🌱 KCP: improve validation webhooks #6129
Conversation
Signed-off-by: Stefan Büringer [email protected]
|
/cc @fabriziopandini |
k8s-ci-robot
requested review from
fabriziopandini,
JoelSpeed and
stmcginnis
k8s-ci-robot
added
cncf-cla: yes
There was a problem hiding this comment.
Overall looks good, but looks like it's a breaking change. We probably want to move these webhooks to an internal package like the others, right? Do you want to tackle that in this PR? Or we could revert the path change for this PR and include it in a change that makes the webhook implementation internal.
I'm not sure if we should apply the same stability guarantees to the Validate func as to our API usually. This func is not really meant to be used externally. It is just exported because KCP has to use it too. I'm not sure if it's worth moving the webhook out of the API package as that is a breaking change itself (even though we could do that with deprecation). I think for now I would prefer staying with our policy of only moving the webhooks to a separate package if we are using a client. Overall I think this breaking change should be acceptable as it improves error messages, probably nobody uses this func apart from us and it's very easy to adopt to this breaking change if folks upgrade to v1.2.0. |
|
Would it be better to move them internally just to avoid someone asking the next time there's a PR. Seems like it could be a good help wanted issue. 😝 |
I'm not sure. I think it has more downsides for us to move it elsewhere as it makes it just more complicated :) But let's see what others think. |
Right, but given that's the decision we made with other webhooks and controllers what's the difference that makes it unsuitable here? |
In my opinion the only policy we have/implemented right now is that we only did it for webhooks which require additional dependencies because they are using a client and other things. I think at the moment this only applies to the Cluster and ClusterClass webhooks. Otherwise the question becomes, why don't we move all webhooks out of the API package. I think that something we can discuss (ideally on a separate issue). I think for now we kept them there so they are closer to the types they are validating/defaulting. (btw, I'm not really against moving all webhooks. I'm just not sure if I see the benefit yet and I would want to have a discussion / consensus about that before opening help wanted issues) |
| @@ -63,7 +63,7 @@ func (c *KubeadmConfig) ValidateDelete() error { | |||
| } | |||
|
|
|||
| func (c *KubeadmConfigSpec) validate(name string) error { | |||
| allErrs := c.Validate() | |||
| allErrs := c.Validate(field.NewPath("spec")) | |||
There was a problem hiding this comment.
Is passing the spec field inside for code or is it solving an actual problem? While going through the changes, the older version with e.g. "spec" "x" "y" "z" is a bit more clear than the current proposed changes
There was a problem hiding this comment.
This solves the problem that we are reporting wrong field paths in our field errors in some webhooks.
We have different places where KubeadmConfigSpec are used, e.g. in KCP. But today all our webhooks report that the error is in .spec... without considering that it's actually e.g. .spec.kubeadmConfigSpec...
Furthermore (in my opinion) it's a best practice to build up those field paths incrementally, so each function only has to append new relative paths and we don't have to look up and down complex call hierarchies to figure out if the resulting field error has a correct field path. We are e.g. using that in our ClusterClass validation quite extensively (and in my opinion successfully :) ).
|
@sbueringer: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@vincepri PTAL, if you have some time, thank you! :) |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Signed-off-by: Stefan Büringer [email protected]
What this PR does / why we need it:
While investigating #6113 I found out that our KCP validation has a few issues:
Overall I think that should make especially ClusterClass/KubeadmControlPlaneTemplate safer to use as the errors are already returned on creation of KubeadmControlPlaneTemplate. Not during topology reconcile when KubeadmControlPlane cannot be created.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Related to #6113