Validate beta features only when v1 Tasks and Pipelines are defined #6701
Conversation
tekton-robot
added
kind/misc
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/assign |
There was a problem hiding this comment.
Couldn't we use the context (ctx) to kno when to validate and when to not validate (as there is already information in there about if it's at creation, or update, etc..) ?
One of the shortcomings of this is, if the webhook is not ready/registered, one might be able to create something that is not valid (aka uses beta fields while the configuration is set to stable) and get it executed. This, however, can only happen explicitely (user removes the webhook/admission controller registration) or at installation (in a very short period of time where CRDs are there but the webhook has not fully started…).
|
chatted offline with @vdemeester, but this PR doesn't actually change anything from the current implementation. Right now, we don't do any validation in the reconciler for beta fields. We do call We could discuss future improvements guarding against the webhook being disabled or not ready, but this PR doesn't change our current validation behavior, it just makes it possible for us to swap to v1 as our storage version without breaking v1beta1 pipelines using beta features. We could also choose to add beta features validation for v1 remote tasks here: pipeline/pkg/reconciler/pipelinerun/resources/pipelineref.go Lines 163 to 173 in dffb5f4 Note that this would be a change from what we're doing today. |
|
I am a bit neutral on this, I don't really like that approach too much, but I don't hate it either, and it does unblock switching the storage version. As a side note, I don't really see a big rush to switch the storage version (as discussed during the API WG) but I also don't see too much reason to block that either. I would love to have opinion of others @tektoncd/core-maintainers 👼🏼 |
|
@vdemeester could you elaborate on your concerns with this proposal or any problems you think we might run into? We could definitely brainstorm ways to make the reconciler more resilient to issues with the webhook validation being accidentally skipped, but I don't think that should block this PR. |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
known flake: #6672 |
|
hey @lbernick this is neat and generally I like the approach. I have two questions -
|
In the reconciler, we only call
It doesn't. This is an example of how validation for remote Pipelines differs from validation of local Pipelines. We should probably add this validation, but I don't think that should block this PR. |
tekton-robot
added
the
needs-rebase
tekton-robot
removed
the
needs-rebase
|
The following is the coverage report on the affected files.
|
There was a problem hiding this comment.
Code LGTM, but let's wait till the pipeline wg next week to merge to align on the discussions around alternatives to this and why we need this PR - I wrote up my understanding of the summary here: #6592 (comment)
There was a problem hiding this comment.
Code LGTM, but let's wait till the pipeline wg next week to merge to align on the discussions around alternatives to this and why we need this PR - I wrote up my understanding of the summary here: #6592 (comment)
|
/hold cancel |
tekton-robot
removed
the
do-not-merge/hold
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dibyom, JeromeJu, vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| @@ -70,7 +76,6 @@ func (ps *PipelineSpec) Validate(ctx context.Context) (errs *apis.FieldError) { | |||
| errs = errs.Also(validatePipelineContextVariables(ps.Tasks).ViaField("tasks")) | |||
| errs = errs.Also(validatePipelineContextVariables(ps.Finally).ViaField("finally")) | |||
| errs = errs.Also(validateExecutionStatusVariables(ps.Tasks, ps.Finally)) | |||
| errs = errs.Also(ps.ValidateBetaFields(ctx)) | |||
There was a problem hiding this comment.
just to make it clear for the reviewers, this PR is moving this validation from func (ps *PipelineSpec) Validate() to func (p *Pipeline) Validate() such that the validation ValidateBetaFields is done during pipeline creation time compared to pipelineRun.
Currently, validation differs between api versions: when beta features are used in v1 APIs, "enable-api-fields" must be set to "alpha" or "beta", but when beta features are used in beta APIs, "enable-api-fields" may be set to "alpha", "beta", or "stable". We also validate the specs of referenced Tasks or Pipelines in the TaskRun/PipelineRun reconciler. This presents a problem when referencing a Task or Pipeline declared locally, since the Task or Pipeline may be converted into a different API version when it's stored. This commit moves validation for beta features to apply only to Tasks and Pipelines when they are created or updated, and not called when a Task spec or Pipeline spec is validated. This commit will allow us to swap the storage version of our API without user-facing impact. Separately, we plan to decouple feature versioning from API versioning, as it is a better long-term solution. This commit contains no expected functional changes, since the TaskRun and PipelineRun reconcilers do not currently validate that"enable-api-fields" is set to "alpha" or "beta" when beta features are used in referenced Tasks or Pipelines. This validation will be added for v1 remote Tasks and Pipelines in a separate commit.
discussion at Pipelines WG today-- no concerns re: merging this PR |
|
/lgtm |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
known flake: #6672 |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
If that fix works, and the PR has rebased from the main. Then we shouldn’t encounter the flaky again? |
Currently, validation differs between api versions: when beta features are used in v1 APIs,
"enable-api-fields" must be set to "alpha" or "beta", but when beta features are used in beta APIs,
"enable-api-fields" may be set to "alpha", "beta", or "stable".
We also validate the specs of referenced Tasks or Pipelines in the TaskRun/PipelineRun reconciler.
This presents a problem when referencing a Task or Pipeline declared locally, since the Task or Pipeline may be converted into a different API version when it's stored.
This commit moves validation for beta features to apply only to Tasks and Pipelines when they are created or updated,
and not called when a Task spec or Pipeline spec is validated.
This commit will allow us to swap the storage version of our API without user-facing impact.
Separately, we plan to decouple feature versioning from API versioning, as it is a better long-term solution (#6592).
This commit contains no expected functional changes, since the TaskRun and PipelineRun reconcilers do not
currently validate that"enable-api-fields" is set to "alpha" or "beta" when beta features are used in
referenced Tasks or Pipelines.
This validation will be added for v1 remote Tasks and Pipelines in a separate commit (#6725).
Closes #6616.
/kind misc
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
/kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes