OCPBUGS-39403: Fix parseIPList to Continue Processing After Invalid IPs and Return Valid IPs

[mJace]

Summary

This PR updates the parseIPList function to handle IP lists containing invalid IPs or CIDRs more gracefully. Previously, the function would return an empty string as soon as it encountered an invalid IP or CIDR. This update ensures that the function will now continue processing the rest of the list and return a space-separated string of all valid IPs and CIDRs.

Changes

• Modified parseIPList to:
  • Log all invalid entries for troubleshooting.
  • Return a string of valid IPs and CIDRs, or an empty string if none are valid.

Benefits

• Improved Robustness: The function now handles mixed validity IP lists more gracefully, allowing valid entries to be processed even if there are some invalid entries.
• Enhanced Debugging: Logging of invalid IPs or CIDRs provides better visibility into issues with input data.

Additional Notes

• The function continues to trim and validate input while logging detailed information about invalid entries.
• Ensure to review and test the function with various IP list scenarios to confirm the correctness of the changes.

[openshift-ci]

Hi @mJace. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[alebedev87]

/assign

[alebedev87]

@mJace : would it be possible for you to provide some unit tests for this change?

[candita]

/assign

[mJace]

@alebedev87
I added more test case to function TestParseIPList in pkg/router/template/template_helper_test.go.

[candita]

I would keep the log line up at line 391 where you find an invalid IP, e.g. log it for each invalid ip. Then you don't need the invalidIPs slice, nor to take a len later.

[mJace]

Thank you for your advice.

[candita]

/ok-to-test

[mJace]

/retest-required

[mJace]

/retest

[candita]

Since this changes behavior, we need to make sure this error is noticed, and indicate that the invalid IP is now ignored. Something like this:

Suggested change

	log.V(0).Info("parseIPList found invalid IP/CIDR", ip)
	log.Error("error parsing IP list, ignoring invalid IP/CIDR", ip)

[mJace]

I added a customErr for IP/CIDR since only net.parseCIDR returns err.

[alebedev87]

I'm wondering whether this one should be an error, taking into account that now we don't stop the parsing and there can be some valid IPs still. I think that the error would make more sense down the code where we find that the list is empty. However in the similar conditions in the same function (when we return "") we use log.V(7).Info(). So it seems to be inconsistent.

[mJace]

@alebedev87 That’s why I use log.V(0).Info at the beginning.
I reviewed all scenarios that call log.Error() in template_helper.go, and they all return "" immediately.
Since, in this case, we will continue parsing the rest of the IP, is it okay to use log.Info but at a higher log level?
If yes, what level should I use here?

[alebedev87]

The default log level is 2 so if we want this message to be visible it has to be <= 2. From what I can see in template_helper.go the log level 0 is what's used in similar cases (example) - when the user needs to be informed but the flow may continue. Similarly, looking at the other functions - failing the parsing with an error if the list of valid IPs/CIDRs is empty seems to be the way to go.

[alebedev87]

Btw the condition about the trimmer list being compared to the given list doesn't seem to use the right logging level:

	if trimmedList != list {
		log.V(7).Info("parseIPList leading/trailing spaces found")
		return ""
	}

I would prefer it to be a level 0 too as we want the user to see this.

[candita]

Followup to https://github.com/openshift/router/pull/621/files#r1815351390.

Suggested change

	if got != tc.expectedReturn {
	if expectedEmpty && got != "" || got != tc.expectedReturn {

[candita]

Looks like this was taken care of.

[candita]

Suggested change

	t.Errorf("Failure: expected %q, got %q", tc.input, got)
	if expectedEmpty {
	log.Errorf("Failure: expected none, got %q", got)
	} else {
	t.Errorf("Failure: expected %q, got %q", tc.expectedReturn, got)
	}

[openshift-ci-robot]

@mJace: This pull request references Jira Issue OCPBUGS-39403, which is invalid:

• expected the bug to be open, but it isn't
• expected the bug to target the "4.19.0" version, but no target version was set
• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Won't Do) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Summary

This PR updates the parseIPList function to handle IP lists containing invalid IPs or CIDRs more gracefully. Previously, the function would return an empty string as soon as it encountered an invalid IP or CIDR. This update ensures that the function will now continue processing the rest of the list and return a space-separated string of all valid IPs and CIDRs.

Changes

• Modified parseIPList to:
• Log all invalid entries for troubleshooting.
• Return a string of valid IPs and CIDRs, or an empty string if none are valid.

Benefits

• Improved Robustness: The function now handles mixed validity IP lists more gracefully, allowing valid entries to be processed even if there are some invalid entries.
• Enhanced Debugging: Logging of invalid IPs or CIDRs provides better visibility into issues with input data.

Additional Notes

• The function continues to trim and validate input while logging detailed information about invalid entries.
• Ensure to review and test the function with various IP list scenarios to confirm the correctness of the changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

/jira refresh

[openshift-ci-robot]

@alebedev87: This pull request references Jira Issue OCPBUGS-39403, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

/lgtm
/approve
/hold

Holding for @candita to have another look.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [alebedev87]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

/retest

[mJace]

/retest

[alebedev87]

openshift/origin#29466 should fix the image registry failure of e2e-aws-serial.

[gcs278]

openshift/origin#29466 is merged
/test e2e-aws-serial

[candita]

/lgtm
/unhold

[rhamini3]

Pre-merge verified on cluster version: 4.18.0-0.ci.test-2025-02-12-162751-ci-ln-2i21xl2-latest

iamin@iamin-mac Downloads % oc get clusterversion 
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0.ci.test-2025-02-12-162751-ci-ln-2i21xl2-latest   True        False         50m     Cluster version is 4.18.0-0.ci.test-2025-02-12-162751-ci-ln-2i21xl2-latest

1. annotate the route with valid and invalid IPs

iamin@iamin-mac cluster-ingress-operator % oc annotate route edge-route --overwrite haproxy.router.openshift.io/ip_whitelist='0.0.0.0 192.abc.0.d 192.168.47.9'
route.route.openshift.io/edge-route annotated

2. view the pod logs to see the invalid IP

iamin@iamin-mac Downloads % oc -n openshift-ingress logs router-default-5b7c764c88-kjvss | grep parseIPList

I0212 17:56:43.909529       1 template_helper.go:366] "msg"="parseIPList called" "logger"="template" "value"="0.0.0.0 192.abc.0.d 192.168.47.9"
I0212 17:56:43.909568       1 template_helper.go:392] "msg"="parseIPList found invalid IP/CIDR" "192.abc.0.d"="(MISSING)" "logger"="template"
I0212 17:56:43.909599       1 template_helper.go:402] "msg"="parseIPList parsed the list" "logger"="template" "validIPs"="0.0.0.0 192.168.47.9"

3. check haProxy to make sure only valid logs are present and invalid logs aren't

iamin@iamin-mac cluster-ingress-operator % oc -n openshift-ingress rsh  router-default-5b7c764c88-kjvss
sh-5.1$ cat haproxy.config | grep edge-route
backend be_edge_http:default:edge-route
sh-5.1$ cat haproxy.config | grep edge-route -A25
backend be_edge_http:default:edge-route
  mode http
  option redispatch
  option forwardfor
  balance random
  acl allowlist src 0.0.0.0 192.168.47.9
  tcp-request content reject if !allowlist

4. annotate route with all invalid IPs

iamin@iamin-mac cluster-ingress-operator % oc annotate route edge-route --overwrite haproxy.router.openshift.io/ip_whitelist='0.0.0.e 192.abc.0.d 192.168.47.'
route.route.openshift.io/edge-route annotated

5. check logs to make sure all IPs are flagged as invalid

iamin@iamin-mac cluster-ingress-operator % oc -n openshift-ingress logs router-default-5b7c764c88-kjvss                                                     

I0212 18:01:24.498486       1 template_helper.go:366] "msg"="parseIPList called" "logger"="template" "value"="0.0.0.e 192.abc.0.d 192.168.47."
I0212 18:01:24.498498       1 template_helper.go:392] "msg"="parseIPList found invalid IP/CIDR" "0.0.0.e"="(MISSING)" "logger"="template"
I0212 18:01:24.498527       1 template_helper.go:392] "msg"="parseIPList found invalid IP/CIDR" "192.abc.0.d"="(MISSING)" "logger"="template"
I0212 18:01:24.498539       1 template_helper.go:392] "msg"="parseIPList found invalid IP/CIDR" "192.168.47."="(MISSING)" "logger"="template"
I0212 18:01:24.499173       1 template_helper.go:366] "msg"="parseIPList called" "logger"="template" "value"=""
I0212 18:01:24.499178       1 template_helper.go:370] "msg"="parseIPList empty list found" "logger"="template"

6. haProxy should not contain any IPs

iamin@iamin-mac cluster-ingress-operator % oc -n openshift-ingress rsh  router-default-5b7c764c88-kjvss                                                       
sh-5.1$ cat haproxy.config | grep edge-route -A25
backend be_edge_http:default:edge-route
  mode http
  option redispatch
  option forwardfor
  balance random

marking bug as verified
/label qe-approved

[openshift-ci-robot]

@mJace: This pull request references Jira Issue OCPBUGS-39403, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request.

In response to this:

Summary

This PR updates the parseIPList function to handle IP lists containing invalid IPs or CIDRs more gracefully. Previously, the function would return an empty string as soon as it encountered an invalid IP or CIDR. This update ensures that the function will now continue processing the rest of the list and return a space-separated string of all valid IPs and CIDRs.

Changes

• Modified parseIPList to:
• Log all invalid entries for troubleshooting.
• Return a string of valid IPs and CIDRs, or an empty string if none are valid.

Benefits

• Improved Robustness: The function now handles mixed validity IP lists more gracefully, allowing valid entries to be processed even if there are some invalid entries.
• Enhanced Debugging: Logging of invalid IPs or CIDRs provides better visibility into issues with input data.

Additional Notes

• The function continues to trim and validate input while logging detailed information about invalid entries.
• Ensure to review and test the function with various IP list scenarios to confirm the correctness of the changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD b447c4d and 2 for PR HEAD f0926cb in total

[openshift-ci]

@mJace: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@mJace: Jira Issue OCPBUGS-39403: All pull requests linked via external trackers have merged:

• openshift/router#621

Jira Issue OCPBUGS-39403 has been moved to the MODIFIED state.

In response to this:

Summary

This PR updates the parseIPList function to handle IP lists containing invalid IPs or CIDRs more gracefully. Previously, the function would return an empty string as soon as it encountered an invalid IP or CIDR. This update ensures that the function will now continue processing the rest of the list and return a space-separated string of all valid IPs and CIDRs.

Changes

• Modified parseIPList to:
• Log all invalid entries for troubleshooting.
• Return a string of valid IPs and CIDRs, or an empty string if none are valid.

Benefits

• Improved Robustness: The function now handles mixed validity IP lists more gracefully, allowing valid entries to be processed even if there are some invalid entries.
• Enhanced Debugging: Logging of invalid IPs or CIDRs provides better visibility into issues with input data.

Additional Notes

• The function continues to trim and validate input while logging detailed information about invalid entries.
• Ensure to review and test the function with various IP list scenarios to confirm the correctness of the changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-haproxy-router-base
This PR has been included in build ose-haproxy-router-base-container-v4.19.0-202502200708.p0.gffb6637.assembly.stream.el9.
All builds following this will include this PR.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: openshift-enterprise-haproxy-router
This PR has been included in build openshift-enterprise-haproxy-router-container-v4.19.0-202502200708.p0.gffb6637.assembly.stream.el9.
All builds following this will include this PR.