WIP: Replace webhook validations with CEL validation #475
Conversation
cert-manager-prow
bot
added
do-not-merge/work-in-progress
erikgb
force-pushed
the
more-api-validation
branch
2 times, most recently
from
3749249
to
c7c15cb
Compare
cert-manager-prow
bot
added
size/L
erikgb
force-pushed
the
more-api-validation
branch
5 times, most recently
from
78f63d5
to
3741f38
Compare
cert-manager-prow
bot
added
size/XL
erikgb
force-pushed
the
more-api-validation
branch
3 times, most recently
from
d9853ff
to
17a72ed
Compare
cert-manager-prow
bot
added
the
needs-rebase
erikgb
force-pushed
the
more-api-validation
branch
from
17a72ed
to
ec915d4
Compare
cert-manager-prow
bot
removed
the
needs-rebase
erikgb
force-pushed
the
more-api-validation
branch
from
ec915d4
to
2224375
Compare
erikgb
changed the title
cert-manager-prow
bot
removed
the
do-not-merge/work-in-progress
erikgb
force-pushed
the
more-api-validation
branch
from
2224375
to
60e3819
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: juliocamarero The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
question: Did you run these tests against main, before switching to CEL validation? I think that would be valuable if we've not done it yet!
There was a problem hiding this comment.
Good point! I think some of them actually might fail, and that is because the webhook validation code is complex and error-prone. Let me pull the tests into a new PR to see.
There was a problem hiding this comment.
I just tried this, and it is not working - for "technical reasons". 😢 Our integration tests are poorly configured IMO, and improving this will require some changes that at least @inteon would reject. 😉 The main issue in this case, is that the validating webhook configuration is only available from the Helm chart. And to bootstrap an integration test with webhook enabled, we need the webhook configuration in a format that is machine-readable.
If we adopted more of the "best practices" established by kubebuilder, this would be an improvement - at least to me.
Relates to cert-manager/makefile-modules#209.
| @@ -100,6 +102,9 @@ type BundleSource struct { | |||
|
|
|||
| // BundleTarget is the target resource that the Bundle will sync all source | |||
| // data to. | |||
| // +kubebuilder:validation:XValidation:rule="[has(self.configMap), has(self.secret)].exists(x,x)", message="must define at least one target configMap/secret" | |||
| // +kubebuilder:validation:XValidation:rule="!has(self.additionalFormats) || ![has(self.additionalFormats.jks), has(self.additionalFormats.pkcs12)].all(x,x) || self.additionalFormats.jks.key != self.additionalFormats.pkcs12.key", message="additional format keys must be unique" | |||
| // +kubebuilder:validation:XValidation:rule="!has(self.additionalFormats) || !((has(self.configMap) ? [self.configMap.key] : []) + (has(self.secret) ? [self.secret.key] : [])).exists(k,(has(self.additionalFormats.jks) && self.additionalFormats.jks.key == k) || (has(self.additionalFormats.pkcs12) && self.additionalFormats.pkcs12.key == k))", message="additional format keys must be different from configMap/secret keys" | |||
There was a problem hiding this comment.
question: Is a +kubebuilder comment the only way of specifying these validation rules? (I'm unfamiliar generally with this CEL validation stuff)
This CEL code is super important to our UX but it's really difficult to read, understand and test it when it's embedded in a comment like this - seems like a sharp edge.
This isn't a blocker or anything, but it seems a shame if this is the only way today!
There was a problem hiding this comment.
No, it should be possible to hack the expression directly into the CRDs, but that is not something I would do. 😆 The expressions are mainly complex because the API is suboptimal. After #486, I think the expressions could become really simple.
Thanks for reviewing @SgtCoDFish (and @juliocamarero)! But I think the best option here is to put this PR back into draft-mode and wait for a conclusion on #486.
cert-manager-prow
bot
added
the
do-not-merge/work-in-progress
erikgb
changed the title
cert-manager-prow
bot
added
the
needs-rebase
Signed-off-by: Erik Godding Boye <[email protected]>
erikgb
force-pushed
the
more-api-validation
branch
from
60e3819
to
2af5468
Compare
cert-manager-prow
bot
removed
the
needs-rebase
I want to see if it's possible to remove the trust-manager validating webhook, as it will eliminate the requirement to pre-install cert-manager. But it doesn't seem possible, at least not with the current Bundle API, to fully replace the webhook validations with CEL api-server validation. We might get a bit further after redesigning the
targetstructure ref. #242, but the label selectors require a webhook to be validated AFAIK.I personally think the CEL validations are more compact and fairly easy to read, at least the common union validations. The additional formats validation CEL expression is probably a bit over the line, so I am open to reverting it. But I wanted to see how far I could get with CEL, and I even got assistance from Jordan Liggit himself! 🦄
Jordan suggested optional fields to reduce the complexity, but I decided to avoid them for now - since that will require Kubernetes version >= 1.29 to work. We can simplify later on.
Please let me know what you think!
/cc @juliocamarero @SgtCoDFish @inteon