webhook rules for sandbox shutdown

[LiboYu2]

Here are the rules that are implemented by this change.

• When creating a vdb, all subclusters and sandboxes(if any) must not have shutdown set to true.
• If a sandbox has shutdown(spec) true and any of its subclusters has the annotation "vertica.com/shutdown-driven-by-sandbox" set to true in the old vdb, we should prevent the user from updating that subcluster's shutdown field.
• You cannot unsandbox a subcluster with shutdown true(spec and/or status) or part of a sandbox with shutdown true
• You cannot change spec.sandboxes[].image if the sandbox has shutdown true or has any subcluster with shutdown true(spec and/or status)
• You cannot terminate a sandbox if it has has shutdown true. terminate means removing the sandbox in spec.sandboxes[] and its subclusters in spec.subclusters[] at the same time.

[roypaulin]

This will create too many msgs. Let's have a single loop over sandbox.Subclusters and for each subcluster find the shutdown value in both spec and status(make sure the subcluster exists in status). If any of them is true return a generate a generic msg like subcluster %q is marked for shut down or has already been shut down

[LiboYu2]

"make sure the subcluster exists in status"
I got your point. When a user tries to change the sandbox image, the subcluster is already shutdown at this time. This is different from my original understanding. I will make a change.

[LiboYu2]

This is from the JIRA:
"You cannot change spec.sandboxes[].image if the sandbox has shutdown true or has any subcluster with shutdown true(spec and/or status)"

Could you remove the "or" from within the brackets? Thanks.

[roypaulin]

Why? I mean what I said. If you prefer here is what I mean You cannot change spec.sandboxes[].image if the sandbox has shutdown true or has any subcluster with shutdown true(spec or status)

[LiboYu2]

Got it. It is different from your original comment: "for each subcluster find the shutdown value in both spec and status(make sure the subcluster exists in status)."

[roypaulin]

Split the content of this function into smaller functions to make it more readable. Unsandboxing means 2 things: 1. we removed one or multiple subclusters from sandbox or we remove one or multiple sandboxes from spec.sandboxes.
In both cases we need to identify subclusters to be unsandboxed and for each for them, check if the subcluster shutdown(spec/status) is true or if it is/was part of a sandbox that has shutdown true.

[LiboYu2]

"check if the subcluster shutdown(spec/status)"
for the condition shutdown(spec/status), is it an OR or AND? Currently I implemented it as an OR.

[roypaulin]

It is an OR.

[cchen-vertica]

We need to add one more limitation: we cannot add one or multiple subclusters to a sandbox if the sandbox is shutdown or partially shutdown. I didn't test it, but I think we cannot restart a sandboxed subcluster if that sandbox changed its group members.

[LiboYu2]

The proposed new rule can be found in another webhook JIRA VER-97254

[roypaulin]

Let's change the 1st rule to this: when a subcluster or sandbox is added to the vdb for the 1st time (not in status yet) they all must have shutdown field set to false.

[LiboYu2]

I believe the original 1st rule is still a valid one. The two cover different scenarios. Should we add what you proposed as a new rule?

[cchen-vertica]

Why don't we allow shutdown in db creation?

[roypaulin]

No, this new rule covers the original first rule. When you create a vdb, the subclusters and/or sandboxes in the spec will not be in the status.

[roypaulin]

There is already a constant in annotations.go. A function to get the annotation's value too.

[roypaulin]

Suggested change

[roypaulin]

You also need the following cases:

• change sc1 shutdown and check there is no error as it is not part of the sandbox
• set sandbox.shutdown to false, rerun the above cases and check there is no error.

[LiboYu2]

new cases added

[roypaulin]

It is an OR.

[roypaulin]

Why? I mean what I said. If you prefer here is what I mean You cannot change spec.sandboxes[].image if the sandbox has shutdown true or has any subcluster with shutdown true(spec or status)

[roypaulin]

No, this new rule covers the original first rule. When you create a vdb, the subclusters and/or sandboxes in the spec will not be in the status.

[roypaulin]

We are getting close.

[roypaulin]

Suggested change

	return fmt.Sprintf("Shutdown field of sandbox %q is set to true", newSandbox.Name)
	errMsgs = append(errMsgs, fmt.Sprintf("Shutdown field of sandbox %q is set to true", newSandbox.Name))

[LiboYu2]

will make the change.

[roypaulin]

Yes, but it can happen that the sandbox has shutdown true and also all its subclusters have shutdown true. In that case we want to report all the error msgs so the user is aware.

[roypaulin]

Suggested change

	return fmt.Sprintf("Subcluster %q is marked for shut down or has already been shut down", subcluster.Name)
	errMsgs = append(errMsgs, fmt.Sprintf("Subcluster %q is marked for shut down or has already been shut down", subcluster.Name))

[LiboYu2]

same comment as the above one.

[roypaulin]

Suggested change

	return ""
	return errMsgs

[LiboYu2]

same comment as the above one. When it returns empty string, it means no error.

[roypaulin]

Suggested change

	func (v *VerticaDB) checkSboxForShutdown(newSandbox *Sandbox, newSClusterMap map[string]*Subcluster, statusSClusterIndexMap map[string]int) string {
	func (v *VerticaDB) checkSboxForShutdown(newSandbox *Sandbox, newSClusterMap map[string]*Subcluster, statusSClusterIndexMap map[string]int) []string {
	errMsgs := []string{}

We still want to return all the error msgs. We just did not want to return one batch for spec and another for status.

[LiboYu2]

Now I know what you want to achieve. I withdraw my previous comments and will make the change.

[roypaulin]

Suggested change

	allErrs = append(allErrs, err)
	continue
	}
	if oldSandbox.Shutdown {
	p := field.NewPath("spec").Child("sandboxes")
	err := field.Invalid(p,
	oldSubcluster.Name,
	fmt.Sprintf("cannot unsandbox subcluster %q in sandbox %q that has Shutdown field set to true",
	oldSubcluster.Name, oldSandbox.Name))
	allErrs = append(allErrs, err)
	continue
	}
	allErrs = append(allErrs, err)
	}
	if oldSandbox.Shutdown {
	p := field.NewPath("spec").Child("sandboxes").Index(...)
	err := field.Invalid(p.Child("shutdown"),
	oldSandbox.Name,
	fmt.Sprintf("cannot unsandbox subcluster %q in sandbox %q that has shutdown field set to true",
	oldSubcluster.Name, oldSandbox.Name))
	allErrs = append(allErrs, err)
	}

[roypaulin]

Suggested change

	err := field.Invalid(p.Index(index),
	subclusterName.Name,
	err := field.Invalid(p.Index(index).Child("shutdown"),
	newSubcluster.Shutdown,

[roypaulin]

Suggested change

	fmt.Sprintf("cannot change Shutdown field for subcluster %q that has annotation \"vertica.com/shutdown-driven-by-sandbox\" set to true",
	fmt.Sprintf("cannot change shutdown field for subcluster %q whose shutdown is driven by sandbox %q",

[roypaulin]

Suggested change

	err := field.Invalid(p,
	err := field.Invalid(p.Child("shutdown"),

[roypaulin]

Suggested change

	err := field.Invalid(p,
	err := field.Invalid(p.child("shutdown"),

[roypaulin]

This is the last round. After my comments are addressed, I will approve

[roypaulin]

Do not return.

[roypaulin]

Do not return.
Also to make the error msg shorter, we can first append the subcluster names and then add the msg. The err msg will look like: ......Subclusters sc1, sc2, sc3 are marked for shut down or have already been shut down.

[roypaulin]

This check should be at the beginning of the loop so you can skip to the next sandbox if the current sandbox has shutdown true.

[LiboYu2]

This if statement compares the number of subclusters to be removed with the number of subclusters in the sandbox.
If they equal, that means the sandbox will be terminated.
There is another for loop on the top of this if statement. It is used to calculate "sclustersToTerminate" used in the if statement.

[roypaulin]

Again, if oldSandboxMap[sandboxToBeRemoved].Shutdown is false then there is no point in running all this code. Check oldSandboxMap[sandboxToBeRemoved].Shutdown at the beginning of the loop and if false skip and go to next sandbox. Something like:

for _, sandboxToBeRemoved := range sandboxesToBeRemoved {
       if !oldSandboxMap[sandboxToBeRemoved].Shutdown {
              continue
       }

[LiboYu2]

That is a good point. I will check oldSandboxMap[sandboxToBeRemoved].Shutdown earlier. If it is false, let it skip the rest of the current loop.

[roypaulin]

Let's keep the same function structure and call these check... like checkShutdownSandboxImage

[roypaulin]

Suggested change

	// ensures a new subcluster or sandbox to be added to a vdb has Shutdown field set to false
	// validateNewSBoxOrSClusterShutdownUnset ensures a new subcluster or sandbox to be added to a vdb has Shutdown field set to false

Follow the same forma for other functions

[cchen-vertica]

Minor: update GenStatusSandboxMap to GenStatusSubclusterMap

[cchen-vertica]

Minor: this map should be a map[string]any or map[string]bool.

[cchen-vertica]

This needs to be addressed.

[cchen-vertica]

add space in front of "return"

[cchen-vertica]

You need to check if the old sandbox name and new sandbox name are the same. If we move a subcluster from a sandbox to another in new vdb, that subcluster is still in new vdb, but it will be unsandboxed.

[LiboYu2]

I will make code change to cover that scenario and set up a new test case.

[cchen-vertica]

Add parenthesis for readability.

[cchen-vertica]

For one sandbox, we probably reach here multiple times so we probably return duplicate errors.

[cchen-vertica]

Why are we checking old sandbox's subclusters? Doesn't this rule apply on the subclusters in new sandbox?

[LiboYu2]

This is from the JIRA: " If a sandbox has shutdown(spec) true and any of its subclusters has the annotation "vertica.com/shutdown-driven-by-sandbox" set to true in the old vdb, we should prevent the user from updating that subcluster's shutdown field. "
Here we check the subclusters that exist in both new and old vdbs.

[cchen-vertica]

Then in line 1836, we should check oldSandbox.Shutdown.

[roypaulin]

No we should check newSandbox. Here is the scenario this covers: sandbox sand1 has a subcluster sc1. you set sand1.shutdown to true, the operator will set sc1.shutdown to true and add the annotation to sc1. So now sand.shutdown = true, sc1.shutdown. true and sc1 has "vertica.com/shutdown-driven-by-sandbox". We do not want a user to come and change sc1.shutdown because that annotation is a proof that the sandbox drives the shutdown.

This is relevant only if sand1.shutdown is still true(newvdb)

[cchen-vertica]

Enrich the comment to explain the returned value.

[cchen-vertica]

This needs to be addressed.

[cchen-vertica]

Fix golint error of the comments here.

[cchen-vertica]

Will this fix the duplicate error messages bug? In the for loop, we have this sequence: sc1, sand1; sc2, sand2; sc3, sand1. unsandboxIndex will be 1(assume sand1's index is 1), 2, 1. We still come here twice for sand1.

You should check the sandbox outside this loop or use a map to store checked sandboxes.

[cchen-vertica]

This condition doesn't help. Even the subcluster does not persist, the subcluster could be unsandboxed.

[cchen-vertica]

Then in line 1836, we should check oldSandbox.Shutdown.

[cchen-vertica]

This comment doesn't match the function implementation. I don't think we need to check if all subclusters inside the sandbox are terminating. If a "shutdown" sandbox is removed, we should error out.

[roypaulin]

That's a good point. I overthought this. @LiboYu2 when a sandbox is removed check its shutdown and if it is true, block the change. We should also do the same for remove_subcluster, a subcluster must not be removed from vdb if shutdown is true, but that will be part of his other ticket. This has already taken too long.

[LiboYu2]

I will change the code to adopt the new logic. Could you update the rule in the JIRA as well?

[roypaulin]

Directly pass oldObj to these functions to stay consistent.

[roypaulin]

Why this comment? I do not think oldSandbox.shutdown value matters.

[LiboYu2]

This is useless. I will remove it.

[roypaulin]

Do you need the last part of this condition? We want to prevent any change.

[LiboYu2]

Do you mean this one "!newSubcluster.Shutdown"? It is used to check if a user sets the shutdown to false while the sandbox is marked for shutdown. It is needed.

[roypaulin]

We want to prevent any kind of change so "oldSubcluster.Shutdown != newSubcluster.Shutdown" is enough

[LiboYu2]

If we only have "oldSubcluster.Shutdown != newSubcluster.Shutdown", that will stop the operator from the setting the shutdown field to true from false.

[cchen-vertica]

Remove the comment in this line.

[LiboYu2]

removed

[cchen-vertica]

Update the comment here

[LiboYu2]

updated.

[cchen-vertica]

Why do we need the sandbox to be persistent?

[LiboYu2]

Because of this condition "oldSubcluster.Shutdown != newSubcluster.Shutdown"
The rule applies when a user tries to mess with an existing subcluster. If it is a new subcluster, it will be covered by other rules.

[cchen-vertica]

That condition is for persistent subclusters, not for persistent sandboxes.

[LiboYu2]

If the sandbox is not persistent, it will be a new sandbox, For new sandboxes to be created, its shutdown field will not be true. We are only concerned about subclusters in persistent sandboxes.

[cchen-vertica]

If we have a subcluster that isn't in a sandbox of old vdb, but we put it in the sandbox of new vdb, your code cannot cover that subcluster, right?

[cchen-vertica]

Do we have a rule to prevent a "shutdown" subcluster to add to a sandbox in your PR?

[LiboYu2]

Yes. There are more rules in https://jira.verticacorp.com/jira/browse/VER-97254

[LiboYu2]

Correct myself. Rule 1 of https://jira.verticacorp.com/jira/browse/VER-97368 covers that scenario.

[LiboYu2]

If we have a subcluster that isn't in a sandbox of old vdb, but we put it in the sandbox of new vdb, your code cannot cover that subcluster, right?

Right. That is the sandboxing scenario. It will be covered in https://jira.verticacorp.com/jira/browse/VER-97254

[cchen-vertica]

You can remove the else here since you already used a "continue" in line 1884

[LiboYu2]

with the "else", it is easier to read and understand the logic.

[cchen-vertica]

Then line 1884 doesn't make sense. You can just use if oldSandboxMap[sandboxToBeRemoved].Shutdown, what's the point to use an else block.

[LiboYu2]

I will remove it.