Mutation Objects

[yanirq]

What this PR does / why we need it:
Provided CRDs to support mutation: Assign and AssignMetadata CRDs
The PR includes CRDs + generated artifacts.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #907

Special notes for your reviewer:
deploy-mutation might be necessary in this PR to deploy mutation specific resources (using an additional overlay to kustomize)

[maxsmythe]

This is looking good! I left a few comments, though I realize this is WIP.

[maxsmythe]

Do we want this to be a list of interface{}?

That would allow for testing more complex objects as well as unknown types (string vs integer etc.)

That being said, coercing the types is much less ambiguous, and numbers might need other comparators anyway (greaterThan, for example).

Personally I'm split. Starting with string seems safer, as we can always expand the set of valid types over time.

[yanirq]

I'd go with the safer path for starters.

[maxsmythe]

+1

[maxsmythe]

Value needs to be of type interface{} so users can assign arbitrary values to arbitrary points in an object's schema.

[yanirq]

Changed Value type to runtime.RawExtension if that answers the way we add objects by definition
(both on assign_types.go and assignmetadata_types.go)

[yanirq]

also - interface{} does not seem to be supported by controller-gen

[maxsmythe]

I don't think we can use RawExtension as it looks like it expects to be wrapping an object:

https://godoc.org/k8s.io/apimachinery/pkg/runtime#RawExtension

How does controller-gen break if we try to use interface{}?

[maxsmythe]

I played around a bit, it looks like json.RawMessage might work?

[yanirq]

How does controller-gen break if we try to use interface{}?

See kubernetes-sigs/controller-tools#294 (comment)
The suggestion there is indeed use either json.RawMessage or RawExtension.

@fedepaol @mmirecki have you encounter an issue on the POC or current PRs with processing one of these types ? can RawExtension option to assign a full fledged sub-object meet our needs ?

[fedepaol]

We want to be able to pass both a full fledged object (i.e. for the sidecar injection example) or a scalar value (i.e. when changing the image pull policy).

This drives two different things:

• What to put in the CRD manifest
• How to map it in golang

Here we want a field that can be both an object, a scalar value (bool, integer, etc) or an array.
If we declare the field to be an object in the CRD, a string won't be accepted: Invalid value: "string": spec.foo in body must be of type object: "string" .

The option we have (I believe) is to use something like anyOf for alternative typed properties, or go with the object way and expect it to have a fixed property like "value: foo" in case the path we are aiming at is not an object (but this last one feels clunky).

The way we declare the CRD drives the go struct, having a single field to be either a json or a rawextensions (both would work), or a serie of typed alternative fields (with one of them being an object).

@maxsmythe @yanirq thoughts?

[maxsmythe]

I don't think there's a way to use anyOf in controller-gen, which is unfortunate. The sub-object route seems like it would work.

What if we changed spec.parameters.value to be spec.parameters.assign.value

We could then have something like:

Parameters struct {
   // +kubebuilder:validation:XPreserveUnknownFields
   Assign runtime.RawExtension `json:"assign,omitempty"`
}

It's a bit hacky to use RawExtension as this isn't a K8s object, but it saves us wrapping json.RawMessage in a struct and writing custom serializers like they did for runtime.RawExtension.

Fun finding: controller-runtime infers schema type from field type, so json.RawMessage is typed as a string (it is an alias for []byte), but runtime.RawExtension is an object because it is a struct enclosing a string.

[yanirq]

@maxsmythe I changed the struct as suggested above.
One thought I had is to somehow override RawExtension.object to RawExtension.value just for semantic purposes (to get spec.parameters.assign.value) I don't think there is such an option but I won't mind to be enlightened.

[maxsmythe]

You could create your own "RawExtension", though switching .Object to .Value wouldn't work.

You could follow the same pattern raw extension does (create your own struct that implements MarshalJSON() and UnmarshalJSON(), use json:"-", and then extend it how you want, including lazy-unmarshaling the JSON when a .Value() method is called.

[maxsmythe]

We'll need pod-specific status reporting ad some point, though that can be added on as a follow-on PR.

[yanirq]

Follow-on PR sounds good.
I'll make sure to open an issue if need be.

[maxsmythe]

+1 would be good to have an issue for this so we don't forget. Won't be necessary while we're just getting things running, but very necessary for users.

[maxsmythe]

String makes sense here as annotations and labels can only be strings.

[yanirq]

So something should be added/changed here ? or keep it as it is ?

[maxsmythe]

this works as-is :)

[maxsmythe]

I'm curious why one resource is "assigns" (plural) and the other is "assignmetadata" (singular)

Also, I don't see the CRD manifests?

[yanirq]

assignmetadata now changed to plural

[maxsmythe]

awesome, thanks!

[codecov-io]

Codecov Report

Merging #916 (8070c95) into master (dcbf36b) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #916   +/-   ##
=======================================
  Coverage   43.46%   43.46%           
=======================================
  Files          47       47           
  Lines        3173     3173           
=======================================
  Hits         1379     1379           
  Misses       1598     1598           
  Partials      196      196           

Flag	Coverage Δ
unittests	43.46% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dcbf36b...8070c95. Read the comment docs.

[fedepaol]

I think both this and the next one must be []string to be aligned with Constraints.
@maxsmythe can you confirm?

[maxsmythe]

Ah, you are correct, both of these should be []string

[yanirq]

Done

[yanirq]

@maxsmythe I covered all the comments.
Can you please take a look and see if the PR looks good ?

[maxsmythe]

Getting very close! Just minor cleanup-type stuff left IMO.

@ritazh @sozercan @shomron thoughts?

[maxsmythe]

Not a big fan of removing load restrictions, but it seems like this is probably the cleanest way of having dev CRDs, otherwise we'd need to change the file structure a bit, which may not play well with controller-gen.

TL;DR this works

[maxsmythe]

nit: Assign.value holds the value to be assigned

[yanirq]

done

[maxsmythe]

Should the plural just be "assign"?

I'm a bit biased here as I really don't like K8s use of plurals, I think having multiple names causes more problems than it solves.

In any case whatever we choose should be consistent with assignmetadata

[yanirq]

Changed plurals of assign and assignmetadata to be consistent (singular names).

Fun fact: controller-gen (flect) perceives assignmetadata plural as assignmetadata probably due to the ata suffix

[maxsmythe]

Interesting. Programatically managing these grammar details seems like a hard thing to do.

[maxsmythe]

None of these roles are necessary, they should all be folded up into the gatekeeper-manager role

[yanirq]

Done

[maxsmythe]

Did we remove permissions entirely?

I thought we were going to add them to the gatekeeper-manager role?

[yanirq]

After digging deeper I learned that there is a convention where controller-gen generates these permissions and outputs them to role.yaml according to kubebuilder markers on the controllers themselves (and not on CRDs) as we can see in config and constraints for example.

I can add them manually to gatekeeper-manager role (which will be overridden and exclude these permission when we run deploy) or we can add them to the role.yaml file in the controller related PRs (I already added a comment for one here)

[yanirq]

@maxsmythe was the permissions comment/question placed here on purpose ? (cainjection_in_assign.yaml) I'm trying to understand, out of placement context, if I missed anything else.

[maxsmythe]

It was just placed randomly, I probably should have just added it to the bottom of the PR. Sorry.

You are correct. I'd forgotten that we were putting the permissions on the controller (which makes sense as that's the thing that actually needs the access).

[maxsmythe]

@ritazh @shomron This looks basically ready, once permissions are ironed out, WDYT?

[maxsmythe]

LGTM

[yanirq]

@maxsmythe PR re-based to resolve conflicts and allow merge.

[maxsmythe]

Thanks!

@ritazh @shomron @sozercan @brycecr

Last chance to comment before merging. I think I'll merge EOD tomorrow if no one has feedback.

[ritazh]

Do we want to add a TODO here to make sure we add the following under resources and remove the one under overlays in the future?

-  bases/mutations.gatekeeper.sh_assignmetadata.yaml
-  bases/mutations.gatekeeper.sh_assign.yaml

gatekeeper/config/crd/kustomization.yaml

Line 4 in 611327a

resources:

[yanirq]

done

[ritazh]

lgtm

Just one nit