-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TriggerAuth-podIdentity.identityId - validation removed (operator) #5142
TriggerAuth-podIdentity.identityId - validation removed (operator) #5142
Conversation
Signed-off-by: radekfojtik <[email protected]>
Thank you for your contribution! 🙏 We will review your PR as soon as possible. While you are waiting, make sure to:
Learn more about: |
Signed-off-by: radekfojtik <[email protected]>
Signed-off-by: radekfojtik <[email protected]>
Signed-off-by: radekfojtik <[email protected]>
@JorTurFer @tomkerkhove please take a look guys |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested the PR locally with:
- Install keda v2.11.0 with helm
- Create
TriggerAuthentication
withidentityId: ""
- Upgrade to keda v.2.12.0 - I was able to reproduce the issue
- Deploy patched keda and validation webhook images, include
ValidatingWebhookConfiguration
from charts:main branch
Old TriggerAuthentication
s with identityId: ""
don't cause issues and the validation webhook blocks the creation of new ones.
return nil | ||
} | ||
|
||
func isEmptyString(str *string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Util functions like this one have a high potential for code duplicity. Can you add a new file to pkg/util
and move the function there? Ideally with generics, something like
func IsDefaultValue[T comparable](value *T) bool {
var def T
return value != nil && *value == def
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that this is a good feedback ❤️
if spec.PodIdentity.IdentityID != nil && *spec.PodIdentity.IdentityID == "" { | ||
return nil, fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") | ||
if isEmptyString(podIdentity.IdentityID) { | ||
return fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") | |
return fmt.Errorf("identityId of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"") |
Just a side note, we shouldn't rely on validation webhooks that much. If possible, this should work withouth validation as well. |
100% |
I have to disagree with this point. KEDA has to work properly handling the scenario, but the data validation is the responsibility of the webhooks, don't you think? I mean, why do we use validating webhooks for validating the data plane, if we are going to raise validation messages in the operator too? KEDA operator will fail with a handled error if the user is providing the item wrongly (it won't panic), so other validations over the data constraints should be managed by the webhooks and users have to assume that validations are done by webhooks. As user, you can't skip the validating webhooks and also expect a well-formed validation with a lot of info about the validating error |
LGTM but let's wait until @zroubalik and @tomkerkhove agree with it (or not xD), because this moves the responsibility from the operator to webhooks |
No, because webhooks are optional. If it would be mandatory then I'd agree. Validation webhooks are more for enforcing best practices in the current state of KEDA, not for ensuring things are valid. If we want to go that route than making it mandatory is the only viable option. |
@zroubalik @tomkerkhove Having this validation on the |
@josefkarasek There is no need to set the |
@JorTurFer could you please look at this? We should resolve this already :) Thanks |
I reviewed here: #5142 (comment) From my perspective, webhooks have to validate the information and the operator has to just handle errors if they are. No having VALIDATING webhooks IMHO explicitly means that you don't have validations (because you are not installing them), just fails if you introduce something wrong. It moves the responsibility from the operator to the webhooks. If the operator sees and empty pod identity, it doesn't matter who sets it, and it continues with its work, failing if it has to fail |
We should push this topic @zroubalik @tomkerkhove |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
@JorTurFer let's add it to the agenda for the next meeting |
Sorry, I did not see the pings - Let's discuss indeed |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
This issue has been automatically closed due to inactivity. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
This issue has been automatically closed due to inactivity. |
TriggerAuthentication.podIdentity - validation of
identityId
(empty string "") removed (operator)Checklist
Fixes #5109
Relates to #