Fail creating of revision is istio-injection label is not in namespace#1223
Fail creating of revision is istio-injection label is not in namespace#1223shashwathi wants to merge 1 commit intoknative:masterfrom
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here (e.g. What to do if you already signed the CLAIndividual signers
Corporate signers
|
google-prow-robot
added
the
size/L
|
I signed it |
|
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. |
shashwathi
force-pushed
the
check-istio-injection
branch
from
f81ccf5 to
7d24f05
Compare
|
CLAs look good, thanks! |
There was a problem hiding this comment.
RevisionConditionContainerHealthy on a new line for readability
There was a problem hiding this comment.
I don't think we should mark the RevisionConditionBuildSucceeded as I assume this is a prerequisite for creating a revision deployment/pods
If it was set to true before and we set it to false that would confuse the user
There was a problem hiding this comment.
You're missing a corresponding test (and maybe updating some other ones) for this new behaviour.
There was a problem hiding this comment.
I added test coverage for revision_type. I missed it completely. Thanks
There was a problem hiding this comment.
Might be worth using strings.ToLower - since I do not know if case matters
There was a problem hiding this comment.
I would remove this log line as the error is represented in the revision status
|
/assign @tcnghia |
|
/assign @dprotaso |
|
What are people's thoughts (@shashwathi @tcnghia) about moving this check from the revision controller into the web hook? Advantages:
I can't think of any disadvantages since if a user mucks with the underlying deployment of a revision I would expect the controller to reconcile it back to what it was. |
google-prow-robot
added
size/XXL
|
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the |
shashwathi
force-pushed
the
check-istio-injection
branch
from
f79bd4c to
d5f2a9f
Compare
|
CLAs look good, thanks! |
google-prow-robot
added
size/L
|
|
|
Users do not create revisions directly, so they will never see a webhook validation error about a revision. We should do whatever is easiest for the configuration controller. IMO, it's best to let the configuration controller create revisions when it needs to, and give the revision controller responsibility for detecting the misconfiguration and proceeding when it's corrected. With the webhook:
With the controller:
|
|
I'm concerned that validating the intended behavior of a resource versus the structure of a resource makes the API more imperative than declarative. If the user cannot easily predict the outcome of an API operation due to the possibility of transient failures unrelated to the content of the operation, then the API is more "try this" than "the state should be this" and we might be holding it wrong according to Kubernetes API principles. In general, I think validation should be as predictable as possible, ideally deterministic. If a user has a resource that is itself valid, that resource should be accepted unless some condition exists that makes reconciling that object permanently impossible without further user mutations to that specific object (e.g. a field is missing and can never be inferred because the user must make a decision about its future value). It might be good to have some guidance on this in the spec (whether it agrees with me or not), or a link to a relevant section of the Kubernetes API conventions. cc @evankanderson @mattmoor @vaikas-google |
shashwathi
force-pushed
the
check-istio-injection
branch
from
d5f2a9f to
56882f6
Compare
|
@grantr good points and thanks for laying out your philosophy behind this |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: shashwathi Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
I would move this to the newTestController method. This simplifies the happy path for all tests and reduces the friction of adding new tests.
Secondly, we should create a new test case that covers the behaviour were the label is not present.
There was a problem hiding this comment.
Let's extract this out in it's own method
shashwathi
force-pushed
the
check-istio-injection
branch
2 times, most recently
from
88423d6 to
287a298
Compare
|
/lgtm |
|
/assign @mattmoor for |
|
(meta question) |
|
We're doing this for the autoscaler here: https://github.com/knative/serving/blob/master/pkg/controller/revision/autoscaler.go#L49 |
|
Ignore my comments, it seems as though that annotation does nothing without the namespace label. |
…amespace - Add test coverage - Enable istio injection in smoke & e2e test namespaces - Update README for test setup
shashwathi
force-pushed
the
check-istio-injection
branch
from
287a298 to
8b123e8
Compare
|
New changes are detected. LGTM label has been removed. |
|
The following is the coverage report on pkg/. Say
*TestCoverage feature is being tested, do not rely on any info here yet |
|
/assign @mattmoor |
|
/assign @mdemirhan (context) @tcnghia (out until monday) seems to have found a way for us to use Pod-level annotations, but it requires changes to Istio configmaps. I think that (following prior discussions around relying on alpha features) we should only take a dependency on a patch to the Istio configmap if it's going to land in a cc @vaikas-google @evankanderson |
|
Once we patch Istio yaml, the only thing we should look out for is going to be "istio-injection=disabled" - as long as a namespace does not have that, we will be fine (i.e. not having that label is ok. Having a random value in that label is ok as well). We should change this PR to catch that case and let everything else flow through. @tcnghia WDTY? |
|
I am patching in the upstream change from Istio #1369 so that we just need check the case that After that change goes in we won't need to worry about namespaces without the label. |
|
/hold |
google-prow-robot
added
the
do-not-merge/hold
10 participants
Proposed Changes
Regards
Shash