Update webhook failurePolicy from Ignore to Fail

Updates katib-controller webhook for operator and manifests to set failurePolicy to Fail. This allows for greater visibility on errors.
kubeflow · Jan 19, 2022 · d3c3f08 · d3c3f08
1 parent f5abfd0
commit d3c3f08
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 18 deletions.
diff --git a/manifests/v1beta1/components/webhook/webhooks.yaml b/manifests/v1beta1/components/webhook/webhooks.yaml
@@ -5,7 +5,7 @@ metadata:
 webhooks:
   - name: validator.experiment.katib.kubeflow.org
     sideEffects: None
-    failurePolicy: Ignore
+    failurePolicy: Fail
     admissionReviewVersions:
       - v1
     clientConfig:
@@ -32,7 +32,7 @@ metadata:
 webhooks:
   - name: defaulter.experiment.katib.kubeflow.org
     sideEffects: None
-    failurePolicy: Ignore
+    failurePolicy: Fail
     admissionReviewVersions:
       - v1
     clientConfig:
@@ -53,7 +53,7 @@ webhooks:
           - experiments
   - name: mutator.pod.katib.kubeflow.org
     sideEffects: None
-    failurePolicy: Ignore
+    failurePolicy: Fail
     admissionReviewVersions:
       - v1
     clientConfig:

diff --git a/operators/katib-controller/requirements.txt b/operators/katib-controller/requirements.txt
@@ -1,2 +1,3 @@
-ops==1.2.0
+jinja2<3.1
 oci-image==1.0.0
+ops==1.2.0
diff --git a/operators/katib-controller/src/charm.py b/operators/katib-controller/src/charm.py
@@ -1,10 +1,12 @@
 #!/usr/bin/env python3
 
 import logging
+from base64 import b64encode
 from pathlib import Path
 from subprocess import check_call
 
 import yaml
+from jinja2 import Environment, FileSystemLoader
 from oci_image import OCIImageResource, OCIImageResourceError
 from ops.charm import CharmBase
 from ops.framework import StoredState
@@ -49,7 +51,16 @@ def set_pod_spec(self, event):
             self.model.unit.status = check_failed.status
             return
 
-        validating, mutating = yaml.safe_load_all(Path("src/webhooks.yaml").read_text())
+        ca_bundle = b64encode(self._stored.cert.encode("utf-8")).decode("utf-8")
+        env = Environment(loader=FileSystemLoader("src"))
+        t = env.get_template("webhooks.yaml.j2")
+        rendered = t.render(
+            ca_bundle=ca_bundle,
+            name=self.model.app.name,
+            namespace=self.model.name,
+            port=self.model.config["webhook-port"],
+        )
+        validating, mutating = yaml.safe_load_all(rendered)
 
         self.model.pod.set_spec(
             {

diff --git a/operators/katib-controller/src/webhooks.yaml → ...ors/katib-controller/src/webhooks.yaml.j2 b/operators/katib-controller/src/webhooks.yaml → ...ors/katib-controller/src/webhooks.yaml.j2
@@ -5,15 +5,16 @@ metadata:
 webhooks:
   - name: validator.experiment.katib.kubeflow.org
     sideEffects: None
-    failurePolicy: Ignore
+    failurePolicy: Fail
     # TODO (andreyvelich): Migrate to v1 ?
     admissionReviewVersions:
       - v1beta1
     clientConfig:
-      caBundle: Cg==
+      caBundle: {{ ca_bundle }}
       service:
-        name: katib-controller
-        namespace: kubeflow
+        name: {{ name }}
+        namespace: {{ namespace }}
+        port: {{ port }}
         path: /validate-experiment
     rules:
       - apiGroups:
@@ -33,14 +34,15 @@ metadata:
 webhooks:
   - name: defaulter.experiment.katib.kubeflow.org
     sideEffects: None
-    failurePolicy: Ignore
+    failurePolicy: Fail
     admissionReviewVersions:
       - v1beta1
     clientConfig:
-      caBundle: Cg==
+      caBundle: {{ ca_bundle }}
       service:
-        name: katib-controller
-        namespace: kubeflow
+        name: {{ name }}
+        namespace: {{ namespace }}
+        port: {{ port }}
         path: /mutate-experiment
     rules:
       - apiGroups:
@@ -54,14 +56,15 @@ webhooks:
           - experiments
   - name: mutator.pod.katib.kubeflow.org
     sideEffects: None
-    failurePolicy: Ignore
+    failurePolicy: Fail
     admissionReviewVersions:
       - v1beta1
     clientConfig:
-      caBundle: Cg==
+      caBundle: {{ ca_bundle }}
       service:
-        name: katib-controller
-        namespace: kubeflow
+        name: {{ name }}
+        namespace: {{ namespace }}
+        port: {{ port }}
         path: /mutate-pod
     namespaceSelector:
       matchLabels:

diff --git a/operators/katib-ui/requirements.txt b/operators/katib-ui/requirements.txt
@@ -1,3 +1,3 @@
 ops==1.2.0
 oci-image==1.0.0
-serialized-data-interface==0.2.2
+serialized-data-interface<0.4