MAISTRA-1071 Add manifest namespace validation

[dgn]

This is two parts:

• validatingWebhook code to give users early and comprehensible feedback on why they can't use a namespace
• reconciler.validateManifests function that makes sure we'll never deploy resources into namespaces that are not part of the mesh

[rcernich]

It's probably worth returning the error and letting the reconciliation restart. If there's a gateway that references a namespace that is legitimate, then we'll error when we validate, which will be a false error message.

[dgn]

So you want to restart reconciliation without logging an error in this case?

[dgn]

The thing is that this will probably only happen rarely, and even if it happens, it will only have an impact if you have a gateway outside the control plane namespace. The idea with just logging and continuing was that 99% of the time it'll be alright, because the gateway is in the cp namespace anyway

[rcernich]

I believe you can just return the error from the reconcile loop and let it do its thing. I don't remember if we need to log it and return it, or just return it. @luksa?

[rcernich]

I agree that it's probably unlikely that it will fail and unlikely that a namespace other than the control plane will be used. Maybe keep track of the fact that the smmr lookup failed and then if there's a validation failure, you can return the smmr error instead. wdyt?

[dgn]

Yeah, I think that makes sense

[dgn]

I fixed it now. While at it, I found another issue; I had forgotten to split the manifests (by "---") so was only looking at the first manifest in the output of each helm template (which for the gateways are multiple).

[dgn]

FYI I ran the validation function 1k times and it takes 21ms on average on my machine, so should be okay

[luksa]

LGTM but I'm wondering why we need to consider the member namespaces when checking the manifests. Aren't all resources deployed in the control plane namespace? If yes, then we could perform the validation when we render the charts.

[dgn]

LGTM but I'm wondering why we need to consider the member namespaces when checking the manifests. Aren't all resources deployed in the control plane namespace? If yes, then we could perform the validation when we render the charts.

The gateways are an exception in that they can be deployed to any namespace by providing a
istio.gateways.some-gateway.namespace: someNamespace; this is meant to allow for multiple ingress/egress gateways in separate namespaces.

The reason I added this in a generic fashion is that things like this could come up again in future versions of Istio, and it might not just be restricted to gateways

[dgn]

Adding a hold as this will go into 1.1.5

[dgn]

/cherry-pick maistra-1.2

[maistra-bot]

@dgn: #462 failed to apply on top of branch "maistra-1.2":

Using index info to reconstruct a base tree...
M	pkg/controller/common/util.go
M	pkg/controller/servicemesh/controlplane/reconciler.go
M	pkg/controller/servicemesh/controlplane/reconciler_test.go
M	pkg/controller/servicemesh/webhooks/validation/controlplane_test.go
A	pkg/controller/servicemesh/webhooks/validation/controlplane_util.go
A	pkg/controller/servicemesh/webhooks/validation/controlplane_v1_1.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/controller/versions/util.go
CONFLICT (content): Merge conflict in pkg/controller/versions/util.go
CONFLICT (modify/delete): pkg/controller/servicemesh/webhooks/validation/controlplane_v1_1.go deleted in HEAD and modified in MAISTRA-1071 Add manifest namespace validation. Version MAISTRA-1071 Add manifest namespace validation of pkg/controller/servicemesh/webhooks/validation/controlplane_v1_1.go left in tree.
Auto-merging pkg/controller/servicemesh/webhooks/validation/controlplane_test.go
CONFLICT (content): Merge conflict in pkg/controller/servicemesh/webhooks/validation/controlplane_test.go
Auto-merging pkg/controller/servicemesh/controlplane/reconciler_test.go
CONFLICT (content): Merge conflict in pkg/controller/servicemesh/controlplane/reconciler_test.go
Auto-merging pkg/controller/servicemesh/controlplane/reconciler.go
Auto-merging pkg/controller/common/util.go
CONFLICT (content): Merge conflict in pkg/controller/common/util.go
error: Failed to merge in the changes.
Patch failed at 0001 MAISTRA-1071 Add manifest namespace validation

In response to this:

/cherry-pick maistra-1.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.