Refactor update-ips script

[simonklb]

Warning

This is public repository, ensure not to disclose:

• personal data beyond what is necessary for interacting with this pull request
• business confidential information, such as customer names

What kind of PR is this?

Required: Mark one of the following that is applicable:

• kind/feature
• kind/improvement
• kind/deprecation
• kind/documentation
• kind/clean-up
• kind/bug
• kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

• kind/admin-change
• kind/dev-change
• kind/security
• kind/adr

What does this PR do / why do we need this PR?

• Part of [3] Improve the logic of update-ips script #1750

Additional information to reviewers

Currently only added unit tests for the current state of the script and improved the error handling:

• Some errors didn't exit the script.
• Some errors didn't exit early or failed without a proper message.

I wanted to a fairly extensive test coverage before I start refactoring to not accidentally break the script. However, due to the code complexity I had to do it more or less line by line because it was too hard to parse the functionality in a more cohesive way.

Would appreciate someone taking a look. At least checking the title of the test cases to see if it is covering the script appropriately.

Screenshots

Checklist

• Proper commit message prefix on all commits
• Change checks:
  • The change is transparent
  • The change is disruptive
  • The change requires no migration steps
  • The change requires migration steps
• Metrics checks:
  • The metrics are still exposed and present in Grafana after the change
  • The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
  • The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
• Logs checks:
  • The logs do not show any errors after the change
• Network Policy checks:
  • Any changed pod is covered by Network Policies
  • The change does not cause any dropped packages in the NetworkPolicy Dashboard
• Pod Security Policy checks:
  • Any changed pod is covered by Pod Security Admission
  • Any changed pod is covered by Gatekeeper Pod Security Policies
  • The change does not cause any pods to be blocked by Pod Security Admission or Policies
• Falco checks:
  • The change does not cause any alerts to be generated by Falco
• Audit checks:
  • The change does not cause any unnecessary Kubernetes audit events
  • The change requires changes to Kubernetes audit policy
• Bug checks:
  • The bug fix is covered by regression tests

[Xartos]

Dear god 😱 1090 lines of tests for this script, props to you to for doing this

[Elias-elastisys]

Would it be possible in this PR to also add support for plain IPs for s3 instead of a domain? With the current script it produces a python exception. There have been some cases on-prem where we only get an IP.

[simonklb]

Would it be possible in this PR to also add support for plain IPs for s3 instead of a domain? With the current script it produces a python exception. There have been some cases on-prem where we only get an IP.

I don't want to introduce any functional changes as part of the refactoring. But I would be fine doing it as a separate change. Do we have an issue for it?

[Elias-elastisys]

I don't want to introduce any functional changes as part of the refactoring. But I would be fine doing it as a separate change. Do we have an issue for it?

No never created one, but I'll do it now.

[Elias-elastisys]

Issue here #1857

[simonklb]

One functional change has been made:
The dry-run previously was a bit inconsistent. For example, when diffing lists of IPs it was only showing the lists but for other things the diff of the full config file was used. Now every diff is of the full config file with 3 lines of context. Feel free to chime in if you think it should be different!

[simonklb]

@linus-astrom proposed elsewhere to sort IPs which I thought was a good idea. Currently they are not sorted, with this they should be. b30859e Let me know what the rest of you think!

[aarnq]

Huge improvement!

[simonklb]

Would love it if you could dry-run on a few of your environments to verify that nothing diffs (except for maybe the IPs being reordered due to the new sorting). Especially those with Swift and/or RClone enabled!

[aarnq]

Tested it on a few environments and it works well, including Swift + Rclone 👍