Validation Webhook: Auto-Accept Status Updates

[sam-heilbron]

Description

Auto-accept status updates, instead of requiring a full translation run

Context

The validation webhook executes a full translation run to determine whether a proposed change is valid. Status only changes will not affect the validity of the proposed change, and therefore it is both unnecessary and expensive to run translation for status only changes.

Checklist:

• I included a concise, user-facing changelog (for details, see https://github.com/solo-io/go-utils/tree/master/changelogutils) which references the issue that is resolved.
• If I updated APIs (our protos) or helm values, I ran make -B install-go-tools generated-code to ensure there will be no code diff
• I followed guidelines laid out in the Gloo Edge contribution guide
• I opened a draft PR or added the work in progress label if my PR is not ready for review
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[solo-changelog-bot]

Issues linked to changelog:
#6990

[EItanya]

proto.Equal?

[EItanya]

Also, what about metadata, do we not care about label changes, etc.?

[sam-heilbron]

Yeah I was thinking about this and erred on the side of "if it's not a spec change, allow it". One example of a problematic change is:
You could change the label of a VirtualService, which is selected by a Gateway, and that would mean that the Gateway no longer selects any VS's and should reject the change.

[jenshu]

You could change the label of a VirtualService, which is selected by a Gateway, and that would mean that the Gateway no longer selects any VS's and should reject the change.

wouldn't this be a reason for not skipping validation when there's a metadata-only change?

[sam-heilbron]

Yup! Just pushing up an update

[github-actions]

Visit the preview URL for this PR (updated for commit 40fe50c):

https://gloo-edge--pr7010-vwh-accept-status-up-44jybh9x.web.app

_{(expires Tue, 30 Aug 2022 18:52:06 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

[jenshu]

add resource name/namespace/kind here too?

[jenshu]

Suggested change

	logger.Debugf("Skipping validatation. Reason: status only update")
	logger.Debugf("Skipping validation. Reason: status only update")

[jenshu]

does resourceVersion not change on status updates?

[sam-heilbron]

Yeah good call. I tried adding a kube2e test, but it's tricky to test, given that we still update generation and other metadata fields, so its hard to identify if the auto-accept of status does anything. Ill keep working on one siince I think it will be necessary to prove out/ensure we don't have a regression.

[kdorosh]

rather than do it this way... should we hash it instead and compare hashes? that is what hashing was intended for

[kdorosh]

i see we hash the spec, but i mean hash the whole resource with our generated hash functions.. just like our emitters

[kdorosh]

this should ignore the status but also ignore any fields on the spec we want opted out here as well (which could cause similar issues)

[nfuden]

If we do that and there are new fields on the CRD that our current version of gloo doesnt care about then it will still generate validations.

[nfuden]

but hashing is faster agreed

[sam-heilbron]

Yeah I think that's cleaner. I think I'll need to pass in the typed resource into the function for the 'oldResource'. I'll update!

[sam-heilbron]

/kick https://storage.googleapis.com/solo-public-build-logs/logs.html?buildid=f78e19e9-dcd9-4065-9a5b-d14f4bff3bf2 consul works as expected

[EItanya]

These changes make sense to me!

[jenshu]

LGTM as well