New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: external data mutation #1891
feat: external data mutation #1891
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1891 +/- ##
==========================================
+ Coverage 53.83% 54.30% +0.47%
==========================================
Files 103 106 +3
Lines 9147 9441 +294
==========================================
+ Hits 4924 5127 +203
- Misses 3845 3927 +82
- Partials 378 387 +9
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
d44e535
to
087628d
Compare
eb4a65e
to
10fbea6
Compare
I read the design document, but didn't see this question discussed there. Is it the case that when the "dataSource" field's value is "ValueAtLocation," the mutation can only update the field pointed to by the "location" field? That is, that field's current value is the input to a projection, and we will update only that field's value with the projection's output? If that's so, it's not possible to use one field's value as input to the external data oracle for the purpose of updating a different field's value. Is that deliberate? I assume that this is related to the way that the current mutation API types preclude reading one field as criteria for updating a different field. |
Yes, that's correct.
You can technically pass in a composite value as an input to your external data provider so you can read values from multiple fields. For example, let's say we have the following Assign mutation:
The container spec of var providerRequest externaldata.ProviderRequest
err = json.Unmarshal(requestBody, &providerRequest)
if err != nil {
return err
}
for _, key := range providerRequest.Request.Keys {
container = corev1.Container{}
err = json.Unmarshal([]byte(key), &container)
if err != nil {
return fmt.Errorf("failed to unmarshal container: %w", err)
}
// you can access the container here
} |
43810dc
to
3ce74bd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool to see work on this!
I did a quick scan to see if I had any high-level thoughts that might change your approach.
How far can one push this? Could one pass the entire "spec" field of a Pod and replace it with the result from the data provider? We have a case where we'd like to add an annotation to an object based on a value from within its "spec" field that we'd pass through a data provider. I take it that's still disallowed, by my reading of the documentation for AssignMetadata. |
@chewong This is not true as of the last time I looked at the design doc or in the current implementation:
Correct, the ability to cross-reference between fields allows for the possibility of infinite recursion. |
3ce74bd
to
2782369
Compare
My latest commit(s) should address all of the PR comments. Feel free to take another look while I am rewriting the unit tests. I've tested it with |
8681fbf
to
41dc418
Compare
Unfortunately I'll be out tomorrow :/ Monday okay? |
3d4d904
to
b077968
Compare
1a78ac9
to
5de34b3
Compare
6c9c25a
to
a4fcba2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, nice job! We probably want to wait on merging this for the sharded rego PR, since that one is blocking release.
a4fcba2
to
e431a21
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @chewong 🎉
e431a21
to
3f20076
Compare
Signed-off-by: Ernest Wong <chuwon@microsoft.com>
Signed-off-by: GitHub <noreply@github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
1c01664
to
2324594
Compare
Signed-off-by: GitHub <noreply@github.com>
2324594
to
8897ad5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: GitHub noreply@github.com
What this PR does / why we need it:
Continuation of #1506 (credit to the author @sozercan).
Design docs: https://docs.google.com/document/d/1hPi86jdsCKg8puYT5_s_73mPGExUJeZfyKmvG-XWtPc (credit to the authors @sozercan and @ritazh)
This PR adds external data support to gatekeeper's mutation feature based on the design docs above. It also addresses some PR comments in #1506.
Follow-up items after this PR is merged:
caBundles
inProvider
in frameworksWhich issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Fixes part of #1576
Special notes for your reviewer: