no-jira: Validate AWS resource tag keys with aws: prefix #2183
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@patrickdillon: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold |
|
Hello @patrickdillon! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
do-not-merge/hold
openshift-merge-robot
added
the
needs-rebase
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
@patrickdillon Did you intend to move this PR forward? |
Yes. I see now the dependent work has merged. So I can rebase this; I am tied up with a conference this week so I will try to get this once I'm back next week. |
|
@patrickdillon Just a reminder to move this one along when you have a moment |
patrickdillon
force-pushed
the
aws-tag-prefix
branch
from
9ae0e4a to
aee6105
Compare
openshift-merge-robot
removed
the
needs-rebase
openshift-ci
bot
added
size/L
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
|
/hold cancel @JoelSpeed finally ready, thanks! |
openshift-ci
bot
removed
the
do-not-merge/hold
| value: value* | ||
| type: AWS | ||
| expectedStatusError: "invalid AWS resource tag value. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'" | ||
| - name: Should not be able to create an aws resourcetag with aws prefix in key |
There was a problem hiding this comment.
Please also add a ratcheting test (see readme in the tests dir) to prove that existing values are not affected by this change. You should show that
- Existing entries persist when a new item is added to the list
- Additional bad entries are not allowed when there is an existing bad entry
- The bad entry can be updated to a valid entry
There was a problem hiding this comment.
Ok, I added the ratcheting validation tests, but am stuck on the first one (the other two work ok). In order to allow existing bad values, I updated the validation in 34f8d72 but apparently this is invalid, as the tests fail with:
Invalid value: "self == oldSelf || !self.startsWith('aws:')": oldSelf cannot be used on the uncorrelatable portion of the schema within spec.validation.openAPIV3Schema.properties[status].properties[platformStatus].properties[aws].properties[resourceTags]
I see in these k8s docs that this means the rule cannot be applied:
Errors will be generated on CRD writes if a schema node contains a transition rule that can never be applied, e.g. "oldSelf cannot be used on the uncorrelatable portion of the schema within path".
I'm not sure how to resolve this issue. Any insight?
There was a problem hiding this comment.
@JoelSpeed claude helped me figure out that I needed to change ResourceTags to listType=map, but now the actual validation of the aws: prefix does not seem to be working
[config.openshift.io/v1, Resource=infrastructures][ClusterProfiles=Hypershift,SelfManagedHA][FeatureSet="Default"][FeatureGate=-AWSClusterHostedDNSInstall][File=0000_10_config-operator_01_infrastructures-Default.crd.yaml] Infrastructure On Update [It] Should not be able to create an aws resourcetag with aws prefix in key
/Users/padillon/go/src/github.com/openshift/api/tests/generator.go:345
[FAILED] Expected an error, got nil
In [It] at: /Users/padillon/go/src/github.com/openshift/api/tests/generator.go:321 @ 10/14/25 22:00:52.111
Stuck on this.
There was a problem hiding this comment.
I went ahead and side-stepped the issue by validating for immutability. IMHO that makes more sense, as post-install updates are not supported. On the other hand, I'm not sure if there are issues with making a field immutable post-GA; the intention was always for these fields to be immutable, it just wasn't validated.
There was a problem hiding this comment.
We still need a ratcheting test to show that anyone who already has a value with aws: in the prefix won't be broken by this change
There was a problem hiding this comment.
Oh right, that makes sense: so we don't brick the rest of the aws platform status from being updated. Because I made resourceTags immutable, we can't cover the three expected cases in your original message. Does the check added in d582954 look good/sufficient? Or what else would you have in mind.
There was a problem hiding this comment.
Yep, that covers it, thanks
config/v1/tests/infrastructures.config.openshift.io/AAA_ungated.yaml
Outdated
Show resolved
Hide resolved
|
/hold |
openshift-ci
bot
added
do-not-merge/hold
|
@JoelSpeed these fields are supposed to be immutable. Should i just add validation to enforce that? |
patrickdillon
force-pushed
the
aws-tag-prefix
branch
from
7219772 to
0eddb96
Compare
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
| value: value* | ||
| type: AWS | ||
| expectedStatusError: "invalid AWS resource tag value. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'" | ||
| - name: Should not be able to create an aws resourcetag with aws prefix in key |
There was a problem hiding this comment.
We still need a ratcheting test to show that anyone who already has a value with aws: in the prefix won't be broken by this change
patrickdillon
force-pushed
the
aws-tag-prefix
branch
2 times, most recently
from
8f7a956 to
d582954
Compare
JoelSpeed
left a comment
JoelSpeed
left a comment
There was a problem hiding this comment.
/lgtm
/verified by new integration tests
| value: value* | ||
| type: AWS | ||
| expectedStatusError: "invalid AWS resource tag value. The string can contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', '@'" | ||
| - name: Should not be able to create an aws resourcetag with aws prefix in key |
There was a problem hiding this comment.
Yep, that covers it, thanks
|
Scheduling tests matching the |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/verified by e2e-aws |
openshift-ci-robot
added
the
verified
|
@patrickdillon: This PR has been marked as verified by In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@patrickdillon: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/hold Revision d582954 was retested 3 times: holding |
openshift-ci
bot
added
the
do-not-merge/hold
AWS docs indicate that tag keys cannot be prefix with aws:. See: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html Using this key prefix leads to an AWS API error indicating the prefix is reserved for AWS system usage. This commit adds API validation and ratecheting tests, as the key was previously allowed. Adds validation to enforce immutability on AWS resourcetags, in the same manner as Azure & GCP. Updating resourcetags post-install is not supported.
Generated with PROTO_OPTIONAL=true make update
patrickdillon
force-pushed
the
aws-tag-prefix
branch
from
d582954 to
a9187b1
Compare
openshift-ci-robot
removed
the
verified
|
New changes are detected. LGTM label has been removed. |
|
/hold cancel @JoelSpeed I just noticed this never merged due to essentially a rebase conflict. I rebased and reran |
openshift-ci
bot
removed
the
do-not-merge/hold
5 participants
AWS docs indicate that tag keys cannot be prefix with aws:. See:
https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html
Using this key prefix leads to an AWS API error indicating the prefix
is reserved for AWS system usage. This commit adds API validation
and ratecheting tests, as the key was previously allowed.
This was originally included in #2124 but cannot land due to a bug addressed by openshift/kubernetes#2167, so
Depends on #2124
Depends on openshift/kubernetes#2167