[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aborilov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/retest

/retest

I've gone over the whole PR again. Please address the comment, I've left a few of my own. Afterward, I'll lgtm it; it's almost done except for a few nits/legibility here and there.

I think I've done all of them except defaulting webhook, as for now, we have only validation webhook? do you think it's a good idea to change it to defaulting webhook in this PR?

/retest

/retest

/retest

I'm still worried about validation and error handling. Currently, only in the kubecarrier CRD, the API server validation is being checked. Not in the API Server CRD, which the user can create, nor in the apiserver.Manifests resource generation. If no/multiple auth options are specified per line in any one of those the failure shall be silent and ignored --> the most bite you in the ass type.

What I'm suggesting is creating: func validateAPIServerSpec(*operatorv1alpha1.APIServerSpec) error and defaultAPIServerSpec(*operatorv1alpha1.APIServerSpec) error helper functions which can and should be used in 3 places:

(maybe placing those functions close to the API definitions, or even make them member function for the operatorv1alpha1.APIServerSpec object? .Validate() error .Default() error)

• Kubecarrier CRD webooks
• API Server CRD webhooks (this doesn't exists for now)
• apiserver.Manifests function (especially here, since it's the last point before silent failure)

What do you think?

Otherwise, this is a great PR, well written, and tested!

I'm still worried about validation and error handling. Currently, only in the kubecarrier CRD, the API server validation is being checked. Not in the API Server CRD, which the user can create, nor in the apiserver.Manifests resource generation. If no/multiple auth options are specified per line in any one of those the failure shall be silent and ignored --> the most bite you in the ass type.

@nmiculinic The worrying is completely valid, and I agree that this may become an issue in the future, but for now I think it is fine. The reason are as following:

1. In the usecase that we offer KubeCarrier, users don't have permission to interact with operator API group, so this should be fine.
2. In the usercase that someone install KubeCarrier, and play around with it. Mistakes in APIServerCRD and also in apiserver.Manifests will be kind of "ignored" , this is because KubeCarrier operator controller will reconcile the object with the default KubeCarrer config from CLI, and for that one we have a webhook to reject all mistakes.

I don't like to overcomplicate things, in our case users don't interact with APIserver configuration directly, so I don't think we need to add webhooks to apiserver operator. I will add defaulting webhook for KubeCarrier operator and I like the idea of Default and Validate methods for APIServiceSpec, will also do that. Later, if we decide to add webhooks for APIserver operator, we can easily use them

@aborilov , that's what I meant, adding APIserver webhooks is too much for this PR. Adding checks in apiserver.Manifests should be all I ask for. Those validate functions shall be called in two places -- kubecarrier webook and apiserver.Manifests and all is good!

@aborilov , that's what I meant, adding APIserver webhooks is too much for this PR. Adding checks in apiserver.Manifests should be all I ask for. Those validate functions shall be called in two places -- kubecarrier webook and apiserver.Manifests and all is good!

yep, that's done

/retest

/lgtm

LGTM label has been added.