Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: turning default-create-vap-binding-for-constraints to true #3478

Closed
wants to merge 3 commits into from
Closed

chore: turning default-create-vap-binding-for-constraints to true #3478

wants to merge 3 commits into from

Conversation

JaydipGabani
Copy link
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #

Special notes for your reviewer:

@JaydipGabani JaydipGabani requested a review from a team as a code owner August 7, 2024 22:00
@codecov-commenter
Copy link

codecov-commenter commented Aug 7, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 48.07%. Comparing base (3350319) to head (abbe6e9).
Report is 119 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (abbe6e9). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (3350319) HEAD (abbe6e9)
unittests 2 1
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3478      +/-   ##
==========================================
- Coverage   54.49%   48.07%   -6.42%     
==========================================
  Files         134      219      +85     
  Lines       12329    15165    +2836     
==========================================
+ Hits         6719     7291     +572     
- Misses       5116     7058    +1942     
- Partials      494      816     +322
Flag Coverage Δ
unittests 48.07% <ø> (-6.42%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ritazh
Copy link
Member

ritazh commented Aug 7, 2024
edited
Loading

I see we used to check if useVap label was set in the CT. https://github.com/open-policy-agent/gatekeeper/pull/3266/files#diff-474c206a215a22d369287c928c6e0785a964328557d19689e6080f978b8792ebR314
By the same token, we should have checked if generateVAP: true is set in the CT.
If constraint checks that then we do not need to change the flag's default value.

@JaydipGabani
Copy link
Contributor Author

JaydipGabani commented Aug 8, 2024
edited
Loading

@ritazh link for relavent discussion on why we are checking for CEL code in template - #3398 (comment). I can add the check on another PR. Hers is the PR #3479.

maxsmythe
maxsmythe reviewed Aug 8, 2024
View reviewed changes
pkg/controller/constraint/constraint_controller.go
@@ -65,7 +65,7 @@ import (
var (
log = logf.Log.V(logging.DebugLevel).WithName("controller").WithValues(logging.Process, "constraint_controller")
discoveryErr *apiutil.ErrResourceDiscoveryFailed
DefaultGenerateVAPB = flag.Bool("default-create-vap-binding-for-constraints", false, "Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.")
DefaultGenerateVAPB = flag.Bool("default-create-vap-binding-for-constraints", true, "Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. Defaults to true.")
Copy link
Contributor

@maxsmythe maxsmythe Aug 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should not default alpha features to true. This is because alpha features should not be enabled by default.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After talking with Rita, the idea is that generation of VAP bindings will be governed by the template only (either via default value or explicitly setting intent).

This explains #3479. B/c this requires opt-in for the feature to activate, this SGTM

@JaydipGabani JaydipGabani mentioned this pull request Aug 8, 2024
Merged
maxsmythe
maxsmythe approved these changes Aug 8, 2024
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@JaydipGabani
Copy link
Contributor Author

Closing this PR since we have another change for checking generateVAP: true on template. #3479

@JaydipGabani JaydipGabani deleted the vapb-default branch August 8, 2024 23:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxsmythe maxsmythe maxsmythe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@JaydipGabani @codecov-commenter @ritazh @maxsmythe