Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforcing immutability of Spec variables #1587

Closed
wangdrew opened this issue Jun 22, 2019 · 3 comments
Closed

Enforcing immutability of Spec variables #1587

wangdrew opened this issue Jun 22, 2019 · 3 comments
Assignees
@hasbro17
Labels
blocked kind/feature Categorizes issue or PR as related to a new feature.

Comments

@wangdrew
Copy link

I'm writing an operator to manage RabbitMQ queues and would like to know if there's a way for k8s to enforce immutability of particular spec fields. I have the following struct which represents a rabbitMQ queue and some parameters to have it bind to a rabbitMQ exchange:

type RmqQueueSpec struct {
	VHost string `json:"vhost,required"`
	Exchange string `json:"exchange,required"`
	RoutingKey string `json:"routingKey"`
	SecretConfig map[string]string `json:"secretConfig"`
}

The reason why I want immutability, specifically for VHost, is because it's a parameter that's used to namespace a queue in rabbitMQ. If it were changed for an existing deployed queue, the reconciler will fail to query rabbitMQ for the intended queue since it will be querying with a different vhost (effectively a different namespace), which could cause the creation of a new queue or an update of the wrong queue.

There are a few alternatives that I'm considering such as using the ObjectMeta.Name field to contain both the concatenated vhost and the queuename to ensure that they are immutable for a deployed queue. Or caching older spec parameters (haven't figured out exactly how to do this yet) and do a comparison in the reconciler in order to return an error. However neither of these approaches seem ideal.

Please bear with me as I'm also new to Kubernetes and appreciate any advice/feedback. Thanks!
@hasbro17
Copy link
Contributor

Hi @wangdrew, that's an interesting use case.

The ideal way to do this would be via the CRD's OpenAPI Validation by marking certain fields as immutable.
The good news is this is being worked on upstream, but you'll have to wait a while for that.
kubernetes/kubernetes#65973
kubernetes/enhancements#1099

In the meanwhile you'll have to use a ValidatingAdmissionWebhook to validate your CR and check that certain fields are not changed by looking at the AdmissionRequest and comparing the old and new objects.

We're still sorting out our proposal to scaffold Validating and Mutating AdmissionWebhooks in the SDK.
#1455
Parent issue: #1217

However if you want to get a head start and check out the APIs that we'll eventually be using, you can check out this Validating webhook example in the upstream controller-runtime library that the SDK uses.
https://github.com/kubernetes-sigs/controller-runtime/blob/master/examples/builtins/validatingwebhook.go

@hasbro17 hasbro17 self-assigned this Jun 24, 2019
@hasbro17 hasbro17 added kind/feature Categorizes issue or PR as related to a new feature. blocked labels Jun 24, 2019
@hasbro17
Copy link
Contributor

If you have questions on the approach we can discuss them here.
But for tracking the feature request for validating admission webhooks, we should probably consolidate that to #1217

@hasbro17
Copy link
Contributor

hasbro17 commented Jul 2, 2019

Closing in favor of #1217

@hasbro17 hasbro17 closed this as completed Jul 2, 2019
@drpaneas drpaneas mentioned this issue Apr 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hasbro17 hasbro17

Labels
blocked kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wangdrew @hasbro17