cloud-provider-openstack icon indicating copy to clipboard operation
cloud-provider-openstack copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

[occm] [cinder-csi-plugin] Sanitize AZ name

Open scrungus opened this issue 6 months ago • 8 comments

What this PR does / why we need it: AZ names can contain unicode characters, for example "Württemberg". The current behaviour is that this causes the occm pod to crash:

$ crictl logs a358b0388996d (openstack-cloud-controller-manager)
error syncing 'test-hshu2jf73dym-default-worker-6s4mq-s9swb': Node "test-hshu2jf73dym-default-worker-6s4mq-s9swb" is invalid: metadata.labels: Invalid value: "Württemberg Test": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?'), requeuing

This PR sanitizes the label value before it is applied. We also see the same problem in cinder-csi-plugin:

$ kubectl logs -n openstack-system openstack-cinder-csi-nodeplugin-cl5tc
...
I0822 14:53:22.576401       1 main.go:101] Received NotifyRegistrationStatus call: &RegistrationStatus{PluginRegistered:false,Error:RegisterPlugin error -- plugin registration failed with err: error updating Node object with CSI driver node info: error updating node: timed out waiting for the condition; caused by: failed to patch status "{\"metadata\":{\"annotations\":{\"csi.volume.kubernetes.io/nodeid\":\"{\\\"cinder.csi.openstack.org\\\":\\\"0699b10e-b4bc-4129-9280-5b7c8556418f\\\",\\\"csi.tigera.io\\\":\\\"sst-yde-test-1-yt3243sf6os5-control-plane-m4hpg\\\"}\"},\"labels\":{\"topology.cinder.csi.openstack.org/zone\":\"Düdingen Test\"}}}" for node "sst-yde-test-1-yt3243sf6os5-control-plane-m4hpg": Node "sst-yde-test-1-yt3243sf6os5-control-plane-m4hpg" is invalid: metadata.labels: Invalid value: "Düdingen Test": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?'),}

So this change also sanitises the label coming from the metadata service. Special notes for reviewers:

I believe a similar fix is needed for cinder-csi-plugin Release note:

Fixes a bug where unicode characters in the openstack availability zone can crash the OCCM or cinder-csi-plugin pods.

scrungus avatar Aug 23 '24 14:08 scrungus