-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CFE-857: Apply user defined tags on created gcp resources #7279
Conversation
c6b0254
to
e67b432
Compare
07652d2
to
80da9cd
Compare
0170f96
to
5bd3416
Compare
You will want to separate the go vendoring into a separate commit (like this https://github.com/openshift/installer/blob/master/docs/dev/dependencies.md#go) to make it easier to review |
Thank you for reviewing @patrickdillon! I have split the go mod changes into two for go.mod update and for adding new vendor code. |
5658f2b
to
bfac051
Compare
@bharath-b-rh: This pull request references CFE-857 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/remove-hold |
/retest-required |
/cc @bfournie |
if errors.As(err, &gErr) && (gErr.HTTPCode() == http.StatusNotFound || | ||
gErr.HTTPCode() == http.StatusForbidden) { | ||
logrus.Debugf("does not have permission to access %s tag or does not exist", name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why give an ambiguous message if you can identify the 2 scenarios?
if errors.As(err, &gErr) && (gErr.HTTPCode() == http.StatusNotFound || | |
gErr.HTTPCode() == http.StatusForbidden) { | |
logrus.Debugf("does not have permission to access %s tag or does not exist", name) | |
if errors.As(err, &gErr) { | |
switch gErr.HTTPCode() { | |
case http.StatusNotFound: | |
logrus.Debugf("tag %s does not exist: %s", name, err.Error()) | |
case http.StatusForbidden: | |
logrus.Debugf("permission issues accessing tag %s: %s", name, err.Error()) | |
} | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Error returned by the GCP APIs is also similar. I think it's because RBAC can be defined on each tag key and value, and with a given service account, it won't be possible to say whether the tag exists and is inaccessible or it doesn't exist at all, so thought to keep the same. Below error was returned for a tag value which didn't exist.
User [xyz] does not have permission to access tagValues instance [namespaced] (or it may not exist): Permission denied on resource 'openshift/key/value' (or it may not exist).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code updated, new API of cloudresourcemanager
package returns StatusForbidden
for both non-existent and inaccessible tags.
// getProcessedTags returns the list user-provided validated tags. | ||
func getProcessedTags(mgr TagManager, ic *types.InstallConfig) (map[string]string, error) { | ||
if !processedTags.getState() { | ||
if err := validateUserTags(mgr, ic); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a bit weird that the definition for validateUserTags
lives in the validation.go
file and it basically just calls validateAndStoreUserTags
which is defined in this file. Also, I don't see why this function has to receive the InstallConfig
object if it only needs the project name and the userTags to do its job.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I missed this unnecessary call while incorporating the comments, I will update it.
I thought to pass the InstallConfig
object reference and use what's required, instead of passing individual parameters. Please let me know, if needs to be changed.
@@ -0,0 +1,83 @@ | |||
// Code generated by MockGen. DO NOT EDIT. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code will be merged with mock code in pkg/asset/installconfig/gcp/mock/gcpclient_generated.go
after updating google.golang.org/api/cloudresourcemanager
from v1
to v3
in the follow up PR.
return dupTags | ||
} | ||
|
||
// getCloudResourceServiceForTags returns the client required for querying resource manager resources. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code will be merged with client code in pkg/asset/installconfig/gcp/client.go
after updating google.golang.org/api/cloudresourcemanager
from v1
to v3
in the follow up PR.
@bharath-b-rh: This pull request references CFE-857 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
LGTM in terms of the code but I haven't tested it myself. I'll leave it to @patrickdillon to give this a last look and tag it. |
Generally this looks good to me (but needs a rebase). We are moving away from Terraform and implementing a CAPI-based install pattern (see the enhancement for details). This code is already done so I am fine with merging it, but depending on the progress we make, it is possible we will not be using Terraform for GCP in 4.16. In order to support this feature going forward, it will be necessary for us to implement user tag support in the cluster-api-provider-gcp as it currently does not have support. |
da46904
to
1363d39
Compare
@bharath-b-rh: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest-required |
Thank you! I have rebased the PR. |
/lgtm |
11fb96e
into
openshift:master
PR is for adding user-defined tags to the GCP resources created by installer during cluster creation.
Name
and it needs to be derived using the parametersOrganizationID, UserTag.Key, UserTag.Value
defined by user in install-config.