TriggerAuth-podIdentity.identityId - validation removed (operator) #5142
Conversation
Signed-off-by: radekfojtik <68660951+radekfojtik@users.noreply.github.com>
|
Thank you for your contribution! 🙏 We will review your PR as soon as possible. While you are waiting, make sure to:
Learn more about: |
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
Signed-off-by: radekfojtik <68660951+radekfojtik@users.noreply.github.com>
Signed-off-by: radekfojtik <68660951+radekfojtik@users.noreply.github.com>
Signed-off-by: radekfojtik <68660951+radekfojtik@users.noreply.github.com>
|
@JorTurFer @tomkerkhove please take a look guys |
There was a problem hiding this comment.
I tested the PR locally with:
- Install keda v2.11.0 with helm
- Create
TriggerAuthenticationwithidentityId: "" - Upgrade to keda v.2.12.0 - I was able to reproduce the issue
- Deploy patched keda and validation webhook images, include
ValidatingWebhookConfigurationfrom charts:main branch
Old TriggerAuthentications with identityId: "" don't cause issues and the validation webhook blocks the creation of new ones.
| return nil | ||
| } | ||
|
|
||
| func isEmptyString(str *string) bool { |
There was a problem hiding this comment.
Util functions like this one have a high potential for code duplicity. Can you add a new file to pkg/util and move the function there? Ideally with generics, something like
func IsDefaultValue[T comparable](value *T) bool {
var def T
return value != nil && *value == def
}
There was a problem hiding this comment.
I think that this is a good feedback ❤️
| if spec.PodIdentity.IdentityID != nil && *spec.PodIdentity.IdentityID == "" { | ||
| return nil, fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") | ||
| if isEmptyString(podIdentity.IdentityID) { | ||
| return fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") |
There was a problem hiding this comment.
| return fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") | |
| return fmt.Errorf("identityId of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") |
|
Just a side note, we shouldn't rely on validation webhooks that much. If possible, this should work withouth validation as well. |
|
100% |
I have to disagree with this point. KEDA has to work properly handling the scenario, but the data validation is the responsibility of the webhooks, don't you think? I mean, why do we use validating webhooks for validating the data plane, if we are going to raise validation messages in the operator too? KEDA operator will fail with a handled error if the user is providing the item wrongly (it won't panic), so other validations over the data constraints should be managed by the webhooks and users have to assume that validations are done by webhooks. As user, you can't skip the validating webhooks and also expect a well-formed validation with a lot of info about the validating error |
|
LGTM but let's wait until @zroubalik and @tomkerkhove agree with it (or not xD), because this moves the responsibility from the operator to webhooks |
No, because webhooks are optional. If it would be mandatory then I'd agree. Validation webhooks are more for enforcing best practices in the current state of KEDA, not for ensuring things are valid. If we want to go that route than making it mandatory is the only viable option. |
|
@zroubalik @tomkerkhove Having this validation on the |
@josefkarasek There is no need to set the |
|
@JorTurFer could you please look at this? We should resolve this already :) Thanks |
I reviewed here: #5142 (comment) From my perspective, webhooks have to validate the information and the operator has to just handle errors if they are. No having VALIDATING webhooks IMHO explicitly means that you don't have validations (because you are not installing them), just fails if you introduce something wrong. It moves the responsibility from the operator to the webhooks. If the operator sees and empty pod identity, it doesn't matter who sets it, and it continues with its work, failing if it has to fail |
|
We should push this topic @zroubalik @tomkerkhove |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
|
@JorTurFer let's add it to the agenda for the next meeting |
stale
bot
removed
the
stale
|
Sorry, I did not see the pings - Let's discuss indeed |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
|
This issue has been automatically closed due to inactivity. |
stale
bot
removed
the
stale
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
|
This issue has been automatically closed due to inactivity. |
TriggerAuthentication.podIdentity - validation of
identityId(empty string "") removed (operator)Checklist
Fixes #5109
Relates to #