Validation webhook implementation #1682
Conversation
* implementation of dummy validation webhook --------- Co-authored-by: Patryk Wasielewski <pwasiele@splunk.com>
Implement Validation Webhook logic + unit tests + mux server for webhook --------- Co-authored-by: Patryk Wasielewski <pwasiele@splunk.com>
|
CLA Assistant Lite bot: I have read the CLA Document and I hereby sign the CLA 0 out of 2 committers have signed the CLA. |
Pull Request Test Coverage Report for Build 21636244635Details
💛 - Coveralls |
|
|
||
| The webhook validates the following Custom Resource Definitions: | ||
|
|
||
| - Standalone |
There was a problem hiding this comment.
add here bias language CRDs
| - indexerclusters | ||
| - searchheadclusters | ||
| - clustermanagers | ||
| - clustermasters |
There was a problem hiding this comment.
If we are doing it only for v4, then I guess any references to ClusterMaster or LicenseMaster in this file and others could be removed.
There was a problem hiding this comment.
I think it is slightly inconsistent across different files, so we have to decide on the approach.
There was a problem hiding this comment.
the difference is that here it's necessary to list here all resources for validation sake
| func ValidateClusterManagerUpdate(obj, oldObj *enterpriseApi.ClusterManager) field.ErrorList { | ||
| var allErrs field.ErrorList | ||
| allErrs = append(allErrs, ValidateClusterManagerCreate(obj)...) | ||
| return allErrs |
There was a problem hiding this comment.
Could it be just a one line instead of three?
There was a problem hiding this comment.
This comment applies to all such functions
There was a problem hiding this comment.
This is a topic for discussion. One liner could fit here ideally if we would know that this function won't be extended. The problem is that if we want to add i.e immutable fields (and we're planning to) this will look like it
There was a problem hiding this comment.
example
`// ValidateClusterManagerUpdate validates a ClusterManager on UPDATE
func ValidateClusterManagerUpdate(obj, oldObj *enterpriseApi.ClusterManager) field.ErrorList {
allErrs := ValidateClusterManagerCreate(obj)
// Example: Check immutable fields
// Example 1: Prevent changing ClusterManagerRef (if it was set)
if oldObj.Spec.ClusterManagerRef.Name != "" &&
obj.Spec.ClusterManagerRef.Name != oldObj.Spec.ClusterManagerRef.Name {
allErrs = append(allErrs, field.Forbidden(
field.NewPath("spec").Child("clusterManagerRef").Child("name"),
"field is immutable once set"))
}
`
There was a problem hiding this comment.
And what if not? 😄 I get your point.
| func GetClusterManagerWarningsOnCreate(obj *enterpriseApi.ClusterManager) []string { | ||
| var warnings []string | ||
| warnings = append(warnings, getCommonWarnings(&obj.Spec.CommonSplunkSpec)...) | ||
| return warnings |
|
|
||
| warnings := GetClusterManagerWarningsOnCreate(obj) | ||
| if len(warnings) != 0 { | ||
| t.Errorf("GetClusterManagerWarningsOnCreate() returned %d warnings, expected 0", len(warnings)) |
There was a problem hiding this comment.
Why don't we just use assertions?
There was a problem hiding this comment.
It applies to all tests
| func getCommonWarnings(spec *enterpriseApi.CommonSplunkSpec) []string { | ||
| var warnings []string | ||
|
|
||
| // Warn about deprecated fields or configurations |
There was a problem hiding this comment.
It's for the future sake, right?
| name: "invalid indexer cluster - zero replicas", | ||
| obj: &enterpriseApi.IndexerCluster{ | ||
| Spec: enterpriseApi.IndexerClusterSpec{ | ||
| Replicas: 0, |
There was a problem hiding this comment.
I think we are setting up replicas to 3 if not provided (in the controller code), so maybe we should add default value at the spec level if we are introducing webhooks to make sure we are backward compatible in case someone didn't provide the value.
There was a problem hiding this comment.
It applies to all such cases
|
I have read the Code of Conduct and I hereby accept the Terms |
3 participants
Description
Implements an opt-in validation webhook for Splunk Enterprise CRDs that validates spec fields on CREATE and UPDATE operations, providing immediate feedback when invalid configurations are submitted.
The webhook is disabled by default and can be enabled by setting ENABLE_WEBHOOKS=true or using the config/default-with-webhook kustomize overlay.
Key Changes
New Validation Package (
pkg/splunk/enterprise/validation/)Validated Fields
spec.replicasspec.imagePullPolicyAlways,Never, orIfNotPresentspec.livenessInitialDelaySecondsspec.readinessInitialDelaySecondsspec.etcVolumeStorageConfig.storageCapacity^[0-9]+Gi$spec.varVolumeStorageConfig.storageCapacity^[0-9]+Gi$spec.smartstorespec.appRepoWebhook Infrastructure
config/webhook/- Service and ValidatingWebhookConfigurationconfig/certmanager/- TLS certificate via cert-managerconfig/default-with-webhook/- Opt-in kustomize overlayDocumentation
Testing and Verification
Comprehensive unit tests (~95% coverage)
Server and HTTP handler tests
Related Issues
N/A
PR Checklist