chore: Add checks for selectors in KubernetesSDConfig (#6177) #6359
Conversation
|
@slashpai can you review the pr |
There was a problem hiding this comment.
I haven't reviewed full but its a good start, could you please add a test as well in https://github.com/prometheus-operator/prometheus-operator/blob/main/pkg/prometheus/resource_selector_test.go#L1710?
| @@ -354,6 +366,32 @@ type KubernetesSDConfig struct { | |||
| Selectors []K8SSelectorConfig `json:"selectors,omitempty"` | |||
| } | |||
|
|
|||
| // ValidateSelectorRoles validate the roles based on main role. | |||
There was a problem hiding this comment.
pkg/prometheus/promcfg.go
Outdated
| @@ -2604,6 +2604,12 @@ func (cg *ConfigGenerator) generateScrapeConfig( | |||
| if len(sc.Spec.KubernetesSDConfigs) > 0 { | |||
| configs := make([][]yaml.MapItem, len(sc.Spec.KubernetesSDConfigs)) | |||
| for i, config := range sc.Spec.KubernetesSDConfigs { | |||
|
|
|||
| err := (&config).ValidateSelectorRoles() | |||
There was a problem hiding this comment.
validation should be called from validateKubernetesSDConfigs in https://github.com/prometheus-operator/prometheus-operator/blob/main/pkg/prometheus/resource_selector.go
|
@slashpai done the changes and added the tests |
pkg/prometheus/resource_selector.go
Outdated
| foundSelectorRoles := make(map[monitoringv1alpha1.Role]struct{}) | ||
| allowedSelectors := map[monitoringv1alpha1.Role][]string{ | ||
| RolePod: {string(RolePod)}, | ||
| RoleService: {string(RoleService)}, | ||
| RoleEndpointSlice: {string(RolePod), string(RoleService), string(RoleEndpointSlice)}, | ||
| RoleEndpoint: {string(RolePod), string(RoleService), string(RoleEndpoint)}, | ||
| RoleNode: {string(RoleNode)}, | ||
| RoleIngress: {string(RoleIngress)}, | ||
| } | ||
|
|
||
| for _, selector := range c.Selectors { | ||
|
|
||
| if _, ok := foundSelectorRoles[selector.Role]; ok { | ||
| return fmt.Errorf("duplicated selector role: %s", selector.Role) | ||
| } |
There was a problem hiding this comment.
I have the impression that foundSelectorRoles is never populated, therefore line 858 will never return ok 🤔
There was a problem hiding this comment.
If it returns ok then error will come, while if it returns !ok then it should pass, tests are also passing
There was a problem hiding this comment.
I agree with Arthur, I also tried it as a simple go code here https://go.dev/play/p/Di7AaLX_iW-
currently it accepts the the role pod for role node which it shouldn't.
Take a look at validation here we need to do something similar https://github.com/prometheus/prometheus/blob/92544c00bf9d43eecd7161911d541a3fbe7af8cc/discovery/kubernetes/kubernetes.go#L204-L233
pkg/prometheus/promcfg.go
Outdated
| @@ -2604,6 +2604,7 @@ func (cg *ConfigGenerator) generateScrapeConfig( | |||
| if len(sc.Spec.KubernetesSDConfigs) > 0 { | |||
| configs := make([][]yaml.MapItem, len(sc.Spec.KubernetesSDConfigs)) | |||
| for i, config := range sc.Spec.KubernetesSDConfigs { | |||
|
|
|||
There was a problem hiding this comment.
nit: remove the blank line
pkg/prometheus/resource_selector.go
Outdated
| @@ -830,13 +840,38 @@ func (rs *ResourceSelector) SelectScrapeConfigs(ctx context.Context, listFn List | |||
| return res, nil | |||
| } | |||
|
|
|||
| // ValidateSelectorRoles validate the roles based on main role. | |||
| func ValidateSelectorRoles(c monitoringv1alpha1.KubernetesSDConfig) error { | |||
There was a problem hiding this comment.
I don't think we need to have a function for this as it is not used any other place, better lets move the code to
prometheus-operator/pkg/prometheus/resource_selector.go
Lines 832 to 862 in 1e9c2bb
pkg/prometheus/resource_selector.go
Outdated
| foundSelectorRoles := make(map[monitoringv1alpha1.Role]struct{}) | ||
| allowedSelectors := map[monitoringv1alpha1.Role][]string{ | ||
| RolePod: {string(RolePod)}, | ||
| RoleService: {string(RoleService)}, | ||
| RoleEndpointSlice: {string(RolePod), string(RoleService), string(RoleEndpointSlice)}, | ||
| RoleEndpoint: {string(RolePod), string(RoleService), string(RoleEndpoint)}, | ||
| RoleNode: {string(RoleNode)}, | ||
| RoleIngress: {string(RoleIngress)}, | ||
| } | ||
|
|
||
| for _, selector := range c.Selectors { | ||
|
|
||
| if _, ok := foundSelectorRoles[selector.Role]; ok { | ||
| return fmt.Errorf("duplicated selector role: %s", selector.Role) | ||
| } |
There was a problem hiding this comment.
I agree with Arthur, I also tried it as a simple go code here https://go.dev/play/p/Di7AaLX_iW-
currently it accepts the the role pod for role node which it shouldn't.
Take a look at validation here we need to do something similar https://github.com/prometheus/prometheus/blob/92544c00bf9d43eecd7161911d541a3fbe7af8cc/discovery/kubernetes/kubernetes.go#L204-L233
pkg/prometheus/resource_selector.go
Outdated
| } | ||
|
|
There was a problem hiding this comment.
nit: remove extra blank line
pkg/prometheus/resource_selector.go
Outdated
| @@ -870,7 +909,9 @@ func (rs *ResourceSelector) validateKubernetesSDConfigs(ctx context.Context, sc | |||
| if _, err := labels.Parse(s.Label); err != nil { | |||
| return fmt.Errorf("[%d]: %w", i, err) | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
nit: remove extra blank line
pkg/prometheus/resource_selector.go
Outdated
|
|
||
| for _, selector := range c.Selectors { | ||
|
|
||
| if _, ok := foundSelectorRoles[selector.Role]; ok { |
There was a problem hiding this comment.
We need to apply strings.ToLower() on the role value (e.g. prometheus-operator both "Pod" and "pod").
|
@slashpai done the changes |
pkg/prometheus/resource_selector.go
Outdated
| @@ -42,6 +42,16 @@ import ( | |||
| "github.com/prometheus-operator/prometheus-operator/pkg/operator" | |||
| ) | |||
|
|
|||
| // The valid options for Role. | |||
| const ( | |||
There was a problem hiding this comment.
it would be good to have the consts defined in pkg/apis/monitoring/v1 directly.
There was a problem hiding this comment.
@simonpasquier previously i have done the same, but @slashpai suggested me to put it in the resource_selector
There was a problem hiding this comment.
Thats for validation methods 🙂
Since consts were also moved I was ok but I agree with Simon consts go better in types.go
There was a problem hiding this comment.
Let's have a follow-up for this.
pkg/prometheus/resource_selector.go
Outdated
| var allowed bool | ||
|
|
||
| for _, role := range allowedSelectors[config.Role] { | ||
| if role == strings.ToLower(string(s.Role)) { | ||
| allowed = true | ||
| break | ||
| } | ||
| } | ||
| if !allowed { | ||
| return fmt.Errorf("[%d] : %s role supports only %s selectors", i, config.Role, strings.Join(allowedSelectors[config.Role], ", ")) | ||
| } |
There was a problem hiding this comment.
(suggestion) we could use https://pkg.go.dev/slices#Contains
pkg/prometheus/resource_selector.go
Outdated
| } | ||
|
|
||
| for _, s := range config.Selectors { | ||
| if _, ok := allowedSelectors[config.Role]; !ok { |
There was a problem hiding this comment.
we need strings.ToLower too?
| if _, ok := allowedSelectors[config.Role]; !ok { | |
| if _, ok := allowedSelectors[strings.ToLower(config.Role)]; !ok { |
There was a problem hiding this comment.
@simonpasquier done
pkg/prometheus/resource_selector.go
Outdated
| @@ -42,6 +42,16 @@ import ( | |||
| "github.com/prometheus-operator/prometheus-operator/pkg/operator" | |||
| ) | |||
|
|
|||
| // The valid options for Role. | |||
| const ( | |||
There was a problem hiding this comment.
Let's have a follow-up for this.
|
TestSelectScrapeConfigs/Kubernetes_SD_config_with_valid_label_and_field_selectors is failing |
…rator#6177) chore: test added rfac: kubernetes sd role chore: cofig.Role to lowercase rfac: unit_test role_consts
|
@simonpasquier done the above changes, rfac the unit test |
Description
fix: #6177
additional checks on the role selectors vs. the main role added
Type of change
What type of changes does your code introduce to the Prometheus operator? Put an
xin the box that apply.CHANGE(fix or feature that would cause existing functionality to not work as expected)FEATURE(non-breaking change which adds functionality)BUGFIX(non-breaking change which fixes an issue)ENHANCEMENT(non-breaking change which improves existing functionality)NONE(if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)Changelog entry