Validating Admissions Webhook (VAW) #52

Closed
9 tasks done
thedodd opened this issue May 28, 2021 · 0 comments · Fixed by #84
Labels
A-crd Hadron K8s CRDs A-operator Hadron Kubernetes operator

thedodd commented May 28, 2021

  • blocked by: Implement K8s Controller #53
  • using axum for the interface.
  • any replica of the Hadron Operator should be allowed to handle VAW requests as all data will be read and cached.
  • VAW should query for an object from K8s in order to perform dynamic object validation, ensuring that only changes which are allowed to be made to a CRD are actually accepted. Kube API already provides a copy of the most up-to-date object.
  • all Hadron CRDs should hit the VAW before admitting into the cluster. Malformed or invalid data will be rejected.
  • all CRs should undergo full dynamic validation to ensure referenced objects exist. This mostly applies to pipelines referencing streams right now.
  • finish last few reconciler tasks.

Pipeline Stage Removal

Technically, removing a stage from a pipeline is like removing a partition from a stream: it is tantamount to data loss. Normally we don't want to allow for a simple typo/mistake to delete data from a user's cluster. However, there are cases when it should be allowed and is desired for a stage to be removed.

For such cases, let's have the VAW look for an optional annotation on Pipeline objects, say allow-remove-stage/pipelines.hadron.rs (the value doesn't matter and isn't evaluated). When this is present, the VAW will allow a stage to be removed, else it will reject the change as an error describing the danger, but will also describe how to bypass this validation with the aforementioned annotation.

Also need to update the Pipeline Controller to look for such stage removals and update active pipelines to remove any such references to the removed stage. Adding of new stages should also be updated to be proactively updated.

Cert-Manager Dependency

Document the dependency on the cert-manager.

  • update operator's env inputs to mount certs for webhook server, and update code to mount and use certs for server TLS.
  • update helm chart to only require optional cert-manager integration. Require secret key ref otherwise. See Make cert-manager optional #87
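
The admission decision described in this issue, sketched as an added example (not Hadron's own code): a Pipeline is rejected when its referenced stream is unknown, and an update that drops a stage is rejected unless the annotation is present. The `Pipeline` struct, the `known_streams` cache, the `validate` and `pipeline` names, and reading the annotation from the incoming object are assumptions.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Annotation named in the issue; its value is never evaluated.
const ALLOW_REMOVE_STAGE: &str = "allow-remove-stage/pipelines.hadron.rs";

// Hypothetical, simplified view of a Pipeline object (not Hadron's CRD types).
pub struct Pipeline {
    pub annotations: BTreeMap<String, String>,
    pub source_stream: String,
    pub stages: Vec<String>,
}

/// Decide an admission request. `old` is None on CREATE and Some on UPDATE.
/// `known_streams` stands in for the operator's cached view of Stream objects.
pub fn validate(old: Option<&Pipeline>, new: &Pipeline,
                known_streams: &BTreeSet<String>) -> Result<(), String> {
    // Dynamic validation: the referenced stream must exist.
    if !known_streams.contains(&new.source_stream) {
        return Err(format!("source stream '{}' does not exist", new.source_stream));
    }
    // Update guard: a stage present before and absent now means data loss.
    if let Some(old) = old {
        let kept: BTreeSet<&str> = new.stages.iter().map(String::as_str).collect();
        let removed: Vec<&str> = old.stages.iter().map(String::as_str)
            .filter(|s| !kept.contains(s)).collect();
        // Assumption: the annotation is read from the incoming (new) object.
        if !removed.is_empty() && !new.annotations.contains_key(ALLOW_REMOVE_STAGE) {
            return Err(format!(
                "removing stage(s) [{}] deletes their data; add annotation '{}' to allow it",
                removed.join(", "), ALLOW_REMOVE_STAGE));
        }
    }
    Ok(())
}

// Builds a constructed sample object for the demo below.
pub fn pipeline(stream: &str, stages: &[&str], allow_remove: bool) -> Pipeline {
    let mut annotations = BTreeMap::new();
    if allow_remove {
        annotations.insert(ALLOW_REMOVE_STAGE.to_string(), String::new());
    }
    let stages = stages.iter().map(|s| s.to_string()).collect();
    Pipeline { annotations, source_stream: stream.to_string(), stages }
}

fn main() {
    let streams: BTreeSet<String> = vec!["events".to_string()].into_iter().collect();
    let old = pipeline("events", &["ingest", "enrich"], false);
    let new = pipeline("events", &["ingest"], false);
    println!("{:?}", validate(Some(&old), &new, &streams));
}
```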
@thedodd thedodd added this to the First Release milestone May 28, 2021
@thedodd thedodd added the A-crd Hadron K8s CRDs label May 28, 2021
@thedodd thedodd changed the title Dynamic schema validation Validating Admissions Webhook Jun 2, 2021
@thedodd thedodd added the A-operator Hadron Kubernetes operator label Jun 2, 2021
@thedodd thedodd changed the title Validating Admissions Webhook Validating Admissions Webhook (VAW) Jun 2, 2021
thedodd added a commit that referenced this issue Sep 8, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is
g2g.

- Pipelines: endpoint is in place as POC, need to actually validate.
- Impl endpoints for other components.

closes #52
@thedodd thedodd mentioned this issue Sep 8, 2021
2 tasks
thedodd added a commit that referenced this issue Sep 9, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is
g2g.

- Pipelines: endpoint is in place as POC, need to actually validate.
- Impl endpoints for other components.

closes #52
thedodd added a commit that referenced this issue Sep 14, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is
g2g.

- Pipelines VAW endpoint is in place and performing static validation.
  Need to implement compatibility validation for updates.
- Impl endpoints for other components.

closes #52
thedodd added a commit that referenced this issue Sep 14, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is
g2g.

- Pipelines VAW endpoint is in place and performing static validation as
  well as dynamic validation of changes to guard against accidental data
  loss.
- Implemented VAW endpoints for Streams & Tokens.

closes #52
thedodd added a commit that referenced this issue Sep 14, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is
g2g.

- Pipelines VAW endpoint is in place and performing static validation as
  well as dynamic validation of changes to guard against accidental data
  loss.
- Implemented VAW endpoints for Streams & Tokens.

A few updates to the Pipeline controller to ensure it better handles
changes to the pipeline spec.

closes #52
thedodd added a commit that referenced this issue Sep 15, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is
g2g.

- Pipelines VAW endpoint is in place and performing static validation as
  well as dynamic validation of changes to guard against accidental data
  loss.
- Implemented VAW endpoints for Streams & Tokens.

A few updates to the Pipeline controller to ensure it better handles
changes to the pipeline spec.

closes #52