OPNET-512: config/v1/types_infrastructure: change set to atomic for networks

[mkowalski]

In order to handle ownership of network addresses in a more elegant way,
we are switching list type from set to atomic. Thanks to this the
whole list will be managed as one, instead of different owners for every
entry on the list.

We are adding CEL validation to fields in PlatformStatus for the
consistency. As this field has already been validated by o/installer,
this should not affect CRs with PlatformStatus already populated.

[openshift-ci]

Hello @mkowalski! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[JoelSpeed]

Need CEL to keep set semantic here and on every other MachineNetworks

[mkowalski]

Right, adding

// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))"

and testing. Can you confirm it's okay to have CEL only in Spec and leave it out of Status as only the former is supposed to accept user input?

[JoelSpeed]

Prefer to have it in both, because while only spec is supposed to be accessible by user, they can still edit status

[mkowalski]

Fair enough. Given that API and Ingress VIP have CELs only in Spec, do you want me to also add them to Status in this PR ?

[JoelSpeed]

If we are confident that isn't going to break anything, then yes.

The no breaking way to add it is to add ratcheting, prefix with self == oldSelf ||

[JoelSpeed]

I think "confident" is a stretch because in the past this field was basically copy-pasted from install-config.yaml and all the validations were happening in o/installer. I believe it wouldn't break anything, but it's more faith than certainty

Was the installer doing any validation?

Yes, we have https://github.com/openshift/cluster-network-operator/blob/master/pkg/controller/infrastructureconfig/validations.go#L40-L50 that is validating that if you provide more than 1 VIP, you need to have multiple IP families. So we will not allow setting 2 IPs that are IPv4-only or IPv6-only

At what stage does this occur? Does it cause the cluster to degrade or anything?

[mkowalski]

Was the installer doing any validation?

Yes, o/installer should prevent you from adding 2 VIPs of the same IP stack to the install-config.yaml

At what stage does this occur? Does it cause the cluster to degrade or anything?

This happens in a controller inside CNO which reconciles Infrastructure CR. So if you edit Infra with "illegal" values, the output of oc get co will show you that Network Operator is degraded and the message will be something around 2 vips of the same ip stack are not allowed

[JoelSpeed]

Ok, and when were these APIs introduced as GA? I think we are safe to copy the validation to the status provided the installer has already validated this and you go degraded if the status gets edited.

If the status gets edited to invalid, does it get put back by anything?

[mkowalski]

when were these APIs introduced as GA

#1152 (merged in August 2022) + openshift/enhancements#1048 (looks like 4.11)

If the status gets edited to invalid, does it get put back by anything?

Yes. In the master branch of CNO if you modify Status without modifying Spec, Status will get reverted because operator reconciles Status to match Spec. So for a scenario

1. start from valid Spec and Status
2. update with invalid Status (without modifying Spec)

you end up with no changes applied because Spec is authoritative over Status. You would need to modify Spec and Status, but then Spec is validated via CEL already now and that will stop you.

Hope this explanation is enough to support statement "we have no way of introducing illegal values into Status"

[JoelSpeed]

Ack, SGTM, lets copy over the validation from spec to status and enforce in the same way there too

Edit: I see you've done that before I commented

[openshift-ci-robot]

@mkowalski: This pull request references OPNET-512 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

In order to handle ownership of network addresses in a more elegant way, we are switching list type from set to atomic. Thanks to this the whole list will be managed as one, instead of different owners for every entry on the list.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/cc @cybertron

[mkowalski]

/test e2e-metal-ipi

[openshift-ci]

@mkowalski: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test build
• /test e2e-aws-ovn
• /test e2e-aws-ovn-hypershift
• /test e2e-aws-ovn-techpreview
• /test e2e-aws-serial
• /test e2e-aws-serial-techpreview
• /test e2e-upgrade
• /test e2e-upgrade-minor
• /test images
• /test integration
• /test unit
• /test verify
• /test verify-client-go
• /test verify-crd-schema
• /test verify-deps

The following commands are available to trigger optional jobs:

• /test e2e-azure
• /test e2e-gcp

Use /test all to run all jobs.

In response to this:

/test e2e-metal-ipi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mkowalski]

The current version of the PR has been tested using the following procedure

• ask clusterbot to build a release from this PR
• spawn dev-scripts cluster with custom OPENSHIFT_RELEASE_IMAGE value of what clusterbot produced (e.g. registry.build03.ci.openshift.org/ci-ln-jc2mt8b/release:latest)
• modify Infra CR using oc edit infrastructure cluster and modify API VIP in PlatformSpec from fd2e:6f44:5dd8:c956::5 to e.g. fd2e:6f44:5dd8:c956::51, and Ingress VIP respectively
• use oc get co to confirm Network Operator is not degraded
• use oc get infrastructure cluster --show-managed-fields -o yaml to confirm PlatformStatus has been updated correctly

[mkowalski]

/retest-required

[openshift-ci-robot]

@mkowalski: This pull request references OPNET-512 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

In order to handle ownership of network addresses in a more elegant way,
we are switching list type from set to atomic. Thanks to this the
whole list will be managed as one, instead of different owners for every
entry on the list.

We are adding CEL validation to fields in PlatformStatus for the
consistency. As this field has already been validated by o/installer,
this should not affect CRs with PlatformStatus already populated.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/retest-required

[JoelSpeed]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed, mkowalski

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@mkowalski: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cluster-config-api-container-v4.16.0-202404291547.p0.gac9356b.assembly.stream.el9 for distgit ose-cluster-config-api.
All builds following this will include this PR.