Kubectl apply and strategic merge patch using openapi

[mengqiy]

• support openapi in strategic merge patch
• test openapi in strategic merge patch
• kubectl apply use openapi to calculate diff be default. It will fall back to use baked-in types when openapi is not available.
• test openapi in kubectl apply

Fixes: kubernetes/kubectl#55

kubectl apply use openapi to calculate diff be default. It will fall back to use baked-in types when openapi is not available.

/assign @apelisse

[mengqiy]

I will add tests for kubectl apply soon. It should not affect other code.

[apelisse]

That is very big, and there are clear ways to split. Would you mind splitting in smaller pieces?

[apelisse]

These should really really not be public. Let's see below why you need that.

[apelisse]

This should be done in a preliminary pull-request, along with a description. It's really hard to guess what you're trying to do and why you're doing this. (though I might have an idea :-)

[apelisse]

Also maybe move that code to a different package?

[apelisse]

do we need that type if it's basically just embedding the openapi.BaseItem?

[apelisse]

InvalidTypeError is a validation error, I'm not sure why it's coming from openapi

[mengqiy]

I'm reusing it in my code.

[apelisse]

do we need that type if it's basically just embedding the openapi.BaseItem?

Then this would be openapi.BaseItem

[apelisse]

do we need that type if it's basically just embedding the openapi.BaseItem?

If we don't have the extra layer, then this function can be removed

[apelisse]

I still haven't read patch.go

[apelisse]

Looking at PatchMetaFromStruct.LookupPatchMetadata, it looks like aggregating the errors is a new feature. is this really something we want? IOW, it made sense for validation, does it make sense here? I'd rather keep it simple.

[apelisse]

I don't know what subschema is yet, but that looks a little odd

[apelisse]

OK, Now that I've seen what subschema is. I think that code belongs to types. IOW, the code that depends on the subschema should be where you know if you have a subschema, a list or a primitive.

[liggitt]

was this addressed?

[apelisse]

We really shouldn't have to cast :-/

[mengqiy]

I know cast is bad, when it supposed to be visited by the interface. :-/
I will try to refactor it and I will touch k8s.io/apimachinery/third_party/forked/golang/json/fields.go to get rid of Elem().

[apelisse]

As mentionned earlier, I'd maybe keep that as a simple Error error.

Also note that if you make that change, everything will break in an non-obvious way because this doesn't implement a "Item" interface of some sort.

[apelisse]

Same as before, not sure this is super useful

[apelisse]

I don't think this should be necessary

[apelisse]

oh I see, I'll comment up-there

[apelisse]

I would consider panicking here, assuming that validation would have caught that before. (and everywhere)

[apelisse]

key is odd, do you always have a key? what if you have an array?

[mengqiy]

Array should be handled by Elem().

[apelisse]

Maybe move that to a different function: parseStrategy(subschema.GetExtensions())

[k8s-reviewable]

This change is 

[mengqiy]

@apelisse Addressed most of your comments except the bazel one. I have tweak the bazel BUILD files for a while. I can't make it work. Please advice.
FYI, to review apply_test.go, using https://reviewable.kubernetes.io/reviews/kubernetes/kubernetes/51321 will be helpful.

[apelisse]

That is vastly better than the previous version, thank you Mengqi

[apelisse]

Remove :-)

[apelisse]

Do we fall back on "baked-in" if openapi is not present or doesn't have the merge info?

[mengqiy]

Yes we do. I will update the help text.

[apelisse]

You don't need glob.

[apelisse]

:D

[apelisse]

You don't need to specify the type do you?

Can you just do

var (
    // ...
    mergeItemStructSchema = PatchMetaFromStruct{T: GetTagStructTypeOrDie(mergeItem)}
)

[apelisse]

If that test fails, how do I know from the error message which variant of the schema failed?

[mengqiy]

Good point. It worth pointing out.

[mengqiy]

@apelisse Bazel test is happy now. Thank you soooo much for helping me figure out the bazel problem!

[mengqiy]

@apelisse ping for review or lgtm

[mengqiy]

/priority critical-urgent
Label it as critical-urgent to prevent the bot from moving out of 1.9 milestone.

[mengqiy]

/remove-priority important-soon

[mengqiy]

@thockin Can you please approve the godep change in be20a67? They are auto generated by script.

[thockin]

Rather than going to top-level OWNERs, we should see approval from OWNERs of those subsystem that are not yet covered.

@grodrigues3 @kubernetes/sig-contributor-experience-bugs this is an opportunity to refine the approver suggestions.

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: apelisse, liggitt, mengqiy, pwittrock, thockin

Associated issue: 55

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/kubectl/OWNERS [liggitt,pwittrock,thockin]
• staging/src/k8s.io/apiextensions-apiserver/OWNERS [thockin]
• staging/src/k8s.io/apimachinery/OWNERS [liggitt,thockin]
• staging/src/k8s.io/apiserver/OWNERS [liggitt,thockin]
• staging/src/k8s.io/client-go/OWNERS [liggitt,thockin]
• staging/src/k8s.io/kube-aggregator/OWNERS [thockin]
• staging/src/k8s.io/sample-apiserver/OWNERS [liggitt,thockin]
• staging/src/k8s.io/sample-controller/OWNERS [thockin]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete

@apelisse @mengqiy @pwittrock @smarterclayton @sttts

Action required: This pull request requires label changes.

kind: Must specify exactly one of kind/bug, kind/cleanup or kind/feature.

Help

• Additional instructions
• Commands for setting labels

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 51321, 55969, 55039, 56183, 55976). If you want to cherry-pick this change to another branch, please follow the instructions here.

[k8s-ci-robot]

@mengqiy: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-bazel	29f6d0825e5a8c87bfa988058931b43012d162de	link	/test pull-kubernetes-bazel
pull-kubernetes-e2e-gce-gpu	d4167cf044abfc5c2c551963c1467d1cad5dd16f	link	/test pull-kubernetes-e2e-gce-gpu
pull-kubernetes-e2e-gce-bazel	d4167cf044abfc5c2c551963c1467d1cad5dd16f	link	/test pull-kubernetes-e2e-gce-bazel
pull-kubernetes-e2e-gce-etcd3	d4167cf044abfc5c2c551963c1467d1cad5dd16f	link	/test pull-kubernetes-e2e-gce-etcd3
pull-kubernetes-node-e2e	be20a67	link	/test pull-kubernetes-node-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[liggitt]

is there any indication in the discovery doc that the resource supports strategic merge patch? I would not assume the mere presence of an openapi schema to mean SMP is supported.

[mengqiy]

I guess this question is related to the discussion #56606 (comment).

is there any indication in the discovery doc that the resource supports strategic merge patch?

I don't think there is an explicit indicator.
If there are patch metadata (e.g. PatchStrategy, MergeKey) in the discovery doc, then this type supports SMP. But if there is not patch metadata, the type may still support SMP and it uses the default behavior(replacing lists).

I would not assume the mere presence of an openapi schema to mean SMP is supported.

It's not clear what does SMP is supported mean.
If a type and its schema appear in the openapi schema with no patch metadada, SMP will process it with the default approach (replacing a list). It should not do anything wrong.

Did I miss anything?

[liggitt]

Yes, it assumes every API server that publishes openapi schemas is able to accept strategic merge patches. Previously, the client only assumed that compiled-in known core kubernetes types were served by a server supporting SMP.

[mengqiy]

Let me summarize it for SMP

Before this PR:
Only compiled-in types (native k8s api resources) are supported.
No support for user-defined api resource no support for CRD.

After this PR:
There are 2 approaches:
Using baked-in types: only support native k8s api resources
Using openapi schema: support native k8s api resources and user-defined api resource. But no support for CRD.

Correct me if anything is wrong.

[liggitt]

Using openapi schema: support native k8s api resources and user-defined api resource

It assumes user-defined api resources support strategic merge patch

[liggitt]

But to do MIME type negotiation, we need to parse the endpoints part of openapi schema.

If we want to use openapi docs dynamically to form patch requests, I think that's what we need to do.

So this way will require much more efforts than the approach I mentioned above.
IMO it may be risky to introduce a lot of new code at this point.

I agree it is more effort, but I have a hard time accepting the "if at first you don't succeed" negotiation approach when we've already been given exactly the information we need to know what patch types are accepted

and is risky at this point

I also agree with this. Which is better at this point for this release?

• attempting multiple patch types falling back to merge patch if SMP is rejected with 406?
• defaulting this feature off
• disabling this feature

Whatever we choose for the moment, we should work to make use of the accepted content in the next release.

[apelisse]

Can we: send SMP if the type is registered, JMP otherwise? AFAIU that wouldn't really change the existing behavior (before that pull-request), yet exercise that code and already have some benefits?

[pwittrock]

This is a good example of why we need libraries that combine the discovery and openapi information for each resource type. We need and abstraction that hides the specific source of metadata for the resources.

@liggitt What do you recommend for 1.9? Disable or try to get a fix in?

[mengqiy]

I'm leaning to what @apelisse suggested in #51321 (comment).
It should be a trivial change with fewer than 50 lines of code change.

[shiywang]

hi @liggitt @mengqiy about the MIME type negotiation part is that means we check the "consumes" portion of a related resource in discovery doc, if it support, then use SMP, if not use JMP. if so what we need maybe in 1.10 is to add the function as @mengqiy memtioned

But to do MIME type negotiation, we need to parse the endpoints part of openapi schema.
There is no facility to support parsing the endpoints part of openapi schema, we only have the code to parse the models part.

so all we have to do is make NewOpenAPIData also return paths and add some lookup/indication function ? @mengqiy @apelisse I would like to take a look of adding this openapi helper function if you haven't yet.

This is a good example of why we need libraries that combine the discovery and openapi information for each resource type. We need and abstraction that hides the specific source of metadata for the resources.

This also sounds interesting, but I haven't got the idea of "combine" @pwittrock could you explain more ? thanks

[liggitt]

Using openapi if available to compute SMP for compiled in types seems like the best we can do for 1.9 (known types can assume SMP as today, and just get more up to date schema info via SMP) In 1.10, we can expand using openapi for SMP for non-compiled-in types once we add support for checking the "consumes" portion of the openapi doc On Dec 1, 2017, at 1:59 PM, Phillip Wittrock <notifications@github.com> wrote: *@pwittrock* commented on this pull request. ------------------------------ In pkg/kubectl/cmd/apply.go <#51321 (comment)>:

createPatchErrFormat := "creating patch with:\noriginal:\n%s\nmodified:\n%s\ncurrent:\n%s\nfor:"

- switch { - case runtime.IsNotRegisteredError(err): - // fall back to generic JSON merge patch - patchType = types.MergePatchType - preconditions := []mergepatch.PreconditionFunc{mergepatch.RequireKeyUnchanged("apiVersion"), - mergepatch.RequireKeyUnchanged("kind"), mergepatch.RequireMetadataKeyUnchanged("name")} - patch, err = jsonmergepatch.CreateThreeWayJSONMergePatch(original, modified, current, preconditions...) - if err != nil { - if mergepatch.IsPreconditionFailed(err) { - return nil, nil, fmt.Errorf("%s", "At least one of apiVersion, kind and name was changed") + // Try to use openapi first if the openapi spec is available and can successfully calculate the patch. + // Otherwise, fall back to baked-in types. + if p.openapiSchema != nil { + if schema = p.openapiSchema.LookupResource(p.mapping.GroupVersionKind); schema != nil { This is a good example of why we need libraries that combine the discovery and openapi information for each resource type. We need and abstraction that hides the specific source of metadata for the resources. @liggitt <https://github.com/liggitt> What do you recommend for 1.9? Disable or try to get a fix in? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#51321 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA70cjQx3dpLJVpDu5lNuxGx_pjGX6f6ks5s8EypgaJpZM4PCTsm> .