
Rubynetes: Using OpenAPI to validate Kubernetes configs - neilwilson
https://www.brightbox.com/blog/2020/02/17/using-openapi-to-validate-kubernetes-configs/
======
jacques_chester
I am just today wrestling with the OpenAPI-generated libraries for Java and,
summarising: I hate it.

I even went as far as trying to set up my own code generator using the OpenAPI
generator toolkit. It is not my favourite code. Everything is deeply nested
inheritance hierarchies with humptyjillion methods that do oddly specific
stuff. I eventually gave up on it.

Now I am at the point where, to map the generated types to the same types
described in the original OpenAPI YAML, I have about 50 goofy lines of string
juggling and chasing data structures through 4 or 5 levels of nullable
references.

I don't know how we wound up here but I wish we hadn't.

~~~
eropple
IME that's more of a problem between Java and the generator than it is
OpenAPI. Expressing things feels clunky when generating Java code in general.
Which, I stress, is not to say it's not a problem, and it super sucks when you
hit it.

The languages I tend to consume OpenAPI in the most are TypeScript (great),
Ruby (pretty good), and on-demand JavaScript (really flexible and comfortable)
via openapi-js. I've had some luck with the Kotlin generator on the JVM, too.

~~~
jacques_chester
As it happens, my main code is in Kotlin. I found myself thinking "maybe I
could do a better generator" and then my fingers and toes began to tingle
ominously.

~~~
eropple
You very well may. The generators are, right now, the worst part of the entire
OpenAPI experience. But they're getting steadily better.

------
jrockway
Ultimately, you have to ask the API server because of things like admission
webhooks:

https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/

~~~
atombender
And also because the API schema doesn't express state machine constraints.

For example, you can't modify some fields of a statefulset or a job after
they've been created. The read-only state of certain fields depends on the
status of the object.

Validating purely with OpenAPI also won't catch things like a volume mount
referencing a secret that doesn't exist.

At the company I work for, I built some tools for deploying apps that wrap
around kubectl, Helm, etc. To "lint" a Kubernetes manifest for deploy, the
tool pipes the data through "kubectl apply --server-dry-run" first. (You can
also use --dry-run for pure client-side validation.) Works pretty good.
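The gap the comment above describes (a volume mount pointing at a Secret that is not in the bundle) is a cross-reference check rather than a schema check. As an added illustration that is not from the article or the commenter's tooling, the following self-contained Python lints a constructed bundle of manifests for secret volumes with no matching Secret in the same namespace; the manifest contents and names are invented for the example.

```python
"""Cross-reference lint that OpenAPI schema validation cannot do:
flag secret volumes whose Secret does not exist in the same bundle."""

# Constructed sample bundle (not from the article): a Deployment whose pod
# template references two secrets, only one of which is defined here.
BUNDLE = [
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "db-creds", "namespace": "prod"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "db", "secret": {"secretName": "db-creds"}},
         {"name": "tls", "secret": {"secretName": "web-tls"}},
     ]}}}},
]


def pod_spec(manifest):
    """Return the pod spec for a Pod, or the pod template spec of a workload."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def defined_secrets(bundle):
    """Set of (namespace, name) for every Secret present in the bundle."""
    return {(m["metadata"].get("namespace", "default"), m["metadata"]["name"])
            for m in bundle if m.get("kind") == "Secret"}


def dangling_secret_volumes(bundle):
    """List (kind/name, secretName) for secret volumes with no matching Secret.
    Volumes marked optional: true are skipped, since the kubelet tolerates them."""
    known = defined_secrets(bundle)
    missing = []
    for m in bundle:
        ns = m["metadata"].get("namespace", "default")
        for vol in pod_spec(m).get("volumes", []):
            sec = vol.get("secret")
            if not sec or sec.get("optional"):
                continue
            if (ns, sec.get("secretName")) not in known:
                owner = f'{m["kind"]}/{m["metadata"]["name"]}'
                missing.append((owner, sec.get("secretName")))
    return missing


if __name__ == "__main__":
    for owner, name in dangling_secret_volumes(BUNDLE):
        print(f"{owner}: secret volume references missing Secret {name!r}")
```

A server-side dry run would report the same class of problem against the live cluster; this check runs offline against the bundle alone.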

