[OTA-1545] Extend ClusterVersion for accepted risks

[hongkailiu]

The API extensions is proposed in openshift/enhancements#1807

• Add a new field 'clusterversion.spec.desiredUpdate.accept': It contains
  the names of conditional update risks that are considered acceptable.
• Move clusterversion.status.conditionalUpdates.risks two levels up as
  clusterversion.status.conditionalUpdateRisks. It contains all the risks
  for clusterversion.status.conditionalUpdates.
• Add new field 'clusterversion.status.conditionalUpdates.riskNames': It
  contains the names of risk for the conditional update. It deprecates
  clusterversion.status.conditionalUpdates.risks.
• Add a new field 'clusterversion.status.conditionalUpdateRisks.conditions':
  It contains the observations of the conditional update risk's current
  status.

[openshift-ci]

Hello @hongkailiu! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hongkailiu
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hongkailiu]

/retest-required

[hongkailiu]

/retest-required

[petr-muller]

I am aware I am late to the party, so feel free to dismiss everything and treat it as an unwanted drive-by. Mostly just voicing my thoughts as I read the structs, but I admit have not yet read the enhancement.

[petr-muller]

nit

Suggested change

	// The cluster-version operator will evaluate these risks and only accept the update if there is at least one risk and for every risk it is either not applied to the cluster or considered acceptable by the cluster administrator.
	// The cluster version operator will evaluate these risks and only accept the update if there is at least one risk and for every risk it is either not applied to the cluster or considered acceptable by the cluster administrator.

But maybe the API documentation should not make assumptions about how the controller that manages it is named, and we should simply talk about the expected behavior given an API shape? "An update will only be 'accepted' (whatever that means?) if..."

Also the "if there is at least one risk" is confusing to me. Why would having zero risks be unacceptable?

[hongkailiu]

Why would having zero risks be unacceptable?

This is a very valid question.
Is it possible that a ConditionalUpdate has no risk at all? I think No. It should be aligned with the next field Risks:

api/config/v1/types_cluster_version.go

Lines 821 to 833 in 9b52e32

	// risks represents the range of issues associated with
	// updating to the target release. The cluster-version
	// operator will evaluate all entries, and only recommend the
	// update if there is at least one entry and all entries
	// recommend the update.
	// Deprecated: the risks has been deprecated by riskNames.
	// +kubebuilder:validation:MinItems=1
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	// +required
	Risks []ConditionalUpdateRisk `json:"risks" patchStrategy:"merge" patchMergeKey:"name"`

Made the following change as well:

+optional
--->
// +kubebuilder:validation:MinItems=1 and // +required

[everettraven]

You cannot add a new required field. That is a breaking change to users/clients and invalidates all existing instances/expectations of the API. This field must be optional. You can still add the minimum items requirement but it should always be possible for this field to be unspecified.

[hongkailiu]

Reverted back to +optional.

You can still add the minimum items requirement

+kubebuilder:validation:MinItems=1 is still left there.

Is this understanding correct?
+optional and +kubebuilder:validation:MinItems=1 mean:

• riskNames is not specified in the object. Valid up to +optional.
• riskNames is the empty set. Invalid up to +kubebuilder:validation:MinItems=1.
• riskNames is not empty. Valid as the expected case for the API extension.

[hongkailiu]

Also added the omitempty label because otherwise:

config/v1/types_cluster_version.go:820:2: optionalfields: field RiskNames is optional and does not allow the zero value. It must have the omitempty tag. (kubeapilinter)

[hongkailiu]

Added 2 tests for the first 2 cases above.

See #2360 (comment)

[hongkailiu]

Thanks for the feedback. @petr-muller

I will address your comments today or tomorrow.

[hongkailiu]

At the moment, there are 9 cases added for the extended API.

git --no-pager log --pretty=oneline -1 
6dd18c02beebc16a21d0da35be372665df491371 (HEAD -> OTA-1545, hongkailiu/OTA-1545) make update

$ diff -Naupr config/v1/tests/clusterversions.config.openshift.io/AAA_ungated.yaml config/v1/tests/clusterversions.config.openshift.io/ClusterUpdateAcceptedRisks.yaml | rg '\+    - name:|\+      expected.*Error:'
+    - name: Should be able to set accepted risks
+    - name: A risk name greater than 256 characters is not allowed
+      expectedError: "Too long: may not be more than 256 bytes"
+    - name: Risk names from the accept field must be unique
+      expectedError: 'Duplicate value: "RiskA"'
+    - name: The riskNames field might be unspecified
+    - name: Should be able to update fields related to accepted risks
+    - name: More than a single condition on an update risk is not allowed
+      expectedStatusError: "conditions: Too many: 2: must have at most 1 item"
+    - name: Risk names of a conditional update must be unique
+      expectedStatusError: 'Duplicate value: "DualStackNeedsController"'
+    - name: The type of a risk condition must be Applies
+      expectedStatusError: "type must be 'Applies'"
+    - name: The value of riskNames cannot be the empty set
+      expectedStatusError: "should have at least 1 items"

[openshift-ci]

@hongkailiu: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[everettraven]

Noticed a small thing related to some of the description changes related to the feature showing up for the default CRDs that will get applied even when the feature isn't enabled.

This is probably OK, but it is a bit funky. Easiest workaround is wait until GA to add these description changes to the existing fields - especially the deprecation one.

Aside from that, I think this looks good and is ready for @JoelSpeed to take a pass. Joel, what are your thoughts on the description changes for pre-existing fields here?

[everettraven]

Something worth noting - this shows up on the non-featuregated version of the API.

I'm not sure there is much of a workaround for this unless you wait to add this deprecation text until you actually go to promote the feature-gate that deprecates this to GA.

I would probably recommend removing this for now.

[everettraven]

Similarly, this change also appears in the default CRD. You may want to include that this part of the description only applies when the particular feature gate is enabled or drop it from the description until you GA the feature.

[JoelSpeed]

Joel, what are your thoughts on the description changes for pre-existing fields here?

Not yet looked at the specific case, but in theory, we could have a marker that applies additional description only when a certain feature gate is enabled 🤔 I'm not sure how that would work if you had multiple gates though, you'd have to do what we do with the enum and specify the combinations. I don't this is likely a big enough issue for us to worry about right now

[JoelSpeed]

Just trying to understand the changes here, can someone confirm if this is correct?

At the moment, each update risk is listed within the conditional update that it relates to. With the change here, we move all of the risks together to a higher level, and instead, add a list of riskNames to the conditional update.

Centralising all of the risk information but meaning that when looking at a conditional update, I now have to go and find the information somewhere else?

It doesn't look like we are actually adding any new information here apart from adding a spec list of accepted risk names?

[JoelSpeed]

Double plural reads oddly to me, WDYT?

Suggested change

	// The risk's names in the list must be unique.
	// The risk names in the list must be unique.

[JoelSpeed]

Not valid for CRDs, please remove

[JoelSpeed]

Suggested change

	ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
	ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty"`

[JoelSpeed]

Out of interest, why not acceptedRisks to match with the history version of this field?

[JoelSpeed]

Suggested change

	// Deprecated: the risks has been deprecated by riskNames.
	// Deprecated: the risks field has been deprecated in favour of riskNames.

[JoelSpeed]

So this is an odd direction for a change. Why are we moving from a list of structured objects to a list of strings? Normally, I see this the other way around?

[JoelSpeed]

What does it mean to set both risks and riskNames?

[JoelSpeed]

MinItems too please