Problem
Per-backend directors (#11, PR #33) made backend indices non-stable across reconciles: `_0` may map to a different pod after every endpoint change. Users are advised to migrate VCL snippets from `set req.backend_hint = plone_0;` → `set req.backend_hint = plone.backend();`.
Today, users who miss the docs migration get silent breakage: their VCL compiles against `_0` (because that name happens to exist in the current pod set), then breaks when a rollout renumbers pods. The breakage manifests as a Varnish VCL load failure — caught at push time, not as a clear "you're using a deprecated pattern" message.
Proposed fix
In the admission webhook validator: scan `spec.vcl.snippets.*` for the regex `\b_\d+\b` (where `` iterates over `spec.backends[].name`). If a match is found, return an admission warning (not an error — keeps backward-compat) suggesting the migration to `.backend()`.
Implementation sketch
```go
// In ValidateVinylCache, after the existing checks:
for , backend := range vc.Spec.Backends {
pat := regexp.MustCompile(`\b` + regexp.QuoteMeta(backend.Name) + `\d+\b`)
for field, snippet := range allSnippets(vc.Spec.VCL.Snippets) {
if pat.MatchString(snippet) {
warnings = append(warnings,
fmt.Sprintf("%s contains literal '%s_N' references; "+
"these are non-stable across rollouts. Use '%s.backend()' instead.",
field, backend.Name, backend.Name))
}
}
}
return warnings, nil
```
`admission.Warnings` surface in `kubectl apply` output without rejecting the resource.
References
Problem
Per-backend directors (#11, PR #33) made backend indices non-stable across reconciles: `_0` may map to a different pod after every endpoint change. Users are advised to migrate VCL snippets from `set req.backend_hint = plone_0;` → `set req.backend_hint = plone.backend();`.
Today, users who miss the docs migration get silent breakage: their VCL compiles against `_0` (because that name happens to exist in the current pod set), then breaks when a rollout renumbers pods. The breakage manifests as a Varnish VCL load failure — caught at push time, not as a clear "you're using a deprecated pattern" message.
Proposed fix
In the admission webhook validator: scan `spec.vcl.snippets.*` for the regex `\b_\d+\b` (where `` iterates over `spec.backends[].name`). If a match is found, return an admission warning (not an error — keeps backward-compat) suggesting the migration to `.backend()`.
Implementation sketch
```go
// In ValidateVinylCache, after the existing checks:
for , backend := range vc.Spec.Backends {
pat := regexp.MustCompile(`\b` + regexp.QuoteMeta(backend.Name) + `\d+\b`)
for field, snippet := range allSnippets(vc.Spec.VCL.Snippets) {
if pat.MatchString(snippet) {
warnings = append(warnings,
fmt.Sprintf("%s contains literal '%s_N' references; "+
"these are non-stable across rollouts. Use '%s.backend()' instead.",
field, backend.Name, backend.Name))
}
}
}
return warnings, nil
```
`admission.Warnings` surface in `kubectl apply` output without rejecting the resource.
References