Security group and Security group rules validation

[itzikb-redhat]

Add/Update Validations and validations tests to SecurityGroup and SecurityGroupRule

[mdbooth]

@itzikb-redhat I just rebased this so it no longer includes #167, no other changes.

[pierreprinetti]

I'm curious: what does MaxLength do when the field is an enum?

[mdbooth]

I also wondered this. It's possible that even though it's technically redundant for validation purposes, it may still be used in the runtime complexity calculations? I'll bet @JoelSpeed would know.

[JoelSpeed]

For runtime complexity, the openapi schema shows that the field is an enum, so the estimated worst case is based on the maximum length of the enum values. You don't actually need a maxlength on an enum WRT CEL, but it also cannot hurt to include it

[itzikb-redhat]

I'll remove both length rules

[pierreprinetti]

If the protocol is ICMP, this value must be an ICMP type

Before reading the code, I can't immediately find a meaning to this sentence

[pierreprinetti]

When setting up ICMP, I would naïvely leave PortRangeMin and PortRangeMax empty. Would I be wrong?

[itzikb-redhat]

First I have a typo, PorRangeMin -> icmp type, PortRangeMax - icmp code
Can you suggest an alternative to the comment?
At least from my testing with the openstack client you can leave them out (Then I think the rule catch all the ICMP types)

[pierreprinetti]

(I'm commenting the comment) I don't believe you can represent the protocol as an integer here. You probably could if type Protocol's underlying type was an integer and you overrode UnmarshalJSON to also accept strings. But I am not sure that Kubebuilder would like it.

Do you really plan on accepting integers here? And if not, how do I set e.g. vrrp?

[itzikb-redhat]

I'm not sure what the concern is. If you want vrrp to be set as a number you set the number "112" (as a string)

[pierreprinetti]

If you want users to pass numbers as strings, you should tell them explicitly in the comment. Also would null be passed as "null"?

[itzikb-redhat]

Regarding null I think I'll just remove it. About numbers as strings - Do we want to use also allow integers?

[pierreprinetti]

that's a question for @mdbooth @mandre

[mdbooth]

I think:

• We don't allow numbers and just use the strings
• We should validate Protocol as an enum

As for null, what does OpenStack do with that? Is it the same as any? If so, I think we should support either any or null (meaning unspecified here), but not both.

If we go with null we should write it as 'if not specified...' or similar.

[itzikb-redhat]

ok we'll go with not specified and use strings. As for enum - we use a pattern instead

[pierreprinetti]

@mdbooth
May I humour you with this

(also cf gophercloud/gophercloud#2442 (comment) )

[JoelSpeed]

Enums in Kube APIs are generally PascalCase, these probably want to follow that convention? Any, ICMP, ICMPv6, IPv6Encap etc

[mdbooth]

@JoelSpeed I previously gave this some thought in the Image API. These constants are defined by the OpenStack API. In my first version of the Image API I translated the constants, but:

• It's a huge mess in the code
• It's another source of errors
• I suspect it's more confusing for users who are likely using the OpenStack docs as a primary source for more complex things like this

So my current thinking is that we don't translate constants which are defined by the OpenStack API.

This is itself a source of confusion because now users need to understand which constants are OpenStack constants and which are not. I think either choice has trade offs, but my current feeling is that this has the better balance for this API.

@mandre Incidentally, if we agree with this we should document it explicitly in our API conventions.

Perhaps we could have a convention that we point out explicitly in the Godocs that these are 'passthrough' values which correlate exactly to OpenStack values.

[mandre]

Sounds good. I've added the following to our API convention doc:

* Constants coming from OpenStack should be copied verbatim.

[JoelSpeed]

If that's the direction of the project, then that is fair. A lot of other projects around clouds have made the same decision. Though of course, you do then juxtapose with core Kube APIs and other APIs that follow kube conventions

If a user knows openstack uses snake case, and knows Kube uses pascal case, I guess they have a 50/50 of getting it right

[JoelSpeed]

Use the serialised version of the field name in the user facing error, also, maybe prefer must to should?

Suggested change

	// +kubebuilder:validation:XValidation:rule="has(self.portRangeMin) == has(self.portRangeMax)",message="PortRangeMin and PortRangeMax should exist together"
	// +kubebuilder:validation:XValidation:rule="has(self.portRangeMin) == has(self.portRangeMax)",message="portRangeMin and portRangeMax must only exist together"

Have you considered making an optional portRange struct, with min and max fields within that are required?

[JoelSpeed]

Why a pointer for a required field?

[JoelSpeed]

Don't use uints, they don't translate into an openapi schema in any way that correctly validates the unsigned nature, use int32 and set a minimum value of zero using the appropriate kubebuilder marker

[JoelSpeed]

Why aren't you using an enum for protocol?