docs: add documentation for adding a new API fields with validation using DV tags only and testing#8906
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
size/XL
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
d11a786 to
bf0efac
Compare
|
/assign @thockin |
| rule, prefer handwritten validation for that field rather than mixing DV and | ||
| handwritten validation for the same field. |
There was a problem hiding this comment.
Do we prefer handwritten if part of the validation on the same field can be DV?
There was a problem hiding this comment.
Yes, my understanding from our last sync meeting on Friday is that API reviewers want new APIs fields validation to be all DV or no DV for the validations of a given new field.
There was a problem hiding this comment.
Updated the text to be:
If DV can cover some of the new field's checks but cannot cover all of them,
prefer handwritten validation for that field rather than splitting one field's
checks between DV and handwritten validation.
|
|
||
| While the goal is to express as much validation declaratively as possible, some complex or validation rules might still require manual implementation in `validation.go`. | ||
|
|
||
| #### Adding a new API field with DV-native validation |
There was a problem hiding this comment.
It is straightforward for adding a "new API type". But a bit tricky when it comes to a new API field:
If this type already migrated some existing fields to DV. Do we still support? Once the strategy add the WithDeclarativeEnforcement(), non-prefixed tag would become authoritative and handwritten counterpart needs to be deleted; otherwise, the migrated fields need to add the k8s:beta(or alpha?) prefix to enable explicitly shadowing.
There was a problem hiding this comment.
I clarified the scope of this section with an additional small paragraph around this
This guidance assumes the API type is plumbed for declarative
validation. If the type already has existing DV migrated/shadowed fields (+k8s:alpha/+k8s:beta) and still relies on fields w/ handwritten validation and/or shadowed DV, those older fields can continue to
exist as-is, but do not introduce that split for the new field covered by this
section.
| * gate off, field specified | ||
| * gate off, field omitted | ||
| * gate off, old value unchanged on update | ||
| * gate off, old value changed on update |
There was a problem hiding this comment.
The last case, gate off, old value changed on update, we should have a fobidden error right? I think we can extend this a bit about what should be the expected test result.
There was a problem hiding this comment.
I updated the test guidance to make the expected result explicit. Now is a table:
| Case | Expected result |
|---|---|
| gate on, field specified | Allowed if the value is valid. |
| gate on, field omitted | Allowed. |
| gate on, invalid value specified | Rejected with the field's normal validation error, such as NotSupported, Invalid, TooLong, or TooMany. |
| gate off, field specified | Rejected. With the standard ifDisabled(...)=+k8s:forbidden pattern, expect a forbidden error. |
| gate off, field omitted | Allowed. |
| gate off, old value unchanged on update | Allowed due to ratcheting. |
| gate off, old value changed on update | Rejected. With the standard ifDisabled(...)=+k8s:forbidden pattern, expect a forbidden error because the update is attempting to write a disabled field value. |
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
2 times, most recently
from
962fe20 to
78e1c1a
Compare
|
/area api-validation |
|
@aaron-prindle: The label(s) DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Addressed the initial review comments there, PTAL the updated docs @yongruilin |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
78e1c1a to
d4e3229
Compare
k8s-ci-robot
removed
the
lgtm
|
New changes are detected. LGTM label has been removed. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: aaron-prindle The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
d4e3229 to
91932a6
Compare
…sing DV tags only and testing
aaron-prindle
force-pushed
the
dv-adding-a-new-field-docs-v2
branch
from
91932a6 to
6580962
Compare
| // +k8s:ifEnabled("Frobber2D")=+k8s:optional | ||
| // +k8s:ifEnabled("Frobber2D")=+k8s:maximum=128 |
There was a problem hiding this comment.
feedback from sig-arch conversation, we wouldn't make validation conditional like this ... if there is data in the field, we validate it
There was a problem hiding this comment.
| // +k8s:ifEnabled("Frobber2D")=+k8s:optional | |
| // +k8s:ifEnabled("Frobber2D")=+k8s:maximum=128 | |
| // +k8s:optional | |
| // +k8s:maximum=128 |
Then here it is. And whether to have +k8s:forbidden depends on whether it is really the case for this specific new field.
| // +featureGate=Frobber2D | ||
| // +optional | ||
| // +k8s:optional | ||
| // +k8s:ifDisabled("Frobber2D")=+k8s:forbidden |
There was a problem hiding this comment.
feedback from sig-arch conversation, this belongs more to the feature-gate-informed wipe (or forbid) pass done before getting to validation
…g the feature gates for validation but also calling out how you could for special cases
5 participants
This updates api_changes.md with a prescriptive section for the CUJ: “add a new API field and validate it with declarative validation”. It documents the DV plumbing prerequisites, DV tag authoring, feature gate and strategy wiring, codegen checks, status subresource handling, current workarounds like +k8s:validation-gen-nolint, and copy-paste snippets + testing guidance for declarative_validation_test.go and strategy_test.go.
Which issue(s) this PR fixes:
Fixes #
N/A