Webhook warnings #3936
Webhook warnings #3936
Conversation
jetstack-bot
added
release-note
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: irbekrm The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
approved
|
These commits used to be a part of #3850 that was later split into smaller PRs. |
irbekrm
force-pushed
the
webhook_warnings
branch
from
d0ae875 to
0b7e74c
Compare
Adds warnings to the top level validating functions' signatures Signed-off-by: irbekrm <irbekrm@gmail.com>
… is set Signed-off-by: irbekrm <irbekrm@gmail.com>
Signed-off-by: irbekrm <irbekrm@gmail.com>
irbekrm
force-pushed
the
webhook_warnings
branch
from
0b7e74c to
e455459
Compare
|
/kind cleanup |
jetstack-bot
added
kind/cleanup
|
/test pull-cert-manager-e2e-v1-20 |
|
The e2e test failures appear to be flakes, it works for me locally /test pull-cert-manager-e2e-v1-20 |
There was a problem hiding this comment.
Overall looks good, only a couple of fairly unimportant bits from me.
There could be a case for maybe having ValidateFunc and ValidateUpdateFunc return, say, a ValidationResponse struct. I think that could make a lot of the testing logic cleaner.
That said I really don't think it's necessary - especially since it'd need so many changes and this PR looks like it'll work totally fine as-is.
Signed-off-by: irbekrm <irbekrm@gmail.com>
test timeout /test pull-cert-manager-bazel |
pkg/api/util/warnings.go
Outdated
| // https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/ | ||
| const ( | ||
| // DeprecatedACMEEABKeyAlgorithmField is raised when the deprecated keyAlgorithm field for an ACME issuer's external account binding (EAB) is set. | ||
| DeprecatedACMEEABKeyAlgorithmField = "ACME issuer spec field 'externalAccount.keyAlgorithm' is deprecated. The value of this field will be ignored." |
There was a problem hiding this comment.
This const isn't referenced outside of the pkg/internal/apis/certmanager/validation package. I think it should live in there as an un-exported const (or alternatively just hardcoded as the message in the call-site, which has the side effect of forcing us to write it out explicitly in test cases too, so we know if the message has been changed unintentionally)
There was a problem hiding this comment.
I thought that in this case there is no harm in exporting this const and having all the future warnings in the same place would help us with consistency of the wording and naming + make it easier to change the warning text (i.e if we later want to add a version at which this field would be removed).
If anyone was actually parsing these warnings, I'd rather them use the const, then hardcode strings.
There was a problem hiding this comment.
My concern is that if we start treating this as an API surface, it makes minor re-wording/edits harder in future (e.g. if we ever want to change this text).
I don't think we'd want to encourage people to parse this text, and it seems like it is harder for us to read the code that's actually emitting these warnings if there's a cross-package reference.
If this is to be exported and parseable, what's the versioning story here?
There was a problem hiding this comment.
If this were more akin to the reason field on a condition (i.e. short, all one word, etc) then I'd definitely agree that there's value in having them exported. This seems more akin to the 'message' field on a condition, which is explicitly designed to be human readable.
As far as I'm aware, k8s itself doesn't treat warning messages as part of its API surface and does not advise building automation on top of parsing these strings
There was a problem hiding this comment.
Good point about versioning, I didn't think about that.
I guess because these warnings would be returned to whoever applies the yaml (rather than just apearing in the logs), I thought it'd be nice to have them consistently worded, which might be easier achievable if they are all in the same place vs a bunch of hardcoded strings across the codebase.
There was a problem hiding this comment.
👍 re consistency - what do you think about just moving them to where they are actually used (unexported to convey they shouldn't be depended upon/parsed), but keeping them as consts for consistencies sake? I just think being in an 'api/' package insinuates it forms part of our API (and thus can be depended upon in a similar manner to other parts of our API)
There was a problem hiding this comment.
I think I agree that this could be unexported. There's no reason we couldn't make it exported later if we felt a need for it.
I also think it makes sense to move it to where it's used and remove the new file.
There was a problem hiding this comment.
Thanks for the comments!
I've made the warning value unexported.
I did still put it into a file of its own in the internal validation package because I felt like this might help with the consistency of any future validation warnings that we might want to add- happy to be convinced otherwise.
|
I think aside from #3936 (comment) this looks good to go. I'm happy to merge after that's been addressed. |
Signed-off-by: irbekrm <irbekrm@gmail.com>
|
/lgtm (pending test completion) |
Thanks for the review @SgtCoDFish ! I think Prow dislikes any additional characters after |
😭 well, I think I dislike prow 😂 /lgtm |
This PR:
allows for validation functions that are called by validating webhook to return a warning that would be displayed to the caller by Kubernetes. Top level validation functions now return warnings as well as errors.
adds an actual warning if ACME issuer's EAB key algorithm field, that was deprecated by Use upstream golang/crypto for ACME EAB + move crypto fork to cert-manager org #3877, is set.
See #3220 for additional context.
This is what the warning added by this PR looks like:
(The warning text was written with the assumption that we will not actually remove the key algorithm field in
cert-managerv1. Else the warning should have included in which version we intend to remove it.)