馃悰 Fix KCPRequestInfoResolver for kind: Cluster #2961
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
needs-ok-to-test
|
Hi @nikhita. Thanks for your PR. I'm waiting for a kcp-dev member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test Invited you to the org. |
openshift-ci
bot
added
ok-to-test
|
Closing & re-opening this PR to migrate it to the new Prow. Please do not be alarmed. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kcp-ci-bot
added
dco-signoff: no
|
@nikhita: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| expectedSubresource string | ||
| }{ | ||
| "path with /api prefix": { | ||
| path: "/api/v1/namespaces/default/pods", |
There was a problem hiding this comment.
Why are these valid paths? You need to prefix by cluster or service, there's no default logical cluster to access without specifying.
There was a problem hiding this comment.
at some point we redirected to system:admin, but disabled or broke that behaviour. Now the behaviour is a nasty error message in the log. We should decide how to move forward and make it an hard error early in the stack, e.g. here.
There was a problem hiding this comment.
Btw, these tests here might (or not, to be verifiy) actually be correct. In WithInClusterServiceAccountRequestRewrite we handle the case of a service account calling back without the /cluster prefix, but with the cluster set in the JWT.
There was a problem hiding this comment.
We also strip the /clusters/.. prefix here before passing to the RequestInfoResolver:
kcp/pkg/cache/server/config.go
Lines 172 to 186 in 88d6071
There was a problem hiding this comment.
if we strip the cluster prefix, why do we need this special requestinfo resolver in the first place?
| @@ -33,16 +34,28 @@ func NewKCPRequestInfoResolver() *KCPRequestInfoResolver { | |||
| } | |||
| } | |||
|
|
|||
| var clustersRE = regexp.MustCompile(`/clusters/[^/]+/(.*)$`) | |||
| var clustersRE = regexp.MustCompile(`/clusters/[^/]+(/.*)$`) | |||
There was a problem hiding this comment.
am curious: why don't we start with ^ aka match the beginning of the string? Now we would also match /foo/cluster/.... Don't think that's intentional.
There was a problem hiding this comment.
am curious: why don't we start with ^ aka match the beginning of the string?
This is to handle all /services/... URLs. The request resolver was actually added to handle the /services/... URLs - 963ffde
Some more additional context is in #2479 (comment)
There was a problem hiding this comment.
the service URLs rechnically have nothing to do with the main kcp server. Would rather expect them to strip the prefix first before apply this resolver.
There was a problem hiding this comment.
Im bit lost. Will this solve :ncdc: comment about 60s timeouts? As if I want to build service with streaming to VW backed services, this might be an issue.?
There was a problem hiding this comment.
So expectations is that WE ALWAYS trim first prefix for /services, and first /clusters?
The cache server preprocesses the path to remove the cluster prefix in https://github.com/kcp-dev/kcp/blob/88d6071b2aaf47bcd5e854f8209e4c3bd8035b35/pkg/cache/server/config.go#L172-L186. When a resource of type "cluster" is created and the first cluster prefix is dropped, the path would be a k8s request info path (/apis/...) but will still have the `clusters` keyword in the path. Due to this, the regex in the kcp request info resolver does not work well. This commit updates the resolver: 1. If a path is a k8s request info path (begins with `/api` or `/apis`), then the path is not checked against the regex. 2. The regex is updated to preserve the forward slash in the strippedURL.
nikhita
force-pushed
the
fix-for-kind-cluster
branch
from
5788e66
to
1c41780
Compare
kcp-ci-bot
added
dco-signoff: yes
|
/test pull-kcp-lint |
|
/retest |
| t := req.Clone(req.Context()) | ||
| t.URL.Path = strippedURL | ||
| return k.delegate.NewRequestInfo(t) | ||
| if !containsPrefix([]string{"/apis/", "/api/"}, req.URL.Path) { |
There was a problem hiding this comment.
with my comment above, this line could go and we would be back at the old code, right?
|
@kcp-dev/kcp-contributors lets pick this up? |
Summary
The cache server preprocesses the path to remove the cluster prefix in
kcp/pkg/cache/server/config.go
Lines 172 to 186 in 88d6071
When a resource of
kind: Clusteris created and the first cluster prefix is dropped, the path would be a k8s request info path (/apis/...) but will still have theclusterskeyword in the path.Due to this, the regex in the kcp request info resolver does not work well.
This commit updates the resolver to include the following changes:
If a path is a k8s request info path (begins with
/apior/apis), then the path is not checked against the regex.The regex is updated to preserve the forward slash in the strippedURL.
Related issue(s)
Fixes #2811