TriggerAuth-podIdentity.identityId - validation removed (operator)

[radekfojtik]

TriggerAuthentication.podIdentity - validation of identityId (empty string "") removed (operator)

• validation remains only in webhook

Checklist

• When introducing a new scaler, I agree with the scaling governance policy
• I have verified that my change is according to the deprecations & breaking changes policy
• Tests have been added
• Changelog has been updated and is aligned with our changelog requirements
• A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
• A PR is opened to update the documentation on (repo) (if applicable)
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #5109

Relates to #

[github-actions]

Thank you for your contribution! 🙏 We will review your PR as soon as possible.

While you are waiting, make sure to:

• Add an entry in our changelog in alphabetical order and link related issue
• Update the documentation, if needed
• Add unit & e2e tests for your changes
• GitHub checks are passing
• Is the DCO check failing? Here is how you can fix DCO issues

Learn more about:

• Our contribution guide

[radekfojtik]

@JorTurFer @tomkerkhove please take a look guys

[josefkarasek]

I tested the PR locally with:

1. Install keda v2.11.0 with helm
2. Create TriggerAuthentication with identityId: ""
3. Upgrade to keda v.2.12.0 - I was able to reproduce the issue
4. Deploy patched keda and validation webhook images, include ValidatingWebhookConfiguration from charts:main branch

Old TriggerAuthentications with identityId: "" don't cause issues and the validation webhook blocks the creation of new ones.

[josefkarasek]

Util functions like this one have a high potential for code duplicity. Can you add a new file to pkg/util and move the function there? Ideally with generics, something like

func IsDefaultValue[T comparable](value *T) bool {
	var def T
	return value != nil && *value == def
}

[josefkarasek]

Suggested change

	return fmt.Errorf("identityid of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"")
	return fmt.Errorf("identityId of PodIdentity should not be empty. If it's set, identityId has to be different than \"\"")

[zroubalik]

Just a side note, we shouldn't rely on validation webhooks that much. If possible, this should work withouth validation as well.

[tomkerkhove]

100%

[JorTurFer]

Just a side note, we shouldn't rely on validation webhooks that much. If possible, this should work withouth validation as well.

I have to disagree with this point. KEDA has to work properly handling the scenario, but the data validation is the responsibility of the webhooks, don't you think? I mean, why do we use validating webhooks for validating the data plane, if we are going to raise validation messages in the operator too?

KEDA operator will fail with a handled error if the user is providing the item wrongly (it won't panic), so other validations over the data constraints should be managed by the webhooks and users have to assume that validations are done by webhooks. As user, you can't skip the validating webhooks and also expect a well-formed validation with a lot of info about the validating error

[JorTurFer]

LGTM but let's wait until @zroubalik and @tomkerkhove agree with it (or not xD), because this moves the responsibility from the operator to webhooks

[tomkerkhove]

I have to disagree with this point. KEDA has to work properly handling the scenario, but the data validation is the responsibility of the webhooks, don't you think?
[...]
As user, you can't skip the validating webhooks and also expect a well-formed validation with a lot of info about the validating error

No, because webhooks are optional. If it would be mandatory then I'd agree.

Validation webhooks are more for enforcing best practices in the current state of KEDA, not for ensuring things are valid. If we want to go that route than making it mandatory is the only viable option.

[radekfojtik]

@zroubalik @tomkerkhove Having this validation on the operator side is a breaking change introduced in v2.12 (is not backwards-compatible). I would say it needs to be removed now anyway. Alternatively, it is possible to add a warning and introduce the validation in a later version. But interesting - the operator will warn the user about a non-valid value that was not added by the user but by default by the operator.

[radekfojtik]

I tested the PR locally with:

1. Install keda v2.11.0 with helm
2. Create TriggerAuthentication with identityId: ""
3. Upgrade to keda v.2.12.0 - I was able to reproduce the issue
4. Deploy patched keda and validation webhook images, include ValidatingWebhookConfiguration from charts:main branch

Old TriggerAuthentications with identityId: "" don't cause issues and the validation webhook blocks the creation of new ones.

@josefkarasek There is no need to set the identityId: "", the operator does it for you in case you omit this property (when the finalizer is added). Thanks for suggestions.

[zroubalik]

@JorTurFer could you please look at this? We should resolve this already :) Thanks

[JorTurFer]

@JorTurFer could you please look at this? We should resolve this already :) Thanks

I reviewed here: #5142 (comment)

From my perspective, webhooks have to validate the information and the operator has to just handle errors if they are. No having VALIDATING webhooks IMHO explicitly means that you don't have validations (because you are not installing them), just fails if you introduce something wrong.
In my opinion, this removal is 100% correct:

It moves the responsibility from the operator to the webhooks. If the operator sees and empty pod identity, it doesn't matter who sets it, and it continues with its work, failing if it has to fail

[JorTurFer]

We should push this topic @zroubalik @tomkerkhove

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

[zroubalik]

@JorTurFer let's add it to the agenda for the next meeting

[tomkerkhove]

Sorry, I did not see the pings - Let's discuss indeed