bypass k8s container image validation when ict's defined (allow for e…

[gabemontero]

…mpty string)

per a discussion between @smarterclayton , @bparees , and myself (and perhaps @Kargakis as well, though maybe he got pulled in later on), @smarterclayton asked that we introduce a change to bypass the k8s validation in the container image field when an openshift ICT is defined (which will populate said field).

While the OpenShift sample templates will still set this field to non-empty for backward compatibility, we can at least allow customers with new templates to not have to put a meaningless value for the container.image field.

PTAL gentlemen

[bparees]

Unexpected

[gabemontero]

part of next push

[0xmichalis]

cc: @ironcladlou @mfojtik

[gabemontero]

updates based on comments pushed

[bparees]

it seems like you can get rid of this whole structure. all you need to do in this loop is again check if the container.Image field is length 0, and if so, update it.

[bparees]

nevermind, didn't see that the trigger itself only applies to specific containers in the template, not all of them. my bad.

[bparees]

@openshift/api-review needs api review since we're changing what is "valid" for a DC's image field.

[smarterclayton]

It would be better to extract this to its own method, and only mutate the field for the duration of the validate call, not permanently. It would also be better to use a valid value for image, rather than relying on the empty whitespace being treated for the field.

I.e.:

func setEmptyImageChangeReferences(template, triggers) sets.String {
  // ... mutate each container with a trigger, return the names of those containers
  ... 
    containers[i].Image = "unset"
  ...
}
func resetEmptyImageChangeReferences(template, empty) {
  for i := range template.Containers {
    if empty.Has(template.Containers[i].Name) {
      template.Containers[i].Image = ""
    }
  }
}

func validateDeploymentConfigPodSpecTemplate(...) {
  emptyImages := setEmptyImageChangeReferences(template, triggers)
  errs := validatePodSpecTemplate(template)
  resetEmptyImageChangeReferences(template, emptyImages)
  return errs
}

We should not let our mutation escape the validation method.

[smarterclayton]

Names are arbitrary, just chosen for example.

[gabemontero]

Yeah, the span of mutation had originally occurred to me as well, but since the parameter into ValidateDeploymentConfigSpec is NOT a pointer, my understanding was that golang would pass in a copy of the param to the method.

Looking again though, while the DeploymentConfigSpec passed in is not a pointer, the underlying Template field is a pointer. Perhaps then even with DeploymentConfigSpec parameter being a "copy", the Template pointer field will be the same address in both DeploymentConfigSpec copies ... as I type, I'm thinking yes, but confirmation / correction of my train of thought here would be great.

I'll start working on the changes in the interim.

[smarterclayton]

All slices are passed by pointer, so you'll need to revert those as well.

On Mon, Jun 6, 2016 at 10:39 AM, Gabe Montero [email protected]
wrote:

In pkg/deploy/api/validation/validation.go
#9167 (comment):

@@ -39,6 +39,39 @@ func ValidateDeploymentConfigSpec(spec deployapi.DeploymentConfigSpec) field.Err
if spec.Template == nil {
allErrs = append(allErrs, field.Required(specPath.Child("template"), ""))
} else {

•   // if we have both an ICT defined and an empty Template->PodSpec->Container->Image field, we are going
  

Yeah, the span of mutation had originally occurred to me as well, but
since the parameter into ValidateDeploymentConfigSpec is NOT a pointer,
my understanding was that golang would pass in a copy of the param to the
method.

Looking again though, while the DeploymentConfigSpec passed in is not a
pointer, the underlying Template field is a pointer. Perhaps then even
with DeploymentConfigSpec parameter being a "copy", the Template pointer
field with be the same address in both DeploymentConfigSpec copies ... as
I type, I'm thinking yes, but confirmation / correction of my train of
thought here would be great.

I'll start working on the changes in the interim.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/openshift/origin/pull/9167/files/7108af0c910f3080a151b4fbd222c31265396ccb#r65901447,
or mute the thread
https://github.com/notifications/unsubscribe/ABG_p6agQgWm-H2gYfbesbJMRIW-2rxbks5qJDE1gaJpZM4It4tM
.

[liggitt]

whatever we do, we should have a test that validates a DC/DCSpec with empty image names and ensures the validation doesn't mutate (original DC or DC spec passed in still has empty image names)

[gabemontero]

I like deep copy as well ... will go down that route unless a strong objection surfaces.

[smarterclayton]

Let's not deep copy, it's very expensive on a pod template. The fuzz test is sufficient to prove non mutation.

[gabemontero]

Apologies, don't know what is meant by "fuzz test". Can you clarify @smarterclayton ?

Pending that, I'll move forward with removing the deep copy and incorporating a temp update / revert pattern.

[smarterclayton]

Create a test that calls validation with an object and verifies it doesn't
change, but do so with a range of input. Fuzzing would allow you to test
many more outcomes, but I'd be ok with a test that from inspection is the
same. I acknowledge Jordan's concerns, but deep copy is a hammer and I'm
not concerned with mutation if we have a very focused test.

On Wed, Jun 8, 2016 at 11:07 AM, Gabe Montero [email protected]
wrote:

In pkg/deploy/api/validation/validation.go
#9167 (comment):

@@ -39,6 +39,39 @@ func ValidateDeploymentConfigSpec(spec deployapi.DeploymentConfigSpec) field.Err
if spec.Template == nil {
allErrs = append(allErrs, field.Required(specPath.Child("template"), ""))
} else {

•   // if we have both an ICT defined and an empty Template->PodSpec->Container->Image field, we are going
  

Apologies, don't know what is meant by "fuzz test". Can you clarify
@smarterclayton https://github.com/smarterclayton ?

Pending that, I'll move forward with removing the deep copy and
incorporating a temp update / revert pattern.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/openshift/origin/pull/9167/files/7108af0c910f3080a151b4fbd222c31265396ccb#r66274074,
or mute the thread
https://github.com/notifications/unsubscribe/ABG_p4UxNFf_r1BDUEyYtrNMFzbI6pWyks5qJtq0gaJpZM4It4tM
.

[gabemontero]

OK, I've pushed the change that removes deepCopy and introduces a mutate/restore semantic. I updated the test case that confirms the container name change does not extend beyond the validate call slightly, but certainly did not get expansive, given @smarterclayton said he'd be ok with a test that was the same.

[liggitt]

how would a client display what image the dc would actually deploy if the image name is empty. the UI already has issues when the name is set to " " (c.f. openshift/origin-web-console#55)

[bparees]

pretty sure the UI is/was going to be updated to show the ICT imagestream reference instead of the image field, for cases where the image field is blank (or " ") and an ICT exists.

[gabemontero]

OK, have pushed update with:

1. used "unset" as the fake out value
2. set the fake out value on and validated with a deep copy
3. added test verifying the fake out value does not persist beyond the validate call (btw, verified it did persist beyond the call prior to doing 2)

ptal - thx

[0xmichalis]

reduce the nesting by blacklisting

if trigger.Type != ... || trigger,params == nil {
    continue
}
// ...

[gabemontero]

yep, looks better ... update pushed

[bparees]

lgtm

[smarterclayton]

It would be better to have a map of container name to original image and just set them all. Returning array could be overkill.

[gabemontero]

OK, removed the array return, did not add a map return, and inlined the saving of the original names and restoring of them in the validate method itself.

[bparees]

ict?

[gabemontero]

yep, ict ... will fix

[gabemontero]

also @openshift/api-review - does the recent implementation discussion have bearing on the api-review, or does the api-review only pertain to the specifics of what is a valid container image field?

[smarterclayton]

This change is approved to allow deployment configs to have empty image
values.

On Mon, Jun 13, 2016 at 1:29 PM, Gabe Montero [email protected]
wrote:

also @openshift/api-review
https://github.com/orgs/openshift/teams/api-review - does the recent
implementation discussion have bearing on the api-review, or does the
api-review only pertain to the specifics of what is a valid container image
field?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#9167 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ABG_p3pZH9c9ij-rGirCYTVuCxD98Khvks5qLZOKgaJpZM4It4tM
.

[liggitt]

make([]string, len(template.Spec.Containers))

[gabemontero]

suggestion pushed

[gabemontero]

[test]

[0xmichalis]

It seems that you can return early here if len(containerEmptyImageInICT) == 0. It will also reduce indentation.

[gabemontero]

update pushed

[bparees]

handleEmpty impl still lgtm, pending @Kargakis' if-inversion/indentation nit.

[gabemontero]

last @Kargakis comment induced change pushed ... redoing [test]

[openshift-bot]

Evaluated for origin test up to 6049db4

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4824/)

[bparees]

lgtm [merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/4824/) (Image: devenv-rhel7_4373)

[openshift-bot]

Evaluated for origin merge up to 6049db4