KEP-2170: Implement skeleton webhook servers

[tenzen-y]

What this PR does / why we need it:
I implemented the skeleton webhook servers for v2 operator.

Which issue(s) this PR fixes (optional, in Fixes #<issue number>, #<issue number>, ... format, will close the issue(s) when PR gets merged):
Part-of #2209

Checklist:

• Docs included if any changes are user facing

[coveralls]

Pull Request Test Coverage Report for Build 10778925774

Details

• 21 of 21 (100.0%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 100.0%

---

Totals
Change from base Build 10739885471:	0.0%
Covered Lines:	66
Relevant Lines:	66

---

💛 - Coveralls

[tenzen-y]

/assign @kubeflow/wg-training-leads

[tenzen-y]

I will delegate the actual validation implementations to other contributors who are interested in this project.

[andreyvelich]

Thanks for this @tenzen-y!
I left a few comments.

[andreyvelich]

I think, we discussed before that we want to allow to deploy V1 and V2 operator, so I suggest we name it as:

Suggested change

	name: training-operator
	name: training-operator-v2

[tenzen-y]

The Service was removed based on #2251 (comment) discussion.

[andreyvelich]

Let's use the appropriate label here:

Suggested change

	labels:
	app: training-operator
	labels:
	training.kubeflow.org/component: controller

[andreyvelich]

I make it similar to Katib: https://github.com/kubeflow/katib/blob/master/manifests/v1beta1/components/controller/controller.yaml#L17

[tenzen-y]

Actually, I was not supposed to add this file in this PR. I would like to add Service and Deployment manifests in #2208.

So, could we remove Service and Deployment from this PR so that we can focus on setting up skeleton webhook servers?

[andreyvelich]

Sounds good, we can add them in a separate PR.

[andreyvelich]

Suggested change

	control-plane: kubeflow-training-operator
	training.kubeflow.org/component: controller

[tenzen-y]

The Service was removed based on #2251 (comment) discussion.

[andreyvelich]

I am wondering for what are we planning to use Mutating Webhook ?

[tenzen-y]

IIUC, we need to default .spec.mlPolicy.numNodes to 1, right?

[andreyvelich]

Yeah, but can we set these values via CEL or we require Mutating Webhook in any case if we want to add default values?

[tenzen-y]

That makes sense. In that case, let's decide if we should introduce the webhook mutator during #2209.

So, we can remove the mutator for now.

[tenzen-y]

Done.

[andreyvelich]

Can we call it similar to Katib webhooks ?

Suggested change

	name: validating-webhook-configuration
	name: training.kubeflow.org

[tenzen-y]

This is auto-generated name by controller-gen.
So, we can not change this name.

[andreyvelich]

I remember that we discussed before that we can rename it via Kustomize patch: https://github.com/kubeflow/training-operator/blob/master/manifests/base/webhook/patch.yaml.

[tenzen-y]

Yes, that's right. But we do not add any manifests in this PR because I added only manifests generated by controller-gen so that we can start up the webhook servers during envtest.

In other words, these manifests are at least manifests to launch webhook servers during integration testing.

[tenzen-y]

So, I think #2208 has the responsibility to add manifests not generated by controller-tools. Any thoughts?

[andreyvelich]

Sounds good. @tenzen-y Please can you add the comment in #2208 that we should add the Kustomize patch to update those names ?

[tenzen-y]

Sure. I will describe the detailed task in #2208.

[andreyvelich]

Should we simplify it ?

Suggested change

	name: vclustertrainingruntime.training-operator.kubeflow.org
	name: clustertrainingruntime.training.kubeflow.org

[tenzen-y]

To avoid the conflict between the defaulter and the validator, let's use the "validator" prefix.
Additionally, could we use the "training-operaotr.kubeflow.org" domain since we have 2 components, training-operator and mpi-operator for the training?

[andreyvelich]

To avoid the conflict between the defaulter and the validator, let's use the "validator" prefix

What do you think about the full names, like we did for Katib webhooks:

validator.clustertrainingruntime.kubeflow.org
defaulter.clustertrainingruntime.kubeflow.org

Additionally, could we use the "training-operaotr.kubeflow.org" domain since we have 2 components, training-operator and mpi-operator for the training?

Should we use mpi.kubeflow.org for MPI Operator webhooks for now ?

[tenzen-y]

Sure, it could work fine now.

The TainJob and TrainingRuntime are still in the alpha stage. So, it is easy to change the name once we face conflicts with other kubeflow projects.

Indeed, the MPIOperator does not have any webhooks now.

[tenzen-y]

Done.

[andreyvelich]

Suggested change

	name: vtrainingruntime.training-operator.kubeflow.org
	name: trainingruntime.training.kubeflow.org

[andreyvelich]

Suggested change

	name: vtrainjob.training-operator.kubeflow.org
	name: trainjob.training.kubeflow.org

[andreyvelich]

Can we move those Kind types to constants ?

Suggested change

	return "TranJob", err
	return "TrainJob", err

[tenzen-y]

Done.

[andreyvelich]

Do you want to create deployment for controller as well ?
Also, what do you think about moving service and controller under /base/controller or /base/manager folder ?

[tenzen-y]

The Service was removed based on #2251 (comment) discussion.

[tenzen-y]

@andreyvelich I addressed the comments. The only remaining point is #2251 (comment).

[tenzen-y]

@andreyvelich I addressed all comments. PTAL.

[andreyvelich]

@tenzen-y Do you return these names only to handle this error: https://github.com/kubeflow/training-operator/blob/master/cmd/training-operator.v2alpha1/main.go#L150C5-L152 ?
Do you think it is necessary ?
If some of the webhook will fail, we will get this info since we traceback error from the underlying file: ClusterTrainingRuntime, TrainingRuntime, or TrainJob.

[tenzen-y]

Yes, I believe that this name is helpful because this is not for validation error, this is for set up error.
This error can be seen when the startup webhook server failed.

[andreyvelich]

That's right, but without this name, can we see the file traceback of this error during the webhook setup ?

[tenzen-y]

I guess that the traceback will show the path where the error occurs. However, I still believe this helps understand the components in which failure occurs since this component name (ex. TrainJob) can be shown as a top-level log, and this top-level log allows us to avoid digging into nested traceback logs.

[andreyvelich]

Alright, sounds good!

[andreyvelich]

Thank you for this @tenzen-y!
/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andreyvelich

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [andreyvelich]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tenzen-y]

Thank you for this @tenzen-y! /lgtm /approve

Thank you!