EventHandling: Gateway/HTTPRoute/GRPCRoute resource changes enqueue events for attached IAMAuthPolicy/AccessLogPolicy resource #438
Conversation
zijun726911
force-pushed
the
iam-policy-event-handling
branch
from
248f39a to
a63f1e2
Compare
zijun726911
changed the title
Pull Request Test Coverage Report for Build 6541077103
💛 - Coveralls |
zijun726911
changed the title
zijun726911
changed the title
zijun726911
changed the title
zijun726911
force-pushed
the
iam-policy-event-handling
branch
2 times, most recently
from
465b177 to
8905c08
Compare
| for i, item := range pl.Items { | ||
| items[i] = &item | ||
| for i := range pl.Items { | ||
| items[i] = &pl.Items[i] | ||
| } |
There was a problem hiding this comment.
Previous code items[i] = &item has a bug that mess up the item pointers. it must use items[i] = &pl.Items[i]
There was a problem hiding this comment.
Thanks for catching this. What was the bug doing?
There was a problem hiding this comment.
Previous way &item could cause this scenario:
if pl.Items actually have {httproute-1, httproute-2}
the GetItems() could return {&httproute-2, &httproute-2}
| policy: &anv1alpha1.AccessLogPolicy{}, | ||
| }, | ||
| expectedK8sClientReturnedPolicies: []core.Policy{accessLogPolicy1HappyPath, accessLogPolicy2HappyPath}, | ||
| want: []core.Policy{accessLogPolicy1HappyPath, accessLogPolicy2HappyPath}, |
There was a problem hiding this comment.
GetAttachedPolicies() is able to return both 2 attatched accessLogPolicies
zijun726911
force-pushed
the
iam-policy-event-handling
branch
from
8905c08 to
15a0583
Compare
zijun726911
force-pushed
the
iam-policy-event-handling
branch
from
15a0583 to
62366d5
Compare
| t.log.Errorf("More than one TargetGroupPolicy is attached to the k8sService %s, "+ | ||
| "only the first one TargetGroupPolicy [%s/%s] will take effect, other TargetGroupPolicies will be ignored", refObjNamespacedName, tgp.Namespace, tgp.Name) | ||
| } | ||
| } |
There was a problem hiding this comment.
Ideally we should do that behaviour: If there are two tgps attached to a svc(serviceExport), set one policy status to accepted and set anothers status to conflicted.
But that need more extra work considering our current code structure (GetTargetGroupPolicy logic exists in the giant route reconcile logic). We could impliment that behaviour in a seperate PR. Issue: #440
For now, we just keep old code and new code have same behaviour: just make the first tgp(same for VpcAssociationPolicy) take effect and ignore other same kind policies (print a Error for it)
…) methods for event handling - Extend GetAttachedPolicy method to make it be able to map to multiple IAMAuthPolicy and AccessLogPolicy attached policies - Add IAMAuthPolicyController stub code
zijun726911
force-pushed
the
iam-policy-event-handling
branch
from
62366d5 to
d6cd855
Compare
| if gw, ok := obj.(*gateway_api.Gateway); ok { | ||
| policies := h.mapper.GatewayToAccessLogPolicies(context.Background(), gw) | ||
| for _, p := range policies { | ||
| h.log.Infof("Gateway [%s/%s] resource change triggers AccessLogPolicy [%s/%s] resource change", gw.Namespace, gw.Name, p.Namespace, p.Name) |
There was a problem hiding this comment.
Why use square brackets around the Gateway and Policy namespaced names? We don't do this elsewhere in the codebase
| @@ -73,6 +76,36 @@ func (r *resourceMapper) VpcAssociationPolicyToGateway(ctx context.Context, vap | |||
| return policyToTargetRefObj(r, ctx, vap, &gateway_api.Gateway{}) | |||
| } | |||
|
|
|||
| func (r *resourceMapper) GatewayToIAMAuthPolicies(ctx context.Context, gw *gateway_api.Gateway) []*anv1alpha1.IAMAuthPolicy { | |||
| policies, _ := gateway.GetAttachedPolicies(ctx, r.client, k8s.NamespacedName(gw), &anv1alpha1.IAMAuthPolicy{}) | |||
There was a problem hiding this comment.
What happens if there's an error here?
| authPolicyFinalizer = "iamauthpolicy.k8s.aws/resources" | ||
| ) | ||
|
|
||
| type authPolicyReconciler struct { |
| @@ -21,6 +22,7 @@ import ( | |||
| "github.com/aws/aws-application-networking-k8s/pkg/config" | |||
| ) | |||
|
|
|||
| // TODO: Remove `enqueueRequestsForGatewayEvent`, and use `gatewayEventHandler` only | |||
There was a problem hiding this comment.
why can we not do this now?
| mapper: &resourceMapper{log: log, client: client}} | ||
| } | ||
|
|
||
| func (h *grpcRouteEventHandler) MapToIAMAuthPolicies() handler.EventHandler { |
There was a problem hiding this comment.
I would like to have a test code for this, easier way to test is extract logic into method level so that you can refer to it outside
There was a problem hiding this comment.
I have unit tests for GetAttachedPolicies() does it enough?
| @@ -73,6 +76,36 @@ func (r *resourceMapper) VpcAssociationPolicyToGateway(ctx context.Context, vap | |||
| return policyToTargetRefObj(r, ctx, vap, &gateway_api.Gateway{}) | |||
| } | |||
|
|
|||
| func (r *resourceMapper) GatewayToIAMAuthPolicies(ctx context.Context, gw *gateway_api.Gateway) []*anv1alpha1.IAMAuthPolicy { | |||
There was a problem hiding this comment.
I don't really like a dependency relation from eventhandler to gateway package, I think this means something is wrong. GetAttachedPolicies() will be more suitable for a separate package.
There was a problem hiding this comment.
Ok, will change
| } | ||
|
|
||
| func policyTypeToPolicyListAndTargetRefGroupKind(policyType core.Policy) (core.PolicyList, gwv1beta1.Group, gwv1beta1.Kind, error) { | ||
| func policyTypeToPolicyListAndValidTargetRefObjGKs(policyType core.Policy) (core.PolicyList, map[schema.GroupKind]interface{}, error) { |
There was a problem hiding this comment.
The meaning of this is unclear, what is the goal of this function? The implementation doesn't make it clear either
| expectPolicyNotFound: false, | ||
| }, | ||
| { | ||
| name: "Get gateway attached IAMAuthPolicy, happy path", |
There was a problem hiding this comment.
What is the expected result of happy path? Typically, we shouldn't put "happy path" in the name of a test, but rather state what it is we expect the outcome to be
What type of PR is this? prepare for feature #18
Which issue does this PR fix: #18 #420
What does this PR do / Why do we need it:
If an issue # is not available please add repro steps and logs from aws-gateway-controller showing the issue:
Testing done on this change:
gatewayEventHandler.MapToIAMAuthPolicy()and(r *authPolicyReconciler) Reconcile()(r *authPolicyReconciler) Reconcile()function for the "targetRef gw obj my-hotel", i.e., Gateway/HTTPRoute/GRPCRoute resource changes could enqueue attached IAMAuthPolicy/AccessLogPolicy(Did the same thing for httpRoute, grpcRoute and MapToAccessLogPolicy() )
[FAIL] Creating Access Log Policy [It] sets Access Log Policy status to Conflicted when creating a new policy for the same targetRef and destination typeWill this PR introduce any new dependencies?:
NoWill this break upgrades or downgrades. Has updating a running cluster been tested?: No
Does this PR introduce any user-facing change?: No
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.