[external api] Set a default empty array for VpcFirewallRuleUpdate

[karencfv]

In our attempt to make the Go SDK generator less hacky oxidecomputer/oxide.go#283, we had the unexpected side effect of breaking our VpcFirewallRuleUpdateParams struct https://github.com/oxidecomputer/oxide.go/pull/283/files#diff-841a2b1b5f072b633551cac9c34c9732a722b415e297a1530b92d5988962062eR6810-R6811 due to Go's fun way of handling empty values. Using this API no longer allows us to delete the entirety of the firewall rules.

This commit sets an empty array as the default for rules following the pattern that other APIs use.
https://github.com/oxidecomputer/omicron/blob/main/nexus/types/src/external_api/params.rs#L1163-L1177

cc @sudomateo

[sudomateo]

I'm cool with this change to be consistent with other APIs but I would have assumed even without this change setting rules to [] in the request body would have worked. Did the previous configuration enforce a non-empty array?

Oh, I think I see it now. The Go SDK has omitempty on the rules attribute so setting [] serializes to null. The rules attribute isn't nullable in omicron so the omitempty will remain in the Go SDK. Now sending null in the request body will allow omicron to default rules to []. Do I have that right?

[david-crespo]

Sorry, meant to comment on Friday. Does this make it so you can nuke all your rules by posting {} as the request body? That makes me slightly nervous as it’s a little surprising, though it will probably never happen. It feels like an API-side workaround for a client quirk, if I understand this omitempty correctly. There’s no way to make the SDK act normal, i.e., pass what you actually give it as the request body?

[sudomateo]

Sorry, meant to comment on Friday. Does this make it so you can nuke all your rules by posting {} as the request body? That makes me slightly nervous as it’s a little surprising, though it will probably never happen.

Correct. This is how the UI code also does it. If you delete the last firewall rule in the UI the request body that's sent is {"rules":[]} since there's no DELETE endpoint for firewall rules.

It feels like an API-side workaround for a client quirk, if I understand this omitempty correctly. There’s no way to make the SDK act normal, i.e., pass what you actually give it as the request body?

We could update the Go SDK to remove omitempty or change it to omitzero. That'll make the serialization like so.

rules: []string(nil)
no tag    -> {"rules":null}
omitempty -> {}
omitzero  -> {}

rules: []string{}
no tag    -> {"rules":[]}
omitempty -> {}
omitzero  -> {"rules":[]}

rules: []string{"foo"}
no tag    -> {"rules":["foo"]}
omitempty -> {"rules":["foo"]}
omitzero  -> {"rules":["foo"]}

[karencfv]

UPDATE: Had a chat in the Product sync about this and we'll be continuing the conversation.

Just want to add a datapoint here. What we really need here is a DELETE endpoint. Right now I'm basically shoehorning the functionality into an endpoint that's just meant to update. If we want to protect users from accidentally deleting things and explicitly requiring rules for an update, a separate means to delete would be more correct.