Merge pull request openshift#2152 from openshift-cherrypick-robot/che…

…rry-pick-2123-to-release-4.18

[release-4.18] OCPBUGS-48502: StaticPodOperatorStatus validation should reject downgrades and concurrent node rollouts

operator/v1/tests/kubeapiservers.operator.openshift.io/AAA_ungated.yaml

@@ -14,3 +14,66 @@ tests:
         spec:
           logLevel: Normal
           operatorLogLevel: Normal
+  onUpdate:
+    - name: Should reject multiple nodes with nonzero target revisions
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            targetRevision: 1
+          - nodeName: b
+            targetRevision: 0
+          - nodeName: c
+          - nodeName: d
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            targetRevision: 1
+          - nodeName: b
+            targetRevision: 0
+          - nodeName: c
+            targetRevision: 2
+          - nodeName: d
+      expectedStatusError: "status.nodeStatuses: Invalid value: \"array\": no more than 1 node status may have a nonzero targetRevision"
+    - name: Should reject decreasing currentRevision
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            currentRevision: 3
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            currentRevision: 2
+      expectedStatusError: "status.nodeStatuses[0].currentRevision: Invalid value: \"integer\": must only increase"
+    - name: Should reject clearing currentRevision
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            currentRevision: 3
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+      expectedStatusError: "status.nodeStatuses[0].currentRevision: Invalid value: \"object\": cannot be unset once set"

operator/v1/types.go

@@ -256,16 +256,19 @@ type StaticPodOperatorStatus struct {
 	// +listType=map
 	// +listMapKey=nodeName
 	// +optional
+	// +kubebuilder:validation:XValidation:rule="size(self.filter(status, status.?targetRevision.orValue(0) != 0)) <= 1",message="no more than 1 node status may have a nonzero targetRevision"
 	NodeStatuses []NodeStatus `json:"nodeStatuses,omitempty"`
 }
 
 // NodeStatus provides information about the current state of a particular node managed by this operator.
+// +kubebuilder:validation:XValidation:rule="has(self.currentRevision) || !has(oldSelf.currentRevision)",message="cannot be unset once set",fieldPath=".currentRevision"
 type NodeStatus struct {
 	// nodeName is the name of the node
 	// +kubebuilder:validation:Required
 	NodeName string `json:"nodeName"`
 
 	// currentRevision is the generation of the most recently successful deployment
+	// +kubebuilder:validation:XValidation:rule="self >= oldSelf",message="must only increase"
 	CurrentRevision int32 `json:"currentRevision"`
 	// targetRevision is the generation of the deployment we're trying to apply
 	TargetRevision int32 `json:"targetRevision,omitempty"`

operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml

@@ -256,6 +256,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -296,10 +299,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-Default.crd.yaml

@@ -243,6 +243,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -283,10 +286,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml

@@ -256,6 +256,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -296,10 +299,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml

@@ -256,6 +256,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -296,10 +299,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml

@@ -225,6 +225,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -265,10 +268,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.crd-manifests/0000_25_kube-controller-manager_01_kubecontrollermanagers.crd.yaml

@@ -234,6 +234,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -274,10 +277,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.crd-manifests/0000_25_kube-scheduler_01_kubeschedulers.crd.yaml

@@ -225,6 +225,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -265,10 +268,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.featuregated-crd-manifests/etcds.operator.openshift.io/AAA_ungated.yaml

@@ -230,6 +230,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -270,10 +273,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.featuregated-crd-manifests/etcds.operator.openshift.io/EtcdBackendQuota.yaml

@@ -243,6 +243,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -283,10 +286,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with

operator/v1/zz_generated.featuregated-crd-manifests/etcds.operator.openshift.io/HardwareSpeed.yaml

@@ -243,6 +243,9 @@ spec:
                         successful deployment
                       format: int32
                       type: integer
+                      x-kubernetes-validations:
+                      - message: must only increase
+                        rule: self >= oldSelf
                     lastFailedCount:
                       description: lastFailedCount is how often the installer pod
                         of the last failed revision failed.
@@ -283,10 +286,18 @@ spec:
                   required:
                   - nodeName
                   type: object
+                  x-kubernetes-validations:
+                  - fieldPath: .currentRevision
+                    message: cannot be unset once set
+                    rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName
                 x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: no more than 1 node status may have a nonzero targetRevision
+                  rule: size(self.filter(status, status.?targetRevision.orValue(0)
+                    != 0)) <= 1
               observedGeneration:
                 description: observedGeneration is the last generation change you've
                   dealt with