Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regression in 4.10.3 and up related to the customize hook #842

Open
rolandkool opened this issue Aug 18, 2023 · 5 comments
Open

Regression in 4.10.3 and up related to the customize hook #842

rolandkool opened this issue Aug 18, 2023 · 5 comments

Comments

@rolandkool
Copy link

rolandkool commented Aug 18, 2023
edited

Hi,

Metacontroller version 4.10.3 has a regression compared to 4.10.2 when it comes to how the customize hook works.

One of our controllers is a decorator controller that acts on Deployment. In order to generate the child resource, it requires data (labels) from the namepace the Deployment is in. Our code contains this simple code:

    def customize(self, namespace: str) -> dict:
        return [
            {
                "apiVersion": "v1",
                "resource": "namespaces",
                "names": [namespace],
            }
        ]

When we run this against 4.10.2, the namespace data is returned correctly. When we run the same code against 4.10.3 or up, no namespace data is returned. No changes were done to our python code.
Tested it also with a composite controller that does a similar lookup, same behavior.

I've tried to reproduce it with the SecretPropagation example, but that seems to not be affected. Perhaps it is related to the parent resource being a cluster scoped resource instead of a namespace scoped one?

4.10.3 was released with some changes to support the v2 API for the customize hook, so it's probably related to that.
@newtondev newtondev mentioned this issue Aug 18, 2023
Closed
@grzesuav
Copy link
Contributor

#345

hmm I do not belive it was supported....

@rolandkool
Copy link
Author

It did work before 4.10.3. Was it a bug in all versions prior to 4.10.3?
Being able to retrieve data from the namespace the object is in is quite useful. May I assume the v2 customize hook API will support it?

@newtondev
Copy link
Collaborator

I managed to replicate the issue by switching from Cluster scope to Namespaced. Prior to 4.10.3 it would return the list of namespaces, whereas now it is limited to the namespace of the parent resoure's namespace.

This seems like it could cause data leakage and not the intended behavior of a Namespaced scope resource. We could possibly only allow an exception for namespaces to be read and no other resources in the customize hook outside of the namespaced parent.

@newtondev
Copy link
Collaborator

newtondev commented Aug 21, 2023
edited

The documentation also clearly states that Related resources for a Namespaced controller would only be for the same namespace as the parent.

We could we possibly add a feature flag that would allow for this? I did see some issues that were related to this.

image

See: https://metacontroller.github.io/metacontroller/guide/best-practices.html

@grzesuav
Copy link
Contributor

This is already a feature request for that. The fact it was working like that was because the code and flow is bit complicated and changes are scattered along the code, which makes subtle behavior being harder to implement or test properly.

I am working on implementing handling of v2 request/response, which make it possible to work again with cluster scope related resources (actually have some time this week so started on that part) it just consumes some time

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(hooks): Allow cluster resources in related result newtondev/metacontroller
3 participants
@newtondev @rolandkool @grzesuav