Inject empty parameters field for legacy schemas

[maxsmythe]

To handle legacy (pre-v1) CRDs, we inject
x-kubernetes-preserve-unknown-fields
in order to preserve the legacy behavior
that unknown fields were not pruned by the API
server.

Unfortunately, we are not handling the case
where no parameters are provided, which currently
means that parameters will be stripped from users' CRs.

This fixes that.

Fixes: open-policy-agent/gatekeeper#1468

Signed-off-by: Max Smythe smythe@google.com

[codecov-commenter]

Codecov Report

Merging #130 (b18e1ba) into master (86fb1b2) will increase coverage by 0.40%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #130      +/-   ##
==========================================
+ Coverage   42.19%   42.59%   +0.40%     
==========================================
  Files          35       35              
  Lines        2766     2775       +9     
==========================================
+ Hits         1167     1182      +15     
+ Misses       1234     1228       -6     
  Partials      365      365              

Flag	Coverage Δ
unittests	42.59% <ø> (+0.40%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...rks/constraint/pkg/apis/templates/v1/conversion.go	73.33% <0.00%> (+23.33%)	⬆️
...onstraint/pkg/apis/templates/v1beta1/conversion.go	73.33% <0.00%> (+23.33%)	⬆️
...nstraint/pkg/apis/templates/v1alpha1/conversion.go	73.33% <0.00%> (+23.33%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 86fb1b2...b18e1ba. Read the comment docs.

[julianKatz]

This strikes me as the case of Validation being a nil pointer, which then should be defaulted to:

{ legacySchema: false }

But that seems different than the test cases that were added in constrainttemplate_types_test.go, which are about Validation.OpenAPIV3Schema being nil.

Can you elaborate?

[maxsmythe]

If validation is nil, then K8s defaulting doesn't go further, which means the default value for legacySchema is never applied.

The test validates that legacySchema behaves properly when openAPIV3Schema is nil. The extra defaulting makes it so that that logic actually gets invoked.

[julianKatz]

This strikes me as a defaulting action, rather than a conversion action. I think we'd be better off linking those two things together somehow.

[maxsmythe]

This is a conversion action.

In the case where legacySchema == false, the schema remains nil and the expectation is that no parameters are provided.

When legacySchema == true, users could provide any value to parameters and it would be accepted, this preserves that.

Essentially we are unpacking the implicit x-preserves embedded in legacySchema, no new intent is being injected (which defaulting would do)

[ritazh]

Thanks for working on this PR @maxsmythe! With this change, users would still need to update their CRDs right? (ie. we need to force update the GK CT CRD via helm)

[maxsmythe]

You're welcome! :)

Users still need to update their CRDs. In general, it seems dangerous to allow CRDs to go stale.

I talk a bit more about the CRD thing in Oren's issue:

open-policy-agent/gatekeeper#1458

Basically saying that we could paper over having an old CRD, but that would eventually break anyway once we moved to defaulting to v1 CRDs.

[maxsmythe]

Also, if we do want to paper over having an out-of-date CRD manifest, we'd have to do that in the Gatekeeper repo.

[sozercan]

LGTM