CRD upgrade existing CR validation fix #3442

Merged
merged 2 commits into from
Dec 9, 2024

@grokspawn grokspawn commented Nov 18, 2024

We started seeing some issues with folks who had spurious CRD incompatibility claims when updating operators. It is a failure in OLM code which validates existing CRs against incoming CRDs, recently updated in #3387.

This manifested in `InstallPlan` `.status.Message` something like:

```
retrying execution due to error: error validating existing CRs against new CRD's schema for \"pgadmins.postgres-operator.crunchydata.com\": error validating postgres-operator.crunchydata.com/v1beta1, Kind=PGAdmin \"openshift-operators/example-pgadmin\": updated validation is too restrictive: [].spec.tolerations[0].tolerationSeconds: Invalid value: \"number\": spec.tolerations[0].tolerationSeconds in body must be of type integer: \"number\"
```

The difference between the predecessor calling convention and the one introduced in #3387 appears to be that one is a pointer and the other is concrete.

old

```golang
unstructured.Unstructured{Object:map[string]interface...
```

new

```golang
&unstructured.Unstructured{Object:map[string]interface...
```

so it would seem that merely type-asserting the value and de-referencing it would yield the appropriate result, but it appears instead that it effectively disables all CR vs CRD reconciliation checks (evidenced by the fact that the unit tests multiply fail).

But k8s already dereferences pointer parameters here during validation. So that isn't it.

And the `validate.ValidateCustomResource` interface is terrifyingly permissive in allowing `customResource` as `interface{}` here. So we cannot derive guidance from it.

Taking a page from k8s' use of the validation API, which uses `unstructured.UnstructuredContent()` to convert the `unstructured.Unstructured` into a `map[string]interface{}` here then we achieve the desired results.

Description of the change:

Motivation for the change:

Architectural changes:

Testing remarks:

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Bug fixes are accompanied by regression test(s)
  • e2e tests and flake fixes are accompanied by evidence of flake testing, e.g. executing the test 100(0) times
  • tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
  • Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
  • Docs updated or added to /doc
  • Commit messages sensible and descriptive
  • Tests marked as [FLAKE] are truly flaky and have an issue
  • Code is properly formatted

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 18, 2024

openshift-ci bot commented Nov 18, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@grokspawn grokspawn force-pushed the lister-investigation branch 3 times, most recently from f32f49b to 425f614 Compare December 5, 2024 16:29
@grokspawn grokspawn marked this pull request as ready for review December 6, 2024 18:55
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 6, 2024
@grokspawn grokspawn changed the title DNM: investigation CRD upgrade existing CR validation fix Dec 6, 2024
@grokspawn grokspawn requested a review from joelanford December 9, 2024 14:03
We started seeing some issues with folks who had spurious CRD incompatibility claims when updating operators.  It is a failure in OLM code which validates existing CRs against incoming CRDs, recently updated in operator-framework#3387.

This manifested in `InstallPlan` `.status.Message` something like:
```
retrying execution due to error: error validating existing CRs against new CRD's schema for \"pgadmins.postgres-operator.crunchydata.com\": error validating postgres-operator.crunchydata.com/v1beta1, Kind=PGAdmin \"openshift-operators/example-pgadmin\": updated validation is too restrictive: [].spec.tolerations[0].tolerationSeconds: Invalid value: \"number\": spec.tolerations[0].tolerationSeconds in body must be of type integer: \"number\"
```

The difference between the predecessor calling convention and the one introduced in operator-framework#3387 appears to be that one is a pointer and the other is concrete.

old
```golang
unstructured.Unstructured{Object:map[string]interface...
```

new
```golang
&unstructured.Unstructured{Object:map[string]interface...
```

so it would seem that merely type-asserting the value and de-referencing it would yield the appropriate result, but it appears instead that it effectively disables all CR vs CRD reconciliation checks (evidenced by the fact that the unit tests multiply fail).

But k8s already dereferences pointer parameters [here](https://github.com/kubernetes/kube-openapi/blob/master/pkg/validation/validate/schema.go#L139-L141) during validation.  So that isn't it.

And the `validate.ValidateCustomResource` interface is terrifyingly permissive in allowing `customResource` as `interface{}` [here](https://pkg.go.dev/k8s.io/[email protected]/pkg/apiserver/validation#ValidateCustomResource). So we cannot derive guidance from it.

Taking a page from k8s' use of the validation API, which uses `unstructured.UnstructuredContent()` to convert the `unstructured.Unstructured` into a `map[string]interface{}` [here](https://github.com/kubernetes/kubernetes/blob/1504f10e7946f95a8b1da35e28e4c7453ff62775/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/validator.go#L54) then we achieve the desired results.

Signed-off-by: Jordan Keister <[email protected]>
Signed-off-by: Jordan Keister <[email protected]>
@grokspawn grokspawn force-pushed the lister-investigation branch from 8c34a0c to 8b90dab Compare December 9, 2024 15:08

@tmshort tmshort left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 9, 2024
@grokspawn grokspawn added this pull request to the merge queue Dec 9, 2024
Merged via the queue into operator-framework:master with commit 1cfabfe Dec 9, 2024
12 checks passed
@grokspawn grokspawn deleted the lister-investigation branch December 10, 2024 13:21