kubeadm: add the "config validate" subcommand #118013
Conversation
cmd/kubeadm/app/cmd/config.go
Outdated
| This command lets you validate a kubeadm configuration API file and report any warnings and errors. | ||
| If there are no errors the exit status will be zero, otherwise it will be non-zero. | ||
| Any unmarshaling problems such as unknown API fields will trigger warnings. Unknown API versions and | ||
| fields with invalid values will trigger fatal errors. Any other errors or warnings may be reported | ||
| depending on contents of the input file. | ||
|
|
||
| In this version of kubeadm, the following API versions are supported: | ||
| - %s |
There was a problem hiding this comment.
this behavior is exactly the same as any kubeadm command that accepts a --config flag. same for "kubeadm config migrate". my thinking was that we don't want to make e.g. warnings into errors when validating but instead keep the validation behavior consistent across commands. warnings are shown with klog on stderr, so it is possible for the user to check if stderr is empty on bash from the command line.
for feedback
There was a problem hiding this comment.
also please check these comments about printing to stdout
#118013 (comment)
cmd/kubeadm/app/cmd/config.go
Outdated
| // MigrateOldConfig performs conversion to internal type, strict unmarshaling, | ||
| // defaulting and validation. It can be used for the validation purpose with output bytes | ||
| // ignored. | ||
| if _, err = configutil.MigrateOldConfig(cfgBytes); err != nil { |
There was a problem hiding this comment.
this is essentially reusing the migrate backend and ignoring the output.
LMK, if you think we should refactor it for more clarity.
There was a problem hiding this comment.
+1 to define another func for this command even if it just calls MigrateOldConfig instead.
There was a problem hiding this comment.
I tried this command, one thing might worth to discuss here is that if only unknown obj defined in the cfg, there is no warning at all.
e.g. the config is defined as this,
kind: unknownKind
apiVersion: kubeadm.k8s.io/v1beta3
unknowkey: unknownvalue
kubeadm config validate --config /home/davche02/backup/config/kubeadm/bootstrapfake.cfg
validation passed in this case.
We'd better to thrown a warning here.
There was a problem hiding this comment.
we should throw an error for unknown GVK.
IIRC, the code paths for init, join do that.
There was a problem hiding this comment.
+1 to define another func for this command even if it just calls
MigrateOldConfiginstead.
there could be migrate and validate funcs that share a common backend.
the validate func will not have the marshaling / output.
There was a problem hiding this comment.
+1 to define another func for this command even if it just calls MigrateOldConfig instead.
added a new ValidateConfig util function now.
There was a problem hiding this comment.
--- apiVersion: foo/v1beta1 kind: Bar
Should we add this to the unit test case?
BTW, an empty file would be a test case as well.
There was a problem hiding this comment.
With the latest code 0d85d67, there is no warning if the configuration is not match Join/Init/Cluster according to https://github.com/kubernetes/kubernetes/pull/118013/files#diff-5569e71dfa98866b583171d92e018cf11680c6e1ab16e55ecd0c1e2a0f1f4f4eR250-R264.
There was a problem hiding this comment.
Should we add this to the unit test case?
it's just a warning on stderr (klog) so there is no straightforward way to test it. we could switch it to error and it would be easier to unit test.
With the latest code 0d85d67, there is no warning
i think the problem is that i did not test just unknown GVK. it was combined with known GVK. the logic needs update..
There was a problem hiding this comment.
updated, see new PR description and release note amend.
- unknown APIs (GVK) and unknown fields now throw errors in migrate/validate commands
- other commands like init/join are not affected
- added better unit tests for both new commands
|
/hold |
|
/retest untelated test failures |
|
/assign |
cmd/kubeadm/app/cmd/config.go
Outdated
| // MigrateOldConfig performs conversion to internal type, strict unmarshaling, | ||
| // defaulting and validation. It can be used for the validation purpose with output bytes | ||
| // ignored. | ||
| if _, err = configutil.MigrateOldConfig(cfgBytes); err != nil { |
There was a problem hiding this comment.
+1 to define another func for this command even if it just calls MigrateOldConfig instead.
| // ignored. | ||
| if _, err = configutil.MigrateOldConfig(cfgBytes); err != nil { | ||
| return err | ||
| } |
There was a problem hiding this comment.
I'd prefer to print something if the validation is okay, nothing output to stdout now if everything is good.
There was a problem hiding this comment.
perhaps, we should. i'd like to get more opinions on this. the exit code 0 / 1 may be sufficient.
There was a problem hiding this comment.
looks like there are no comments on this. my preference is to not print on stdout on "OK", similarly to some go tools.
There was a problem hiding this comment.
If making it like the dry-run, we can print a result for each configuration in the file
[root@daocloud ~]# ./kubeadm-dev config validate --config kubeadmcfg.yaml
InitConfiguration validated
ClusterConfiguration validated
Bar unknown
This would be much clear if there are multi items in the configuration files.
Or, we can just print OK/Validated/Done when there is no error/warning. This is also good.
There was a problem hiding this comment.
actually, there is no clean way to detect if a warning was printed. it just goes to stderr from klog. non warnings go there too.
printing per validated config is possible but it will complicate the plumbing of functions a bit. we don't want to print the same messages during normal init/join...but the backend functions are the same.
i will check what options work well.
There was a problem hiding this comment.
updated to just print "ok" if validation has no errors.
cmd/kubeadm/app/cmd/config.go
Outdated
| // MigrateOldConfig performs conversion to internal type, strict unmarshaling, | ||
| // defaulting and validation. It can be used for the validation purpose with output bytes | ||
| // ignored. | ||
| if _, err = configutil.MigrateOldConfig(cfgBytes); err != nil { |
There was a problem hiding this comment.
I tried this command, one thing might worth to discuss here is that if only unknown obj defined in the cfg, there is no warning at all.
e.g. the config is defined as this,
kind: unknownKind
apiVersion: kubeadm.k8s.io/v1beta3
unknowkey: unknownvalue
kubeadm config validate --config /home/davche02/backup/config/kubeadm/bootstrapfake.cfg
validation passed in this case.
We'd better to thrown a warning here.
|
/cc |
6e19f0a
to
0d85d67
Compare
0d85d67
to
ed1e45b
Compare
| @@ -190,8 +191,37 @@ func ChooseAPIServerBindAddress(bindAddress net.IP) (net.IP, error) { | |||
| return ip, nil | |||
| } | |||
|
|
|||
| // verifyKnownGVKs takes a list of GVKs and verifies if they are known in kubeadm or component config schemes | |||
| func verifyKnownGVKs(gvks []schema.GroupVersionKind) error { | |||
There was a problem hiding this comment.
documentMapTo{Init|Join}Configuration() calls VerifyUnmarshalStrict() which contains similar logic to test for known GVKs. having verifyKnownGVKs() and calling it early in MigrateOldConfig() and ValidateConfig() has the benefits of exiting early for unknown GVKs. logic is a bit duplicated, yet for both migrate/validate commands we want a common method to check if an API is known early on and include component config in there as well. during VerifyUnmarshalStrict() for documentMapToJoinConfiguration() component config is not considered.
please LMK, if someone has strong opinions for refactors here.
| gvks = append(gvks, gvk) | ||
| } | ||
|
|
||
| if err := verifyKnownGVKs(gvks); err != nil { |
There was a problem hiding this comment.
When a user is using the v1beta2, it will just be shown as unknown.
For kubeadm config migrate, it will show the message that you can migrate v1beta2 to v1beta3 using kubeadm v1.22. I think the message helps when validating an old version of the kubeadm configuration.
Using validateSupportedVersion can show that message.
There was a problem hiding this comment.
i also think the message is valuable.
this is a bit problematic because the validateSupportedVersion function only validates a known GroupVersion. it does not know what Kinds existed in the version.
i need to think what is best here.
There was a problem hiding this comment.
updated to keep legacy versions in mind.
ed1e45b
to
797e726
Compare
|
/lgtm The current behavior and warning messages are LGTM. |
|
LGTM label has been added. Git tree hash: 81efb3435b92bb18176b93d022747b35927a02b1
|
| return err | ||
| } | ||
|
|
||
| // Migrate InitConfiguration and ClusterConfiguration if there are any in the config |
There was a problem hiding this comment.
Looks like these comments is from MigrateOldConfig, it is a little confusion here to say Migrate?
There was a problem hiding this comment.
changed comments to // Validate ...
| } | ||
| } | ||
|
|
||
| // Migrate JoinConfiguration if there is any |
The command can be used to validate an input --config and throw
warnings and errors.
Add a new argument strctErrors to the functions
documentMapTo{Init|Join}Configuration(). This allows
to return errors from the calls to VerifyUnmarshalStrict().
Add a new function verifyKnownGVKs() in config/common.go
that is used to verify if a list of GVKs in a config file is
known. This function is used by the "validate" and "migrate"
commands.
Both commands now throw errors for unknown APIs or fields.
797e726
to
72e4c9a
Compare
|
LGTM label has been added. Git tree hash: 5e2a878812ce3011bb60b479e3fec3853ef3775a
|
|
/unhold |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chendave, neolit123, pacoxu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
kubeadm: add the "config validate" subcommand
The command can be used to validate an input --config and throw
warnings and errors.
Add a new argument strctErrors to the functions
documentMapTo{Init|Join}Configuration(). This allows
to return errors from the calls to VerifyUnmarshalStrict().
Add a new function verifyKnownGVKs() in config/common.go
that is used to verify if a list of GVKs in a config file is
known. This function is used by the "validate" and "migrate"
commands.
Both commands now throw errors for unknown APIs or fields.
Which issue(s) this PR fixes:
Fixes kubernetes/kubeadm#2871
Special notes for your reviewer:
NONE
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: