-
Notifications
You must be signed in to change notification settings - Fork 577
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 2039256: kubebuilder validation format hostname is not RFC compliant #1120
Bug 2039256: kubebuilder validation format hostname is not RFC compliant #1120
Conversation
@candita: This pull request references Bugzilla bug 2039256, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
cbaf1ae
to
d6c4fd5
Compare
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
4 similar comments
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
d6c4fd5
to
06635b6
Compare
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
1 similar comment
/retest |
06635b6
to
9ae3162
Compare
/lgtm |
@candita: This pull request references Bugzilla bug 2039256, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @benluddy |
Is it necessary to change the regular expression so that it no longer matches strings that might already exist in the wild (e.g. with uppercase letters or symbols)? Any update to an existing Would it be reasonable to loosen this validation, then expect a bad hostname (or, more likely, errors resulting from using the bad hostname) to be surfaced by an operator in ComponentRouteStatus? |
Hi @benluddy,
It's a tradeoff. I considered this when I began the process, got some feedback on it, and decided it was better to match the
I considered this too, and consulted with the developer of If there's some scenario where we would want to allow |
I think that's what I'm proposing, too. Aren't these the same components that would be encountering validation errors during Route updates? For example, https://github.com/openshift/cluster-authentication-operator/blob/65cd3f0c3801462ac5bd4f3839a92f021d75f1ce/pkg/controllers/customroute/custom_route_controller.go#L100? I'd expect this controller to set "Degraded: true" on the appropriate entry of Couldn't there be cases where some, but not all, of the componentRoutes contain hostnames containing uppercase letters (for example)? If this regex is tightened, none of the components consuming componentRoutes that are valid will no longer be able to keep their respective componentRouteStatus up-to-date. How will users discover that their cluster is in this state? |
At one point in the design, there was no hostname validation, then there was a trusted kubebuilder format that was actually broken, so I am trying to fix that without introducing a complicated regex that is hard to maintain. To fix this bug, all I really need to do is make it allow dashes and numbers in the TLD. But there are so many other potential bugs with the former regex, that it's worth fixing this now (it doesn't check for total length, allows symbols and upper case, doesn't allow one-word hostnames, allow start/end of labels with non-alphanumeric)
There is one componentRouteStatus per componentRoute, stored in api/config/v1/types_ingress.go Line 101 in a615696
Nothing in IngressOperator uses or updates that IngressStatus , so it must be there for the components. Did I answer your question?
|
if I understand it correctly, the components (other operators than ingress operator) will update the status of the singleton we want to understand how big of a problem that is. |
The verify test fails due to using a invalid construct for RE2. |
@candita: This pull request references Bugzilla bug 2039256, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
e204de0
to
ec20d3a
Compare
ec20d3a
to
1fec415
Compare
/retest |
@Miciah, I fixed that last typo. Could you PTAL and label? |
Thanks! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: candita, deads2k, Miciah, tkashem The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@candita: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@candita: This pull request references Bugzilla bug 2039256. The bug has been updated to no longer refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Would this fix the missing bugzilla link? |
@candita: All pull requests linked via external trackers have merged: Bugzilla bug 2039256 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.10 |
@candita: new pull request created: #1162 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@candita: #1120 failed to apply on top of branch "release-4.8":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Maybe not. |
…validation format hostname is not RFC compliant
Bug 2081457: kubebuilder validation format hostname is not RFC compliant
We use the go-openapi/strfmt library for the "hostname" kubebuilder validation format in
componentRoutes
. This format does not accept numbers or hyphens in the TLD as noted in https://bugzilla.redhat.com/show_bug.cgi?id=2039256#c3.I checked with the openshift/api team and they recommended replacing the hostname format with my own regex, but I have to be careful with downgrades. Therefore I changed the regex pattern to be looser.
The old pattern that came from go-openapi/strfmt:
^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$
The new pattern is simply an
|
of the old pattern with the correct, tighter, pattern (formatted here for clarity):^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$ | ^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$
Based on previous code review, the tighter side of the
|
removes the uppercase A-Z provision, removes \p{S} (symbols), and \p{L} (international language letters). Also enforces labels must start/end in alphanumeric characters, and one-word hostnames accepted.I also checked with go-openapi owners in go-openapi/strfmt#94 about changing the library regex, but the solution they prefer doesn't fit for a solution for us.
Also fixes duplicate bug (with higher priority) https://bugzilla.redhat.com/show_bug.cgi?id=2049473