config/v1/types_cluster_version: Tighten force and rollback warnings

wking · wking · commit b618d5bd8c19 · 2025-10-18T19:35:00.000-07:00
Apparently our existing wording is not sufficient to convince external
customers that forcing a rollback is a risky move.  Tighten the
wording to try to be even more clear about the potential downsides.
The guards force blasts through are designed to keep you safe!
diff --git a/config/v1/types_cluster_version.go b/config/v1/types_cluster_version.go
@@ -72,8 +72,10 @@ type ClusterVersionSpec struct {
 	//
 	// If an upgrade fails the operator will halt and report status
 	// about the failing component. Setting the desired update value back to
-	// the previous version will cause a rollback to be attempted. Not all
-	// rollbacks will succeed.
+	// the previous version will cause a rollback to be attempted if the
+	// previous version is within the current minor version. Not all
+	// rollbacks will succeed, and some may unrecoverably break the
+	// cluster.
 	//
 	// +optional
 	DesiredUpdate *Update `json:"desiredUpdate,omitempty"`
@@ -718,9 +720,13 @@ type Update struct {
 	Image string `json:"image"`
 
 	// force allows an administrator to update to an image that has failed
-	// verification or upgradeable checks. This option should only
-	// be used when the authenticity of the provided image has been verified out
-	// of band because the provided image will run with full administrative access
+	// verification or upgradeable checks that are designed to keep your
+	// cluster safe. Only use this if:
+	// * you are testing unsigned release images in short-lived test clusters or
+	// * you are working around a known bug in the cluster-version
+	//   operator and you have verified the authenticity of the provided
+	//   image yourself.
+	// The provided image will run with full administrative access
 	// to the cluster. Do not use this flag with images that comes from unknown
 	// or potentially malicious sources.
 	//
diff --git a/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml
@@ -151,8 +151,10 @@ spec:
 
                   If an upgrade fails the operator will halt and report status
                   about the failing component. Setting the desired update value back to
-                  the previous version will cause a rollback to be attempted. Not all
-                  rollbacks will succeed.
+                  the previous version will cause a rollback to be attempted if the
+                  previous version is within the current minor version. Not all
+                  rollbacks will succeed, and some may unrecoverably break the
+                  cluster.
                 properties:
                   architecture:
                     description: |-
@@ -171,9 +173,13 @@ spec:
                   force:
                     description: |-
                       force allows an administrator to update to an image that has failed
-                      verification or upgradeable checks. This option should only
-                      be used when the authenticity of the provided image has been verified out
-                      of band because the provided image will run with full administrative access
+                      verification or upgradeable checks that are designed to keep your
+                      cluster safe. Only use this if:
+                      * you are testing unsigned release images in short-lived test clusters or
+                      * you are working around a known bug in the cluster-version
+                        operator and you have verified the authenticity of the provided
+                        image yourself.
+                      The provided image will run with full administrative access
                       to the cluster. Do not use this flag with images that comes from unknown
                       or potentially malicious sources.
                     type: boolean
diff --git a/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-Default.crd.yaml
@@ -151,8 +151,10 @@ spec:
 
                   If an upgrade fails the operator will halt and report status
                   about the failing component. Setting the desired update value back to
-                  the previous version will cause a rollback to be attempted. Not all
-                  rollbacks will succeed.
+                  the previous version will cause a rollback to be attempted if the
+                  previous version is within the current minor version. Not all
+                  rollbacks will succeed, and some may unrecoverably break the
+                  cluster.
                 properties:
                   architecture:
                     description: |-
@@ -171,9 +173,13 @@ spec:
                   force:
                     description: |-
                       force allows an administrator to update to an image that has failed
-                      verification or upgradeable checks. This option should only
-                      be used when the authenticity of the provided image has been verified out
-                      of band because the provided image will run with full administrative access
+                      verification or upgradeable checks that are designed to keep your
+                      cluster safe. Only use this if:
+                      * you are testing unsigned release images in short-lived test clusters or
+                      * you are working around a known bug in the cluster-version
+                        operator and you have verified the authenticity of the provided
+                        image yourself.
+                      The provided image will run with full administrative access
                       to the cluster. Do not use this flag with images that comes from unknown
                       or potentially malicious sources.
                     type: boolean
diff --git a/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml
@@ -151,8 +151,10 @@ spec:
 
                   If an upgrade fails the operator will halt and report status
                   about the failing component. Setting the desired update value back to
-                  the previous version will cause a rollback to be attempted. Not all
-                  rollbacks will succeed.
+                  the previous version will cause a rollback to be attempted if the
+                  previous version is within the current minor version. Not all
+                  rollbacks will succeed, and some may unrecoverably break the
+                  cluster.
                 properties:
                   architecture:
                     description: |-
@@ -171,9 +173,13 @@ spec:
                   force:
                     description: |-
                       force allows an administrator to update to an image that has failed
-                      verification or upgradeable checks. This option should only
-                      be used when the authenticity of the provided image has been verified out
-                      of band because the provided image will run with full administrative access
+                      verification or upgradeable checks that are designed to keep your
+                      cluster safe. Only use this if:
+                      * you are testing unsigned release images in short-lived test clusters or
+                      * you are working around a known bug in the cluster-version
+                        operator and you have verified the authenticity of the provided
+                        image yourself.
+                      The provided image will run with full administrative access
                       to the cluster. Do not use this flag with images that comes from unknown
                       or potentially malicious sources.
                     type: boolean
diff --git a/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-TechPreviewNoUpgrade.crd.yaml
@@ -151,8 +151,10 @@ spec:
 
                   If an upgrade fails the operator will halt and report status
                   about the failing component. Setting the desired update value back to
-                  the previous version will cause a rollback to be attempted. Not all
-                  rollbacks will succeed.
+                  the previous version will cause a rollback to be attempted if the
+                  previous version is within the current minor version. Not all
+                  rollbacks will succeed, and some may unrecoverably break the
+                  cluster.
                 properties:
                   architecture:
                     description: |-
@@ -171,9 +173,13 @@ spec:
                   force:
                     description: |-
                       force allows an administrator to update to an image that has failed
-                      verification or upgradeable checks. This option should only
-                      be used when the authenticity of the provided image has been verified out
-                      of band because the provided image will run with full administrative access
+                      verification or upgradeable checks that are designed to keep your
+                      cluster safe. Only use this if:
+                      * you are testing unsigned release images in short-lived test clusters or
+                      * you are working around a known bug in the cluster-version
+                        operator and you have verified the authenticity of the provided
+                        image yourself.
+                      The provided image will run with full administrative access
                       to the cluster. Do not use this flag with images that comes from unknown
                       or potentially malicious sources.
                     type: boolean
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/clusterversions.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/clusterversions.config.openshift.io/AAA_ungated.yaml
@@ -153,8 +153,10 @@ spec:
 
                   If an upgrade fails the operator will halt and report status
                   about the failing component. Setting the desired update value back to
-                  the previous version will cause a rollback to be attempted. Not all
-                  rollbacks will succeed.
+                  the previous version will cause a rollback to be attempted if the
+                  previous version is within the current minor version. Not all
+                  rollbacks will succeed, and some may unrecoverably break the
+                  cluster.
                 properties:
                   architecture:
                     description: |-
@@ -173,9 +175,13 @@ spec:
                   force:
                     description: |-
                       force allows an administrator to update to an image that has failed
-                      verification or upgradeable checks. This option should only
-                      be used when the authenticity of the provided image has been verified out
-                      of band because the provided image will run with full administrative access
+                      verification or upgradeable checks that are designed to keep your
+                      cluster safe. Only use this if:
+                      * you are testing unsigned release images in short-lived test clusters or
+                      * you are working around a known bug in the cluster-version
+                        operator and you have verified the authenticity of the provided
+                        image yourself.
+                      The provided image will run with full administrative access
                       to the cluster. Do not use this flag with images that comes from unknown
                       or potentially malicious sources.
                     type: boolean
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/clusterversions.config.openshift.io/ImageStreamImportMode.yaml b/config/v1/zz_generated.featuregated-crd-manifests/clusterversions.config.openshift.io/ImageStreamImportMode.yaml
@@ -153,8 +153,10 @@ spec:
 
                   If an upgrade fails the operator will halt and report status
                   about the failing component. Setting the desired update value back to
-                  the previous version will cause a rollback to be attempted. Not all
-                  rollbacks will succeed.
+                  the previous version will cause a rollback to be attempted if the
+                  previous version is within the current minor version. Not all
+                  rollbacks will succeed, and some may unrecoverably break the
+                  cluster.
                 properties:
                   architecture:
                     description: |-
@@ -173,9 +175,13 @@ spec:
                   force:
                     description: |-
                       force allows an administrator to update to an image that has failed
-                      verification or upgradeable checks. This option should only
-                      be used when the authenticity of the provided image has been verified out
-                      of band because the provided image will run with full administrative access
+                      verification or upgradeable checks that are designed to keep your
+                      cluster safe. Only use this if:
+                      * you are testing unsigned release images in short-lived test clusters or
+                      * you are working around a known bug in the cluster-version
+                        operator and you have verified the authenticity of the provided
+                        image yourself.
+                      The provided image will run with full administrative access
                       to the cluster. Do not use this flag with images that comes from unknown
                       or potentially malicious sources.
                     type: boolean
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/clusterversions.config.openshift.io/SignatureStores.yaml b/config/v1/zz_generated.featuregated-crd-manifests/clusterversions.config.openshift.io/SignatureStores.yaml
@@ -153,8 +153,10 @@ spec:
 
                   If an upgrade fails the operator will halt and report status
                   about the failing component. Setting the desired update value back to
-                  the previous version will cause a rollback to be attempted. Not all
-                  rollbacks will succeed.
+                  the previous version will cause a rollback to be attempted if the
+                  previous version is within the current minor version. Not all
+                  rollbacks will succeed, and some may unrecoverably break the
+                  cluster.
                 properties:
                   architecture:
                     description: |-
@@ -173,9 +175,13 @@ spec:
                   force:
                     description: |-
                       force allows an administrator to update to an image that has failed
-                      verification or upgradeable checks. This option should only
-                      be used when the authenticity of the provided image has been verified out
-                      of band because the provided image will run with full administrative access
+                      verification or upgradeable checks that are designed to keep your
+                      cluster safe. Only use this if:
+                      * you are testing unsigned release images in short-lived test clusters or
+                      * you are working around a known bug in the cluster-version
+                        operator and you have verified the authenticity of the provided
+                        image yourself.
+                      The provided image will run with full administrative access
                       to the cluster. Do not use this flag with images that comes from unknown
                       or potentially malicious sources.
                     type: boolean
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
diff --git a/openapi/openapi.json b/openapi/openapi.json
