[platform] Validate computed tenant namespace length in cozystack-api#2376
[platform] Validate computed tenant namespace length in cozystack-api#2376
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdded tenant namespace length validation to Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related issues
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request introduces validation to ensure that the computed workload namespace for "Tenant" applications does not exceed the 63-character DNS-1123 label limit. It adds the validateTenantNamespaceLength method to the REST struct, which is called during the creation of Tenant applications, and includes comprehensive unit tests to verify the validation logic across various nesting depths and name lengths. I have no feedback to provide as there were no review comments to evaluate.
Reject Tenant creation when the computed workload namespace (parent namespace + "-" + tenant name) would exceed the 63-character DNS-1123 label limit. Previously only the per-name length was checked against the Helm release limit, so a deeply-nested tenant could pass Create() and then fail later as an opaque HelmRelease reconcile error. Assisted-By: Claude <[email protected]> Signed-off-by: Aleksei Sviridkin <[email protected]>
8d7e962 to
2b96be8
Compare
What this PR does
The aggregated
cozystack-apivalidates each individual Tenant name length against the Helm release limit (46 chars for thetenant-prefix), but it never validates the computed workload namespace that is built by dash-joining the parent namespace with the tenant name. A user can thereforekubectl applya nestedTenantwhose own name passes the per-name check, only to have Kubernetes later reject the generatedNamespacefor exceeding the 63-character DNS-1123 label limit. The failure surfaces as an opaque HelmRelease reconcile error, and the Tenant CR is left stranded in the cluster with astatus.namespacethat can never exist.This PR closes that gap at the aggregation layer by rejecting such requests synchronously in
Create()with a clearfield.Invaliderror that names the computed namespace and its length, so the failure is reported atkubectl applytime before any HelmRelease is created.The change is scoped to the
Tenantkind only.Update()is not touched because Kubernetes names and namespaces are immutable and the existing code already intentionally skips name validation there. No Helm chart, CRD, or codegen changes are required.The PR is split into two commits that document the bug and its fix via TDD:
validateTenantNamespaceLength, thekindName == "Tenant"gate inCreate(), andTestValidateTenantNamespaceLengthcovering boundary cases (pass at 63, fail at 64, fail at 68). The pinning test from commit 1 is removed in the same commit now that the gap is closed.Release note
Summary by CodeRabbit
Bug Fixes
Tests