add toggle to disable creation of CRD validation and document it

2019-11-15 13:01:03 +01:00 · 2019-11-15 13:01:03 +01:00 · c4889a3c82
parent 9e222bf90c
commit c4889a3c82
16 changed files with 856 additions and 806 deletions
--- a/charts/postgres-operator/templates/customrresourcedefinition.yaml
+++ b/charts/postgres-operator/templates/customrresourcedefinition.yaml
@ -54,6 +54,7 @@ spec:
  scope: Namespaced
  subresources:
    status: {}
+  version: v1
  validation:
    openAPIV3Schema:
      type: object
@ -364,7 +365,6 @@ spec:
                  type: string
                subPath:
                  type: string
-  version: v1
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@ -409,6 +409,7 @@ spec:
  scope: Namespaced
  subresources:
    status: {}
+  version: v1
  validation:
    openAPIV3Schema:
      type: object
@ -657,5 +658,4 @@ spec:
                  pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$'
                scalyr_server_url:
                  type: string
-  version: v1
 {{ end }}
--- a/charts/postgres-operator/values-crd.yaml
+++ b/charts/postgres-operator/values-crd.yaml
@ -17,6 +17,8 @@ configTarget: "OperatorConfigurationCRD"

 # general top-level configuration parameters
 configGeneral:
+  # choose if deployment creates/updates CRDs with OpenAPIV3Validation
+  enable_crd_validation: true
  # start any new database pod without limitations on shm memory
  enable_shm_volume: true
  # etcd connection string for Patroni. Empty uses K8s-native DCS.
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@ -17,6 +17,8 @@ configTarget: "ConfigMap"

 # general configuration parameters
 configGeneral:
+  # choose if deployment creates/updates CRDs with OpenAPIV3Validation
+  enable_crd_validation: "true"
  # start any new database pod without limitations on shm memory
  enable_shm_volume: "true"
  # etcd connection string for Patroni. Empty uses K8s-native DCS.
--- a/docs/administrator.md
+++ b/docs/administrator.md
@ -3,6 +3,30 @@
 Learn how to configure and manage the Postgres Operator in your Kubernetes (K8s)
 environment.

+## CRD Validation
+
+[CustomResourceDefinitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
+will be registered with schema validation by default when the operator is
+deployed. The `OperatorConfiguration` CRD will only get created if the
+`POSTGRES_OPERATOR_CONFIGURATION_OBJECT` [environment variable](../manifests/postgres-operator.yaml#L36)
+in the deployment yaml is set and not empty.
+
+When submitting manifests of [`postgresql`](../manifests/postgresql.crd.yaml) or
+[`OperatorConfiguration`](../manifests/operatorconfiguration.crd.yaml) custom
+resources with kubectl, validation can be bypassed with `--validate=false`. The
+operator can also be configured to not register CRDs with validation on `ADD` or
+`UPDATE` events. Running instances are not affected when enabling the validation
+afterwards unless the manifests is not changed then. Note, that the provided CRD
+manifests contain the validation for users to understand what schema is
+enforced.
+
+Once the validation is enabled it can only be disabled manually by editing or
+patching the CRD manifest:
+
+```bash
+zk8 patch crd postgresqls.acid.zalan.do -p '{"spec":{"validation": null}}'
+```
+
 ## Namespaces

 ### Select the namespace to deploy to
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@ -119,15 +119,15 @@ kubectl get pod -l app.kubernetes.io/name=postgres-operator
 kubectl create -f manifests/minimal-postgres-manifest.yaml
 ```

-After the cluster manifest is submitted the operator will create Service and
-Endpoint resources and a StatefulSet which spins up new Pod(s) given the number
-of instances specified in the manifest. All resources are named like the
-cluster. The database pods can be identified by their number suffix, starting
-from `-0`. They run the [Spilo](https://github.com/zalando/spilo) container
-image by Zalando. As for the services and endpoints, there will be one for the
-master pod and another one for all the replicas (`-repl` suffix). Check if all
-components are coming up. Use the label `application=spilo` to filter and list
-the label `spilo-role` to see who is currently the master.
+After the cluster manifest is submitted and passed the validation the operator
+will create Service and Endpoint resources and a StatefulSet which spins up new
+Pod(s) given the number of instances specified in the manifest. All resources
+are named like the cluster. The database pods can be identified by their number
+suffix, starting from `-0`. They run the [Spilo](https://github.com/zalando/spilo)
+container image by Zalando. As for the services and endpoints, there will be one
+for the master pod and another one for all the replicas (`-repl` suffix). Check
+if all components are coming up. Use the label `application=spilo` to filter and
+list the label `spilo-role` to see who is currently the master.

 ```bash
 # check the deployed cluster
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@ -69,6 +69,11 @@ Variable names are underscore-separated words.

 Those are top-level keys, containing both leaf keys and groups.

+* **enable_crd_validation**
+  toggles if the operator will create or update CRDs with
+  [OpenAPI v3 schema validation](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#validation)
+  The default is `true`.
+
 * **etcd_host**
  Etcd connection string for Patroni defined as `host:port`. Not required when
  Patroni native Kubernetes support is used. The default is empty (use
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -21,6 +21,7 @@ data:
  # default_memory_request: 100Mi
  docker_image: registry.opensource.zalan.do/acid/spilo-11:1.6-p1
  # enable_admin_role_for_users: "true"
+  # enable_crd_validation: "true"
  # enable_database_access: "true"
  enable_master_load_balancer: "false"
  # enable_pod_antiaffinity: "false"
--- a/manifests/operatorconfiguration.crd.yaml
+++ b/manifests/operatorconfiguration.crd.yaml
@ -14,6 +14,7 @@ spec:
  scope: Namespaced
  subresources:
    status: {}
+  version: v1
  validation:
    openAPIV3Schema:
      type: object
@ -262,5 +263,3 @@ spec:
                  pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$'
                scalyr_server_url:
                  type: string
-
-  version: v1
--- a/manifests/postgresql-operator-default-configuration.yaml
+++ b/manifests/postgresql-operator-default-configuration.yaml
@ -3,6 +3,7 @@ kind: OperatorConfiguration
 metadata:
  name: postgresql-operator-default-configuration
 configuration:
+  # enable_crd_validation: true
  etcd_host: ""
  docker_image: registry.opensource.zalan.do/acid/spilo-11:1.6-p1
  # enable_shm_volume: true
--- a/manifests/postgresql.crd.yaml
+++ b/manifests/postgresql.crd.yaml
@ -14,6 +14,7 @@ spec:
  scope: Namespaced
  subresources:
    status: {}
+  version: v1
  validation:
    openAPIV3Schema:
      type: object
@ -324,5 +325,3 @@ spec:
                  type: string
                subPath:
                  type: string
-
-  version: v1
--- a/pkg/apis/acid.zalan.do/v1/crds.go
+++ b/pkg/apis/acid.zalan.do/v1/crds.go
--- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
+++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@ -150,6 +150,7 @@ type ScalyrConfiguration struct {

 // OperatorConfigurationData defines the operation config
 type OperatorConfigurationData struct {
+	EnableCRDValidation        *bool                              `json:"enable_crd_validation,omitempty"`
 	EtcdHost                   string                             `json:"etcd_host,omitempty"`
 	DockerImage                string                             `json:"docker_image,omitempty"`
 	Workers                    uint32                             `json:"workers,omitempty"`
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@ -6,7 +6,7 @@ import (
 	"sync"

 	"github.com/sirupsen/logrus"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@ -240,7 +240,7 @@ func (c *Controller) initController() {
 	c.initClients()

 	if configObjectName := os.Getenv("POSTGRES_OPERATOR_CONFIGURATION_OBJECT"); configObjectName != "" {
-		if err := c.createConfigurationCRD(); err != nil {
+		if err := c.createConfigurationCRD(c.opConfig.EnableCRDValidation); err != nil {
 			c.logger.Fatalf("could not register Operator Configuration CustomResourceDefinition: %v", err)
 		}
 		if cfg, err := c.readOperatorConfigurationFromCRD(spec.GetOperatorNamespace(), configObjectName); err != nil {
@ -256,7 +256,7 @@ func (c *Controller) initController() {

 	c.modifyConfigFromEnvironment()

-	if err := c.createPostgresCRD(); err != nil {
+	if err := c.createPostgresCRD(c.opConfig.EnableCRDValidation); err != nil {
 		c.logger.Fatalf("could not register Postgres CustomResourceDefinition: %v", err)
 	}

--- a/pkg/controller/operator_config.go
+++ b/pkg/controller/operator_config.go
@ -25,6 +25,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result := &config.Config{}

 	// general config
+	result.EnableCRDValidation = fromCRD.EnableCRDValidation
 	result.EtcdHost = fromCRD.EtcdHost
 	result.DockerImage = fromCRD.DockerImage
 	result.Workers = fromCRD.Workers
--- a/pkg/controller/util.go
+++ b/pkg/controller/util.go
@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"fmt"

-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@ -91,12 +91,12 @@ func (c *Controller) createOperatorCRD(crd *apiextv1beta1.CustomResourceDefiniti
 	})
 }

-func (c *Controller) createPostgresCRD() error {
-	return c.createOperatorCRD(acidv1.PostgresCRD())
+func (c *Controller) createPostgresCRD(enableValidation *bool) error {
+	return c.createOperatorCRD(acidv1.PostgresCRD(enableValidation))
 }

-func (c *Controller) createConfigurationCRD() error {
-	return c.createOperatorCRD(acidv1.ConfigurationCRD())
+func (c *Controller) createConfigurationCRD(enableValidation *bool) error {
+	return c.createOperatorCRD(acidv1.ConfigurationCRD(enableValidation))
 }

 func readDecodedRole(s string) (*spec.PgUser, error) {
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@ -12,10 +12,11 @@ import (

 // CRD describes CustomResourceDefinition specific configuration parameters
 type CRD struct {
-	ReadyWaitInterval time.Duration `name:"ready_wait_interval" default:"4s"`
-	ReadyWaitTimeout  time.Duration `name:"ready_wait_timeout" default:"30s"`
-	ResyncPeriod      time.Duration `name:"resync_period" default:"30m"`
-	RepairPeriod      time.Duration `name:"repair_period" default:"5m"`
+	ReadyWaitInterval   time.Duration `name:"ready_wait_interval" default:"4s"`
+	ReadyWaitTimeout    time.Duration `name:"ready_wait_timeout" default:"30s"`
+	ResyncPeriod        time.Duration `name:"resync_period" default:"30m"`
+	RepairPeriod        time.Duration `name:"repair_period" default:"5m"`
+	EnableCRDValidation *bool         `name:"enable_crd_validation" default:"true"`
 }

 // Resources describes kubernetes resource specific configuration parameters