bypass k8s container image validation when ict's defined (allow for e…#9167
Conversation
| }) | ||
|
|
||
| if len(errs) > 0 { | ||
| t.Errorf("Unxpected non-empty error list: %+v", errs) |
There was a problem hiding this comment.
part of next push
|
cc: @ironcladlou @mfojtik |
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
from
7a877c7 to
7108af0
Compare
|
updates based on comments pushed |
| if needToChangeImageField { | ||
| for i, container := range spec.Template.Spec.Containers { | ||
| // only update containers listed in the icp | ||
| match, ok := containerEmptyImageInICT[container.Name] |
There was a problem hiding this comment.
it seems like you can get rid of this whole structure. all you need to do in this loop is again check if the container.Image field is length 0, and if so, update it.
There was a problem hiding this comment.
nevermind, didn't see that the trigger itself only applies to specific containers in the template, not all of them. my bad.
|
@openshift/api-review needs api review since we're changing what is "valid" for a DC's image field. |
| if spec.Template == nil { | ||
| allErrs = append(allErrs, field.Required(specPath.Child("template"), "")) | ||
| } else { | ||
| // if we have both an ICT defined and an empty Template->PodSpec->Container->Image field, we are going |
There was a problem hiding this comment.
It would be better to extract this to its own method, and only mutate the field for the duration of the validate call, not permanently. It would also be better to use a valid value for image, rather than relying on the empty whitespace being treated for the field.
I.e.:
func setEmptyImageChangeReferences(template, triggers) sets.String {
// ... mutate each container with a trigger, return the names of those containers
...
containers[i].Image = "unset"
...
}
func resetEmptyImageChangeReferences(template, empty) {
for i := range template.Containers {
if empty.Has(template.Containers[i].Name) {
template.Containers[i].Image = ""
}
}
}
func validateDeploymentConfigPodSpecTemplate(...) {
emptyImages := setEmptyImageChangeReferences(template, triggers)
errs := validatePodSpecTemplate(template)
resetEmptyImageChangeReferences(template, emptyImages)
return errs
}
We should not let our mutation escape the validation method.
There was a problem hiding this comment.
Names are arbitrary, just chosen for example.
There was a problem hiding this comment.
Yeah, the span of mutation had originally occurred to me as well, but since the parameter into ValidateDeploymentConfigSpec is NOT a pointer, my understanding was that golang would pass in a copy of the param to the method.
Looking again though, while the DeploymentConfigSpec passed in is not a pointer, the underlying Template field is a pointer. Perhaps then even with DeploymentConfigSpec parameter being a "copy", the Template pointer field will be the same address in both DeploymentConfigSpec copies ... as I type, I'm thinking yes, but confirmation / correction of my train of thought here would be great.
I'll start working on the changes in the interim.
There was a problem hiding this comment.
All slices are passed by pointer, so you'll need to revert those as well.
On Mon, Jun 6, 2016 at 10:39 AM, Gabe Montero notifications@github.com
wrote:
In pkg/deploy/api/validation/validation.go
#9167 (comment):@@ -39,6 +39,39 @@ func ValidateDeploymentConfigSpec(spec deployapi.DeploymentConfigSpec) field.Err
if spec.Template == nil {
allErrs = append(allErrs, field.Required(specPath.Child("template"), ""))
} else {
// if we have both an ICT defined and an empty Template->PodSpec->Container->Image field, we are goingYeah, the span of mutation had originally occurred to me as well, but
since the parameter into ValidateDeploymentConfigSpec is NOT a pointer,
my understanding was that golang would pass in a copy of the param to the
method.Looking again though, while the DeploymentConfigSpec passed in is not a
pointer, the underlying Template field is a pointer. Perhaps then even
with DeploymentConfigSpec parameter being a "copy", the Template pointer
field with be the same address in both DeploymentConfigSpec copies ... as
I type, I'm thinking yes, but confirmation / correction of my train of
thought here would be great.I'll start working on the changes in the interim.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/openshift/origin/pull/9167/files/7108af0c910f3080a151b4fbd222c31265396ccb#r65901447,
or mute the thread
https://github.com/notifications/unsubscribe/ABG_p6agQgWm-H2gYfbesbJMRIW-2rxbks5qJDE1gaJpZM4It4tM
.
There was a problem hiding this comment.
whatever we do, we should have a test that validates a DC/DCSpec with empty image names and ensures the validation doesn't mutate (original DC or DC spec passed in still has empty image names)
There was a problem hiding this comment.
I like deep copy as well ... will go down that route unless a strong objection surfaces.
There was a problem hiding this comment.
There was a problem hiding this comment.
Apologies, don't know what is meant by "fuzz test". Can you clarify @smarterclayton ?
Pending that, I'll move forward with removing the deep copy and incorporating a temp update / revert pattern.
There was a problem hiding this comment.
Create a test that calls validation with an object and verifies it doesn't
change, but do so with a range of input. Fuzzing would allow you to test
many more outcomes, but I'd be ok with a test that from inspection is the
same. I acknowledge Jordan's concerns, but deep copy is a hammer and I'm
not concerned with mutation if we have a very focused test.
On Wed, Jun 8, 2016 at 11:07 AM, Gabe Montero notifications@github.com
wrote:
In pkg/deploy/api/validation/validation.go
#9167 (comment):@@ -39,6 +39,39 @@ func ValidateDeploymentConfigSpec(spec deployapi.DeploymentConfigSpec) field.Err
if spec.Template == nil {
allErrs = append(allErrs, field.Required(specPath.Child("template"), ""))
} else {
// if we have both an ICT defined and an empty Template->PodSpec->Container->Image field, we are goingApologies, don't know what is meant by "fuzz test". Can you clarify
@smarterclayton https://github.com/smarterclayton ?Pending that, I'll move forward with removing the deep copy and
incorporating a temp update / revert pattern.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/openshift/origin/pull/9167/files/7108af0c910f3080a151b4fbd222c31265396ccb#r66274074,
or mute the thread
https://github.com/notifications/unsubscribe/ABG_p4UxNFf_r1BDUEyYtrNMFzbI6pWyks5qJtq0gaJpZM4It4tM
.
There was a problem hiding this comment.
OK, I've pushed the change that removes deepCopy and introduces a mutate/restore semantic. I updated the test case that confirms the container name change does not extend beyond the validate call slightly, but certainly did not get expansive, given @smarterclayton said he'd be ok with a test that was the same.
|
how would a client display what image the dc would actually deploy if the image name is empty. the UI already has issues when the name is set to |
|
pretty sure the UI is/was going to be updated to show the ICT imagestream reference instead of the image field, for cases where the image field is blank (or " ") and an ICT exists. |
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
from
7108af0 to
e55285d
Compare
|
OK, have pushed update with:
ptal - thx |
| needToChangeImageField := false | ||
| if len(containerEmptyImageInICT) > 0 { | ||
| for _, trigger := range triggers { | ||
| if trigger.Type == deployapi.DeploymentTriggerOnImageChange { |
There was a problem hiding this comment.
reduce the nesting by blacklisting
if trigger.Type != ... || trigger,params == nil {
continue
}
// ...There was a problem hiding this comment.
yep, looks better ... update pushed
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
from
e55285d to
7f128e4
Compare
|
lgtm |
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
2 times, most recently
from
1a33ff9 to
2faa1aa
Compare
| changedContainers = append(changedContainers, &(template.Spec.Containers[i])) | ||
| template.Spec.Containers[i].Image = "unset" | ||
| } | ||
| } |
There was a problem hiding this comment.
It would be better to have a map of container name to original image and just set them all. Returning array could be overkill.
There was a problem hiding this comment.
OK, removed the array return, did not add a map return, and inlined the saving of the original names and restoring of them in the validate method itself.
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
from
2faa1aa to
abd1b6f
Compare
|
|
||
| if needToChangeImageField { | ||
| for i, container := range template.Spec.Containers { | ||
| // only update containers listed in the icp |
There was a problem hiding this comment.
yep, ict ... will fix
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
2 times, most recently
from
d6caf70 to
e05e23e
Compare
|
also @openshift/api-review - does the recent implementation discussion have bearing on the api-review, or does the api-review only pertain to the specifics of what is a valid container image field? |
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
from
e05e23e to
30abda3
Compare
|
This change is approved to allow deployment configs to have empty image On Mon, Jun 13, 2016 at 1:29 PM, Gabe Montero notifications@github.com
|
| } | ||
|
|
||
| func getContainerImageNames(template *kapi.PodTemplateSpec) []string { | ||
| originalContainerImageNames := make([]string, 0) |
There was a problem hiding this comment.
make([]string, len(template.Spec.Containers))
There was a problem hiding this comment.
suggestion pushed
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
from
30abda3 to
be845a3
Compare
|
[test] |
| } | ||
| } | ||
| needToChangeImageField := false | ||
| if len(containerEmptyImageInICT) > 0 { |
There was a problem hiding this comment.
It seems that you can return early here if len(containerEmptyImageInICT) == 0. It will also reduce indentation.
|
handleEmpty impl still lgtm, pending @Kargakis' if-inversion/indentation nit. |
gabemontero
force-pushed
the
bypassImageCheckWithICTs
branch
from
be845a3 to
6049db4
Compare
|
last @Kargakis comment induced change pushed ... redoing [test] |
|
Evaluated for origin test up to 6049db4 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4824/) |
|
lgtm [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4824/) (Image: devenv-rhel7_4373) |
|
Evaluated for origin merge up to 6049db4 |
6 participants
…mpty string)
per a discussion between @smarterclayton , @bparees , and myself (and perhaps @Kargakis as well, though maybe he got pulled in later on), @smarterclayton asked that we introduce a change to bypass the k8s validation in the container image field when an openshift ICT is defined (which will populate said field).
While the OpenShift sample templates will still set this field to non-empty for backward compatibility, we can at least allow customers with new templates to not have to put a meaningless value for the container.image field.
PTAL gentlemen