Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Prototype] Fix for PATCH without tier prefix #9445

Conversation

caseydavenport
Copy link
Member

Description

This is one attempt at fixing #9437

Basically, we try the update as provided. If it fails, then we retry it removing the "tier" from the object. This allows us to call applyPatch on an object without the tier prefix, which passes the name validation.

Once it passes the applyPatch name validation, it continues on to PrepareForUpdate, at which point we need to re-canonicalize the objects to include the tier prefix on them for storage...

I am not sure this is a viable solution - we need to think about what happens if there actually are policies in different tiers and someone tries to send a PATCH. I think it might just be OK, because in the second case you would need to specify the tier name (it's only for default that this is really a problem?)

At a minimum, for this change to go in we'd want to also:

  • Only apply this logic for policies in the default tier
  • Only apply this logic if we get the precise error back that we expect in the mismatched tier case.

Related issues/PRs

Todos

  • Tests
  • Documentation
  • Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

@caseydavenport caseydavenport requested a review from a team as a code owner November 5, 2024 23:47
@marvin-tigera marvin-tigera added this to the Calico v3.30.0 milestone Nov 5, 2024
@marvin-tigera marvin-tigera added release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Nov 5, 2024
// Canonicalize the old object's name as well to make sure it's consistent.
// This typically shouldn't be needed for update requests, but is necessary in PATCH
// requests because we may need to strip the tier earlier in the pipeline to pass earlier validation.
old.(*calico.NetworkPolicy).Name = canonicalizePolicyName(old)
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming this approach even has legs, we'll need to make this change for global policies as well.

@@ -417,11 +419,27 @@ func (rs *resourceStore) GuaranteedUpdate(
klog.Errorf("checking preconditions (%s)", err)
return err
}

// update the object by applying the userUpdate func & encode it
updatedObj, ttl, err := userUpdate(curState.obj, *curState.meta)
if err != nil {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably want to check the exact error message here.

// object without the tier in the name, in which case we need to retry the update against the
// object without the tier in the name.
switch curState.obj.(type) {
case *v3.GlobalNetworkPolicy:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should probably only execute this logic if the tier is "default"

@caseydavenport
Copy link
Member Author

Closing this as @MichalFupso is working on a better fix.

@marvin-tigera marvin-tigera removed release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants