Allow Discovered Upstreams to skip Validating Admission Webhook

Version

1.12.x (beta)

Is your feature request related to a problem? Please describe.

The Gloo Discovery component dynamically creates Upstream resources, to be used as routable destinations for VirtualServices and RouteTables.

Gloo Edge maintains a validation webhook to validate resources changes before they are persisted in etcd. In Gloo 1.9.0 (https://github.com/solo-io/gloo/pull/5301) Upstreams were added to the set of resources that are validated by the webhook.

The implication is that if discovery is running, it is generating and modifying Upstreams, and now those are subject to validation by the webhook. In order to validate Upstream modifications, an entire translation loop is executed. The effect of validating Upstreams generated by the discovery component is two-fold:

The processing increases resource utilization as the system is constantly processing changes, and re-running translation
The processing produces logging which makes it challenging to understand what the system is doing.

Describe the solution you'd like

You could argue that Upstreams which are maintained by Gloo controllers should not be subject to the same strict validation that user-defined Upstreams are. However, it may be best to make this configurable by a user.

Allow users to define in their Discovery configuration the ability to not run validation on upstreams generated by the discovery component.

We already support an annotation to skip resource validation which dynamically generated upstreams could be configured with

Describe alternatives you've considered

No response

Additional Context

@bdecoste raised this in an internal Slack discussion and would be a good point person.

To reproduce this issue, just run Gloo with discovery enabled and tail the logs

solo-io / gloo