-
Notifications
You must be signed in to change notification settings - Fork 468
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove validating webhook #2595
Conversation
bef43ea
to
74dbd10
Compare
This is a pretty big PR, will add a hold so we can get at least a couple reviewers to sign off on this. /hold |
@@ -56,8 +56,8 @@ type GatewayList struct { | |||
// GatewaySpec defines the desired state of Gateway. | |||
// | |||
// Not all possible combinations of options specified in the Spec are | |||
// valid. Some invalid configurations can be caught synchronously via a | |||
// webhook, but there are many cases that will require asynchronous | |||
// valid. Some invalid configurations can be caught synchronously via CRD |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not CEL validation ? I feel like CRD validation is vague and can be done in various different ways and not necessarily CEL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto for other mentions of CRD validation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, you're right, this is intentionally vague. CRD validation is intended to cover all forms of built-in validation, including both CEL and OpenAPI, I don't think we need to provide that level of detail in the spec though as the implementation details of the validation could change without meaningfully changing the spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LGTM, thanks for working on it Rob, since it is a big PR, defer to other forks to have a look, in case we do not miss anything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We still have a section in guidelines.md
entitled Limitations of CRD and Webhook Validation
which we may want to reword some, as it seems the relevance will be somewhat changed and broken after this PR.
Also found a couple other documentation areas, you can probably just apply this diff to resolve them:
diff --git a/site-src/concepts/versioning.md b/site-src/concepts/versioning.md
index 4a254122..d9e11f48 100644
--- a/site-src/concepts/versioning.md
+++ b/site-src/concepts/versioning.md
@@ -2,12 +2,11 @@
## Overview
Each new release of Gateway API is defined with a "bundle version" that
-represents the Git tag of a release, such as v0.8.0. This contains the
+represents the Git tag of a release, such as v1.0.0. This contains the
following:
* API Types (Go bindings for the resources)
* CRDs (Kubernetes definitions of the resources)
-* Validating Webhook (Will be deprecated in v1.0 release)
### Release Channels
Release channels are used to indicate feature stability within Gateway API. All
diff --git a/site-src/contributing/contributor-ladder.md b/site-src/contributing/contributor-ladder.md
index d498de5b..760fb7f7 100644
--- a/site-src/contributing/contributor-ladder.md
+++ b/site-src/contributing/contributor-ladder.md
@@ -85,7 +85,6 @@ reviewer or approver, this includes:
* Conformance
* Documentation
* GEPs
-* Webhook Validation
## Maintainers and GAMMA Leads
If not part of THIS pr, then definitely of one in the future as we cut the release that removes the webhook.
74dbd10
to
c46ef99
Compare
Thanks @shaneutt! I applied your suggestions + added the following note on the
|
apis/v1/validation/common.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, for all the files in /validation
, are breaking an API by removing this validation code? Is this code used directly by implementations, rather than just in the webhook? Should we do a separate deprecation for it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question. In my opinion, this is covered under "source code" within our versioning policy which has no compatibility guarantees: https://gateway-api.sigs.k8s.io/concepts/versioning/#source-code. I started to split this out to leave validation
code in and just deprecate the packages, but I think that could lead to a worse outcome - stale code. Although we have some unit tests for the code, by removing the webhook, we'd be removing one of the primary ways we tested this code. I think the removal of this is adequately covered by the overall webhook deprecation announcements we made in the v0.8 and v1.0 release notes.
### | ||
# This section and below can be REMOVED once the webhook is removed. | ||
### |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎉
LGTM with one caveat about if we can remove the |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott, shaneutt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
c46ef99
to
26c8a5a
Compare
/lgtm |
I think this has sat long enough, been discussed at multiple community meetings, and now has multiple approvals, removing the hold. /hold cancel |
Should the validation go package be removed only from v1 and not from v1alpha1 and v1beta1? Asking because Istio imports sigs.k8s.io/gateway-api/apis/v1alpha2/validation to perform some validation, and now they are gone. How can we support both 1.0 and older? |
Istio doesn't support v1alpha2 anymore. I think the current logic is broken in Istio, and can probably be removed entirely given the removal of the webhook? |
Since CEL has been present in CRDs since v0.8 and this validation code will only be removed as part of the v1.1 release (when this PR will get released), I think it's likely safe to remove any code that ran these validations controller-side when you upgrade to importing v1.1. Note that the v1.1 release is still likely at least a couple of months away. |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
As described in #2319, it's time for the webhook to go away. The next minor release of Gateway API will not include the webhook, so there's no need to keep it around. This should also dramatically speed up presubmits.
Does this PR introduce a user-facing change?: