Let admission webhook check KongPlugins with secret configuration #1036
Codecov Report
@@ Coverage Diff @@
## main #1036 +/- ##
==========================================
- Coverage 49.65% 49.42% -0.24%
==========================================
Files 32 32
Lines 3198 3207 +9
==========================================
- Hits 1588 1585 -3
- Misses 1481 1492 +11
- Partials 129 130 +1
For KongPlugins that set ConfigFrom:
- Verify that the KongPlugin does not also set Config.
- Use the Secret value indicated by ConfigFrom when validating plugin configuration.

Fix #1023
Use configurationv1 for the controller configuration v1 package import, following convention elsewhere.
a9bba11 to 48f3795
No explicit blockers, but a lack of available testing as you mentioned in the description leaves me with some concerns.
How would you feel about putting together a written (manual) test plan for the admission controller which covers base functionality and the fix as a hack? Let me know your thoughts? 🤔
Other thoughts: The railgun prototype brings testing utilities that may enable us to test this more simply going forward, do you think that's potentially helpful or something we could use for this iteration?
Manual testing plan is:
Sample output: test.txt
I think the additional kubebuilder test scaffolding can help us here, but am not entirely sure, since the book documentation on it is a bit light. We'd still need a live Kong instance to test against, and I'm not sure if it supports that or just more thorough interactions with a mock K8S client and API server.
What this PR does / why we need it:
We don't currently support pulling configuration from a KongPlugin's ConfigFrom configuration in the admission webhook. Some plugins have fields that must be populated and have no default, e.g. issuer for the OpenID Connect plugin. The only current remedy is to disable validation entirely, which isn't ideal.
This PR:
configurationv1 import convention we use elsewhere for github.com/kong/kubernetes-ingress-controller/pkg/apis/configuration/v1 in the admission webhook.
Which issue this PR fixes:
fixes #1023
Special notes for your reviewer:
Reviewed validation unit tests. We currently lack units for most of the webhook checks because most of them require a Kong instance's /schemas/<whatever>/validate endpoint or other admin API access (e.g. GET /consumers/<username> to check whether a consumer would be a duplicate). We'd need integration tests to validate these, but our current framework doesn't allow us to easily test just whether we can upload configuration, since it's based around testing proxy behavior after. We should consider how to work such validation webhook tests into the new Go integration test system.
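
The two checks this PR describes can be exercised without a live Kong instance. The following is an added sketch, not the controller's own code: `SecretRef`, `Plugin`, `SecretGetter` and `ResolveConfig` are hypothetical simplifications, and the Secret value is assumed to hold a JSON object.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for the KongPlugin fields named in the PR.
type SecretRef struct{ Secret, Key string }
type Plugin struct {
	Namespace  string
	Config     json.RawMessage // inline configuration
	ConfigFrom *SecretRef      // configuration held in a Secret
}

// SecretGetter fetches a Secret's data (assumed interface, not a client-go type).
type SecretGetter func(namespace, name string) (map[string][]byte, error)

var ErrBothSet = errors.New("plugin sets both Config and ConfigFrom")

// ResolveConfig returns the config to validate; any lookup or parse failure rejects (fail closed).
func ResolveConfig(p Plugin, get SecretGetter) (map[string]interface{}, error) {
	raw := []byte(p.Config)
	if p.ConfigFrom != nil {
		if len(p.Config) > 0 {
			return nil, ErrBothSet
		}
		// The Secret is looked up only in the plugin's own namespace.
		data, err := get(p.Namespace, p.ConfigFrom.Secret)
		if err != nil {
			return nil, fmt.Errorf("secret %q: %w", p.ConfigFrom.Secret, err)
		}
		v, ok := data[p.ConfigFrom.Key]
		if !ok {
			return nil, fmt.Errorf("secret %q has no key %q", p.ConfigFrom.Secret, p.ConfigFrom.Key)
		}
		raw = v
	}
	cfg := map[string]interface{}{}
	// Generic error only: never echo Secret content into the admission response.
	if len(raw) > 0 && json.Unmarshal(raw, &cfg) != nil {
		return nil, errors.New("plugin configuration is not a JSON object")
	}
	return cfg, nil
}

func main() {
	// Constructed input: both fields set, so the plugin is rejected before any lookup.
	_, err := ResolveConfig(Plugin{Config: json.RawMessage(`{}`), ConfigFrom: &SecretRef{"s", "k"}}, nil)
	fmt.Println(err)
}
```

The returned map is what a webhook would then submit to the schema validation endpoint, so a required field such as issuer is checked against the Secret's value instead of validation being disabled.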