🌱 Improve dry run for server side apply using an annotation

[fabriziopandini]

What this PR does / why we need it:
This proposes an improvement on how we implement dry run for server side apply by introducing an annotation.

The proposed implementation has the following advantages

• dry run is executed in memory, without additional access to the api server
• the diff logic doesn't rely on managedFields, which we are considering at this stage an internal of SSA instead of an API we can rely on
• the diff logic is self-contained and thus resilient to operation not preserving the managedFields, like backup and restore or move, or to users/other controllers modifying managed fields in an unexpected way
• the diff logic is less impacted by schema changes

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from fabriziopandini after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sbueringer]

First round of review (everything except diff package)
Now continuing with the diff package

[sbueringer]

Just that I get it right:

The output of this func for the Path

"spec", "template", "spec"

is a Path

"spec", "template", "spec[]"

I somehow can't map the method name to the functionality. Isn't it rather something like ToArray or AsArray??

Path{"a","b","c"}.ToArray() => Path{"a","b","c[]"}

Should we add a unit test?

[sbueringer]

nit: Should we just do diff.NewCRDSchemaCache(r.Client) in serverSideApplyPatchHelperFactory? The func already has the client and seems like a good way to avoid having to create the CRDSchemaCache on all callsites

[sbueringer]

Suggested change

	return func(ctx context.Context, original, modified client.Object, opts ...structuredmerge.HelperOption) (structuredmerge.PatchHelper, error) {
	return func(_ context.Context, original, modified client.Object, opts ...structuredmerge.HelperOption) (structuredmerge.PatchHelper, error) {

nit

[sbueringer]

I assume this back and forth is because AddCurrentIntentAnnotation only supports Unstructured, correct?

[sbueringer]

nice!

Can we please propagate ctx also into cleanupLegacyManagedFields?

[sbueringer]

I was initially thinking that the controller is always restarted after relevant CRDs change.

But I think this is only true for core CRDs (https://storage.googleapis.com/kubernetes-jenkins/logs/periodic-cluster-api-e2e-upgrade-v0-3-to-main/1539927677492793344/artifacts/clusters/clusterctl-upgrade-9ovu0z/clusterctl-upgrade.log).

After the core controller and it's CRDs are updated we are updating all other providers. During that CRDs are patched, if providers add new fields to existing apiVersions which frequently happens we will probably have a stale cache here.

What about additionally using the CRD resourceVersion as part of the cache key to avoid this issue?

Potential follow-up issue: Do we care about evicting stale cache entries over time? I think it's not a factor as we assume that CAPI is updated frequently enough so we won't have too many stale entries to run into issues, right?

[sbueringer]

I'm kind of fine with making that assumption. But should we note somewhere that this might not work with all providers?

We wanted to check if all providers are naming their CRDs correctly in: #5686

[sbueringer]

Suggested change

	// Stores che current intent as last applied intent.
	// Stores the current intent as last applied intent.

nit

[sbueringer]

Should we just stop caring about what happens to managed fields?

[sbueringer]

mid 2nd-round of review

[sbueringer]

Suggested change

	return nil, errors.Wrap(err, "failed to create gzip reader forprevious intent")
	return nil, errors.Wrap(err, "failed to create gzip reader for previous intent")

nit

[sbueringer]

Suggested change

	return nil, errors.Wrap(err, "failed to copy from gzip reader")
	return nil, errors.Wrap(err, "failed to copy previous intent from gzip reader")

nit

[sbueringer]

Suggested change

	return nil, errors.Wrap(err, "failed to close gzip reader for managed fields")
	return nil, errors.Wrap(err, "failed to close gzip reader for previous intent")

[sbueringer]

Suggested change

	return nil, errors.Wrap(err, "failed to unmarshal managed fields")
	return nil, errors.Wrap(err, "failed to unmarshal previous intent")

[sbueringer]

Do we have to use the Kubernetes decoder? Otherwise we should run into the int64 vs float64 issue (xref: #6668)

[sbueringer]

Isn't keys actually a map?

[sbueringer]

Suggested change

	// Otherwise, if not present, it retrieves the corresponding CRD definition, infer the CRDSchema, stores it, returns it.
	// Otherwise, if not present, it retrieves the corresponding CRD definition, infers the CRDSchema, stores it and returns it.

[sbueringer]

Repeating this here essentially means calling load before is redundant.

We could get rid of load and store move the mutex up to LoadOrStore and keep the schema calculation in a util func if we want

[sbueringer]

nit: should we just use the CRD name in the error? Seems easier to understand

[sbueringer]

Q: Shouldn't it be an error if we can't find a schema for GVK?

[chrischdi]

Some new / broken test cases, same for #6710 (and maybe main), these testcases should result in the object not getting created.

	t.Run("Error on object which has another uid due to immutability", func(t *testing.T) {
		g := NewWithT(t)

		// Get the current object (assumes tests to be run in sequence).
		original := obj.DeepCopy()
		g.Expect(env.GetAPIReader().Get(ctx, client.ObjectKeyFromObject(original), original)).To(Succeed())

		// Create a patch helper for a modified object with some changes to what previously applied by th topology manager.
		modified := obj.DeepCopy()
		g.Expect(unstructured.SetNestedField(modified.Object, "changed", "spec", "controlPlaneEndpoint", "host")).To(Succeed())
		g.Expect(unstructured.SetNestedField(modified.Object, "changed-by-topology-controller", "spec", "bar")).To(Succeed())

		// Set an other uid to original
		original.SetUID("a-wrong-one")
		modified.SetUID("")

		// Create a patch helper which should fail because original's real UID changed.
		_, err := NewServerSidePatchHelper(ctx, original, modified, env.GetClient(), schemaCache)
		g.Expect(err).To(HaveOccurred())
	})
	t.Run("Error on object which does not exist (anymore) but was expected to get updated", func(t *testing.T) {
		original := builder.TestInfrastructureCluster(ns.Name, "obj3").WithSpecFields(map[string]interface{}{
			"spec.controlPlaneEndpoint.host": "1.2.3.4",
			"spec.controlPlaneEndpoint.port": int64(1234),
			"spec.foo":                       "", // this field is then explicitly ignored by the patch helper
		}).Build()

		modified := original.DeepCopy()

		// Set a not existing uid to the not existing original object
		original.SetUID("does-not-exist")

		// Create a patch helper which should fail because original does not exist.
		_, err = NewServerSidePatchHelper(ctx, original, modified, env.GetClient(), schemaCache)
		g.Expect(err).To(HaveOccurred())
	})

[fabriziopandini]

/hold
while we discuss if to proceed with this approach or the one proposed in #6710

[k8s-ci-robot]

@fabriziopandini: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

@fabriziopandini I think we can close this PR, given we chose SSA dry-run?

[fabriziopandini]

yes!
/close

[k8s-ci-robot]

@fabriziopandini: Closed this PR.

In response to this:

yes!
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.