Defaulting to the latest tag if no tag was specified.
#826
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ybettan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
✅ Deploy Preview for kubernetes-sigs-kmm ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
/hols |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #826 +/- ##
==========================================
- Coverage 79.09% 71.63% -7.47%
==========================================
Files 51 68 +17
Lines 5109 4519 -590
==========================================
- Hits 4041 3237 -804
- Misses 882 1087 +205
- Partials 186 195 +9 ☔ View full report in Codecov by Sentry. |
internal/webhook/module.go
Outdated
| if km.ContainerImage != "" { | ||
| imgToCheck = km.ContainerImage | ||
| } | ||
| if !strings.ContainsRune(imgToCheck, '@') && !strings.ContainsRune(imgToCheck, ':') { |
There was a problem hiding this comment.
why can't we just return ImageHashOrTagNotSet from here? Why do we have to wait for the loop to finish?
There was a problem hiding this comment.
If we return directly then we will only warn about a single potential missing tag in a single kernelMapping instead of appending them all to 1 warning.
There was a problem hiding this comment.
Why do we need a warning in the webhook? Container image is either valid or not.
There was a problem hiding this comment.
I think we should have a new mutating webhook that sets the latest tag instead of returning warnings.
internal/webhook/module.go
Outdated
| if km.ContainerImage != "" { | ||
| imgToCheck = km.ContainerImage | ||
| } | ||
| if !strings.ContainsRune(imgToCheck, '@') && !strings.ContainsRune(imgToCheck, ':') { |
There was a problem hiding this comment.
what do you think about using NewTag and NewDigest to verify the correctness of the image? Those functions are part of the go-containerregistry/pkg/name package, and they make a little bit more verifications than just the presence of @ or :
internal/webhook/module.go
Outdated
|
|
||
| "github.com/go-logr/logr" | ||
| multierror "github.com/hashicorp/go-multierror" |
There was a problem hiding this comment.
I think we should use errors.Join from the standard library instead.
internal/webhook/module.go
Outdated
| if km.ContainerImage != "" { | ||
| imgToCheck = km.ContainerImage | ||
| } | ||
| if !strings.ContainsRune(imgToCheck, '@') && !strings.ContainsRune(imgToCheck, ':') { |
There was a problem hiding this comment.
I think we should have a new mutating webhook that sets the latest tag instead of returning warnings.
k8s-ci-robot
added
size/XL
ybettan
force-pushed
the
latest-tag
branch
8 times, most recently
from
4227a87
to
9acd668
Compare
k8s-ci-robot
added
size/L
ybettan
force-pushed
the
latest-tag
branch
4 times, most recently
from
5711d0f
to
f001c8d
Compare
In the current code, we handle differently build/sign and deploying a pre-built kmod. This is the current behavior: * If a `build`/`sign` section is set in the module, and the image tag isn't specified, then we will return an error. * If there are no `build`/`sign` section, and the image tag isn't specified, then we will default to the `latest` tag. This change is adjusting the behavior of both workflow to always default to the `latest` image tag if it is not specified in the `Module`/`ManagedClusterModule`. This is achieved by adding a new mutating-webhook for the `Module`&`ManangedClusterModule` objects. This change is also adding the `nullable` attributes to some API fields in order for it to work. Signed-off-by: Yoni Bettan <yonibettan@gmail.com>
Signed-off-by: Yoni Bettan <yonibettan@gmail.com>
k8s-ci-robot
added
size/XL
|
@ybettan: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/hold This is very fragile and will require an API bump for each field that we forgot to check. @yevgeny-shnaidman @TomerNewman How about we just add a validation-webhook rule to refuse We can proceed with this mutating webhook without the |
k8s-ci-robot
added
the
do-not-merge/hold
|
/close |
|
@ybettan: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Defaulting to the
latesttag if no tag was specified.In the current code, we handle differently build/sign and deploying a
pre-built kmod.
This is the current behavior:
build/signsection is set in the module, and the image tagisn't specified, then we will return an error.
build/signsection, and the image tag isn'tspecified, then we will default to the
latesttag.This change is adjusting the behavior of both workflow to always defaul
to the
latestimage tag if it is not specified in theModule/ManagedClusterModule.This is achieved by adding a new mutating-webhook for the
Module&ManangedClusterModuleobjects.This change is also adding the
nullableattributes to some API fieldsin order for it to work.
/cc @qbarrand @yevgeny-shnaidman
The
+nullablekubebuilder annotation is required until this PR is merged.