Directly convert CRD structuralSchema to smdSchema #87872
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
k8s-ci-robot
added
release-note-none
jennybuckley
force-pushed
the
crd-smd-direct
branch
2 times, most recently
from
b57f3e8
to
0c8bbbc
Compare
k8s-ci-robot
added
the
area/dependency
|
the verify failure seem legitimate :-) |
jennybuckley
force-pushed
the
crd-smd-direct
branch
from
0c8bbbc
to
4368ba6
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jennybuckley The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/test
sig/testing
jennybuckley
force-pushed
the
crd-smd-direct
branch
6 times, most recently
from
4023fe4
to
6caad85
Compare
jennybuckley
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
This is mostly done but I still need to figure out a plan for testing it |
k8s-ci-robot
added
the
needs-rebase
jennybuckley
force-pushed
the
crd-smd-direct
branch
from
6caad85
to
bb677ae
Compare
k8s-ci-robot
removed
the
needs-rebase
|
rebased |
|
/retest |
| // and uses a default deduced type converter if none is provided. | ||
| func NewCRDStructuredMergeManager(typeConverter TypeConverter, objectConverter runtime.ObjectConvertor, objectDefaulter runtime.ObjectDefaulter, gv schema.GroupVersion, hub schema.GroupVersion) (_ Manager, err error) { | ||
| if typeConverter == nil { | ||
| typeConverter = internal.DeducedTypeConverter{} |
There was a problem hiding this comment.
I realize that this is how we used to do it, but wouldn't it be better to have this somewhere else actually? It feels a little odd here now.
| utilruntime.HandleError(fmt.Errorf("error building openapi models for %s: %v", crd.Name, err)) | ||
| openAPIModels = nil | ||
| utilruntime.HandleError(fmt.Errorf("failed to building typeConverter for apply: %s: %v", crd.Name, err)) | ||
| return nil, fmt.Errorf("the server could not properly serve the CR schema") // validation should avoid this |
There was a problem hiding this comment.
Even understanding the context, I'm not sure I understand what this error means?
There was a problem hiding this comment.
This is the error we return in many other cases in this file, and then we log a more specific reason in the apiserver logs.
Not that we couldn't also return the specific error to the client
There was a problem hiding this comment.
That seems like something people can take an action on? "It failed because of XYZ", at least they can figure out what to do, no? Agreed that if it's a bug that requires an update/bug-fix then it's not as useful.
There was a problem hiding this comment.
If the validation of the crd's structural schema is done correctly, then this shouldn't ever be hit, so if it does get hit, then this would be due to a bug that requires an update/bug-fix
There was a problem hiding this comment.
This isn't meant to catch structural schema errors, it's meant to catch errors where, the structural schema is valid and it still fails to convert
There was a problem hiding this comment.
There was a problem hiding this comment.
rather than block all get/put/post/delete requests to the custom resource on this, I'd rather see us attempt this same operation in the CRD controller and add an error condition to the CRD if it fails, to surface the error to the CRD author (similar to what we do for structural errors)
There was a problem hiding this comment.
I'm not against doing that for safety, but we don't expect this error to be able to be possibly triggered by users, since we ensure that only valid structural schemas are passed into the builder.AddStructural, which should only return an error if an invalid structural schema was passed in.
There was a problem hiding this comment.
If a user sends the apiserver a CRD with a schema that fails structural validation, then we won't even try to pass it into the builder.AddStructural function (and we pass in an empty structural schema instead).
There was a problem hiding this comment.
the surface area is large enough and the conversion complex enough that I think we should gain confidence with a non-blocking condition-adding approach before making it blocking
| // and merges it with the models defined in the static OpenAPI spec. | ||
| // Returns nil models if the ServerSideApply feature is disabled, or the static spec is nil, or an error is encountered. | ||
| func buildOpenAPIModelsForApply(staticOpenAPISpec *spec.Swagger, crd *apiextensionsv1.CustomResourceDefinition) (proto.Models, error) { | ||
| // Returns nil if the ServerSideApply feature is disabled, or the static spec is nil, or an error is encountered. |
There was a problem hiding this comment.
This is not something you just changed, but I think it's a little odd to read the code when you can return nil even if there is no error. That's not ideal. Especially since both these checks (feature enabled, staticOpenAPISpec == nil) could be done before calling the method. Would you mind moving these out?
k8s-ci-robot
added
the
needs-rebase
|
@jennybuckley: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
wg/api-expression
|
Quick question: is this only going to change the schemas that are known as structural, or all of them? |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind feature
/sig api-machinery
/wg apply
/priority important-longterm
/cc @apelisse @jpbetz @sttts
What this PR does / why we need it:
Currently we convert the validation field in CRDs into v2 openapi, then into 'proto.Models', then into an smd schema. This causes issues because CRDs are allowed to put v3 openapi in their validation fields, some of which an smd schema could express, but isn't compatible with 'proto.Models', so that information is lost.
Does this PR introduce a user-facing change?: