

@sbueringer
Copy link
Member

/test pull-cluster-api-provider-openstack-make-conformance

@k8s-ci-robot
Copy link
Contributor

@chrischdi: The specified target(s) for /test were not found.
The following commands are available to trigger jobs:

  • /test pull-cluster-api-provider-openstack-build
  • /test pull-cluster-api-provider-openstack-test
  • /test pull-cluster-api-provider-openstack-e2e-test
  • /test pull-cluster-api-provider-openstack-make-conformance

Use /test all to run the following jobs:

  • pull-cluster-api-provider-openstack-build
  • pull-cluster-api-provider-openstack-test

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 15, 2021

Build failed.

sbueringer
sbueringer approved these changes Mar 15, 2021
View reviewed changes
Copy link
Member

@sbueringer sbueringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

conformance test green now :)

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrischdi, sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 15, 2021
@jichenjc
Copy link
Contributor

recheck

@theopenlab-ci
Copy link

theopenlab-ci bot commented Mar 16, 2021

Build failed.

@jichenjc
Copy link
Contributor

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

I think the problem is that the deep equal does not detect that it's the same because the server will return something else compared to what we created before.

Exactly: on our OpenStack (which is "VMware Integrated OpenStack") the following happens:

* security groups get reconciled
  
  * rules get created

* security groups get reconciled again later on
  
  * rules previously created having `RemoteIPPrefix: "0.0.0.0/0"` will get deleted and created again, because the API returns `nil` instead of `0.0.0.0/0`.

I can see the same result when using the openstack cli and checking the output of openstack security group rule list --debug <secgroup ID>

However: I think the response of the API is still okay, because nil will default to 0.0.0.0/0 in the backend according the cli docs:

$ openstack help security group rule create | grep -e ' --remote-ip' -A 3
  --remote-ip <ip-address>
                        Remote IP address block (may use CIDR notation;
                        default for IPv4 rule: 0.0.0.0/0, default for IPv6
                        rule: ::/0)

It is also ok for me to revert the removal of 0.0.0.0/0 on this PR if you like me to do so :-)

no need, just want to understand the logic here, all good :_)

@jichenjc
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 16, 2021
@jichenjc
Copy link
Contributor

wait for zuul job to merge

@jichenjc
Copy link
Contributor

@sbueringer looks like we don't want to run openstack/check anymore as the playbook is missing
so we should go ahead merge this and overwrite the failure..

@jichenjc
Copy link
Contributor

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2021
@k8s-ci-robot k8s-ci-robot merged commit 1a851a4 into kubernetes-sigs:master Mar 16, 2021
@sbueringer
Copy link
Member

@jichenjc Yes we have to ignore the OpenLab failures for now. I'll try to remove the OpenLab ASAP after we have the ProwJob on release-0.3

@chrischdi chrischdi mentioned this pull request May 18, 2021
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbueringer sbueringer sbueringer approved these changes

@hidekazuna hidekazuna Awaiting requested review from hidekazuna

@prankul88 prankul88 Awaiting requested review from prankul88

Assignees

@jichenjc jichenjc

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Improve security group reconcilation
4 participants
@chrischdi @k8s-ci-robot @jichenjc @sbueringer