Webhook to check name + namespace exceeds 63 characters #117
Conversation
yiraeChristineKim
force-pushed
the
ACM-3558
branch
2 times, most recently
from
be17816 to
d37ce21
Compare
yiraeChristineKim
force-pushed
the
ACM-3558
branch
2 times, most recently
from
2cfe113 to
76261c0
Compare
yiraeChristineKim
force-pushed
the
ACM-3558
branch
4 times, most recently
from
1dc429a to
c6bfb1d
Compare
yiraeChristineKim
force-pushed
the
ACM-3558
branch
from
0d814e7 to
7203213
Compare
yiraeChristineKim
force-pushed
the
ACM-3558
branch
2 times, most recently
from
9f492e2 to
f8e9617
Compare
yiraeChristineKim
requested review from
dhaiducek,
mprahl,
JustinKuli and
gparvin
yiraeChristineKim
force-pushed
the
ACM-3558
branch
from
f8e9617 to
6a4f78a
Compare
deploy/manager/manager.yaml
Outdated
| labels: | ||
| app.kubernetes.io/component: manager | ||
| app.kubernetes.io/created-by: webhook | ||
| app.kubernetes.io/instance: controller-manager | ||
| app.kubernetes.io/managed-by: kustomize | ||
| app.kubernetes.io/name: deployment | ||
| app.kubernetes.io/part-of: webhook | ||
| control-plane: controller-manager |
There was a problem hiding this comment.
Do we need to add any of these labels for the webhook to work? If so, let's make them a bit more specific to just our controller, if possible. Eg app.kubernetes.io/name: governance-policy-propagator
There was a problem hiding this comment.
seems like woking well without label
| Expect(err).ShouldNot(HaveOccurred()) | ||
| }) | ||
| Describe("Test name + namespace over 63", func() { | ||
| It("Should the error message is presented", func() { |
There was a problem hiding this comment.
Can we add another test for when the error doesn't happen? Since this is the only test running right now when the webhook is enabled, I think?
There was a problem hiding this comment.
I tried to add update case but namespace and name cannot be modified... I tried to add long namespace and short name but namespace itself has limitation so... would you give some idea?!
yiraeChristineKim
force-pushed
the
ACM-3558
branch
3 times, most recently
from
e0378df to
6e8dd3f
Compare
yiraeChristineKim
force-pushed
the
ACM-3558
branch
2 times, most recently
from
6dab275 to
3d1fdd0
Compare
yiraeChristineKim
force-pushed
the
ACM-3558
branch
from
3d1fdd0 to
fa4d861
Compare
api/v1/policy_webhook.go
Outdated
|
|
||
| var ( | ||
| // log is for logging in this package. | ||
| policylog = logf.Log.WithName("policy-resource") |
There was a problem hiding this comment.
| policylog = logf.Log.WithName("policy-resource") | |
| policylog = logf.Log.WithName("policy-validating-webhook") |
| @@ -0,0 +1,61 @@ | |||
| apiVersion: v1 | |||
There was a problem hiding this comment.
Note that when this is added to ACM, you'll want to use OpenShift's mechanism of generating certificates instead of Cert Manager:
https://docs.openshift.com/container-platform/4.13/security/certificates/service-serving-certificate.html#add-service-certificate_service-serving-certificate
https://docs.openshift.com/container-platform/4.13/security/certificates/service-serving-certificate.html#add-service-certificate-validating-webhook_service-serving-certificate
No action is needed in this PR though.
main.go
Outdated
|
|
||
| pflag.StringVar(&metricsAddr, "metrics-bind-address", ":8383", "The address the metric endpoint binds to.") | ||
| pflag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") | ||
| pflag.BoolVar(&enableLeaderElection, "leader-elect", true, | ||
| "Enable leader election for controller manager. "+ | ||
| "Enabling this will ensure there is only one active controller manager.") | ||
| pflag.BoolVar(&enableWebhooks, "enable-webhooks", true, | ||
| "Enable webhook for validating namespace + name less than 63 characters") |
There was a problem hiding this comment.
| "Enable webhook for validating namespace + name less than 63 characters") | |
| "Enable the policy validating webhook") |
| Expect(utf8.RuneCountInString(testNamespace+"."+case17PolicyReplicatedName) + | ||
| utf8.RuneCountInString("managed1")).Should(BeNumerically(">", 63)) |
There was a problem hiding this comment.
| Expect(utf8.RuneCountInString(testNamespace+"."+case17PolicyReplicatedName) + | |
| utf8.RuneCountInString("managed1")).Should(BeNumerically(">", 63)) | |
| Expect(utf8.RuneCountInString("managed1."+testNamespace+"."+case17PolicyReplicatedName)).Should(BeNumerically(">", 63)) |
yiraeChristineKim
force-pushed
the
ACM-3558
branch
from
fa4d861 to
57df98c
Compare
|
@JustinKuli did you want to take another look at this? |
- The 63 character limit validation for policy name is not working while creating a Policy via CLI. - Policy creation - Policy name + namespace name can’t go longer than 63 From CLI, it possible to create a policy with a name like “policy-check-setupjob-setupjob-operator-installer” with no issue; but, while wanting to edit it, we can’t. - Getting this error: “The combined length of namespace and policy nmabe (namespaceName.policyName) should not exceed 63 characters (see attached screeshot) Ref: https://issues.redhat.com/browse/ACM-3558 Signed-off-by: Yi Rae Kim <[email protected]>
yiraeChristineKim
force-pushed
the
ACM-3558
branch
from
57df98c to
6de2be4
Compare
| ports: | ||
| - port: 443 | ||
| protocol: TCP | ||
| targetPort: 9443 |
There was a problem hiding this comment.
Do you want to use the name (i.e. webhook-http) here instead of the port number?
There was a problem hiding this comment.
I think targetport is enough
There was a problem hiding this comment.
why I change to webhook-http, http duplicated so there was kind test error
|
/unhold |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JustinKuli, mprahl, yiraeChristineKim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description: No validation if name + namespace exceeds 63 characters and Policy applied via CLI or Gitops now
After fix:
Error from server (Forbidden): error when creating "policy.yaml": admission webhook "policy.open-cluster-management.io.webhook" denied the request: the combined length of namespace and policy name (namespaceName.policyName) should not exceed 63 charactersThis error message shows on terminal when policy name + namespace exceeds 63 characters
Ref: https://issues.redhat.com/browse/ACM-4394