Directly convert CRD structuralSchema to smdSchema #87872
b57f3e8 to 0c8bbbc
the verify failure seems legitimate :-)
0c8bbbc to 4368ba6
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: jennybuckley
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
4023fe4 to 6caad85
This is mostly done but I still need to figure out a plan for testing it
6caad85 to bb677ae
rebased
/retest
I've mostly started looking at the wiring. Haven't looked at the actual conversion. Let's talk about it in person though.
// and uses a default deduced type converter if none is provided. | ||
func NewCRDStructuredMergeManager(typeConverter TypeConverter, objectConverter runtime.ObjectConvertor, objectDefaulter runtime.ObjectDefaulter, gv schema.GroupVersion, hub schema.GroupVersion) (_ Manager, err error) { | ||
if typeConverter == nil { | ||
typeConverter = internal.DeducedTypeConverter{} |
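Review bot: The nil check at the top of NewCRDStructuredMergeManager silently substitutes internal.DeducedTypeConverter{} when typeConverter is nil, so a caller that failed to build a schema-backed converter and passed nil by mistake gets deduced-type merging with no signal. Consider requiring a non-nil converter here and having the caller select the deduced converter explicitly, or state in the function comment exactly when nil is an expected argument.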
I realize that this is how we used to do it, but wouldn't it be better to have this somewhere else actually? It feels a little odd here now.
utilruntime.HandleError(fmt.Errorf("error building openapi models for %s: %v", crd.Name, err)) | ||
openAPIModels = nil | ||
utilruntime.HandleError(fmt.Errorf("failed to building typeConverter for apply: %s: %v", crd.Name, err)) | ||
return nil, fmt.Errorf("the server could not properly serve the CR schema") // validation should avoid this |
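Review bot: The HandleError message for the typeConverter failure reads "failed to building typeConverter for apply: %s: %v"; it should read "failed to build typeConverter for apply for %s: %v" so that it is grammatical and matches the "error building openapi models for %s: %v" wording beside it. The error returned on the next line carries neither crd.Name nor err, which leaves this log line as the only place the failure can be diagnosed, so keep both values in it.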
Even understanding the context, I'm not sure I understand what this error means?
This is the error we return in many other cases in this file, and then we log a more specific reason in the apiserver logs.
Not that we couldn't also return the specific error to the client
That seems like something people can take an action on? "It failed because of XYZ", at least they can figure out what to do, no? Agreed that if it's a bug that requires an update/bug-fix then it's not as useful.
If the validation of the crd's structural schema is done correctly, then this shouldn't ever be hit, so if it does get hit, then this would be due to a bug that requires an update/bug-fix
This isn't meant to catch structural schema errors, it's meant to catch errors where the structural schema is valid and it still fails to convert
kubernetes/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Lines 1257 to 1263 in bb677ae
s := &structuralschema.Structural{} | |
if structuralSchema, ok := structuralSchemas[v]; ok { | |
if len(structuralschema.ValidateStructural(nil, structuralSchema)) == 0 { | |
s = structuralSchema | |
} | |
} | |
err = builder.AddStructural(v, s) |
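Review bot: The result of structuralschema.ValidateStructural(nil, structuralSchema) is only compared against zero, so when validation fails the errors are discarded and builder.AddStructural(v, s) receives the empty &structuralschema.Structural{} with nothing logged; the same happens when v has no entry in structuralSchemas. Keep the returned error list and log it (or record it for the CRD) before falling back, so that an apply running against an empty schema can be traced to its cause.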
rather than block all get/put/post/delete requests to the custom resource on this, I'd rather see us attempt this same operation in the CRD controller and add an error condition to the CRD if it fails, to surface the error to the CRD author (similar to what we do for structural errors)
I'm not against doing that for safety, but we don't expect this error to be able to be possibly triggered by users, since we ensure that only valid structural schemas are passed into the builder.AddStructural, which should only return an error if an invalid structural schema was passed in.
If a user sends the apiserver a CRD with a schema that fails structural validation, then we won't even try to pass it into the builder.AddStructural function (and we pass in an empty structural schema instead).
the surface area is large enough and the conversion complex enough that I think we should gain confidence with a non-blocking condition-adding approach before making it blocking
// and merges it with the models defined in the static OpenAPI spec. | ||
// Returns nil models if the ServerSideApply feature is disabled, or the static spec is nil, or an error is encountered. | ||
func buildOpenAPIModelsForApply(staticOpenAPISpec *spec.Swagger, crd *apiextensionsv1.CustomResourceDefinition) (proto.Models, error) { | ||
// Returns nil if the ServerSideApply feature is disabled, or the static spec is nil, or an error is encountered. |
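Review bot: The doc comment ending "or an error is encountered" lists three different nil-return cases without saying what the error return of buildOpenAPIModelsForApply holds in each, so a caller cannot tell a disabled feature from a failed build by reading it. State which cases return a nil error and which return a non-nil one.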
This is not something you just changed, but I think it's a little odd to read the code when you can return nil even if there is no error. That's not ideal. Especially since both these checks (feature enabled, staticOpenAPISpec == nil) could be done before calling the method. Would you mind moving these out?
@jennybuckley: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Quick question: is this only going to change the schemas that are known as structural, or all of them?
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What type of PR is this?
/kind feature
/sig api-machinery
/wg apply
/priority important-longterm
/cc @apelisse @jpbetz @sttts
What this PR does / why we need it:
Currently we convert the validation field in CRDs into v2 openapi, then into 'proto.Models', then into an smd schema. This causes issues because CRDs are allowed to put v3 openapi in their validation fields, some of which an smd schema could express, but isn't compatible with 'proto.Models', so that information is lost.
Does this PR introduce a user-facing change?: