Skip to content

OCPBUGS-55192: Add IngressController .spec.domain validation #2308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

OCPBUGS-55192: Add IngressController .spec.domain validation #2308

wants to merge 1 commit into from

Conversation

grzpiotrowski
Copy link

@grzpiotrowski grzpiotrowski commented May 2, 2025
edited
Loading

This PR fixes OCPBUGS-55192.

Add ratcheting validation of the .spec.domain field of ingress controller.
Domain must consist of lowercase alphanumeric characters '-' or '.', and each label must start and end with an alphanumeric character.

Previously, the user could configure the .spec.domain field incorrectly which could result in the router pods entering a CrashLoopBackOff state immediately upon creation with error: invalid canonical hostname: [...].

  • operator/v1/types_ingress.go (IngressControllerSpec): Add ratcheting validation of the Domain field.
  • operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml Add test cases for the ingress controller .spec.domain field validation

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 2, 2025

Hello @grzpiotrowski! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 2, 2025
@openshift-ci openshift-ci bot requested review from deads2k and everettraven May 2, 2025 15:03
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 2, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: grzpiotrowski
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@grzpiotrowski grzpiotrowski changed the title Add IngressController .spec.domain validation OCPBUGS-55192: Add IngressController .spec.domain validation May 2, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels May 2, 2025
@openshift-ci-robot
Copy link

@grzpiotrowski: This pull request references Jira Issue OCPBUGS-55192, which is invalid:

  • expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This PR fixes OCPBUGS-55192.

Add ratcheting validation of the .spec.domain field of ingress controller.
Domain must consist of lowercase alphanumeric characters '-' or '.', and each label must start and end with an alphanumeric character.

Previously, the user could configure the .spec.domain field incorrectly which could result in the router pods entering a CrashLoopBackOff state immediately upon creation with error: invalid canonical hostname: [...].

Opted not to add the max length validation // +kubebuilder:validation:MaxLength=253 as it could be slightly misleading, because even if .spec.domain does not exceed that 253 characters limit, we could end up with an invalid canonical hostname error as this is constructed from the router name and the IC domain, which length could not be predicted here.

  • operator/v1/types_ingress.go (IngressControllerSpec): Add ratcheting validation of the Domain field.
  • operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml Add test cases for the ingress controller .spec.domain field validation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 2, 2025
@grzpiotrowski grzpiotrowski force-pushed the OCPBUGS-55192-ic-spec-domain-validation branch from 2e10452 to a538d6c Compare May 2, 2025 15:34
@openshift-ci openshift-ci bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 2, 2025
@grzpiotrowski grzpiotrowski force-pushed the OCPBUGS-55192-ic-spec-domain-validation branch from a538d6c to d5e7974 Compare May 2, 2025 15:44
@openshift-ci openshift-ci bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 2, 2025
@grzpiotrowski grzpiotrowski changed the title OCPBUGS-55192: Add IngressController .spec.domain validation [WIP] OCPBUGS-55192: Add IngressController .spec.domain validation May 2, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 2, 2025
@grzpiotrowski grzpiotrowski marked this pull request as draft May 2, 2025 16:01
@grzpiotrowski grzpiotrowski force-pushed the OCPBUGS-55192-ic-spec-domain-validation branch from d5e7974 to a179eae Compare May 13, 2025 14:52
@openshift-ci openshift-ci bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 13, 2025
@grzpiotrowski grzpiotrowski force-pushed the OCPBUGS-55192-ic-spec-domain-validation branch 2 times, most recently from c4e9ebf to 9a9eb85 Compare May 13, 2025 15:15
@grzpiotrowski grzpiotrowski marked this pull request as ready for review May 13, 2025 15:17
@grzpiotrowski
Copy link
Author

/retitle OCPBUGS-55192: Add IngressController .spec.domain validation

@openshift-ci openshift-ci bot requested a review from JoelSpeed May 13, 2025 15:18
@openshift-ci openshift-ci bot changed the title [WIP] OCPBUGS-55192: Add IngressController .spec.domain validation OCPBUGS-55192: Add IngressController .spec.domain validation May 13, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2025
@grzpiotrowski
Copy link
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label May 13, 2025
@openshift-ci-robot
Copy link

@grzpiotrowski: This pull request references Jira Issue OCPBUGS-55192, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 13, 2025
@openshift-ci openshift-ci bot requested a review from melvinjoseph86 May 13, 2025 15:48
@Miciah
Copy link
Contributor

Miciah commented May 13, 2025

/assign

JoelSpeed
JoelSpeed reviewed May 13, 2025
View reviewed changes
Copy link
Contributor

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please review the readme in the tests folder of this repo to see how we handle ratcheting validation tests. We will want to see those here

operator/v1/types_ingress.go Outdated
@@ -68,6 +68,7 @@ type IngressControllerSpec struct {
//
// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
//
// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't actually explain a label here right? Probably want to rework the first part of the error message to explain that it's alphanumeric and possibly hypehanted labels, separate by periods

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reworded the message slightly.

operator/v1/types_ingress.go Outdated
@@ -68,6 +68,7 @@ type IngressControllerSpec struct {
//
// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
//
// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opted not to add the max length validation // +kubebuilder:validation:MaxLength=253 as it could be slightly misleading, because even if .spec.domain does not exceed that 253 characters limit, we could end up with an invalid canonical hostname error as this is constructed from the router name and the IC domain, which length could not be predicted here.

What is the minimum length of the router name? From that you can work out the actual maximum of this, but you're right, it won't be 100% accurate. It's still better than nothing though. We should add a max length here

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The router name is "router-" (without the quotation marks) plus the name of the IngressController, so the minimum is 8 characters. The "default" router's canonical name is 14 chars, so 14 might be a reasonable amount to subtract from 253.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ingress controller name itself can be anything right? What would the behaviour be if the total length of router-<name> and the value of this field exceeded 253 chars? What would be truncated?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Coming back to this. As far as I could see when trying to create an ingress controller with a domain exceeding the maximum length, the router pod would be in a CrashLoopBackOff with the state:

    lastState:
      terminated:
        containerID: cri-o://abed0ee9a4e38d8cf6b0060e3d4a76572f2ec575e66116a26814432a234fe84f
        exitCode: 1
        finishedAt: "2025-07-29T14:21:21Z"
        message: |
          error: invalid canonical hostname: router-test-long-domain.apps.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.ccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbb.dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd.eeeeeeeeeeeeeee.com
        reason: Error
        startedAt: "2025-07-29T14:21:21Z"

operator/v1/types_ingress.go Outdated
@@ -68,6 +68,7 @@ type IngressControllerSpec struct {
//
// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
//
// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered using a format validation?

Suggested change
// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain.validate(self).hasValue()",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"

operator/v1/types_ingress.go Outdated
@@ -68,6 +68,7 @@ type IngressControllerSpec struct {
//
// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
//
// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While we are here, can we update the godoc to more thoroughly explain the validations we are imposing?

@grzpiotrowski grzpiotrowski force-pushed the OCPBUGS-55192-ic-spec-domain-validation branch from 9a9eb85 to 4bce138 Compare July 1, 2025 14:31
@grzpiotrowski grzpiotrowski force-pushed the OCPBUGS-55192-ic-spec-domain-validation branch from 4bce138 to 0ccba13 Compare July 29, 2025 14:22
@openshift-ci-robot
Copy link

@grzpiotrowski: This pull request references Jira Issue OCPBUGS-55192, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

In response to this:

This PR fixes OCPBUGS-55192.

Add ratcheting validation of the .spec.domain field of ingress controller.
Domain must consist of lowercase alphanumeric characters '-' or '.', and each label must start and end with an alphanumeric character.

Previously, the user could configure the .spec.domain field incorrectly which could result in the router pods entering a CrashLoopBackOff state immediately upon creation with error: invalid canonical hostname: [...].

  • operator/v1/types_ingress.go (IngressControllerSpec): Add ratcheting validation of the Domain field.
  • operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml Add test cases for the ingress controller .spec.domain field validation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@grzpiotrowski
Add IngressController .spec.domain API validation
e45d28e 
This commit fixes OCPBUGS-55192.

https://issues.redhat.com/browse/OCPBUGS-55192

Add ratcheting validation of the .spec.domain field of ingress controller.

Domain must consist of DNS labels separated by periods, where each label
contains only lowercase alphanumeric characters and hyphens, must start
and end with an alphanumeric character, and must not exceed 63 characters.

* operator/v1/types_ingress.go
(IngressControllerSpec): Add ratcheting validation of the Domain field.
* operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
Add test cases for the ingress controller .spec.domain field validation

Generated files:
* openapi/openapi.json
* openapi/generated_openapi/zz_generated.openapi.go
* operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml
* operator/v1/zz_generated.swagger_doc_generated.go
@grzpiotrowski grzpiotrowski force-pushed the OCPBUGS-55192-ic-spec-domain-validation branch from 0ccba13 to e45d28e Compare July 29, 2025 15:14
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jul 29, 2025

@grzpiotrowski: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/integration e45d28e link true /test integration

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Miciah Miciah Miciah left review comments

@JoelSpeed JoelSpeed JoelSpeed left review comments

@deads2k deads2k Awaiting requested review from deads2k

@everettraven everettraven Awaiting requested review from everettraven

@melvinjoseph86 melvinjoseph86 Awaiting requested review from melvinjoseph86

Assignees

@Miciah Miciah

Labels
jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@grzpiotrowski @openshift-ci-robot @Miciah @JoelSpeed