vms-admitter: remove validation of vm clone volume from webhook #12628
Conversation
kubevirt-bot
added
release-note-none
|
/sig storage |
kubevirt-bot
added
sig/storage
kind/cleanup
|
/cc @mhenriks |
|
/hold Let's get #12547 in first so we have a PR that we can easily backport Then this one will only hit main and release 1.4+ |
kubevirt-bot
added
the
do-not-merge/hold
kubevirt-bot
removed
the
do-not-merge/hold
|
@ShellyKa13 Not good form for you to unhold a PR you did not put a hold on |
|
/hold |
kubevirt-bot
added
do-not-merge/hold
ShellyKa13
force-pushed
the
remove-auth-web
branch
from
8cf8f61 to
504b467
Compare
kubevirt-bot
added
dco-signoff: no
ShellyKa13
force-pushed
the
remove-auth-web
branch
from
504b467 to
4695584
Compare
kubevirt-bot
added
dco-signoff: yes
tests/storage/datavolume.go
Outdated
| vm, err := virtClient.VirtualMachine(vm.Namespace).Create(context.Background(), vm, metav1.CreateOptions{}) | ||
| Expect(err).ToNot(HaveOccurred()) | ||
| defer func() { | ||
| err := virtClient.VirtualMachine(vm.Namespace).Delete(context.Background(), vm.Name, metav1.DeleteOptions{}) |
There was a problem hiding this comment.
Can you remind me why this defer is necessary?
There was a problem hiding this comment.
not sure why I added it, can't think of a reason why would it be needed since the vm should be cleaned up when the test ends anyways.. Will remove it..
ShellyKa13
force-pushed
the
remove-auth-web
branch
from
83929f3 to
78b5c1c
Compare
|
/retest-required |
|
/test pull-kubevirt-e2e-k8s-1.30-sig-storage |
|
/approve |
kubevirt-bot
added
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mhenriks The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
|
@arnongilboa , can you please have a look at this change? |
sure, it's in my queue |
tests/storage/datavolume.go
Outdated
| @@ -1025,30 +1025,6 @@ var _ = SIGDescribe("DataVolume Integration", func() { | |||
| Entry("with explicit role (all namespaces) snapshot clone", explicitCloneRole, true, false, snapshotCloneMutateFunc, false), | |||
| Entry("with explicit role (one namespace) snapshot clone", explicitCloneRole, false, true, snapshotCloneMutateFunc, false), | |||
| ) | |||
|
|
|||
| It("should skip authorization when DataVolume already exists", func() { | |||
There was a problem hiding this comment.
Why is this test irrelevant anymore? shouldn't we test it even after dropping the webhook validation?
There was a problem hiding this comment.
This was part of a PR of Micheal which is mostly since he added this logic to the webhook, but I guess I can keep this test since it can test the vm watch as well
| @@ -1602,48 +1594,6 @@ var _ = Describe("Validating VM Admitter", func() { | |||
| Entry("when everything suppied with 'sa' service account", "ns1", "ns2", "ns3", "sa", "ns3", "ns2", "sa"), | |||
| ) | |||
|
|
|||
| It("should successfully authorize clone with existing DataVolume", func() { | |||
There was a problem hiding this comment.
Why is this utest irrelevant anymore? shouldn't we test it even after dropping the webhook validation?
There was a problem hiding this comment.
the auth is checked in the vm watch ut. no need to test it here anymore since the webhook doesnt take it into account anymore
| @@ -1537,195 +1532,6 @@ var _ = Describe("Validating VM Admitter", func() { | |||
| Expect(causes).To(HaveLen(1)) | |||
| Expect(causes[0].Field).To(Equal("fake")) | |||
| }) | |||
|
|
|||
| DescribeTable("should successfully authorize clone", func(arNamespace, vmNamespace, sourceNamespace, | |||
There was a problem hiding this comment.
Why is this utest irrelevant anymore? shouldn't we check clone authorization from same / differnt ns?
There was a problem hiding this comment.
This is being tested in the vm watch
|
|
||
| // stop vm | ||
| vm = libvmops.StopVirtualMachine(vm) | ||
| libvmops.StartVirtualMachine(vm) | ||
| }, |
There was a problem hiding this comment.
intentionally removed the DV succeeded check covered by createVMSuccess? no need to stop as the ns is deleted?
There was a problem hiding this comment.
I dont need to create the vm anymore since the webhook doesnt fail the creation, instead the VM is created I see that the condition I expect is there and then I start the vm in that function there is a check the VM started successfully which assures the dv succeeded.
…taVolume already exists" Since the change that I will be making removes the auth check alltogether from the webhook we dont need some of the changes that were recently in PR kubevirt#12547 Signed-off-by: Shelly Kagan <[email protected]>
When having this check in the webhook we are preventing the creation of VMs which they datasource might not exist yet. Furthermore there are cases like in restore of backup where the vms volumes are already populated and dont event need to create the datavolume hence for sure no neede to prevent the VM from being created in absence of such source. This fix aims to fix bug: https://issues.redhat.com/browse/CNV-43272 While also make our product more aligned with eventual consistency model. Signed-off-by: Shelly Kagan <[email protected]>
Signed-off-by: Shelly Kagan <[email protected]>
Now we expect the create action to succeed and have a condition to represent that there are permission issues with the creation of the DV. After adding the permission we see that the we can be started and running successfully. Signed-off-by: Shelly Kagan <[email protected]>
Signed-off-by: Shelly Kagan <[email protected]>
ShellyKa13
force-pushed
the
remove-auth-web
branch
from
78b5c1c to
1f8de69
Compare
kubevirt-bot
removed
the
needs-rebase
|
/lgtm |
|
Required labels detected, running phase 2 presubmits: |
|
/unhold |
kubevirt-bot
removed
the
do-not-merge/hold
|
/retest |
When having this check in the webhook we are preventing the creation of VMs which their datasource might not exist yet. Furthermore there are cases like in restore of backup where the vms volumes are already populated and dont event need to create the datavolume hence for sure no need to prevent the VM from being created in absence of such source.
This fix aims to fix bug: https://issues.redhat.com/browse/CNV-43272 While also make our product more aligned with eventual consistency model.
Note: to clarify the removed authentication from the webhook is still being done in the vm reconcile loop before creating the datavolumes
Fixes # Jira-ticket: https://issues.redhat.com/browse/CNV-43272
Why we need it and why it was done in this way
The following tradeoffs were made:
The following alternatives were considered:
Links to places where the discussion took place:
Special notes for your reviewer
Checklist
This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.
Release note