✨ WIP Add feature gate marker support for conditional CRD field inclusion #1259
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wazery The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @wazery! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @wazery. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/L
There was a problem hiding this comment.
I'm keen to seen progress on this issue, thanks @wazery for starting the push forward.
Feature gating is complex when it comes to CRDs. I'd be keen to see if we can also work out a plan for how we will gate specific markers, is that something we can align on as a project before we move forward?
Specifically I've seen needs for feature gated different enum sets, different feature gated XValidations and different values for things like Min/Max items that are feature gated.
But perhaps we actually need to be able to support gating all of the various markers we support?
/ok-to-test
| // isFeatureGateEnabled checks if a feature gate is enabled. | ||
| func (fg FeatureGateMap) isEnabled(gateName string) bool { | ||
| enabled, exists := fg[gateName] | ||
| return exists && enabled | ||
| } |
There was a problem hiding this comment.
This means the absence of a feature gate in the list of provided gates automatically means its disabled, right?
Do we want to be more explicit about this behaviour and make it an error if the generator finds a gate for which it doesn't have an opinion?
There was a problem hiding this comment.
yes you are right this is more like a silent disable, imho it's simple and predictable, yet it would allow typos in feature gate names to go unnoticed, I can switch that to explicitly error which will force decisions about every gate and would give user more clarity on possible issues, wdyt?
There was a problem hiding this comment.
I think it would be safer to force a decision for each gate
My concern is that someone might accidentally miss one gate, generate an updated set of CRDs, and then publish a breaking change because they didn't review properly and notice that a gated field got removed
pkg/crd/markers/featuregate.go
Outdated
| Category: "CRD feature gates", | ||
| DetailedHelp: markers.DetailedHelp{ | ||
| Summary: "marks a field to be conditionally included based on feature gate enablement", | ||
| Details: "Fields marked with +kubebuilder:feature-gate will only be included in generated CRDs when the specified feature gate is enabled via --feature-gates flag.", |
There was a problem hiding this comment.
Is the description here accurate, is it --feature-gates as a flag?
There was a problem hiding this comment.
you are right, I just fixed it, thanks for spotting it.
| if featureGateMarker := field.Markers.Get("kubebuilder:feature-gate"); featureGateMarker != nil { | ||
| if featureGate, ok := featureGateMarker.(crdmarkers.FeatureGate); ok { | ||
| gateName := string(featureGate) | ||
| if !ctx.featureGates.isEnabled(gateName) { | ||
| // Skip this field as its feature gate is not enabled | ||
| continue | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
I have examples of APIs where they are gated on multiple feature gates, is that something we would be able to support?
I have seen combinations in the past where both below cases are true:
enable this field if feature A OR feature B are enabledenable this field if feature A AND feature B are enabled
Do we want to support those here?
There was a problem hiding this comment.
yes this behaviour is supported by the current implementation.
There was a problem hiding this comment.
Can you provide an example? Of how I might do both the OR and AND scenarios?
k8s-ci-robot
added
ok-to-test
|
@wazery: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
wazery
changed the title
wazery
force-pushed
the
w-feature-gate-support
branch
from
3001605 to
b15c521
Compare
k8s-ci-robot
added
cncf-cla: yes
Implements +kubebuilder:feature-gate=<gate-name> marker that allows fields to be conditionally included in generated CRDs based on enabled feature gates. - Add FeatureGate marker type in pkg/crd/markers/featuregate.go - Register feature gate markers in marker registry - Add CLI parameter crd:featureGates=gate1=true,gate2=false - Implement conditional field inclusion in schema generation - Add feature gate context to Parser struct Addresses kubernetes-sigs#1238
- Add FeatureGates field to Generator struct - Implement parseFeatureGates function for CLI integration - Add FeatureGate marker type for field-level gating - Update schema generation to conditionally include fields - Add comprehensive integration tests - Support single and multi-gate syntax: featureGates="alpha=true,beta=true"
wazery
force-pushed
the
w-feature-gate-support
branch
from
b15c521 to
de2450b
Compare
Thanks a lot Joel for your review, I truly appreciate it and learn much from it. As you can see in the current implementation it's very initial, and allows only binary field inclusion so either the entire field is in or out. Yet we can enhance the implementation further to address your cases:
For example: Option A: Inline Feature Gate SyntaxOption B: Dedicated Feature Gate MarkersOption C: Block-based Feature GatingI love to hear your thoughts on how do you think we have to move forward on this PR, and truly appreciated your help 🙇. |
Based on feedback from PR kubernetes-sigs#1259 review comments, enhance RBAC feature gates with: - Support for complex feature gate expressions using OR (|) and AND (&) logic - Enhanced documentation with clear usage examples - Validation for feature gate expressions with proper error handling - Comprehensive test coverage for multiple gate scenarios New feature gate syntax: - Single gate: featureGate=alpha - OR logic: featureGate=alpha|beta (enabled if ANY gate is true) - AND logic: featureGate=alpha&beta (enabled if ALL gates are true) Examples: // +kubebuilder:rbac:featureGate=alpha|beta,groups=apps,resources=deployments,verbs=get;list // +kubebuilder:rbac:featureGate=alpha&beta,groups="",resources=services,verbs=get;list Addresses maintainer feedback on expression validation, multiple gate support, and improved documentation clarity.
k8s-ci-robot
added
cncf-cla: no
- Add featureGate parameter to +kubebuilder:rbac marker - Enable conditional RBAC rule generation based on feature gates - Add FeatureGate field to Rule struct and Generator struct - Implement feature gate parsing and filtering logic - Update GenerateRoles function to accept feature gates parameter - Add comprehensive test suite for feature gate functionality - Maintain backward compatibility with existing RBAC generation Example usage: // +kubebuilder:rbac:featureGate=alpha,groups=apps,resources=deployments,verbs=get;list controller-gen 'rbac:roleName=manager,featureGates="alpha=true,beta=false"' paths=./...
Based on feedback from PR kubernetes-sigs#1259 review comments, enhance RBAC feature gates with: - Support for complex feature gate expressions using OR (|) and AND (&) logic - Enhanced documentation with clear usage examples - Validation for feature gate expressions with proper error handling - Comprehensive test coverage for multiple gate scenarios New feature gate syntax: - Single gate: featureGate=alpha - OR logic: featureGate=alpha|beta (enabled if ANY gate is true) - AND logic: featureGate=alpha&beta (enabled if ALL gates are true) Examples: // +kubebuilder:rbac:featureGate=alpha|beta,groups=apps,resources=deployments,verbs=get;list // +kubebuilder:rbac:featureGate=alpha&beta,groups="",resources=services,verbs=get;list Addresses maintainer feedback on expression validation, multiple gate support, and improved documentation clarity.
Add feature gate support to webhook generation allowing conditional inclusion of webhooks based on enabled feature gates. Key features: - Single gate: featureGate=alpha - OR logic: featureGate=alpha|beta (include if ANY gate enabled) - AND logic: featureGate=alpha&beta (include if ALL gates enabled) - CLI parameter: controller-gen webhook featureGates="alpha=true,beta=false" - Expression validation with clear error messages - Comprehensive test coverage Maintains backward compatibility - webhooks without feature gates are always included. Follows same patterns as RBAC feature gates for API consistency.
wazery
force-pushed
the
w-feature-gate-support
branch
from
ff80782 to
cc41ffa
Compare
k8s-ci-robot
added
cncf-cla: yes
|
From your suggestions, I'd be interested to see if we can move towards Option A, though I don't know how simple that is for markers where we currently don't have keyed values. So for example, in XValidation, it's easy to add another value as it's already a multi-value marker. For the single value markers, adding an optional additional field isn't something I've looked into (not recently at least), but from the UX perspective sounds like the best IMO Interested to see if other maintainers have opinions on this project @alvaroaleman @sbueringer (and @everettraven who is a colleague who helps me with API review at RH) |
| @@ -10,6 +10,7 @@ require ( | |||
| github.com/onsi/gomega v1.38.0 | |||
| github.com/spf13/cobra v1.9.1 | |||
| github.com/spf13/pflag v1.0.7 | |||
| github.com/stretchr/testify v1.10.0 | |||
There was a problem hiding this comment.
We do not use assert on the tests, give a look at the others.
You will see that the sintax is a little different but not hard to comply with.
| // isFeatureGateEnabled checks if a feature gate is enabled. | ||
| func (fg FeatureGateMap) isEnabled(gateName string) bool { | ||
| enabled, exists := fg[gateName] | ||
| return exists && enabled | ||
| } |
There was a problem hiding this comment.
I think it would be safer to force a decision for each gate
My concern is that someone might accidentally miss one gate, generate an updated set of CRDs, and then publish a breaking change because they didn't review properly and notice that a gated field got removed
| if featureGateMarker := field.Markers.Get("kubebuilder:feature-gate"); featureGateMarker != nil { | ||
| if featureGate, ok := featureGateMarker.(crdmarkers.FeatureGate); ok { | ||
| gateName := string(featureGate) | ||
| if !ctx.featureGates.isEnabled(gateName) { | ||
| // Skip this field as its feature gate is not enabled | ||
| continue | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Can you provide an example? Of how I might do both the OR and AND scenarios?
| // Alpha-gated field - only included when alpha gate is enabled | ||
| // +kubebuilder:feature-gate=alpha | ||
| AlphaFeature *string `json:"alphaFeature,omitempty"` | ||
|
|
||
| // Beta-gated field - only included when beta gate is enabled | ||
| // +kubebuilder:feature-gate=beta | ||
| BetaFeature *string `json:"betaFeature,omitempty"` |
There was a problem hiding this comment.
What would happen if I wanted one of these fields to be on when either gate was enabled, and then another field only when both were enabled?
I can see the | and & logic in the rbac, do we have that for the fields/markers as well?
| {name: "single gate", expression: "alpha", shouldError: false}, | ||
| {name: "OR expression", expression: "alpha|beta", shouldError: false}, | ||
| {name: "AND expression", expression: "alpha&beta", shouldError: false}, | ||
| {name: "mixed operators", expression: "alpha&beta|gamma", shouldError: true}, |
There was a problem hiding this comment.
What's wrong with mixed operators?
| @@ -440,6 +453,98 @@ func (Generator) RegisterMarkers(into *markers.Registry) error { | |||
| return nil | |||
| } | |||
|
|
|||
| // FeatureGateMap represents enabled feature gates as a map for efficient lookup | |||
| type FeatureGateMap map[string]bool | |||
There was a problem hiding this comment.
The feature gate parsing logic appears to be needed in several places, should we create a centralised utility for this so that we only have to implement it once?
| // Check for mixing AND and OR operators | ||
| hasAnd := strings.Contains(expr, "&") | ||
| hasOr := strings.Contains(expr, "|") | ||
| if hasAnd && hasOr { | ||
| return fmt.Errorf("cannot mix '&' and '|' operators in feature gate expression: %s", expr) | ||
| } |
There was a problem hiding this comment.
I don't know if I've seen a use case for this, but in most logic I'd expect to be able to do (A&B)|C which would be equivalent to omitting the () since OR takes precedence over AND in the ordering, right?
| // Handle OR logic (any gate can be enabled) | ||
| if strings.Contains(featureGateExpr, "|") { | ||
| gates := strings.Split(featureGateExpr, "|") | ||
| for _, gate := range gates { |
There was a problem hiding this comment.
Are you familiar with the K8s sets utility?
If you were to turn the list of enabled feature gates into a set, I believe the HasAny and HasAll would simplify this a lot
Take a look at https://pkg.go.dev/k8s.io/apimachinery/pkg/util/sets
In the implementation I have downstream, we keep sets of All, Enabled and Disabled, so that every gate we find in a marker can be checked if we first know the state (It exists in the All set), and then if it's Enabled or not. Disabled doesn't come into this part of the use case thinking about it.
Might want something similar here?
| } | ||
|
|
||
| // Single gate logic | ||
| enabled, exists := enabledGates[featureGateExpr] |
There was a problem hiding this comment.
Either the AND or the OR logic would actually pass this through as well 🤔
Another example of similar logic in https://github.com/openshift/kubernetes-sigs-controller-tools/blob/94812131024363d66cd1680f866bf694c560db39/pkg/crd/markers/patch_validation.go#L135-L147
In that example we have the OR options as m.FeatureGateNames and the AND options as m.RequiredFeatureGateNames
When there's only one gate to handle, it is a singleton in the OR set, but it could be in either set and still be functionally equivalent
| featureGateExpr := config.FeatureGate | ||
|
|
||
| // Handle AND logic (all gates must be enabled) | ||
| if strings.Contains(featureGateExpr, "&") { |
There was a problem hiding this comment.
This logic should also be centralised, perhaps we want the util to have centralised parsing and then a centralised IsEnabledByFeatureGates that would take whatever the featureGate value is from the marker/webhook/rbac and return a boolean to act upon?
Implements
+kubebuilder:feature-gate=<gate-name>marker that allows fields to be conditionally included in generated CRDs based on enabled feature gates.Addresses #1238