🌱 Protected annotation-to-condition pattern #1278
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
akutz
force-pushed
the
feature/anno-to-cond
branch
from
e12154d to
1094519
Compare
faisalabujabal
approved these changes
Oct 29, 2025
| return apierrorsutil.NewAggregate(errs) | ||
| } | ||
|
|
||
| var anno2ConditionRegex = regexp.MustCompile(`^condition.vmoperator.vmware.com.protected/(.+)?$`) |
Contributor
There was a problem hiding this comment.
more of a nit: but do we not have a standard about the ordering of items in a file: consts, vars, types, funcs?
Contributor
There was a problem hiding this comment.
should it also be in the constant file with the other annotations?
| allErrs = append(allErrs, field.Forbidden(annotationPath.Key(vmopv1.ImportedVMAnnotation), modifyAnnotationNotAllowedForNonAdmin)) | ||
| } | ||
|
|
||
| if vm.Annotations[pkgconst.SkipDeletePlatformResourceKey] != oldVM.Annotations[pkgconst.SkipDeletePlatformResourceKey] { |
Contributor
There was a problem hiding this comment.
should we remove the annotations from the constant file since they are only used in the tests now?
| } | ||
|
|
||
| func unitTestsValidateUpdate() { | ||
| func unitTestsValidateUpdate() { //nolint:gocyclo |
Contributor
There was a problem hiding this comment.
is it not better to refactor and split our tests rather than ignoring it?
Collaborator
Author
There was a problem hiding this comment.
Yes, but not as part of this PR.
| return table | ||
| } | ||
|
|
||
| DescribeTable("disallow update of protected annotations by non-privileged user", |
Contributor
There was a problem hiding this comment.
why define the methods outside of the describe instead of inside?
Collaborator
Author
There was a problem hiding this comment.
Because it's not a describe, it's a DescribeTable.
bryanv
approved these changes
Oct 29, 2025
| _ ReconcileStatusData) []error { //nolint:unparam | ||
|
|
||
| for k, v := range vmCtx.VM.Annotations { | ||
| if anno2ConditionRegex.MatchString(k) { |
Contributor
There was a problem hiding this comment.
Why the regex with the capture group when not using that, vs strings.HasPrefix()?
| if t != "" { | ||
| switch s { | ||
| case metav1.ConditionFalse: | ||
| conditions.MarkFalse(vmCtx.VM, t, r, m+"%s", "") |
This patch introduces a feature that allows integration with VM
conditions by external actors. Privileged users may set annotations
on a VM that match the following pattern:
condition.vmoperator.vmware.com.protected/UNIQUE_ID: TYPE[;STATUS][;REASON][;MESSAGE]
Any annotations that match the above pattern are added/updated to a
VM's conditions.
Please note that STATUS must be either True, False, or Unknown. Any
other value will be reported as Unknown.
Also, there is currently no way to remove a condition via this method,
only add/update them.
akutz
force-pushed
the
feature/anno-to-cond
branch
from
d936f14 to
053bffb
Compare
Minimum allowed line rate is |
dilyar85
pushed a commit
to dilyar85/vm-operator
that referenced
this pull request
Nov 5, 2025
🌱 Protected annotation-to-condition pattern
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do, and why is it needed?
This patch introduces a feature that allows integration with VM conditions by external actors. Privileged users may set annotations on a VM that match the following pattern:
Any annotations that match the above pattern are added/updated to a VM's conditions.
Please note that STATUS must be either True, False, or Unknown. Any other value will be reported as Unknown.
Also, there is currently no way to remove a condition via this method, only add/update them.
Which issue(s) is/are addressed by this PR? (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Are there any special notes for your reviewer:
Please add a release note if necessary: