✨ Add validation webhook for AWSMachine

[tahsinrahman]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

[detiber]

It looks like we can override the odd vawsmachine.kb.io naming through this annotation... Could we name it validating.awsmachine.x-k8s.io here instead? @ncdc @vincepri thoughts?

[ncdc]

Probably would be clearer. We'll have to remember to make this change for every webhook.

[detiber]

@ncdc we could add a quick script to validate the default naming isn't used for CI. Might be able to even use something as naive as: if git --no-pager grep kb.io; then echo "kb.io type prefix found"; exit 1; fi

[detiber]

I created a PR for renaming the validation webhook for AWSMachineTemplate here, and we can discuss more on that PR: #1219

[detiber]

Suggested change

	// +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachine,mutating=false,failurePolicy=fail,groups=infrastructure.cluster.x-k8s.io,resources=awsmachines,versions=v1alpha3,name=vawsmachine.kb.io
	// +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachine,mutating=false,failurePolicy=fail,groups=infrastructure.cluster.x-k8s.io,resources=awsmachines,versions=v1alpha3,name=validation.awsmachine.infrastructure.x-k8s.io

[ncdc]

Suggested change

	return errors.New("awsMachineSpec is immutable")
	return field.Forbidden(field.NewPath("spec"), "cannot be modified")

[detiber]

I suspect we'll need to allow updates to at least a subset of the spec (controller setting awsmachine.Spec.ProviderID for example).

We could probably allow updates to the AdditionalTags and AdditionalSecurityGroups fields safely as well (since those should be updated on each reconcile).

It might also be helpful for people that are troubleshooting issues with initial instance creation to be able to modify fields like the AMI, ImageLookupOrg, InstanceType, IAMInstanceProfile, AvailabilityZone, Subnet, SSHKeyName, NetworkInterfaces, etc assuming the instance doesn't exist.

[ncdc]

Would it make sense to allow all updates as long as we haven't created an ec2 instance yet? We might need to worry about race conditions such as:

1. Simultaneously:
   1. Reconciler receives AWSMachine at ResourceVersion=1
   2. User quickly gets in some updates, now ResourceVersion=2
2. Reconciler creates ec2 instance using data from ResourceVersion=1 (maybe it's slow today)
3. Reconciler sees updated AWSMachine at ResourceVersion=2
   1. But it can't do anything at this point, so the data doesn't match what happened in ec2

[detiber]

@ncdc as long as we don't necessarily rely on something like the providerID being set on the awsmachine.Spec, and fallback to doing a describe for the instance we should be able to avoid race conditions.

[ncdc]

@detiber I don't think that helps what I described above?

[tahsinrahman]

@ncdc our current implementation is also susceptible to this race condition you mentioned, right? so if we move the logic that's now deleted in this PR into the webhook validation code, it can also face this scenario?

[ncdc]

@tahsinrahman you are correct. I guess this comes back to my question from https://github.com/kubernetes-sigs/cluster-api-provider-aws/pull/1218/files#r344289646: is it better to allow updates with the possibility of a race, or err on the side of caution and reject all updates?

[tahsinrahman]

I'm on the side of disallowing all updates for now and see how it affects user experience. But lets come to an agreement on what to do! :)

[detiber]

sgtm, seems like the general consensus is to disallow updates for now :)

[ncdc]

I think we have consensus!

[ncdc]

1 small comment. @detiber @vincepri how does this look to you?

[detiber]

Suggested change

	// +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachine,mutating=false,failurePolicy=fail,groups=infrastructure.cluster.x-k8s.io,resources=awsmachines,versions=v1alpha3,name=validation.awsmachine.infrastructure.x-k8s.io
	// +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha3-awsmachine,mutating=false,failurePolicy=fail,groups=infrastructure.cluster.x-k8s.io,resources=awsmachines,versions=v1alpha3,name=validation.awsmachine.infrastructure.cluster.x-k8s.io

[detiber]

I suspect we'll need to allow updates to at least a subset of the spec (controller setting awsmachine.Spec.ProviderID for example).

We could probably allow updates to the AdditionalTags and AdditionalSecurityGroups fields safely as well (since those should be updated on each reconcile).

It might also be helpful for people that are troubleshooting issues with initial instance creation to be able to modify fields like the AMI, ImageLookupOrg, InstanceType, IAMInstanceProfile, AvailabilityZone, Subnet, SSHKeyName, NetworkInterfaces, etc assuming the instance doesn't exist.

[chuckha]

Should we be documenting anything on this PR? Such as what validations we are enforcing and how to set up the validation web hook? Or is everything opaque to the user and no documentation is required?

[ncdc]

@chuckha the examples already set up cert-manager and webhooks. However, ultimately we need more comprehensive documentation around webhook setup, including how to use something other than cert-manager. I'd like to add that to kubernetes-sigs/cluster-api#1757.

As far as documenting what validations we're enforcing, this will disallow all updates to AWSMachine.Spec... Although we have to address @detiber's comment:

I suspect we'll need to allow updates to at least a subset of the spec (controller setting awsmachine.Spec.ProviderID for example).

And potentially:

We could probably allow updates to the AdditionalTags and AdditionalSecurityGroups fields safely as well (since those should be updated on each reconcile).

I'm not sure where the best place is to document this. Any ideas?

[detiber]

Should we be documenting anything on this PR? Such as what validations we are enforcing and how to set up the validation web hook? Or is everything opaque to the user and no documentation is required?

We should likely add a doc similar to https://github.com/kubernetes-sigs/cluster-api/blob/master/docs/book/src/providers/v1alpha2-to-v1alpha3.md and add an item discussing the more strict validation there.

I don't think we should have to inform users how to deploy the validation webhook, since it will be deployed as part of the published provider components yaml.

[chuckha]

Should we be documenting anything on this PR? Such as what validations we are enforcing and how to set up the validation web hook? Or is everything opaque to the user and no documentation is required?

We should likely add a doc similar to https://github.com/kubernetes-sigs/cluster-api/blob/master/docs/book/src/providers/v1alpha2-to-v1alpha3.md and add an item discussing the more strict validation there.

I don't think we should have to inform users how to deploy the validation webhook, since it will be deployed as part of the published provider components yaml.

I think we could have it in that doc for the current upgrade. More informational changes to be aware of. Perhaps changes to your existing YAML you may need to make.

Then, I was thinking about future uses and where I'd go to find out validation rules. I'd probably look at either godoc or reference documentation (like the k8s reference docs). So godoc seems like a good place to put this from my perspective

[tahsinrahman]

Do I have to manually go through each fields in awsMachine.spec one by one? or is there any helper functions that'll allow me to check only providerID, AdditionalTags and AdditionalSecurityGroups is changed?

[ncdc]

Oh and we'd presumably want to allow annotations and labels to change too.

I think if you want an "easy" way, you could deep-copy both old & new, clear our the fields that we allow to be changed in both of the copies, and then compare with reflect.DeepEqual... maybe?

[ncdc]

I just learned about a better way to return validation errors - please see https://book.kubebuilder.io/cronjob-tutorial/webhook-implementation.html / xref kubernetes-sigs/cluster-api#1795 too.

[tahsinrahman]

@ncdc sorry for being late. I updated the pr, ptal :)

[ncdc]

Should we return apierrors.NewInvalid() here?

[ncdc]

Should we return apierrors.NewInvalid() here?

[ncdc]

nit: I usually try to avoid using new as a variable name, given that it's a go keyword. If you want to change the name, you could use something like updated instead.

[detiber]

/approve
leaving lgtm to @ncdc

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: detiber, tahsinrahman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [detiber]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ncdc]

@tahsinrahman if you'd like, we can merge as-is and I can open a small follow-up PR to address my remaining comments. Please let me know your preference. Thanks!

[tahsinrahman]

@tahsinrahman if you'd like, we can merge as-is and I can open a small follow-up PR to address my remaining comments. Please let me know your preference. Thanks!

oops, i somehow missed your review. let me update it in this pr

update: @ncdc updated!

[ncdc]

Thanks!
/lgtm