provider: avoid CSI secret name collisions #2537
Conversation
Fixing a really small but obnoxious typo as well as a nil reference panic found during development on that same variable. Signed-off-by: Jose A. Rivera <[email protected]>
Signed-off-by: Jose A. Rivera <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jarrpa The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
jarrpa
force-pushed
the
jarrpa/csi-secret-collision
branch
from
c9bb002 to
77ce704
Compare
|
LGTM. |
jarrpa
force-pushed
the
jarrpa/csi-secret-collision
branch
from
77ce704 to
44dbbb8
Compare
services/provider/server/server.go
Outdated
| @@ -393,6 +393,10 @@ func (s *OCSProviderServer) getCephClientInformation(ctx context.Context, name s | |||
| return cephClient.Status.Info["secretName"], cephClient.Annotations[controllers.StorageCephUserTypeAnnotation], nil | |||
| } | |||
|
|
|||
| func scrCephClientCsiSecretName(secretType, suffix string) string { | |||
There was a problem hiding this comment.
Shouldn't this be called storageClaimCepCSISecretName mainly because it produces a name for a secret reconciled by the storage claim, not the request?
| // This field was named before a small refactor to clarify | ||
| // what it actually represents, but is being kept as-is so as | ||
| // to not change the generative logic. | ||
| StorageClassClaimName string `json:"storageClassRequestName"` |
There was a problem hiding this comment.
Shouldn't this be called StorageClaimName? we moved away from StorageClassClaim API and replaced it with StorageClaim API
There was a problem hiding this comment.
I didn't think it was worth the effort to unify that everywhere in the codebase on the provider side. That's another follow-up PR, if anything.
There was a problem hiding this comment.
As the final results are changes we don't need to keep storageClassRequestName in the json we can just change it to storageclaimName. WDYT?
There was a problem hiding this comment.
@jarrpa I am not asking to change existing misleading names. Just to not add new fields/renames into misleading names
| func getStorageClassRequestName(consumerUUID, storageClassRequestName string) string { | ||
| // getStorageClassRequestHash generates a hash for a StorageClassRequest based | ||
| // on the MD5 hash of the StorageClassClaim name and storageConsumer UUID. | ||
| func getStorageClassRequestHash(consumerUUID, storageClassClaimName string) string { |
There was a problem hiding this comment.
If we are doing this change then you need to change the call sites on storageClassRequestManager that refer to the same param as StorageClassRequestName which I agree is misleading
There was a problem hiding this comment.
change storageClassClaimName to storageClaimName ?
jarrpa
force-pushed
the
jarrpa/csi-secret-collision
branch
from
44dbbb8 to
d7b072f
Compare
| TicketAnnotation = "ocs.openshift.io/provider-onboarding-ticket" | ||
| ProviderCertsMountPoint = "/mnt/cert" | ||
| onboardingTicketKeySecret = "onboarding-ticket-key" | ||
| storageClassClaimNameLabel = "ocs.openshift.io/storageclassclaim-name" |
There was a problem hiding this comment.
| storageClassClaimNameLabel = "ocs.openshift.io/storageclassclaim-name" | |
| storageClaimNameLabel = "ocs.openshift.io/storageclaim-name" |
it should be storageClaimNameLabel?
There was a problem hiding this comment.
I think this is more dangerous (and might have side effects) and regardless should not be part of this PR
| func getStorageClassRequestName(consumerUUID, storageClassRequestName string) string { | ||
| // getStorageClassRequestHash generates a hash for a StorageClassRequest based | ||
| // on the MD5 hash of the StorageClassClaim name and storageConsumer UUID. | ||
| func getStorageClassRequestHash(consumerUUID, storageClassClaimName string) string { |
There was a problem hiding this comment.
change storageClassClaimName to storageClaimName ?
| // This field was named before a small refactor to clarify | ||
| // what it actually represents, but is being kept as-is so as | ||
| // to not change the generative logic. | ||
| StorageClassClaimName string `json:"storageClassRequestName"` |
There was a problem hiding this comment.
As the final results are changes we don't need to keep storageClassRequestName in the json we can just change it to storageclaimName. WDYT?
Edit: I see you mentioned a follow-up in one of the comments, from above what will you be working on @jarrpa? |
|
@Madhu-1: To all your @leelavg Neither! The follow-up PR will be to refactor the logic in the |
Probably as a holdover from a previous design, the provider server code uses "storageClassRequestName" in multiple places where it is not appropriate. These often hold the name for the *StorageClassClaim* that came in as part of the FulfillStorageClassClaim() call. I seriously lost hours of my time before I figured out this mistake, so I'm saving everyone else the headache in the future. Signed-off-by: Jose A. Rivera <[email protected]>
Signed-off-by: Jose A. Rivera <[email protected]>
Previously, when fetching a storage claim config, a remote consumer was given information for creating the Ceph CSI Secrets that was identical to the secret names on the provider side. Running a consumer in the same namespace as the provider introduced namespace collisions. Hilariously, by virtue of being the same information, things just kinda worked out anyway. Still, this is likely going to produce massive problems later, so better to fix it now. Signed-off-by: Jose A. Rivera <[email protected]>
jarrpa
force-pushed
the
jarrpa/csi-secret-collision
branch
from
d7b072f to
b1da566
Compare
I agree with a small caveat. If you are renaming existing names or adding new vars/fields with new names you should use the correct terminology with this new stuff. This does not mean you need to go and rename the entirety of the existing codebase |
|
to author & reviewers, may I know the status quo of this PR? if it makes sense, can we resist the renames not to ride on a bug fix? yes, we renamed storageclassclaim api to storageclaim api in client side and storageclassrequest gets the fields indirectly from client via gRPC and gRPC methods aren't updated yet, can we not do some part here and some part in another PR? I understand the refactor of func to get hash, however at the end it'll neither be storageclassrequest nor storageclassclaim and can we not make diff there? |
|
Superseded by #2571, thanks for working on this! |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Previously, when fetching a storage claim config, a remote consumer was given information for creating the Ceph CSI Secrets that was identical to the secret names on the provider side. Running a consumer in the same namespace as the provider introduced namespace collisions.
Hilariously, by virtue of being the same information, things just kinda worked out anyway. Still, this is likely going to produce massive problems later, so better to fix it now.
Signed-off-by: Jose A. Rivera [email protected]