-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ScyllaDBCluster webhook validation #2271
base: master
Are you sure you want to change the base?
Conversation
@zimnx: GitHub didn't allow me to request PR reviews from the following users: zimnx. Note that only scylladb members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: zimnx The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
9a65306
to
6ae7f48
Compare
6ae7f48
to
38ef9a7
Compare
/cc rzetelskik Ready to review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
first batch
if spec.MinReadySeconds != nil && *spec.MinReadySeconds < 0 { | ||
allErrs = append(allErrs, apimachineryvalidation.ValidateNonnegativeField(int64(*spec.MinReadySeconds), fldPath.Child("minReadySeconds"))...) | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ReadinessGates validation is missing: see e.g. https://github.com/kubernetes/kubernetes/blob/v1.32.0/pkg/apis/core/validation/validation.go#L3736-L3742
|
||
func ValidateScyllaDBClusterDatacenterTemplate(dcTemplate *scyllav1alpha1.ScyllaDBClusterDatacenterTemplate, fldPath *field.Path) field.ErrorList { | ||
allErrs := field.ErrorList{} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
metadata validation is missing (labels, annotations, especially pod-specific)
|
||
func ValidateScyllaDBClusterDatacenterTemplate(dcTemplate *scyllav1alpha1.ScyllaDBClusterDatacenterTemplate, fldPath *field.Path) field.ErrorList { | ||
allErrs := field.ErrorList{} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems like placement should be validated as well?
if dcTemplate.ScyllaDB.Storage != nil { | ||
if dcTemplate.ScyllaDB.Storage.Metadata != nil { | ||
allErrs = append(allErrs, apimachinerymetav1validation.ValidateLabels(dcTemplate.ScyllaDB.Storage.Metadata.Labels, fldPath.Child("scyllaDB", "storage", "metadata", "labels"))...) | ||
allErrs = append(allErrs, apimachineryvalidation.ValidateAnnotations(dcTemplate.ScyllaDB.Storage.Metadata.Annotations, fldPath.Child("scyllaDB", "storage", "metadata", "annotations"))...) | ||
} | ||
|
||
storageCapacity, err := resource.ParseQuantity(dcTemplate.ScyllaDB.Storage.Capacity) | ||
if err != nil { | ||
allErrs = append(allErrs, field.Invalid(fldPath.Child("scyllaDB", "storage", "capacity"), dcTemplate.ScyllaDB.Storage.Capacity, fmt.Sprintf("unable to parse capacity: %v", err))) | ||
} else if storageCapacity.CmpInt64(0) <= 0 { | ||
allErrs = append(allErrs, field.Invalid(fldPath.Child("scyllaDB", "storage", "capacity"), dcTemplate.ScyllaDB.Storage.Capacity, "must be greater than zero")) | ||
} | ||
|
||
if dcTemplate.ScyllaDB.Storage.StorageClassName != nil { | ||
for _, msg := range apimachineryvalidation.NameIsDNSSubdomain(*dcTemplate.ScyllaDB.Storage.StorageClassName, false) { | ||
allErrs = append(allErrs, field.Invalid(fldPath.Child("scyllaDB", "storage", "storageClassName"), *dcTemplate.ScyllaDB.Storage.StorageClassName, msg)) | ||
} | ||
} | ||
} | ||
|
||
if dcTemplate.ScyllaDB.CustomConfigMapRef != nil { | ||
for _, msg := range apimachineryvalidation.NameIsDNSSubdomain(*dcTemplate.ScyllaDB.CustomConfigMapRef, false) { | ||
allErrs = append(allErrs, field.Invalid(fldPath.Child("scyllaDB", "customConfigMapRef"), *dcTemplate.ScyllaDB.CustomConfigMapRef, msg)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems to duplicate with types_scylladbdatacenter.go
. Also why isn't this split into functions (nit)?
if dcTemplate.ScyllaDBManagerAgent.CustomConfigSecretRef != nil { | ||
for _, msg := range apimachineryvalidation.NameIsDNSSubdomain(*dcTemplate.ScyllaDBManagerAgent.CustomConfigSecretRef, false) { | ||
allErrs = append(allErrs, field.Invalid(fldPath.Child("scyllaDBManagerAgent", "customConfigSecretRef"), *dcTemplate.ScyllaDBManagerAgent.CustomConfigSecretRef, msg)) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
var supportedServiceTypes = []scyllav1alpha1.NodeServiceType{ | ||
scyllav1alpha1.NodeServiceTypeHeadless, | ||
scyllav1alpha1.NodeServiceTypeLoadBalancer, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
clusterIP should also be supported: https://github.com/scylladb/scylla-operator-enterprise/pull/41#discussion_r1688275789
var allowedNodeServiceTypesByBroadcastAddressType = map[scyllav1alpha1.BroadcastAddressType][]scyllav1alpha1.NodeServiceType{ | ||
scyllav1alpha1.BroadcastAddressTypePodIP: { | ||
scyllav1alpha1.NodeServiceTypeHeadless, | ||
scyllav1alpha1.NodeServiceTypeLoadBalancer, | ||
}, | ||
scyllav1alpha1.BroadcastAddressTypeServiceLoadBalancerIngress: { | ||
scyllav1alpha1.NodeServiceTypeLoadBalancer, | ||
}, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
} | ||
|
||
if !isDatacenterStatusUpToDate(old, oldDCStatus) { | ||
allErrs = append(allErrs, field.InternalError(fldPath.Child("datacenters").Index(i), fmt.Errorf("datacenters %q can't be removed because its status, that's used to determine node count, is not yet up to date with the generation of this resource; please retry later", removedDCName))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
allErrs = append(allErrs, field.InternalError(fldPath.Child("datacenters").Index(i), fmt.Errorf("datacenters %q can't be removed because its status, that's used to determine node count, is not yet up to date with the generation of this resource; please retry later", removedDCName))) | |
allErrs = append(allErrs, field.InternalError(fldPath.Child("datacenters").Index(i), fmt.Errorf("datacenter %q can't be removed because its status, that's used to determine node count, is not yet up to date with the generation of this resource; please retry later", removedDCName))) |
return dcStatus.Name == removedDCName | ||
}) | ||
if !ok { | ||
continue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't this also result in an error? Isn't no status equivalent to out-of-date status?
} | ||
|
||
if oldDCStatus.Nodes != nil && *oldDCStatus.Nodes != 0 { | ||
allErrs = append(allErrs, field.Forbidden(fldPath.Child("datacenters").Index(i), fmt.Sprintf("datacenter %q can't be removed because the nodes are being scaled down", removedDCName))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: its nodes
@zimnx: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me on the high level, I really like thow the validating webhooks are structured in the codebase 👍.
Verifying for idempotency, nothing stands out as problematic to me.
@rzetelskik is it reasonable to defer the new checks you've requested (and possibly other wishlist checks) to a separate issue? I don't have enough context to have an opinion here. But having a PR stuck on scope expansion lacking bandwidth feels like a choice inferior to merging a "good enough" webhook.
lgtm
/assign rzetelskik
Which comments exactly are asking for a scope expansion? Unless I'm missing something, they either refer to missing (or incorrect) validation, or are nits, which can be ignored. |
@rzetelskik I meant specifically ReadinessGates validation, metadata validation, placement validation - looks like they ask that new checks be implemented by the author of the PR. I'm just floating an idea of merging a "good enough" webhook and deferring those to a separate issue. Note that I do not know if a webhook without those is "good enough". |
The thing with validation is that we cannot make it stricter between releases. Splitting it into followup issues could lead to forgeting about one. I'll add those validations as part of this effort. |
Description of your changes:
Adds validation rules for v1alpha1.ScyllaDBCluster to existing validating webhook.
Which issue is resolved by this Pull Request:
Resolves #2280