Improve the Gateway ResolvedRefs condition documentation #1419

Merged

Conversation

mlavacca
Member

What type of PR is this?

/kind documentation

What this PR does / why we need it:
The ListenerReasonRefNotPermitted documentation has been improved to specify that this reason can be triggered by either an unpermitted BackendRef or an unpermitted CertificateRef. Besides, the ListenerReasonInvalidCertificateRef documentation has been improved to specify better what makes a listener CertificateRef invalid.

Which issue(s) this PR fixes:

Fixes #1362

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added the kind/documentation (Categorizes issue or PR as related to documentation.) and cncf-cla: yes (Indicates the PR's author has signed the CNCF CLA.) labels Sep 30, 2022
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.) label Sep 30, 2022
@k8s-ci-robot
Contributor

Hi @mlavacca. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S (Denotes a PR that changes 10-29 lines, ignoring generated files.) label Sep 30, 2022
@mlavacca mlavacca force-pushed the listener-not-permitted-docs branch 2 times, most recently from 614abc7 to 1144ce7 September 30, 2022 09:38
@mlavacca mlavacca changed the title from "Gateway API docs updated" to "Gateway API docs update" Sep 30, 2022
Member

@robscott robscott left a comment

Thanks @mlavacca! Would like to get @youngnick's review on this as well.

/cc @youngnick

Comment on lines 408 to 411
// one of the Listener's Routes references an object in another namespace,
// where the object in the other namespace does not have a ReferenceGrant
// explicitly allowing the reference. The unpermitted reference can be
// either a BackendRef, or a CertificateRef.
Member

A couple thoughts that are

  1. It seems strange for this to extend to invalid references in attached routes. Maybe @youngnick has been thinking about this as part of the broader conditions update he's working on?
  2. It seems like cross-namespace references that are not allowed by a ReferenceGrant should always receive the RefNotPermitted reason, regardless of if the Secret actually exists.

Member Author

@mlavacca mlavacca Oct 3, 2022

  1. It seems like cross-namespace references that are not allowed by a ReferenceGrant should always receive the RefNotPermitted reason, regardless of if the Secret actually exists.

In this case, we should decide which reason has the highest severity: RefNotPermitted or InvalidCertificateRef. In my opinion, if no reference is allowed, the reason should be RefNotPermitted, no matter if the secret exists or is valid.
@robscott Do you agree/disagree or think that it is not clear by reading the description?

Member

I agree with what you're suggesting in this comment, I think this PR still needs some work to make that clear in the spec.

Member Author

  1. It seems strange for this to extend to invalid references in attached routes. Maybe @youngnick has been thinking about this as part of the broader conditions update he's working on?

I just figured out that the previous comment here was copy-pasted from RouteReasonRefNotPermitted:

// This reason is used with the "ResolvedRefs" condition when
// one of the Listener's Routes has a BackendRef to an object in
// another namespace, where the object in the other namespace does
// not have a ReferenceGrant explicitly allowing the reference.
RouteReasonRefNotPermitted RouteConditionReason = "RefNotPermitted"

And it doesn't make any sense here; it misled me. The only reason to have RefNotPermitted should be the reference to an ungranted secret. So I'm going to fix it.
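The rule the thread settles on, that an ungranted cross-namespace CertificateRef is reported as RefNotPermitted whether or not the Secret exists or is valid, and that only a permitted reference can be InvalidCertificateRef, as a small Go example. This is an added illustration, not code from the gateway-api project or from this PR: the types (CertificateRef, Secret, ReferenceGrant, Cluster), the function names and the sample namespaces infra, apps and private are constructed stand-ins, every referent is assumed to be a core-group object, and Secret validity is reduced to "exists and has type kubernetes.io/tls".

```go
package main

import "fmt"

// Constructed stand-ins for the Gateway API and core types involved; they are
// NOT the real apis/v1alpha2 types and assume every referent is a core-group object.
type CertificateRef struct{ Kind, Namespace, Name string } // Namespace "" = the Gateway's own namespace
type Secret struct{ Namespace, Name, Type string }         // Type should be "kubernetes.io/tls"
type ReferenceGrantFrom struct{ Group, Kind, Namespace string }
type ReferenceGrantTo struct{ Kind, Name string } // Name "" = any object of that Kind
type ReferenceGrant struct {                      // lives in the namespace of the referenced object (To)
	Namespace string
	From      []ReferenceGrantFrom
	To        []ReferenceGrantTo
}
type Cluster struct { // in-memory view of what a controller would have cached
	Secrets []Secret
	Grants  []ReferenceGrant
}

// Reason strings used with the Listener's ResolvedRefs condition.
const (
	ReasonResolvedRefs          = "ResolvedRefs"
	ReasonRefNotPermitted       = "RefNotPermitted"
	ReasonInvalidCertificateRef = "InvalidCertificateRef"
)

// grantPermits reports whether a ReferenceGrant in ref.Namespace lets a Gateway in gatewayNS reference the object.
func (c *Cluster) grantPermits(gatewayNS string, ref CertificateRef) bool {
	for _, g := range c.Grants {
		for _, f := range g.From {
			for _, t := range g.To {
				if g.Namespace == ref.Namespace &&
					f.Group == "gateway.networking.k8s.io" && f.Kind == "Gateway" && f.Namespace == gatewayNS &&
					t.Kind == ref.Kind && (t.Name == "" || t.Name == ref.Name) {
					return true
				}
			}
		}
	}
	return false
}

// invalidReason says why a permitted ref is unusable as a TLS certificate, or returns "" if it is fine.
func (c *Cluster) invalidReason(ref CertificateRef) string {
	if ref.Kind != "Secret" {
		return fmt.Sprintf("%s/%s: unsupported certificateRef kind %s", ref.Namespace, ref.Name, ref.Kind)
	}
	for _, s := range c.Secrets {
		if s.Namespace == ref.Namespace && s.Name == ref.Name && s.Type == "kubernetes.io/tls" {
			return "" // parsing the certificate bytes themselves is out of scope here
		}
	}
	return fmt.Sprintf("%s/%s: Secret does not exist or is not of type kubernetes.io/tls", ref.Namespace, ref.Name)
}

// ResolveCertificateRefs returns the reason and message for the Listener's ResolvedRefs
// condition (Status is true only for ReasonResolvedRefs). RefNotPermitted has the highest
// severity: any ungranted cross-namespace ref yields it, whether or not the Secret exists.
func ResolveCertificateRefs(gatewayNS string, refs []CertificateRef, c *Cluster) (reason, message string) {
	invalid := ""
	for _, ref := range refs {
		if ref.Namespace == "" {
			ref.Namespace = gatewayNS // ref is a copy; the caller's slice is untouched
		}
		if ref.Namespace != gatewayNS && !c.grantPermits(gatewayNS, ref) {
			return ReasonRefNotPermitted, fmt.Sprintf("%s/%s: no ReferenceGrant allows Gateways in %q to reference it", ref.Namespace, ref.Name, gatewayNS)
		}
		if msg := c.invalidReason(ref); msg != "" && invalid == "" {
			invalid = msg // remember the first invalid ref, but keep checking permissions
		}
	}
	if invalid != "" {
		return ReasonInvalidCertificateRef, invalid
	}
	return ReasonResolvedRefs, "all certificateRefs resolved"
}

func main() {
	// Constructed data: "apps" grants Gateways in "infra" access to its Secrets; "private" grants nothing.
	c := &Cluster{
		Secrets: []Secret{
			{Namespace: "apps", Name: "web-tls", Type: "kubernetes.io/tls"},
			{Namespace: "apps", Name: "opaque", Type: "Opaque"},
			{Namespace: "private", Name: "web-tls", Type: "kubernetes.io/tls"},
		},
		Grants: []ReferenceGrant{{Namespace: "apps",
			From: []ReferenceGrantFrom{{Group: "gateway.networking.k8s.io", Kind: "Gateway", Namespace: "infra"}},
			To:   []ReferenceGrantTo{{Kind: "Secret"}}}},
	}
	for _, ref := range []CertificateRef{
		{Kind: "Secret", Namespace: "apps", Name: "web-tls"},    // granted and valid
		{Kind: "Secret", Namespace: "apps", Name: "opaque"},     // granted, wrong Secret type
		{Kind: "Secret", Namespace: "private", Name: "web-tls"}, // valid Secret, but no grant
		{Kind: "Secret", Namespace: "private", Name: "missing"}, // no Secret and no grant: still RefNotPermitted
		{Kind: "Secret", Name: "missing"},                       // same namespace, no Secret
	} {
		fmt.Println(ResolveCertificateRefs("infra", []CertificateRef{ref}, c))
	}
}
```

The grant check runs for every ref before the Secret lookup is allowed to decide anything, so the reason a Gateway owner sees never depends on whether a Secret exists in a namespace they were not granted access to; the last two sample refs both come back as RefNotPermitted, and only the same-namespace or granted refs can surface InvalidCertificateRef.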

Member Author

I addressed both your points, it should be clearer now.

Review thread on apis/v1alpha2/gateway_types.go (outdated, resolved)
@robscott
Member

@mlavacca Can you change the PR title to be a bit more descriptive? Easy to lose track of this PR when looking through the list.

@mlavacca mlavacca changed the title from "Gateway API docs update" to "Improve the Gateway ResolvedRefs condition documentation" Oct 3, 2022
@robscott
Member

robscott commented Oct 3, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test (Indicates a non-member PR verified by an org member that is safe to test.) label and removed the needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.) label Oct 3, 2022
@mlavacca mlavacca force-pushed the listener-not-permitted-docs branch 2 times, most recently from 6195c10 to d2ea1f2 October 4, 2022 13:01
@k8s-ci-robot k8s-ci-robot added the size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.) label and removed the size/S (Denotes a PR that changes 10-29 lines, ignoring generated files.) label Oct 4, 2022
Contributor

@mikemorris mikemorris left a comment

The ListenerReasonRefNotPermitted changes LGTM, and I proposed a phrasing tweak to hopefully clarify ListenerReasonInvalidCertificateRef a bit more.

Thanks for your work on this @mlavacca, this feels pretty close now and a good clarification!

Review thread on apis/v1alpha2/gateway_types.go (outdated, resolved)
The ListenerReasonRefNotPermitted documentation has been improved to
specify that this reason can be triggered by either an unpermitted
BackendRef or an unpermitted CertificateRef.
Besides, the ListenerReasonInvalidCertificateRef documentation has
been improved to specify better what makes a listener CertificateRef
invalid.

Signed-off-by: Mattia Lavacca <lavacca.mattia@gmail.com>
Contributor

@mikemorris mikemorris left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm ("Looks good to me", indicates that a PR is ready to be merged.) label Oct 5, 2022
@shaneutt shaneutt requested a review from robscott October 5, 2022 18:51
Member

@robscott robscott left a comment

Thanks @mlavacca, this is a great improvement!

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikemorris, mlavacca, robscott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved (Indicates a PR has been approved by an approver from all required OWNERS files.) label Oct 5, 2022
@robscott robscott added this to the v0.6.0 milestone Oct 5, 2022
@k8s-ci-robot k8s-ci-robot merged commit 38a295b into kubernetes-sigs:main Oct 5, 2022
Labels
approved (Indicates a PR has been approved by an approver from all required OWNERS files.)
cncf-cla: yes (Indicates the PR's author has signed the CNCF CLA.)
kind/documentation (Categorizes issue or PR as related to documentation.)
lgtm ("Looks good to me", indicates that a PR is ready to be merged.)
ok-to-test (Indicates a non-member PR verified by an org member that is safe to test.)
size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.)
Development

Successfully merging this pull request may close these issues.

Clarify RefNotPermitted and InvalidCertificateRef reasons in API Spec
4 participants