Skip to content

Formally define and validate the cluster name format #32641

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 7, 2024
Merged

Formally define and validate the cluster name format #32641

merged 6 commits into from
Jun 7, 2024

Conversation

giorio94
Copy link
Member

@giorio94 giorio94 commented May 21, 2024
edited
Loading

Formally define and validate that a cluster name must respect the following constraints:

  • It must contain at most 32 characters;
  • It must begin and end with a lower case alphanumeric character;
  • It may contain lower case alphanumerics and dashes between;
  • The "default" name is reserved, and forbidden with ClusterID != 0.

The specification almost matches the cluster name definition from the Kubernetes multi-cluster services API [1] (except for the shorter maximum length), and derives from the already implicit requirements due to the usage of the cluster name as:

  • a k8s label value [2] (for CiliumIdentities),
  • a hostname [3] when configuring the host aliases during clustermesh interconnection;
  • part of TLS certificates common name [4].

The goal of the explicit validation is to ensure that Cilium components fail to start with a clear error if the cluster name is invalid, rather than failing silently at a later stage.

Given the above constraints, the vast majority of existing deployments are not expected to affected by this change. Still, to enable users performing a smooth transition, we currently only emit an error log in case of invalid cluster names. The cluster name format will start being strictly enforced starting from the Cilium version. Similarly, helm validation can be temporarily skipped setting upgradeCompatibility to 1.15 or earlier.

[1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#proposal
[2]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
[3]: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names
[4]: https://stackoverflow.com/a/5142550

Formally define and validate the cluster name format

@giorio94 giorio94 added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/helm Impacts helm charts and user deployment experience area/agent Cilium agent related. labels May 21, 2024
@giorio94
Copy link
Member Author

/test

@giorio94 giorio94 force-pushed the pr/giorio94/main/cluster-name-validation branch from 008d7fe to 49b3df8 Compare May 22, 2024 07:09
@giorio94
Copy link
Member Author

/ci-clustermesh

@giorio94
clustermesh, operator: slightly rework invoke function registration
60302e6 
Directly register the target function, rather than creating a wrapper,
both for simplicity, and to make a subsequent introduction of a new
parameter in ClusterInfo.Validate transparent from this point of view.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 force-pushed the pr/giorio94/main/cluster-name-validation branch from 49b3df8 to cc8561a Compare May 31, 2024 13:30
giorio94 added 5 commits May 31, 2024 15:33
@giorio94
options: formalize and validate cluster name format
17d4691 
Formally define and validate that a cluster name must respect the
following constraints:

* It must contain at most 32 characters;
* It must begin and end with a lower case alphanumeric character;
* It may contain lower case alphanumerics and dashes between;
* The "default" name is reserved, and forbidden with ClusterID != 0.

The specification almost matches the cluster name definition from the
Kubernetes multi-cluster services API [1] (except for the shorter
maximum length), and derives from the already implicit requirements
due to the usage of the cluster name as:

* a k8s label value [2] (for CiliumIdentities),
* a hostname [3] when configuring the host aliases during clustermesh
  interconnection;
* part of TLS certificates common name [4].

The goal of the explicit validation is to ensure that Cilium components
fail to start with a clear error if the cluster name is invalid, rather
than failing silently at a later stage.

Given the above constraints, the vast majority of existing deployments
are not expected to affected by this change. Still, to enable users
performing a smooth transition, we currently only emit an error log
in case of invalid cluster names. The cluster name format will start
being strictly enforced starting from the Cilium version.

[1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#proposal
[2]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
[3]: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names
[4]: https://stackoverflow.com/a/5142550

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
clustermesh: validate remote cluster name
70197f6 
Following the formalization of the cluster name format, let's
additionally emit an error log when trying to connect to a cluster
associated with an invalid name. Starting from v1.17, Cilium will
reject connecting to a cluster with an invalid name.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
helm: formalize and validate cluster name format
9dea31e 
Describe the cluster name specifications, and mimic the same checks
performed by the Cilium components, to provide early feedback in case
the cluster name is invalid. To enable users performing a smooth
transition, helm validation can be skipped setting upgradeCompatibility
to 1.15 or earlier. In that case, Cilium components will still emit
error logs to warn users in case the cluster name is invalid.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
gha: configure extreme cluster names in conformance clustermesh
a72c7db 
To detect and prevent possible regressions causing valid names to not be
correctly supported.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
docs: document the cluster name format
24a384b 
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 force-pushed the pr/giorio94/main/cluster-name-validation branch from cc8561a to 24a384b Compare May 31, 2024 13:40
@giorio94
Copy link
Member Author

/test

@giorio94 giorio94 requested a review from marseel June 3, 2024 08:08
@giorio94 giorio94 marked this pull request as ready for review June 3, 2024 08:08
@giorio94 giorio94 requested review from a team as code owners June 3, 2024 08:08
@giorio94 giorio94 requested review from gandro, a user and brlbil June 3, 2024 08:08
gandro
gandro approved these changes Jun 3, 2024
View reviewed changes
Copy link
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome work!

pippolo84
pippolo84 approved these changes Jun 4, 2024
View reviewed changes
Copy link
Member

@pippolo84 pippolo84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

ghost
ghost approved these changes Jun 4, 2024
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

docs good

marseel
marseel approved these changes Jun 4, 2024
View reviewed changes
Copy link
Contributor

@marseel marseel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 🚀

@giorio94
Copy link
Member Author

giorio94 commented Jun 6, 2024

@derailed Gentle ping 🙏

derailed
derailed approved these changes Jun 7, 2024
View reviewed changes
Copy link
Contributor

@derailed derailed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@giorio94 Nice work!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 7, 2024
@borkmann borkmann merged commit 025fc0f into main Jun 7, 2024
@borkmann borkmann deleted the pr/giorio94/main/cluster-name-validation branch June 7, 2024 22:08
@hswong3i
Copy link

Could we at least allow for 63 characters as https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names defined?

This is because I usually use uuid as cluster name which coming with 37 characters. Some more example (i.e. at least raw uuid or md5sum or sha1sum or sha224sum result working fine under 63 characters limitation):

hswong3i@ubuntu-Inspiron-14-5420:~$ ID=`uuid` && echo $ID && echo -n $ID | wc -m
119d9ef4-4a32-11ef-9d55-8755d52f1094
36
hswong3i@ubuntu-Inspiron-14-5420:~$ ID=`uuid | md5sum | sed 's/\s*-$//g'` && echo $ID && echo -n $ID | wc -m
8e03de2fc4391c1a62644bf8eb4ba7f2
32
hswong3i@ubuntu-Inspiron-14-5420:~$ ID=`uuid | sha1sum | sed 's/\s*-$//g'` && echo $ID && echo -n $ID | wc -m
98dc7c04d5b231e72693502c7d4b0f5a012e1ea4
40
hswong3i@ubuntu-Inspiron-14-5420:~$ ID=`uuid | sha224sum | sed 's/\s*-$//g'` && echo $ID && echo -n $ID | wc -m
1d14cacd968a42963333d487dfca3c851811cee885a9397852636957
56
hswong3i@ubuntu-Inspiron-14-5420:~$ ID=`uuid | sha256sum | sed 's/\s*-$//g'` && echo $ID && echo -n $ID | wc -m
8c15853e8049304be6c3d2805e2e02caf092f54c65a21cb4557f51b8247194c2
64
hswong3i@ubuntu-Inspiron-14-5420:~$ ID=`uuid | sha512sum | sed 's/\s*-$//g'` && echo $ID && echo -n $ID | wc -m
175ff0a20fea01757d025ea742f848bfb2af64d10e0eeece63c30b863f3e6d59a564e7cc8fb0975bc62664e253a3517399d1f81a5eaa09525d239dcd3b6bf67d
128

@hswong3i hswong3i mentioned this pull request Jul 25, 2024
Closed
3 tasks
@giorio94
Copy link
Member Author

Could we at least allow for 63 characters as https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names defined?

Discussion ongoing in #34006. I encourage users hitting the same limitation to leave a comment to that issue, so that we can figure out the best path forward. based on the overall consensus.

@joestringer joestringer added upgrade-impact This PR has potential upgrade or downgrade impact. and removed upgrade-impact This PR has potential upgrade or downgrade impact. labels Apr 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derailed derailed derailed approved these changes

@gandro gandro gandro approved these changes

@pippolo84 pippolo84 pippolo84 approved these changes

@marseel marseel marseel approved these changes

@brlbil brlbil brlbil approved these changes

@youngnick youngnick youngnick approved these changes

+1 more reviewer
Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
area/agent Cilium agent related. area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/helm Impacts helm charts and user deployment experience ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@giorio94 @hswong3i @derailed @gandro @pippolo84 @marseel @brlbil @youngnick @borkmann @joestringer