Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Fix XValidations flattening #998

Merged
merged 3 commits into from
Aug 9, 2024
Merged

🐛 Fix XValidations flattening #998

merged 3 commits into from
Aug 9, 2024

Conversation

cezarsa
Copy link
Contributor

@cezarsa cezarsa commented Jun 27, 2024

Fixes #997

This PR ensures XValidations are merged correctly when flattening the CRD schema.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 27, 2024
@k8s-ci-robot
Copy link
Contributor

Welcome @cezarsa!

It looks like this is your first PR to kubernetes-sigs/controller-tools 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-tools has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 27, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @cezarsa. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 27, 2024
@sbueringer
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 28, 2024
@JoelSpeed
Copy link
Contributor

Do we need to consider the ordering in flattening? CRD validations are executed in order so do we think the field level validations or the struct level validations should come first? What will happen with this approach, I assume the output here is deterministic?

@cezarsa
Copy link
Contributor Author

cezarsa commented Jul 1, 2024

What will happen with this approach, I assume the output here is deterministic?

It is deterministic and, with the current approach, struct-level validations will come first. This kinda makes sense to me but I don't have a definitive answer if this is the intended behavior or if this has been discussed before.

Ultimately, I don't think the order can affect the correctness or the cost budget for the validations as they are all executed even after a failed rule.

@JoelSpeed
Copy link
Contributor

Ultimately, I don't think the order can affect the correctness or the cost budget for the validations as they are all executed even after a failed rule.

Is that true? I was under the impression that if a rule failed, further rules were not executed until the earlier rule passed?

Either way, I guess that doesn't hugely matter since all rules must pass for the object to be accepted. I would be tempted to poke some of the API machinery folks though just in case they can foresee any issues here/have a suggestion for prioritisation

@cezarsa
Copy link
Contributor Author

cezarsa commented Jul 1, 2024
edited
Loading

Is that true? I was under the impression that if a rule failed, further rules were not executed until the earlier rule passed?

Yes, I just tested it to be sure, using controller-gen from this branch and with an object declared as:

type FooSpec struct {
	// +kubebuilder:validation:XValidation:rule="false",message="validation 3"
	// +kubebuilder:validation:XValidation:rule="false",message="validation 4"
	Thing *Thing `json:"thing"`
}

// +kubebuilder:validation:XValidation:rule="false",message="validation 1"
// +kubebuilder:validation:XValidation:rule="false",message="validation 2"
type Thing struct {
	Field *string `json:"field"`
}

Applying it returned all the validation errors:

$  k apply -f ./example.yaml
The Foo "foo1" is invalid:
* spec.thing: Invalid value: "object": validation 1
* spec.thing: Invalid value: "object": validation 2
* spec.thing: Invalid value: "object": validation 3
* spec.thing: Invalid value: "object": validation 4

@sbueringer
Copy link
Member

sbueringer commented Jul 11, 2024
edited
Loading

I think for cost estimation / compile checks at CRD create/update all rules are compiled and afterwards error messages are produced accordingly: https://github.com/kubernetes/kubernetes/blob/d081fd56a2aba4663f11dd5e27dbcf64c0ec6638/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go#L1226

During CR create/update:

@cezarsa @JoelSpeed WDYT? does that make sense?

(feel free to cc someone from api-machinery, not sure who :))

@JoelSpeed JoelSpeed mentioned this pull request Jul 11, 2024
Closed
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 11, 2024
@cezarsa cezarsa force-pushed the fix-validations-flattening branch from 7e435ac to 4361106 Compare July 11, 2024 14:56
@cezarsa
Copy link
Contributor Author

cezarsa commented Jul 11, 2024

I'm not sure if having the allOf or not makes any difference:

Having allOf on validations in the CRD actually causes the apiserver to reject it. I tried applying the example CRD from #997 on a k8s v1.28.9 API and it failed with:

$ kubectl apply -f ./crd/validation.bug_foos.yaml
The CustomResourceDefinition "foos.validation.bug" is invalid:
* spec.validation.openAPIV3Schema.properties[spec].properties[thing].allOf[0].x-kubernetes-validations: Forbidden: must be empty to be structural
* spec.validation.openAPIV3Schema.properties[spec].properties[thing].allOf[1].x-kubernetes-validations: Forbidden: must be empty to be structural

@jpbetz
Copy link

jpbetz commented Jul 12, 2024

I'm not sure if having the allOf or not makes any difference:

Having allOf on validations in the CRD actually causes the apiserver to reject it. I tried applying the example CRD from #997 on a k8s v1.28.9 API and it failed with:

$ kubectl apply -f ./crd/validation.bug_foos.yaml
The CustomResourceDefinition "foos.validation.bug" is invalid:
* spec.validation.openAPIV3Schema.properties[spec].properties[thing].allOf[0].x-kubernetes-validations: Forbidden: must be empty to be structural
* spec.validation.openAPIV3Schema.properties[spec].properties[thing].allOf[1].x-kubernetes-validations: Forbidden: must be empty to be structural

kubernetes/kubernetes#124381 was merged into master quite recently. Does it resolve this problem?

@cezarsa
Copy link
Contributor Author

cezarsa commented Jul 22, 2024

kubernetes/kubernetes#124381 was merged into master quite recently. Does it resolve this problem?

Hey @jpbetz, thanks I wasn't aware of that PR but apparently it doesn't solve the problem.
I've just compiled apiserver from source and still see the same error. Repro steps:

  1. Clone https://github.com/kubernetes/kubernetes
  2.  cd kubernetes
 make kube-apiserver kubectl
 ./hack/install-etcd.sh
 cp ./third_party/etcd/etcd _output/bin/
  3. Clone https://github.com/cezarsa/validationbug
  4.  cd validationbug
 KUBEBUILDER_ASSETS=../kubernetes/_output/bin go test

The test above tries to apply a CRD with x-kubernetes-validations inside a all_of block but it failed with:

--- FAIL: TestFunc (6.45s)
    main_test.go:16: unable to install CRDs onto control plane: unable to create CRD instances: unable to create CRD "foos.validation.bug": CustomResourceDefinition.apiextensions.k8s.io "foos.validation.bug" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[thing].allOf[0].x-kubernetes-validations: Forbidden: must be empty to be structural, spec.validation.openAPIV3Schema.properties[spec].properties[thing].allOf[1].x-kubernetes-validations: Forbidden: must be empty to be structural]
FAIL
exit status 1
FAIL	github.com/cezarsa/validationbug	7.120s

sbueringer
sbueringer reviewed Aug 9, 2024
View reviewed changes
pkg/crd/flatten.go Outdated
@@ -147,6 +147,8 @@ func flattenAllOfInto(dst *apiext.JSONSchemaProps, src apiext.JSONSchemaProps, e
dstField.Set(srcField)
case "XMapType":
dstField.Set(srcField)
case "XValidations":
dstField.Set(reflect.AppendSlice(dstField, srcField))
Copy link
Member

@sbueringer sbueringer Aug 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would flip the order here. I think it's better if the validation from the field is before the ones from the type.

Basically this allows to add validations add the start of the validation array when importing external types (~ that would prioritize "local" validations over imported ones)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Order flipped in 43d3d3a.

@sbueringer
Copy link
Member

@cezarsa Sorry for the delay. Last comment from my side: #998 (comment)

I think even if the current output would be somehow valid (which it doesn't seem to be), it still makes sense to flatten in this case

@sbueringer
Copy link
Member

/ok-to-test

@sbueringer sbueringer added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Aug 9, 2024
@sbueringer
Copy link
Member

Thank you very much!

/lgtm
/approve
/ok-to-test

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 9, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 41fdb218319688b4ade7972c98782bd6a77b78d0

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cezarsa, sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 9, 2024
@k8s-ci-robot k8s-ci-robot merged commit 930ec8c into kubernetes-sigs:master Aug 9, 2024
6 checks passed
@renovate renovate bot mentioned this pull request Oct 9, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbueringer sbueringer sbueringer left review comments

@joelanford joelanford Awaiting requested review from joelanford

@vincepri vincepri Awaiting requested review from vincepri

Assignees

@sbueringer sbueringer

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Invalid CRD generated when XValidation is used on both field and struct
5 participants
@cezarsa @k8s-ci-robot @sbueringer @JoelSpeed @jpbetz