-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add unit tests for openstackmachine_webhook
#1737
Comments
From Matt:
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
Hi @mdbooth, I would like to give this task a try yet I have no clue about the actual functionality of |
Hi, Mykola! This would be great. I'll try to give you some context, but as I don't know your current level please forgive me if I give too much, or let me know if it's too little. Our webhooks are defined here: https://github.com/kubernetes-sigs/cluster-api-provider-openstack/tree/main/pkg/webhooks. They run as part of the CAPO manager process, so the requests are sent to CAPO itself via the webhook service. We only use admission webhooks. tl;dr When a user makes a CRUD call for one of our objects to kube-apiserver we get a callback from kube-apiserver which allows us to accept or reject the operation. Mostly we use the webhooks to ensure we only allow certain parts of the spec to mutate. The OpenStackMachine webhook cluster-api-provider-openstack/pkg/webhooks/openstackmachine_webhook.go Lines 109 to 111 in 078a792
However, the preceeding function variously zeroes out parts of both objects if we allow them to be updated. We now have an You can easily run just this test suite like this:
This test suite uses envtest, so it downloads and runs an actual kube-apiserver and etcd just for the test, loads our CRDs, and starts CAPO (for the webhooks) before running any tests. The tests consist of performing client operations with an actual k8s client. e.g. This one ensures that CAPO can set the providerID but it can't subsequently be updated: cluster-api-provider-openstack/test/e2e/suites/apivalidations/openstackmachine_test.go Lines 53 to 66 in 078a792
The testing in this test suite is inadequate. For example, we don't test that mutations to identityRef are allowed. I think the above fully describes the immediate task. For some additional context (stop reading if it's not helpful), we likely want to move most validations that can be performed by CEL or other CRD-based validations out of the webhooks and into the CRDs. Here's an example of this in ImageParam: cluster-api-provider-openstack/api/v1beta1/types.go Lines 31 to 45 in 078a792
Here we assert that exactly one of the properties must be set, and that ID, if set, must be a valid uuid. These validations are performed by kube-apiserver directly without making a webhook call. The apivalidations suite, because it is an envtest and therefore makes real api calls, can validate this logic whether it is implemented as a webhook or not. My strong preference is to implement these tests in apivalidations so as we gradually reduce what we validate in the webhook, we can continue to test that the user-visible behaviour remains the same. |
Hi @mdbooth, Thanks a lot for the detailed explanation. Please provide as more details as it is required. If something is not clear to me, I will ask for the clarification. I still doubt if I can successfully start. I have prepared some basic PR (#2068) a have a few questions:
|
Looking at your test, I can't immediately explain that. Is that a bug in the webhook? It looks ok 🤔
We only validate v1beta1, which doesn't contain instanceID. v1alpha6 will be converted to v1beta1 via the separate conversion webhook first, so we don't need to worry about it here. |
Thank you for the information. I will add the unit tests to |
This file has no unit tests.
Originally posted by @EmilienM in #1696 (comment)
The text was updated successfully, but these errors were encountered: