docs: add documentation for adding a new API fields with validation using DV tags only and testing#8906
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
size/XL
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
d11a786 to
bf0efac
Compare
|
/assign @thockin |
| rule, prefer handwritten validation for that field rather than mixing DV and | ||
| handwritten validation for the same field. |
There was a problem hiding this comment.
Do we prefer handwritten if part of the validation on the same field can be DV?
There was a problem hiding this comment.
Yes, my understanding from our last sync meeting on Friday is that API reviewers want new APIs fields validation to be all DV or no DV for the validations of a given new field.
There was a problem hiding this comment.
Updated the text to be:
If DV can cover some of the new field's checks but cannot cover all of them,
prefer handwritten validation for that field rather than splitting one field's
checks between DV and handwritten validation.
|
|
||
| While the goal is to express as much validation declaratively as possible, some complex or validation rules might still require manual implementation in `validation.go`. | ||
|
|
||
| #### Adding a new API field with DV-native validation |
There was a problem hiding this comment.
It is straightforward for adding a "new API type". But a bit tricky when it comes to a new API field:
If this type already migrated some existing fields to DV. Do we still support? Once the strategy add the WithDeclarativeEnforcement(), non-prefixed tag would become authoritative and handwritten counterpart needs to be deleted; otherwise, the migrated fields need to add the k8s:beta(or alpha?) prefix to enable explicitly shadowing.
There was a problem hiding this comment.
I clarified the scope of this section with an additional small paragraph around this
This guidance assumes the API type is plumbed for declarative
validation. If the type already has existing DV migrated/shadowed fields (+k8s:alpha/+k8s:beta) and still relies on fields w/ handwritten validation and/or shadowed DV, those older fields can continue to
exist as-is, but do not introduce that split for the new field covered by this
section.
| * gate off, field specified | ||
| * gate off, field omitted | ||
| * gate off, old value unchanged on update | ||
| * gate off, old value changed on update |
There was a problem hiding this comment.
The last case, gate off, old value changed on update, we should have a fobidden error right? I think we can extend this a bit about what should be the expected test result.
There was a problem hiding this comment.
I updated the test guidance to make the expected result explicit. Now is a table:
| Case | Expected result |
|---|---|
| gate on, field specified | Allowed if the value is valid. |
| gate on, field omitted | Allowed. |
| gate on, invalid value specified | Rejected with the field's normal validation error, such as NotSupported, Invalid, TooLong, or TooMany. |
| gate off, field specified | Rejected. With the standard ifDisabled(...)=+k8s:forbidden pattern, expect a forbidden error. |
| gate off, field omitted | Allowed. |
| gate off, old value unchanged on update | Allowed due to ratcheting. |
| gate off, old value changed on update | Rejected. With the standard ifDisabled(...)=+k8s:forbidden pattern, expect a forbidden error because the update is attempting to write a disabled field value. |
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
2 times, most recently
from
962fe20 to
78e1c1a
Compare
|
/area api-validation |
|
@aaron-prindle: The label(s) DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Addressed the initial review comments there, PTAL the updated docs @yongruilin |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
78e1c1a to
d4e3229
Compare
k8s-ci-robot
removed
the
lgtm
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aaron-prindle The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
2 times, most recently
from
91932a6 to
6580962
Compare
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
3fc5f11 to
6e8fd84
Compare
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
13 times, most recently
from
9106ed7 to
4aa242c
Compare
|
@liggitt I've updated the PR here to reflect to updated guidance from the sig-arch meeting. Of note, we actually do check feature gate values for some validations in HW code, specifically when a new enum value is added to an enum and that new enum value is feature gated (as part of new gated functionality). I've updated the documentation here for this case now. PTAL when you get a chance, thanks! |
|
/cc @liggitt (typo on initial message github name) |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
…sing DV tags only and testing
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
56edf4d to
bef182e
Compare
|
New changes are detected. LGTM label has been removed. |
k8s-ci-robot
removed
the
lgtm
|
Updated the feature gating + defaulting logic based on offline conversation. Now this does support the common practive of using +k8s:optional, snippet below: // +featureGate=Frobber2D
// +optional
// +k8s:optional
// +default=8
// +k8s:maximum=128
Width *int32 `json:"width,omitempty" protobuf:"varint,3,opt,name=width"`
|
|
PTAL @yongruilin at the updated defaulting section |
| Width *int32 `json:"width,omitempty" protobuf:"varint,3,opt,name=width"` | ||
| ``` | ||
|
|
||
| Declarative validation has some logic where `+k8s:optional` and `+default` get treated as +k8s:required (which we don't want for this case) BUT there is additional logic in DV whereif +k8s:optional, +default, and +featureGate are on a field (as it is in this case) then it is treated as +k8s:optional (which is correcT) so be sure all of those tags are on the defaulted & feature-gated field. |
There was a problem hiding this comment.
BUT there is additional logic in DV whereif +k8s:optional, +default, and +featureGate are on a field (as it is in this case)
Would you like to hold this? since it hasn't been implemented yet.
There was a problem hiding this comment.
/hold
Good point, I will hold this awaiting the implementation for this support that we identified as a TODO for v1.37
k8s-ci-robot
added
the
do-not-merge/hold
5 participants
This updates api_changes.md with a prescriptive section for the CUJ: “add a new API field and validate it with declarative validation”. It documents the DV plumbing prerequisites, DV tag authoring, feature gate and strategy wiring, codegen checks, status subresource handling, current workarounds like +k8s:validation-gen-nolint, and copy-paste snippets + testing guidance for declarative_validation_test.go and strategy_test.go.
Which issue(s) this PR fixes:
Fixes #
N/A