ClusterMesh: improve validation of remote nodes and services #32749
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
589f499 to
4d177b5
Compare
|
/test |
The NodeObserver does not depend on the NodeSync method. Hence, let's move it to a separate interface, to avoid having to implement it needlessly, e.g., in tests. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
As a preparation for the subsequent commits, let's hard-code the node key creator and observer implementations, rather than propagating them through hive, given that they are just tiny wrappers. This simplifies further extensions, and ensures that we use the same approach in tests as well, allowing to early catch possible issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Extend the validation performed upon retrieval of node entries from a remote cluster, to ensure improved consistency and prevent the propagation of corrupted data. In particular, let's ensure that the cluster and name fields are always set, that the cluster name matches that of the cluster we are connected to, and that the name corresponds to the kvstore key. Additionally, let's provide the possibility of validating the clusterID correspondence as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Extract and generalize the clustermesh service observer logic, to additionally reduce code duplication and ensure that the two usages are always synchronized. While being there, let's also slightly improve the log messages, and drop the type check, as always guaranteed to be correct. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Let's generate the kvstore key and value data representing a shared service marshalling the ClusterService structure, rather than by means of strings concatentation. That makes it easier to understand and extend in the future. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Extend the validation performed upon retrieval of shared services from a remote cluster, to ensure improved consistency and prevent the propagation of corrupted data. In particular, let's ensure that the cluster, namespace and name fields are always set, that the cluster name matches that of the cluster we are connected to, and that the namespaced name corresponds to the kvstore key. Additionally, let's provide the possibility of validating the clusterID correspondence as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Now that we enforce the correspondence of the advertised clusterID with the one present as part of node and service objects, let's add an extra test to ensure that node and service entries associated with the old clusterID are eventually drained upon reconnection. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
4d177b5 to
2a52f8a
Compare
|
Rebased onto main to fix conflicts |
|
/test |
dylandreimerink
approved these changes
May 30, 2024
ldelossa
approved these changes
May 30, 2024
YutaroHayakawa
approved these changes
May 31, 2024
This was referenced Jun 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Extend the validation performed upon retrieval of node and service entries from a remote cluster, to ensure improved consistency and prevent the propagation of corrupted data. In particular, let's ensure that the cluster and (namespaced) name fields are always set, that the cluster name matches that of the cluster we are connected to, and that the (namespaced) name corresponds to the kvstore key. Additionally, let's provide the possibility of validating the clusterID correspondence as well.
Please review commit by commit, and refer to the individual descriptions for additional details.
Related: #29602