fix: move validation admission policy outside of crds directory#9024
zhaohuabing wants to merge 20 commits into
Conversation
Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a0caaf38c2
Codecov Report: all modified and coverable lines are covered by tests.

Coverage diff (main vs. #9024):

            main     #9024     +/-
Coverage    74.77%   74.83%   +0.06%
Files          252      252
Lines        40675    40675
Hits         30415    30440      +25
Misses        8179     8158      -21
Partials      2081     2077       -4
@codex review
Codex Review
Reviewed commit: c499193462
2e05bcc to d3ade13 (Compare)
@codex review
Codex Review
Reviewed commit: d3ade13519
@codex review
Codex Review
Reviewed commit: a12ec94e88
@codex review
Codex Review
Reviewed commit: 31c07399ba
@codex review
Codex Review
Reviewed commit: 4376333a5d
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@codex review
Codex Review
Reviewed commit: 5f43969e13
| {{- $vap := lookup "admissionregistration.k8s.io/v1" "ValidatingAdmissionPolicy" "" $safeUpgradePolicyName -}} | ||
| {{- $vapBinding := lookup "admissionregistration.k8s.io/v1" "ValidatingAdmissionPolicyBinding" "" $safeUpgradePolicyName -}} |
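Review bot: both `lookup` calls are unconditional, so rendering aborts before any manifest is emitted on a cluster where `admissionregistration.k8s.io/v1` does not serve `ValidatingAdmissionPolicy`/`ValidatingAdmissionPolicyBinding`, or where the installing identity lacks `get` on these cluster-scoped kinds. Wrap the two lines in `{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy" }}` (and the matching check for the binding kind), and note that under `helm template` and client-side `--dry-run` `lookup` returns an empty dict, so any branch on `$vap` or `$vapBinding` takes the not-found path there regardless of cluster state.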
Guard lookup against unavailable API or RBAC denial
These unconditional lookup calls can make chart rendering fail before any manifests are emitted: Helm documents that lookup errors from the API server (including missing resource types or permission errors) fail template processing. That means installs/upgrades now fail on clusters where ValidatingAdmissionPolicy is unavailable/disabled or where the installer cannot get these cluster-scoped resources, even in --skip-crds workflows that previously avoided this path. Consider gating with capability checks (and/or avoiding lookup in skip-CRD flows) so unsupported environments can still install.
I see the concern, but I think this is an expected install prerequisite rather than a regression. Gateway API installation now includes ValidatingAdmissionPolicy resources, so clusters using this chart path need to expose admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy. Similarly, Helm uses the Kubernetes identity running the install; that identity needs the cluster-scoped permissions required to install/read these resources.
jukie left a comment:
LGTM, but let's discuss including this in the v1.8.1 cherry-pick.
This could be disruptive for users who exclude crds/ from gateway-helm and install through another path like the gateway-crds-helm chart. Before this change, those users had no VAP in their gateway-helm set, and if they already have the VAP installed through another path they'll need to work through an ownership transition. It's minor but it is an undesired behavior change for a patch release.
Let's discuss this at this week's community meeting.
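The two threads above, the unguarded `lookup` and the ownership transition for users who already have the policy installed through another path, can both be handled inside the template. The following is an added example, not the gateway-helm chart's own template and not code from this PR: it renders the policy only when the installer has opted in and the cluster actually serves the API, and it fails with an actionable message when a policy of the same name exists but is not owned by this Helm release. The value key `gatewayAPI.supportingResources.enabled`, the policy name `gateway-api-safe-upgrade` and the CEL rule are assumptions chosen for illustration.

```yaml
{{- /*
  Added example, not the gateway-helm chart's own template.
  Assumed placeholders: .Values.gatewayAPI.supportingResources.enabled,
  the policy name below, and the illustrative CEL rule.
*/ -}}
{{- $policyName := "gateway-api-safe-upgrade" -}}
{{- $vapAPI := "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy" -}}
{{- $vapBindingAPI := "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicyBinding" -}}
{{- if and .Values.gatewayAPI.supportingResources.enabled (.Capabilities.APIVersions.Has $vapAPI) (.Capabilities.APIVersions.Has $vapBindingAPI) }}
{{- /*
  lookup only errors when the kind is not served (already excluded by the
  capability check above) or when the installing identity lacks RBAC to
  get it. A missing object, and any "helm template" or client-side
  --dry-run run, yields an empty dict instead.
*/ -}}
{{- $existing := lookup "admissionregistration.k8s.io/v1" "ValidatingAdmissionPolicy" "" $policyName -}}
{{- if $existing }}
{{- /* dig is nil-safe, so a policy without Helm annotations yields "". */ -}}
{{- $owner := dig "metadata" "annotations" "meta.helm.sh/release-name" "" $existing -}}
{{- if ne $owner .Release.Name }}
{{- fail (printf "ValidatingAdmissionPolicy %q already exists and is owned by %q, not by release %q; delete it, or annotate it with meta.helm.sh/release-name=%s and meta.helm.sh/release-namespace=%s and label it app.kubernetes.io/managed-by=Helm so this release can adopt it" $policyName (default "<no Helm owner>" $owner) .Release.Name .Release.Name .Release.Namespace) -}}
{{- end }}
{{- end }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: {{ $policyName }}
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["gateway.networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["gateways"]
  validations:
    # Illustrative rule only (assumed): listener names on a Gateway must be unique.
    - expression: "object.spec.listeners.all(l, object.spec.listeners.filter(x, x.name == l.name).size() == 1)"
      message: "Gateway listener names must be unique"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: {{ $policyName }}
spec:
  policyName: {{ $policyName }}
  validationActions: ["Deny"]
{{- end }}
```

Under `helm template` with no cluster, `.Capabilities.APIVersions` holds only Helm's built-in default set, so the guard evaluates false unless you pass `--api-versions admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy --api-versions admissionregistration.k8s.io/v1/ValidatingAdmissionPolicyBinding`; against a live cluster, `helm install --dry-run=server` (Helm 3.13 and later) also exercises the `lookup` and the ownership check. ValidatingAdmissionPolicy is served from `admissionregistration.k8s.io/v1` starting with Kubernetes 1.30, which is the case the capability gate keeps installable on older clusters.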
ec789fc
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
| @@ -0,0 +1,3 @@ | |||
| gatewayAPI: | |||
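Review bot: the new values file opens directly with the `gatewayAPI:` key and carries no comment line above it, so nothing in the chart's user-facing values documents what the keys under this block control or what their defaults are; add a `# ...` comment above `gatewayAPI:` stating that the block gates the supporting ValidatingAdmissionPolicy resources shipped with the Gateway API CRDs and whether they render by default.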
Should this live at the top level instead? https://github.com/zhaohuabing/gateway/blob/ff48f15437818b57ce9815a37182139fe7290eea/charts/gateway-helm/values.tmpl.yaml
Yes, it’s technically possible, but I think crds.gatewayAPI.supportingResources.enabled reads more clearly: the full path makes it explicit that these supporting resources are associated with the Gateway API CRDs. It also fits Helm’s existing value-scoping model better and stays consistent with crds.gatewayAPI.enabled / crds.gatewayAPI.channel.
If we prefer a top-level gatewayAPI.supportingResources.enabled value, I can move the VAP template into the main gateway-helm chart so it can read that value directly. My slight preference is to keep it in the crds subchart and expose it as crds.gatewayAPI.supportingResources.enabled, since these supporting resources are used for the Gateway API CRDs.
This PR moves validationAdmissionPolicy out of the crds directory and into the templates directory.
This fixes Flux installation as it treats all resources in the crds directory as CRDs.
Fixes #9015
Release Notes: Yes