Remove validating webhook #2595
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
approved
robscott
force-pushed
the
remove-webhook
branch
from
bef43ea
to
74dbd10
Compare
|
This is a pretty big PR, will add a hold so we can get at least a couple reviewers to sign off on this. /hold |
k8s-ci-robot
added
the
do-not-merge/hold
| @@ -56,8 +56,8 @@ type GatewayList struct { | |||
| // GatewaySpec defines the desired state of Gateway. | |||
| // | |||
| // Not all possible combinations of options specified in the Spec are | |||
| // valid. Some invalid configurations can be caught synchronously via a | |||
| // webhook, but there are many cases that will require asynchronous | |||
| // valid. Some invalid configurations can be caught synchronously via CRD | |||
There was a problem hiding this comment.
not CEL validation ? I feel like CRD validation is vague and can be done in various different ways and not necessarily CEL
There was a problem hiding this comment.
ditto for other mentions of CRD validation
There was a problem hiding this comment.
Yep, you're right, this is intentionally vague. CRD validation is intended to cover all forms of built-in validation, including both CEL and OpenAPI, I don't think we need to provide that level of detail in the spec though as the implementation details of the validation could change without meaningfully changing the spec.
There was a problem hiding this comment.
We still have a section in guidelines.md entitled Limitations of CRD and Webhook Validation which we may want to reword some, as it seems the relevance will be somewhat changed and broken after this PR.
Also found a couple other documentation areas, you can probably just apply this diff to resolve them:
diff --git a/site-src/concepts/versioning.md b/site-src/concepts/versioning.md
index 4a254122..d9e11f48 100644
--- a/site-src/concepts/versioning.md
+++ b/site-src/concepts/versioning.md
@@ -2,12 +2,11 @@
## Overview
Each new release of Gateway API is defined with a "bundle version" that
-represents the Git tag of a release, such as v0.8.0. This contains the
+represents the Git tag of a release, such as v1.0.0. This contains the
following:
* API Types (Go bindings for the resources)
* CRDs (Kubernetes definitions of the resources)
-* Validating Webhook (Will be deprecated in v1.0 release)
### Release Channels
Release channels are used to indicate feature stability within Gateway API. All
diff --git a/site-src/contributing/contributor-ladder.md b/site-src/contributing/contributor-ladder.md
index d498de5b..760fb7f7 100644
--- a/site-src/contributing/contributor-ladder.md
+++ b/site-src/contributing/contributor-ladder.md
@@ -85,7 +85,6 @@ reviewer or approver, this includes:
* Conformance
* Documentation
* GEPs
-* Webhook Validation
## Maintainers and GAMMA Leads
If not part of THIS pr, then definitely of one in the future as we cut the release that removes the webhook.
robscott
force-pushed
the
remove-webhook
branch
from
74dbd10
to
c46ef99
Compare
|
Thanks @shaneutt! I applied your suggestions + added the following note on the |
apis/v1/validation/common.go
Outdated
There was a problem hiding this comment.
Hmm, for all the files in /validation, are breaking an API by removing this validation code? Is this code used directly by implementations, rather than just in the webhook? Should we do a separate deprecation for it?
There was a problem hiding this comment.
Good question. In my opinion, this is covered under "source code" within our versioning policy which has no compatibility guarantees: https://gateway-api.sigs.k8s.io/concepts/versioning/#source-code. I started to split this out to leave validation code in and just deprecate the packages, but I think that could lead to a worse outcome - stale code. Although we have some unit tests for the code, by removing the webhook, we'd be removing one of the primary ways we tested this code. I think the removal of this is adequately covered by the overall webhook deprecation announcements we made in the v0.8 and v1.0 release notes.
| ### | ||
| # This section and below can be REMOVED once the webhook is removed. | ||
| ### |
|
LGTM with one caveat about if we can remove the |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott, shaneutt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
needs-rebase
robscott
force-pushed
the
remove-webhook
branch
from
c46ef99
to
26c8a5a
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
I think this has sat long enough, been discussed at multiple community meetings, and now has multiple approvals, removing the hold. /hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
Should the validation go package be removed only from v1 and not from v1alpha1 and v1beta1? Asking because Istio imports sigs.k8s.io/gateway-api/apis/v1alpha2/validation to perform some validation, and now they are gone. How can we support both 1.0 and older? |
Istio doesn't support v1alpha2 anymore. I think the current logic is broken in Istio, and can probably be removed entirely given the removal of the webhook? |
|
Since CEL has been present in CRDs since v0.8 and this validation code will only be removed as part of the v1.1 release (when this PR will get released), I think it's likely safe to remove any code that ran these validations controller-side when you upgrade to importing v1.1. Note that the v1.1 release is still likely at least a couple of months away. |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
As described in #2319, it's time for the webhook to go away. The next minor release of Gateway API will not include the webhook, so there's no need to keep it around. This should also dramatically speed up presubmits.
Does this PR introduce a user-facing change?: