-
Notifications
You must be signed in to change notification settings - Fork 425
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
⚠ Add admissionregisteration/v1 support for webhook #469
Conversation
@@ -27,7 +27,7 @@ func (c *CronJob) SetupWebhookWithManager(mgr ctrl.Manager) error { | |||
Complete() | |||
} | |||
|
|||
// +kubebuilder:webhook:verbs=create;update,path=/validate-testdata-kubebuilder-io-v1-cronjob,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=testdata.kubebuiler.io,resources=cronjobs,versions=v1,name=validation.cronjob.testdata.kubebuilder.io,sideEffects=Some | |||
// +kubebuilder:webhook:verbs=create;update,path=/validate-testdata-kubebuilder-io-v1-cronjob,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=testdata.kubebuiler.io,resources=cronjobs,versions=v1,name=validation.cronjob.testdata.kubebuilder.io,sideEffects=NoneOnDryRun |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is because in admissionregistration/v1
, the sideEffects can only be None
and NoneOnDryRun
when creates Configurations
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you checking for this case anywhere? There should be an error if anything other than either of those two is set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, there is no such check, please check this comment: #469 (comment) What do you think about this? Or you think it is better to forbid users to create config with Some
and Unknown
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general I would want as much static validation as possible for my operator project so that I don't have to wait for my CI's apiserver to tell me my webhook config is invalid when I upgrade from v1beta1 to v1. Is there a good reason not to statically validate side effects?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess the counter-argument is that having one marker for two versions is nice, and if one value in that marker is invalid for one version then you can't generate the config for either version, which I think is what you're suggesting in your comment.
The right solution IMO is to add an optional +kubebuilder:webhook:webhookVersion=<v1|v1beta1>
field so you can specify which version to generate for a marker if you want to generate both and configure them differently. The case where this field wasn't added to the marker is the current case, so no version list is needed and this isn't a breaking change. Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess the counter-argument is that having one marker for two versions is nice, and if one value in that marker is invalid for one version then you can't generate the config for either version, which I think is what you're suggesting in your comment.
Yeah, exactly. This is my main concern so I decided not to handle the static validation and let kube-apiserver handle it, but it may not be a good solution because users have to modify the configuration every time they re-generate it.
The right solution IMO is to add an optional +kubebuilder:webhook:webhookVersion=<v1|v1beta1> field so you can specify which version to generate for a marker if you want to generate both and configure them differently.
I think this will work, but it will double the number of markers if the user wants to generate both v1
and v1beta1
webhooks. How about we do the following, with a marker +kubebuilder:webhook:webhookVersions=<[]string>
:
- We default to generate
v1
configuration if the marker is not specified. - Generate
v1
if the marker is+kubebuilder:webhook:webhookVersions=v1
- Generate
v1beta1
if the marker is+kubebuilder:webhook:webhookVersions=v1beta1
- Generate both
v1
andv1beta1
if the marker is+kubebuilder:webhook:webhookVersions=v1;v1beta1
or+kubebuilder:webhook:webhookVersions=v1beta1;v1
, we throw error out if thesideEffects
(later we also needed to handleAdmissionReviewVersions
) cannot meet requirement for either versions.
In this way, we still provide a chance for the user to generate bothv1
andv1beta1
in one marker.
The case where this field wasn't added to the marker is the current case, so no version list is needed and this isn't a breaking change.
I think it will still be a breaking change because we will generate v1
configurations by default (currently v1beta1
)?
WDYT @estroz ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Works for me.
this isn't a breaking change.
To the marker definition I mean, since current markers will work as-is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@estroz This has been implemented, PTAL :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
kindly ping @vincepri , can you please take a look? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
/assign @alvaroaleman
/hold
Feel free to unhold when ready
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jiachengxu, vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Should we merge this after we release v0.3.1, I guess this would be v0.4.0? |
Actually it seems we already merged #468, which is a breaking change, so this can go in and the next release is v0.4.0 |
kindly ping @alvaroaleman , do you have any further comments? If not, I will just unhold the PR, and rock and roll :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/hold cancel
The problem with making |
@caboteria this was fixed in #474, which forces you to set |
@vincepri there should probably be another release for this, but since it breaks the v0.4.0 marker scheme, should it be v0.5.0? |
Thanks @estroz for the pointer, that helps! I'm "go get"ing the current master rev of controller-tools so I'm all set, but my concern is that the defaults for controller-tools don't work with the current controller-runtime so it's easy for noobs like me to stub their toe when trying to build an operator. Should v1beta1 be the default until controller-runtime works with v1? |
There is no |
For making controller-runtime work with |
Thanks @estroz, the current master version is better in that respect than 0.4.0 which happily generates manifests that deploy but cause errors at run-time:
I guess one person's "fairly indicative" is another's "wtf"... Don't get me wrong, I appreciate the effort that you all are making to move controller-tools forward and I second both the suggestion to release controller-tools 0.5.0 and to make controller-runtime work with v1. At the moment we're in a situation where it's easy for noobs (like me) to waste time having to debug things that should just work. |
🤣 I meant the static error your see when generating admission webhooks for markers that don't have $ controller-gen --version
Version: v0.4.1-0.20200902055707-2f203e490e8a
$ tree api/v1
api/v1
├── cronjob_types.go
├── cronjob_webhook.go
├── groupversion_info.go
└── zz_generated.deepcopy.go
$ cat api/v1/cronjob_webhook.go
package v1
// +kubebuilder:webhook:path=/mutate-batch-my-domain-v1-cronjob,mutating=true,failurePolicy=fail,sideEffects=None,groups=batch.my.domain,resources=cronjobs,verbs=create;update,versions=v1,name=mcronjob.kb.io
...
$ controller-gen webhook paths=./...
AdmissionReviewVersions is mandatory for v1 {Mutating,Validating}WebhookConfiguration The deploy-time errors you get when deploying a v1 webhook config without |
@caboteria A PR is created here: kubernetes-sigs/controller-runtime#1233 to tackle this issue. |
This PR implements support to generate {Mutating, Validating}WebhookConfiguration with version
v1
.Fixes #419
The first intention was to add a package marker
webhookVersions=<[]string>
for the user to specify the versions that want to generate. It will default tov1
if thewebhookVersions
is not specified. However, after discussion with @estroz (#469 (comment)), we found out this cannot work nicely because, for different versions of WebhookConfiguraiton, Some fields (SideEffects, AdmissionReviewVersions) can have different available values, and if one value in that marker is invalid for one version then you can't generate the config for either version.So we decided to use an optional field marker
+kubebuilder:webhookVersions=<[]string>
to specify the versions in the+kubebuilder:webhookVersions
directly, it works as follows:v1
configuration if the marker is not specified.v1
if the marker is+kubebuilder:webhook:webhookVersions=v1
v1beta1
if the marker is+kubebuilder:webhook:webhookVersions=v1beta1
v1
andv1beta1
if the marker is+kubebuilder:webhook:webhookVersions=v1;v1beta1
or+kubebuilder:webhook:webhookVersions=v1beta1;v1
, we throw error out if thesideEffects
(later we also needed to handleAdmissionReviewVersions
) cannot meet requirement for either versions.This is a breaking change since we generate
v1
version configurations by default if the marker is not specified.