Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added Validations for WorkloadGroups, fixed issue with references. #8062

Merged
merged 6 commits into from
Jan 30, 2025
Merged

Added Validations for WorkloadGroups, fixed issue with references. #8062

merged 6 commits into from
Jan 30, 2025

Conversation

hhovsepy
Copy link
Contributor

@hhovsepy hhovsepy commented Jan 14, 2025
edited
Loading

Describe the change

Added 2 new Validation Warning messages for Workload Groups:
"Warning KIA1701 Service Account not found in this namespace".
"Warning KIA1702 More than one Workload Group with duplicate labels found in the same namespace"
Kiali does not list ServiceAccounts directly from the system but is listing them from the Pods.
That is why the notification severity is Warning not a Error.

Steps to test the PR

Create a WorkloadGroup with non existing Service Account, or with Service Account from other namespace, and with labels which exist in another WG in the same namespace.

apiVersion: networking.istio.io/v1
kind: WorkloadGroup
metadata:
  name: ratings-vm
  namespace: bookinfo
spec:
  metadata:
    labels:
      app: ratings-vm
  template:
    serviceAccount: bookinfo-ratings
---
apiVersion: networking.istio.io/v1
kind: WorkloadEntry
metadata:
  name: ratings-vm
spec:
  address: 2.2.2.2
  labels:
    class: vm
    app: ratings-vm
    version: v3
  serviceAccount: bookinfo-ratings
  network: vm-us-east
---
apiVersion: networking.istio.io/v1
kind: WorkloadGroup
metadata:
  name: ratings-vm2
  namespace: bookinfo
spec:
  metadata:
    labels:
      app: ratings-vm
  template:
    serviceAccount: wrong
---
apiVersion: networking.istio.io/v1
kind: WorkloadEntry
metadata:
  name: ratings-vm2
  namespace: bookinfo
spec:
  address: 2.2.2.2
  labels:
    class: vm2
    app: ratings-vm2
    version: v4
  serviceAccount: bookinfo-ratings
  network: vm-us-east
---
apiVersion: networking.istio.io/v1
kind: WorkloadGroup
metadata:
  name: ratings-vm-no-entry
  namespace: bookinfo
spec:
  template:
    serviceAccount: bookinfo-ratings

Screenshot From 2025-01-20 12-38-35

Automation testing

Added unit tests.

Issue reference

#8058
Docs: kiali/kiali.io#853

@hhovsepy hhovsepy mentioned this pull request Jan 15, 2025
Merged
@hhovsepy hhovsepy marked this pull request as ready for review January 15, 2025 15:58
@hhovsepy hhovsepy requested a review from ferhoyos January 15, 2025 15:58
@hhovsepy hhovsepy self-assigned this Jan 15, 2025
@hhovsepy hhovsepy marked this pull request as draft January 17, 2025 12:53
@hhovsepy hhovsepy marked this pull request as ready for review January 20, 2025 11:43
ferhoyos
ferhoyos requested changes Jan 28, 2025
View reviewed changes
Copy link
Contributor

@ferhoyos ferhoyos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job @hhovsepy, a pair of validations well tested with multiple scenarios. I have been playing a bit with the WorkloadGroup definitions and the validations seem to work as expected 🙂.

I think there is a small mismatch in the workload entry CR.

Not related to this PR, I have a pair of suggestions about Workload Group support in Kiali:

  • It is a bit confusing that all Workload Groups status are Not Ready because they don't have pods. I assume that we are limited and we cannot know if they are ready, but I think it is better to show an Unknown status instead of Not Ready.

image

The same in the Workload group details page:
image

  • Since only the overview tab of a Workload Group shows any information, maybe it would be better to hide the rest of the tabs and just show the overview one. Another option is to show a message in all the tabs that the feature is not available in workload groups (like we already do for logs):

image

business/references/workloadentry_references.go Show resolved Hide resolved
business/workloads.go Outdated Show resolved Hide resolved
business/checkers/authorization/principals_checker_test.go Outdated Show resolved Hide resolved
@hhovsepy
Added Validations for WorkloadGroups, fixed issue with references.
dd59126 
lint

Test Sidecars with correct labels without class

Added validation KIA1702

Fixed Labels to WG.Spec.Metadata.Labels
@hhovsepy
Skip labels selector or WG, consider WG without Spec.Metadata
39a2d5f
ferhoyos
ferhoyos previously approved these changes Jan 29, 2025
View reviewed changes
Copy link
Contributor

@ferhoyos ferhoyos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Hayk for the clarifications, now the PR is ready to be merged.

@hhovsepy
Copy link
Contributor Author

@ferhoyos added missing comments, hiding the rest of unsupported tabs in WorkloadGroups, also in the test steps added the WorkloadEntries, so the status is not "Not Ready":
Screenshot From 2025-01-29 10-32-10
Screenshot From 2025-01-29 10-12-12

@hhovsepy hhovsepy requested a review from ferhoyos January 29, 2025 09:37
@hhovsepy
Copy link
Contributor Author

@ferhoyos tabs will be hidden in App details page as well:
Screenshot From 2025-01-29 12-30-32

@ferhoyos
Copy link
Contributor

Thanks, Hayk, for the changes! Now it looks much better.

The issue I see is that the application details page doesn’t explain why the information is limited (e.g., there is no workload group badge anywhere). Additionally, there is no application type like in the workloads, which makes the message somewhat confusing.

My two cents:

  • Change the message to something like: "Kiali provides limited information about this application because it contains a non-Kubernetes workload."
  • Add the WG or a similar badge to the workload to indicate which one is non-Kubernetes.

@hhovsepy
Copy link
Contributor Author

Thanks @ferhoyos, changed the message, but the 'W' badge is remained used since we don't display 'WG' or other workload types anywhere.
Screenshot From 2025-01-30 08-14-05

ferhoyos
ferhoyos approved these changes Jan 30, 2025
View reviewed changes
Copy link
Contributor

@ferhoyos ferhoyos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't mean to substitue the Workload icon by the Workload group one, just adding an icon to the right indicating that it is a workload group or another icon that indicates that it is an unsupported workload.

image

Anyway, reading the new message it is quite clear that the limited information provided is due to the workload type. Approving the PR.

@hhovsepy hhovsepy merged commit d67f9f0 into kiali:master Jan 30, 2025
10 checks passed
@jshaughn jshaughn added the test: back-end/integration PR adds/updates back-end tests (unit and/or integration) label Jan 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ferhoyos ferhoyos ferhoyos approved these changes

Assignees

@hhovsepy hhovsepy

Labels
test: back-end/integration PR adds/updates back-end tests (unit and/or integration)
Projects
Kiali Sprint 25-03 | Kiali v2.6
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hhovsepy @ferhoyos @jshaughn