Use pkg/webhook along with build webhook implementation #379
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shashwathi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
shashwathi
changed the title
There was a problem hiding this comment.
Looking good so far, I think the biggest pain will be moving the full validation into the controller itself.
For now, we might be able to get away with having two webhook admission controllers, this one which does simple checks and uses knative/pkg webhook setup, and our existing one which does more thorough checks and can be phased into the real controller in a future PR.
WDYT?
| return err | ||
| } | ||
| return nil | ||
| // return validatePlaceholders(tmpl.TemplateSpec().Steps) |
There was a problem hiding this comment.
I think this was erroneously commented out.
There was a problem hiding this comment.
It was intentional. validatePlaceholders validates the attached template steps and template is obtained by calling kube api. This type of validation wont be in pkg/webhook. For now lets keep this is build webhook controller itself.
| } | ||
| if bs.Template != nil && len(bs.Steps) > 0 { | ||
| return apis.ErrMissingField("b.spec.template").Also(apis.ErrMissingField("b.spec.steps")) | ||
| //return validationError("TemplateAndSteps", "build cannot specify both template and steps") |
There was a problem hiding this comment.
These return validationError lines can just be deleted.
| return err | ||
| } | ||
|
|
||
| // Need kubeclient to fetch template |
There was a problem hiding this comment.
Yeah I think the current thinking is that we'll only do simple validation in the webhook, and leave it up to the controller to do full validation with resolved objects like the template, service account, secrets, etc.
I'm not sure there's a good story yet for surfacing validation errors outside of webhook checks though, we'd probably need to have some new condition type to express the Invalid state.
|
|
||
| // ValidateSecrets for build | ||
| func (bs *BuildSpec) ValidateSecrets() *apis.FieldError { | ||
| // TODO: move this logic into set defaults |
shashwathi
changed the title
|
I like the idea of 2 controllers for now. Updated code to split the validation between the 2 webhooks. Added tests and cleaned up bunch of common dependencies. |
|
/assign @imjasonh |
shashwathi
changed the title
| Options: pkgoptions, | ||
| Handlers: map[schema.GroupVersionKind]pkgwebhook.GenericCRD{ | ||
| v1alpha1.SchemeGroupVersion.WithKind("Build"): &v1alpha1.Build{}, | ||
| v1alpha1.SchemeGroupVersion.WithKind("ClusterBuildTemplate"): &v1alpha1.ClusterBuildTemplate{}, |
There was a problem hiding this comment.
Can you confirm that the common infrastructure works properly with cluster-scoped resources, since AFAIK this is the first one we're trying :)
There was a problem hiding this comment.
Cool 👍
I have added e2e test for build with template and build with cluster template as well. Going forward we will have better coverage for these features
| ) | ||
|
|
||
| // DefaultTime is 10min | ||
| const DefaultTime = 10 * time.Minute |
| package v1alpha1 | ||
|
|
||
| // SetDefaults for build template | ||
| func (b *BuildTemplate) SetDefaults() { |
There was a problem hiding this comment.
Can we just put this into build_template_types.go ? This separate file doesn't add much.
| reason: "long name", | ||
| tmpl: &BuildTemplate{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: "*********************************************************************************************", |
There was a problem hiding this comment.
strings.Repeat("x", maxLength+1) is self-documenting and self-updating if we update maxLength.
There was a problem hiding this comment.
I missed my TODO there. Good catch
| } | ||
| } | ||
|
|
||
| if len(name) > 63 { |
There was a problem hiding this comment.
Can we extract this to a const?
| seen := map[string]struct{}{} | ||
| for _, p := range params { | ||
| if _, ok := seen[p.Name]; ok { | ||
| return apis.ErrMultipleOneOf("ParamName") |
There was a problem hiding this comment.
I don't think MultipleOneOf is the correct error, I think that error is intended to communicate "you can specify X or Y, but not both"
https://godoc.org/github.com/knative/pkg/apis#ErrMultipleOneOf
(ErrMissingOneOf is "you must specify X or Y, but not neither")
Maybe ErrInvalidKeyName? https://godoc.org/github.com/knative/pkg/apis#ErrInvalidKeyName
There was a problem hiding this comment.
Yeah pick the error with closest match I guess. I am okay with ErrInvalidKeyName
| @@ -0,0 +1,111 @@ | |||
| package v1alpha1 | |||
There was a problem hiding this comment.
typo in filename: cluster_build_template_validation_test.go
| reason string // if "", expect success. | ||
| }{{ | ||
| desc: "Single named step", | ||
| tmpl: &ClusterBuildTemplate{ |
There was a problem hiding this comment.
I think we can condense both of these test tables into one, and avoid duplication:
func TestValidateBuildTemplate(t *testing.T) {
for _, c := range []struct {
desc string
spec BuildTemplateSpec
reason string
} {{
...
}} {
t.Run("namespaced-"+c.desc, func(t *testing.T) {
tmpl := &BuildTemplate{Spec: c.spec},
tmpl.Validate()
...
})
t.Run("cluster-namespaced-"+c.desc, func(t *testing.T) {
ctmpl := &ClusterBuildTemplate{Spec: c.spec},
ctmpl.Validate()
...
})
}
}
|
The following is the coverage report on pkg/.
|
* Add validation & defaut for btmpl * add validation for cluster build template * Add validation and defaults for build * Use pkg webhook * compiles * Add webhook package * Move tests * Add tests * webhook test * cleanup unused code * Revert previous change * Add e2e tests for build with template and cluster template * Fix typo * Fix test typo * Increase coverage * Address comments * Add tests * Rename file to generic name
* Add validation & defaut for btmpl * add validation for cluster build template * Add validation and defaults for build * Use pkg webhook * compiles * Add webhook package * Move tests * Add tests * webhook test * cleanup unused code * Revert previous change * Add e2e tests for build with template and cluster template * Fix typo * Fix test typo * Increase coverage * Address comments * Add tests * Rename file to generic name
Address #378
Proposed Changes
FYI
I have not added any tests in this PR. If this change does not get 👎 then I will add tests to this PR and also delete custom webhook code.
Goal of this PR is to get conversation started about this change
Lot of validation in build CRDs included calling k8s API to validate object exist like
secrets, build templates. I have not included that change here because I noticed that Serving did not have any similar validations.
My question is does build CRD want that validation still?
Thoughts or concerns @imjasonh @mattmoor @pivotal-nader-ziada ?