Account for mutating webhooks with side effects when batch dry-run server-side apply

lib/krane/cluster_resource_discovery.rb

@@ -61,6 +61,16 @@ def fetch_resources(namespaced: false)
       end
     end
 
+    def fetch_mutating_webhook_configurations
+      command = %w(get mutatingwebhookconfigurations)
+      raw_json, err, st = kubectl.run(*command, output: "json", attempts: 5, use_namespace: false)
+      if st.success?
+        JSON.parse(raw_json)["items"]
+      else
+        raise FatalKubeAPIError, "Error retrieving mutatingwebhookconfigurations: #{err}"
+      end
+    end
+
     private
 
     # kubectl api-versions returns a list of group/version strings e.g. autoscaling/v2beta2

lib/krane/deploy_task.rb

@@ -277,16 +277,42 @@ def validate_configuration(prune:)
     end
     measure_method(:validate_configuration)
 
+    def partition_dry_run_resources(resources)
+      individuals = []
+      mutating_webhooks = cluster_resource_discoverer.fetch_mutating_webhook_configurations
+      mutating_webhooks.each do |spec|
+        spec.dig('webhooks').each do |webhook|
+          match_policy = webhook.dig('matchPolicy')
+          webhook.dig('rules').each do |rule|
+            next if %w(None NoneOnDryRun).include?(rule.dig('sideEffects'))
+            groups = rule.dig('apiGroups')
+            versions = rule.dig('apiVersions')
+            kinds = rule.dig('resources').map(&:singularize)
+            groups.each do |group|
+              versions.each do |version|
+                kinds.each do |kind|
+                  individuals += resources.select do |r|
+                    (r.group == group || group == '*' || match_policy == "Equivalent") &&
+                    (r.version == version || version == '*' || match_policy == "Equivalent") &&
+                    (r.type.downcase == kind.downcase)
+                  end
+                  resources -= individuals
+                end
+              end
+            end
+          end
+        end
+      end
+      [resources, individuals]
+    end
+
     def validate_resources(resources)
       validate_globals(resources)
-      batch_dry_run_success = kubectl.server_dry_run_enabled? && validate_dry_run(resources)
-      Krane::Concurrency.split_across_threads(resources) do |r|
-        # No need to pass in kubectl (and do per-resource dry run apply) if batch dry run succeeded
-        if batch_dry_run_success
-          r.validate_definition(kubectl: nil, selector: @selector, dry_run: false)
-        else
-          r.validate_definition(kubectl: kubectl, selector: @selector, dry_run: true)
-        end
+      batchable_resources, individuals = partition_dry_run_resources(resources)
+      batch_dry_run_success = kubectl.server_dry_run_enabled? && validate_dry_run(batchable_resources)
+      individuals += batchable_resources unless batch_dry_run_success
+      Krane::Concurrency.split_across_threads(individuals) do |r|
+        r.validate_definition(kubectl: kubectl, selector: @selector, dry_run: true)
       end
       failed_resources = resources.select(&:validation_failed?)
       if failed_resources.present?

lib/krane/kubernetes_resource.rb

@@ -226,6 +226,11 @@ def group
       version ? grouping : "core"
     end
 
+    def version
+      prefix, version = @definition.dig("apiVersion").split("/")
+      version ? version : prefix
+    end
+
     def kubectl_resource_type
       type
     end

lib/krane/kubernetes_resource/config_map.rb

@@ -7,10 +7,6 @@ def deploy_succeeded?
       exists?
     end
 
-    def status
-      exists? ? "Available" : "Not Found"
-    end
-
     def deploy_failed?
       false
     end

lib/krane/resource_deployer.rb

@@ -161,7 +161,6 @@ def apply_all(resources, prune, dry_run: false)
         global_mode = resources.all?(&:global?)
         out, err, st = kubectl.run(*command, log_failure: false, output_is_sensitive: output_is_sensitive,
           attempts: 2, use_namespace: !global_mode)
-
         tags = statsd_tags + (dry_run ? ['dry_run:true'] : ['dry_run:false'])
         Krane::StatsD.client.distribution('apply_all.duration', Krane::StatsD.duration(start), tags: tags)
         if st.success?

test/fixtures/for_serial_deploy_tests/ingress_hook.json

@@ -0,0 +1,71 @@
+{
+  "apiVersion": "v1",
+  "items": [
+    {
+      "apiVersion": "admissionregistration.k8s.io/v1",
+      "kind": "MutatingWebhookConfiguration",
+      "metadata": {
+        "creationTimestamp": "2020-08-04T19:49:44Z",
+        "generation": 2,
+        "name": "oauthboss-webhook-configuration",
+        "resourceVersion": "3115431",
+        "selfLink": "/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/oauthboss-webhook-configuration",
+        "uid": "7afce875-5175-430d-95aa-de8ec97f15b0"
+      },
+      "webhooks": [
+        {
+          "admissionReviewVersions": [
+              "v1beta1"
+          ],
+          "clientConfig": {
+              "caBundle": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwakNDQWJxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFhTVJnd0ZnWURWUVFERXc5M1pXSm8KYjI5ckxXTmxjblF0WTJFd0hoY05NakF3T0RBME1UazBPVFExV2hjTk16QXdPREF5TVRrME9UUTFXakFhTVJndwpGZ1lEVlFRREV3OTNaV0pvYjI5ckxXTmxjblF0WTJFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3CmdnRUtBb0lCQVFDOGs1MjNobEFsald4RitITk8wWk9qQTZ4MGNSa1RQVHdkZm9nK3JGOXZ3Y21XRTBFT3kyYlUKZ3BNRU5SQzVpVzRxS1pCYUJ6MEU1bXcvbWNjcGNrbXR1V05pODVML0hzUjVlbWR2aWdUamJYb0RMeWxEdjNMLwpRSlVWOVRIYWFhaXh5cmFMNWhIRUw4bTBhTFNZcWc5MktxODJnWXB0aTB5azBnU1BqdjhUTHBFazhvdWp2L01YCnVJZWtQQzZOTWFDaU1BY1FBTVRyc1NiSmZqL0x0WGpwWk9FM2xCNWpTazNDUW1sT0t5Mm8zaDd6WTZ1RFNtN28KY3orMkhiUXhybCt1SkcrY1B4WVdoWXZReXpLWGViWU11ajd5Wm5FRmI2WFc3dC9ROVo2VmFzMi9DS1Z4Yll4LwppdXEvbU1xZk4xZnNvUitJTmVXVlJ3YlJ0dUJ5VkljRkFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lDCnBEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQXc4VWQwOWRYR09kQkwKYnQ5M3JuYk41VzBkMkJUZk43OXJ6SVpadHlmMjREQVQ1SGc1QVV2Qmc4QjJNaFRqdU50VlN6dzN4bGV3TDk3aQo0Wk9JWGJPL3hZTWp3OXRibldDY2o0MlVKRnJUOEN2eVZEekExeS9VVE1lMFpyU3lOUGpWTlBaMmUrb3IvRFdkCmRtbmg0THZ6c3VNbVBPZk96NmUwZmljMzdtLzZjL3JZV0l6aTJYWWRwSllHa1J1eW51UlVUbDZpUjBOa0xXaGYKc25aNll6TnFXT2YvNi9xdHduNkhVckttYWN3L2Q3blBNSDRpQTFId1MyZFh6WkxVR3NVZkZIREFkU2FVSWR3cApsZDFUUjErQjVyMnhiUW95eVo4YnhuTk5Ud04rU2dFZGc5MjJKUFlaRkZFWldDL1NXOWVYcUZnTWM3RlQyMHh4ClE1NW1qdHRICi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
+              "service": {
+                  "name": "oauthboss",
+                  "namespace": "cloudbosses",
+                  "path": "/oauthboss",
+                  "port": 443
+              }
+          },
+          "failurePolicy": "Ignore",
+          "matchPolicy": "Exact",
+          "name": "oauthboss.cloudbosses.admission.online.shopify.com",
+          "namespaceSelector": {
+              "matchExpressions": [
+                  {
+                      "key": "control-plane",
+                      "operator": "DoesNotExist"
+                  }
+              ]
+          },
+          "objectSelector": {},
+          "reinvocationPolicy": "Never",
+          "rules": [
+              {
+                  "apiGroups": [
+                      "extensions"
+                  ],
+                  "apiVersions": [
+                      "v1beta1"
+                  ],
+                  "operations": [
+                      "CREATE",
+                      "UPDATE"
+                  ],
+                  "resources": [
+                      "ingresses"
+                  ],
+                  "scope": "*"
+              }
+            ],
+          "sideEffects": "Unknown",
+          "timeoutSeconds": 30
+        }
+      ]
+    }
+  ],
+  "kind": "List",
+  "metadata": {
+      "resourceVersion": "",
+      "selfLink": ""
+  }
+}

test/fixtures/for_serial_deploy_tests/secret_hook.json

@@ -0,0 +1,71 @@
+{
+  "apiVersion": "v1",
+  "items": [
+    {
+      "apiVersion": "admissionregistration.k8s.io/v1",
+      "kind": "MutatingWebhookConfiguration",
+      "metadata": {
+        "creationTimestamp": "2020-08-04T19:49:44Z",
+        "generation": 2,
+        "name": "oauthboss-webhook-configuration",
+        "resourceVersion": "3115431",
+        "selfLink": "/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/oauthboss-webhook-configuration",
+        "uid": "7afce875-5175-430d-95aa-de8ec97f15b0"
+      },
+      "webhooks": [
+        {
+          "admissionReviewVersions": [
+              "v1beta1"
+          ],
+          "clientConfig": {
+              "caBundle": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwakNDQWJxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFhTVJnd0ZnWURWUVFERXc5M1pXSm8KYjI5ckxXTmxjblF0WTJFd0hoY05NakF3T0RBME1UazBPVFExV2hjTk16QXdPREF5TVRrME9UUTFXakFhTVJndwpGZ1lEVlFRREV3OTNaV0pvYjI5ckxXTmxjblF0WTJFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3CmdnRUtBb0lCQVFDOGs1MjNobEFsald4RitITk8wWk9qQTZ4MGNSa1RQVHdkZm9nK3JGOXZ3Y21XRTBFT3kyYlUKZ3BNRU5SQzVpVzRxS1pCYUJ6MEU1bXcvbWNjcGNrbXR1V05pODVML0hzUjVlbWR2aWdUamJYb0RMeWxEdjNMLwpRSlVWOVRIYWFhaXh5cmFMNWhIRUw4bTBhTFNZcWc5MktxODJnWXB0aTB5azBnU1BqdjhUTHBFazhvdWp2L01YCnVJZWtQQzZOTWFDaU1BY1FBTVRyc1NiSmZqL0x0WGpwWk9FM2xCNWpTazNDUW1sT0t5Mm8zaDd6WTZ1RFNtN28KY3orMkhiUXhybCt1SkcrY1B4WVdoWXZReXpLWGViWU11ajd5Wm5FRmI2WFc3dC9ROVo2VmFzMi9DS1Z4Yll4LwppdXEvbU1xZk4xZnNvUitJTmVXVlJ3YlJ0dUJ5VkljRkFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lDCnBEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQXc4VWQwOWRYR09kQkwKYnQ5M3JuYk41VzBkMkJUZk43OXJ6SVpadHlmMjREQVQ1SGc1QVV2Qmc4QjJNaFRqdU50VlN6dzN4bGV3TDk3aQo0Wk9JWGJPL3hZTWp3OXRibldDY2o0MlVKRnJUOEN2eVZEekExeS9VVE1lMFpyU3lOUGpWTlBaMmUrb3IvRFdkCmRtbmg0THZ6c3VNbVBPZk96NmUwZmljMzdtLzZjL3JZV0l6aTJYWWRwSllHa1J1eW51UlVUbDZpUjBOa0xXaGYKc25aNll6TnFXT2YvNi9xdHduNkhVckttYWN3L2Q3blBNSDRpQTFId1MyZFh6WkxVR3NVZkZIREFkU2FVSWR3cApsZDFUUjErQjVyMnhiUW95eVo4YnhuTk5Ud04rU2dFZGc5MjJKUFlaRkZFWldDL1NXOWVYcUZnTWM3RlQyMHh4ClE1NW1qdHRICi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
+              "service": {
+                  "name": "oauthboss",
+                  "namespace": "cloudbosses",
+                  "path": "/oauthboss",
+                  "port": 443
+              }
+          },
+          "failurePolicy": "Ignore",
+          "matchPolicy": "Equivalent",
+          "name": "oauthboss.cloudbosses.admission.online.shopify.com",
+          "namespaceSelector": {
+              "matchExpressions": [
+                  {
+                      "key": "control-plane",
+                      "operator": "DoesNotExist"
+                  }
+              ]
+          },
+          "objectSelector": {},
+          "reinvocationPolicy": "Never",
+          "rules": [
+              {
+                  "apiGroups": [
+                      "core"
+                  ],
+                  "apiVersions": [
+                      "v1"
+                  ],
+                  "operations": [
+                      "CREATE",
+                      "UPDATE"
+                  ],
+                  "resources": [
+                      "secrets"
+                  ],
+                  "scope": "*"
+              }
+            ],
+          "sideEffects": "Unknown",
+          "timeoutSeconds": 30
+        }
+      ]
+    }
+  ],
+  "kind": "List",
+  "metadata": {
+      "resourceVersion": "",
+      "selfLink": ""
+  }
+}

test/integration-serial/serial_deploy_test.rb

@@ -525,12 +525,35 @@ def test_batch_dry_run_apply_failure_falls_back_to_individual_resource_dry_run_v
   end
 
   def test_batch_dry_run_apply_success_precludes_individual_resource_dry_run_validation
-    Krane::KubernetesResource.any_instance.expects(:validate_definition).with do |kwargs|
-      kwargs[:kubectl].nil? && !kwargs[:dry_run]
-    end
+    Krane::KubernetesResource.any_instance.expects(:validate_definition).times(0)
     deploy_fixtures("hello-cloud", subset: %w(secret.yml))
   end
 
+  def test_resources_with_side_effect_inducing_webhooks_are_not_batched_server_side_dry_run
+    resp = JSON.parse(File.read(File.join(fixture_path("for_serial_deploy_tests"), "ingress_hook.json")))["items"]
+    Krane::ClusterResourceDiscovery.any_instance.expects(:fetch_mutating_webhook_configurations).returns(resp)
+    Krane::ResourceDeployer.any_instance.expects(:dry_run).with do |params|
+      params.length == 2 && (params.map(&:type) - ["Deployment", "Service"]).empty?
+    end
+    Krane::Ingress.any_instance.expects(:validate_definition)
+    result = deploy_fixtures('hello-cloud', subset: %w(web.yml.erb), render_erb: true)
+  end
+
+  def test_resources_with_side_effect_inducing_webhooks_with_transitive_dependency_does_not_fail_batch_running
+    resp = JSON.parse(File.read(File.join(fixture_path("for_serial_deploy_tests"), "secret_hook.json")))["items"]
+    Krane::ClusterResourceDiscovery.any_instance.expects(:fetch_mutating_webhook_configurations).returns(resp)
+    Krane::KubernetesResource.any_instance.expects(:validate_definition).times(1) # Only secret should call this
+    deploy_fixtures('hello-cloud', subset: %w(web.yml.erb secret.yml), render_erb: true) do |fixtures|
+      container = fixtures['web.yml.erb']['Deployment'][0]['spec']['template']['spec']
+      container['volumes'] = [{
+        'name' => 'secret',
+        'secret' => {
+          'secretName' => fixtures['secret.yml']["Secret"][0]['metadata']['name'],
+        },
+      }]
+    end
+  end
+
   private
 
   def rollout_conditions_annotation_key