Admission controller doc #69
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
teaglebuilt
reviewed
Dec 7, 2025
| * Utilize **`ValidatingAdmissionPolicy` (CEL)** for *stateless, context-aware* validation that needs access to `oldObject.status` or `request.userInfo`. | ||
| * Provide clear, actionable error messages at admission time. | ||
| * Support multiple certificate management strategies (cert-manager and self-contained). | ||
| * Keep webhook logic in the `data-handler` module. |
There was a problem hiding this comment.
what is the distinction of the data-handler and why here instead of resource-handler?
teaglebuilt
reviewed
Dec 7, 2025
|
|
||
| * **Pros:** Automatic certificate generation, renewal, and CA bundle injection. Industry standard. | ||
| * **Cons:** Adds a runtime dependency on `cert-manager`. | ||
| * **Implementation:** Ship `Certificate` and `Issuer` manifests in `config/webhook/cert-manager`. |
There was a problem hiding this comment.
how would we prevent the webhook from registering before the certs are ready? For example, the api server tries to call the webhook (MultiCluster CREATE/DELETE) before certs are generated
Collaborator
Author
There was a problem hiding this comment.
We sidestep the issue by enforcing a strict order of operations in main.go.
Here is how:
- First, we check if
tls.crtandtls.keyalready exist in the cert directory (e.g., mounted by cert-manager). If they do, we skip internal generation entirely and just use those files. - If no certs are found, we initialize our internal generator and run
rotator.Bootstrap(ctx). This is a blocking call. The operator won't proceed past this line until the certs are generated, written to disk, and theMutatingWebhookConfigurationis patched with the new CA bundle. - The webhook server (port 9443) is managed by
mgr. Since we haven't calledmgr.Start()yet, the binary isn't even listening on that port. If the API server tried to call us during this phase, it would just get a connection refused, not a TLS error. - On top of that, we use a
readyzcheck. Kubernetes won't send traffic to the Pod's Service until the manager is fully up and running, which only happens after that bootstrap phase succeeds.
I hope that answers your question! The code is already implemented in main if you want to go take a look.
…idation This commit updates the `admission-controller-and-defaults.md` design document to include the specific logic required for the v1alpha1 System Catalog implementation. **Changes:** * **Level 2 (CEL):** Added explicit `XValidation` rules to enforce the v1alpha1 topology constraints (Single-Database `postgres` only) and the Mandatory Default TableGroup rule (`size() == 1`). * **Level 4 (Mutation):** Detailed the "System Catalog Injection" logic within the Mutating Webhook. This ensures that empty `spec.databases` or `tableGroups` lists are automatically hydrated with the mandatory `postgres` and `default` resources before hitting the API server. * **Test Plan:** Updated integration tests to verify that `MultigresCluster` creation correctly injects these system resources when they are omitted from the spec.
Establishes a 4-tier admission control architecture (OpenAPI, Embedded CEL, ValidatingAdmissionPolicy, Webhook) to handle validation and defaulting. Key design points: - Solves "Invisible Defaults" via a Shared Resolver pattern used by both the Webhook (persistence) and Controller (in-memory fallback). - Defines stateful validation rules for Template referential integrity. - Adds backward compatibility strategy for K8s < 1.30: The Webhook will redundantly implement critical ValidatingAdmissionPolicy logic (e.g., Read-Only Child resources) to support older clusters. - Updates drawbacks to reflect the maintenance cost of this temporary logic duplication.
Collaborator
Author
|
Merging this as it explains in great detail the reasoning behind our webhook and admission controllers design. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A document detailing defaults, controller logic and where to apply it.