-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validating Admissions Webhook (VAW) #52
Labels
Milestone
Comments
thedodd
changed the title
Validating Admissions Webhook
Validating Admissions Webhook (VAW)
Jun 2, 2021
thedodd
added a commit
that referenced
this issue
Sep 8, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is g2g. - Pipelines: endpoint is in place as POC, need to actually validate. - Impl endpoints for other components. closes #52
thedodd
added a commit
that referenced
this issue
Sep 9, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is g2g. - Pipelines: endpoint is in place as POC, need to actually validate. - Impl endpoints for other components. closes #52
thedodd
added a commit
that referenced
this issue
Sep 14, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is g2g. - Pipelines VAW endpoint is in place and performing static validation. Need to implement compatibility validation for updates. - Impl endpoints for other components. closes #52
thedodd
added a commit
that referenced
this issue
Sep 14, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is g2g. - Pipelines VAW endpoint is in place and performing static validation as well as dynamic validation of changes to guard against accidental data loss. - Implemented VAW endpoints for Streams & Tokens. closes #52
thedodd
added a commit
that referenced
this issue
Sep 14, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is g2g. - Pipelines VAW endpoint is in place and performing static validation as well as dynamic validation of changes to guard against accidental data loss. - Implemented VAW endpoints for Streams & Tokens. A few updates to the Pipeline controller to ensure it better handles changes to the pipeline spec. closes #52
thedodd
added a commit
that referenced
this issue
Sep 14, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is g2g. - Pipelines VAW endpoint is in place and performing static validation as well as dynamic validation of changes to guard against accidental data loss. - Implemented VAW endpoints for Streams & Tokens. A few updates to the Pipeline controller to ensure it better handles changes to the pipeline spec. closes #52
thedodd
added a commit
that referenced
this issue
Sep 15, 2021
Baseline setup is in place. End-to-end interaction with the K8s API is g2g. - Pipelines VAW endpoint is in place and performing static validation as well as dynamic validation of changes to guard against accidental data loss. - Implemented VAW endpoints for Streams & Tokens. A few updates to the Pipeline controller to ensure it better handles changes to the pipeline spec. closes #52
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
VAW should query for an object from K8s in order to perform dynamic object validation, ensuring that only changes which are allowed to be made to a CRD are actually accepted.Kube API already provides a copy of the most up-to-date object.Pipeline Stage Removal
Technically, removing a stage from a pipeline is like removing a partition from a stream, it is tantamount to data loss. Normally we don't want to allow for a simple typo/mistake to delete data from a user's cluster. However, there are cases when it should be allowed and is desired for a stage to be removed.
For such cases, let's have the VAW look for an optional annotation on Pipeline objects, say
allow-remove-stage/pipelines.hadron.rs
(the value doesn't matter and isn't evaluated). When this is present, the VAW will allow a stage to be removed, else it will reject the change as an error describing the danger, but will also describe how to bypass this validation with the aforementioned annotation.Also need to update the Pipeline Controller to look for such stage removals and update active pipelines to remove any such references to the removed stage. Adding of new stages should also be updated to be proactively updated.
Cert-Manager Dependency
Document the dependency on the cert-manager.
update helm chart to to only require optional cert-manager integration. Require secret key ref otherwise.See Make cert-manager optional #87The text was updated successfully, but these errors were encountered: