Admission controller doc #69
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
teaglebuilt
reviewed
Dec 7, 2025
| * Utilize **`ValidatingAdmissionPolicy` (CEL)** for *stateless, context-aware* validation that needs access to `oldObject.status` or `request.userInfo`. | ||
| * Provide clear, actionable error messages at admission time. | ||
| * Support multiple certificate management strategies (cert-manager and self-contained). | ||
| * Keep webhook logic in the `data-handler` module. |
There was a problem hiding this comment.
what is the distinction of the data-handler and why here instead of resource-handler?
teaglebuilt
reviewed
Dec 7, 2025
|
|
||
| * **Pros:** Automatic certificate generation, renewal, and CA bundle injection. Industry standard. | ||
| * **Cons:** Adds a runtime dependency on `cert-manager`. | ||
| * **Implementation:** Ship `Certificate` and `Issuer` manifests in `config/webhook/cert-manager`. |
There was a problem hiding this comment.
how would we prevent the webhook from registering before the certs are ready? For example, the api server tries to call the webhook (MultiCluster CREATE/DELETE) before certs are generated
…idation This commit updates the `admission-controller-and-defaults.md` design document to include the specific logic required for the v1alpha1 System Catalog implementation. **Changes:** * **Level 2 (CEL):** Added explicit `XValidation` rules to enforce the v1alpha1 topology constraints (Single-Database `postgres` only) and the Mandatory Default TableGroup rule (`size() == 1`). * **Level 4 (Mutation):** Detailed the "System Catalog Injection" logic within the Mutating Webhook. This ensures that empty `spec.databases` or `tableGroups` lists are automatically hydrated with the mandatory `postgres` and `default` resources before hitting the API server. * **Test Plan:** Updated integration tests to verify that `MultigresCluster` creation correctly injects these system resources when they are omitted from the spec.
Establishes a 4-tier admission control architecture (OpenAPI, Embedded CEL, ValidatingAdmissionPolicy, Webhook) to handle validation and defaulting. Key design points: - Solves "Invisible Defaults" via a Shared Resolver pattern used by both the Webhook (persistence) and Controller (in-memory fallback). - Defines stateful validation rules for Template referential integrity. - Adds backward compatibility strategy for K8s < 1.30: The Webhook will redundantly implement critical ValidatingAdmissionPolicy logic (e.g., Read-Only Child resources) to support older clusters. - Updates drawbacks to reflect the maintenance cost of this temporary logic duplication.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A document detailing defaults, controller logic and where to apply it.