feature request: support kubernetes server-side validation

[zjj2wry]

Problem description

kubectl apply --help

 --server-side=false: If true, apply runs in the server instead of the client.

i hope pulumi preview can execute server-side validation, this would be help avoid some wrong PR being merged. something like invalid name or xxx not allowed. thanks you very much

• I saw an issue in the following Pulumi Program:

• I saw an issue in the following documentation:

• I had trouble finding the information that I needed:

• Other:

Errors & Logs

Affected product version(s)

Reproducing the issue

Suggestions for a fix

[lukehoban]

I believe this is being tracked as part of #352. There is also a preview feature to do server side diffing available via https://www.pulumi.com/docs/reference/pkg/kubernetes/provider/#enabledryrun_nodejs. @lblackstone Does the existing support include doing server-side validation as well? Or is that tracked separately anywhere?

[lblackstone]

We're already performing validation by default whenever possible:

pulumi-kubernetes/provider/pkg/provider/provider.go

Lines 1045 to 1054 in d787167

	// HACK: Do not validate against OpenAPI spec if there is a computed value. The OpenAPI spec
	// does not know how to deal with the placeholder values for computed values.
	if !hasComputedValue(newInputs) && !k.clusterUnreachable {
	resources, err := k.getResources()
	if err != nil {
	return nil, pkgerrors.Wrapf(err, "Failed to fetch OpenAPI schema from the API server")
	}
	// Validate the object according to the OpenAPI schema for its GVK.
	err = openapi.ValidateAgainstSchema(resources, newInputs)

This unfortunately has the limitation of not validating if the resource includes a computed value, or if the cluster is unreachable during preview.

[kwiesmueller]

Hey there,
this came up in a GitHub search for Server-Side Apply.
If you need any help implementing this, feel free to get in touch with us (wg-api-expression) on the Kubernetes slack: https://kubernetes.slack.com/archives/C0123CNN8F3

[nesl247]

Is there any update on this? We're having our developers have more and more access to submitting PRs, and we're finding that because they can't run preview themselves, more errors are being introduced for things we can't tell via code review. One thing that bit us just today was using a non-standard cron schedule. By looking at it, it looks perfectly valid, but it isn't in Kubernetes.

[fernandocarletti]

I crossed with this issue many times as well, even noticed some false updates where an typo in a field was accepted as a valid update, we got that by doing an update with refresh.

[lblackstone]

You can opt in to server-side apply today using the https://www.pulumi.com/docs/reference/pkg/kubernetes/provider/#enabledryrun_go flag, but it isn't well tested yet, and likely has some bugs. Finishing this is still high on the priority list, but no updates beyond that for now. If you do enable the feature flag, please file issues for any bugs you encounter.

[nesl247]

@lblackstone Is there any way to know if that flag has been properly picked up by pulumi (some way to verify it's working)?

[lblackstone]

@lblackstone Is there any way to know if that flag has been properly picked up by pulumi (some way to verify it's working)?

The logs should include messages of the form calculated diffs for [namespace/name] using dry-run if it's enabled, or calculated diffs for [namespace/name] using inputs only if not.

[lblackstone]

Server-side apply/diff support can be enabled using the enableServerSideApply Provider flag, so I'll close this as fixed.