MCO-1443: Promote onclusterbuild to GA

[yuqi-zhang]

Opened for testing. Based on guidance this is currently the first step: create new v1 API, gate remains off, v1 API is excluded from the image manifests

Also adds in: #2089

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @yuqi-zhang! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: yuqi-zhang
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yuqi-zhang]

/test all

[yuqi-zhang]

/test all

[openshift-ci-robot]

@yuqi-zhang: This pull request references MCO-1443 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.18.0" version, but no target version was set.

In response to this:

Opened for testing. Based on guidance this is currently the first step: create new v1 API, gate remains off, v1 API is excluded from the image manifests

Also adds in: #2089

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[JoelSpeed]

Can we take this promotion opportunity to go through the API thoroughly and improve validations and godocs please

[JoelSpeed]

No longer tech preview? I know it kind of is, but, we aren't likely to remember to update this when we update the gate, so this will become disjoint

[JoelSpeed]

No longer TP

[JoelSpeed]

I'm not following how this interoperates, in particular, with ConfigGeneration? Can you remind me?

[yuqi-zhang]

I think the original intent was that they track a corresponding MachineOSConfig generation to do rebuilds, but in techpreview the implementation hasn't leveraged either field (hard set to 1). Let me check that and get back to you.

[JoelSpeed]

The message here references digest, but it's not in the example?

[JoelSpeed]

Godoc for this field is wrong, it's talking about a different field name?

[JoelSpeed]

What is this? Can we expand this documentation?

[JoelSpeed]

Are we sure we want this defaulted? What if we need to change this in the future as we decide there's a better, default image build method that doesn't rely on today's pod based image builder?

[yuqi-zhang]

Is it difficult to change the default here in the API if we wanted to change it in the future?

[JoelSpeed]

When you have a default inside the API, you have to consider that this value will be written out to disk, and so, any existing instance of this API, will get this value and be stuck with it. If you wanted to, say, change blanketly even those instances that are already existing, then this makes it very difficult to change in the future.

We typically have a patten of "when omitted, this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time", which may be a better fit if you want a default here.

That said, I think the latest version of the API requires the user to specify this explicitly, which I think makes this a moot point

[JoelSpeed]

This line almost says the same thing twice, perhaps this should consolidate into one?

[yuqi-zhang]

Updated based on comments:
- Removed Version and ConfigGeneration from MOSB as they were unused
- Updated relatedobjects list
- Changed all optional,omitempty structs to pointers
- Removed default for ImageBuilderType, but keeping default build arch
to noarch as we don’t foresee changing that.
- Fixed RenderedImagePushspec validators to match description

Also temporarily reverted using format.dns1123subdomain() library while figuring out how it works

[yuqi-zhang]

/test e2e-aws-serial-techpreview

[umohnani8]

Should this be renamed to JobBuilder as well?

[cheesesashimi]

I'm not sure that BuilderStatus makes sense here because this is mostly just a reference to the build executor which doesn't include any kind of status message (to my knowledge). Maybe something like JobImageBuilderRef or something like that would be more appropriate? Better yet, this could just be ImageBuilderRef. That, coupled with the value in ImageBuilderType, should be enough.

[djoshy]

I think the comment above this field might need an update to reflect that it is a reference as well.

Stepping back a bit, I'm guessing the reason we are using a union here is we could have different builders, and they could need different types(other than ObjectReference) to represent their reference? If we are always going to use ObjectReference for multiple kind of builders, then maybe we don't even need to have to a union discriminator? It could be just two fields within this struct as Zack suggested: type and ref.

[cheesesashimi]

Those values are arguably common to all image builders. There could be some additional information that may be desired specific to each type of image builder, but we can add that onto this later as a specific type.

[cheesesashimi]

And taking a step back from this, if the ObjectReference includes GVK (Group Version Kind) information, we could potentially eliminate the ImageBuilderType field here since I see that as being primarily user-facing.

[yuqi-zhang]

Ok, so instead of having individual ImageBuilderRef's, I'll just make it one optional field here to encompass all potential object references.

[JoelSpeed]

Where is the default cluster wide pull-secret specified? Is this something users need to be aware of or is this something that is always set up and available?

Are there any security implications of relying on the default pull secret that we need to be aware of?

[yuqi-zhang]

The cluster pull secret is the one in openshift-config namespace (just a secret called pull-secret). There shouldn't be any security implications - this is widely used, and is on-disk for every node as well as referenced in various MCO objects, and doesn't give any push access in most cases.

[JoelSpeed]

So maybe this should read something along the lines of, though, I'm not sure what registries it actually has read access to, does it have access to the in-cluster registry?

Suggested change

	// defaults to using the cluster-wide pull secret if not specified.
	// Defaults to using the cluster-wide pull secret, that was provided at install time.
	// The default secret will provide read only access to registries <such as in cluster? RH owned? I don't know what this actually gives>.

[yuqi-zhang]

I'll update the description in the v1 API. It does not, but we expect users to use the base shipped payload RHCOS image as the base image most of the time, so it should not be necessary.

[JoelSpeed]

ImageSecretObjectReference is a struct right? To actually omit this, it needs to be a pointer

[yuqi-zhang]

Ah, will update that as well. I originally updated the v1alpha1 API first via the first commit before updated it all to the correct version in v1. I don't think this is technically needed anymore?

Basically the v1 API has all the updates from comments, and we will remove the v1alpha1 API after we switch all references, hence why I haven't updated the v1alpha1 API. Is that generally the expected pattern?

[JoelSpeed]

Yeah generally you can leave the v1alpha1 API alone, I just checked it as you had made changes in it. You shouldn't need to add this here if it's being added strictly to the new v1 API

[JoelSpeed]

You could enforce that using CEL, IIUC, a condition marking this as failed, makes the list immutable?

How is it enforced by MCO today?

// +kubebuilder:validation:XValidation:rule="self.exists(x, x.type == 'Failed') ? self == oldSelf : true",message="once a Failed condition is set, conditions are immutable"

[yuqi-zhang]

The expectation is that only the MCO will be creating MachineOSBuild objects (so the user cannot directly create a build like that, they must create a config from which build objects are created by the MCO as it does the builds). In that sense, this status is monitored and updated by the MCO.

Do you think it's strictly necessary given the context?

[JoelSpeed]

Yeah I would still add the validation. Users have access to APIs, and may do unexpected things. Controllers also have bugs, that make them do weird things. The more we can put into the API validation to make sure it meets our expectations, the better, even in status

[cheesesashimi]

I agree. I'd also like to point out that Interrupted should also be considered an immutable state.

[JoelSpeed]

Is a Pushspec a thing or should this be PushSpec?

[yuqi-zhang]

Thanks for the thorough review. Addressed most of the comments, left a few questions, and will follow up on the 3 points above.

I see the o/k PR for adding the format library has merged. Will try to incorporate that into the next set of changes as well.

[yuqi-zhang]

Pushed another set of updates:

• Failed and Interrupted will now cause MOSBuild conditions to be immutable
• Updated Arch enum to be PascalCase (kept x86_64 though)
• Updated relatedObject go doc based on suggestion
• Add validation for buildEnd > buildStart (did not add ordering requirement, as buildStart is a required field, and will be applied before or at the same time of buildEnd)
• Removed conditions field from MOSConfig -> the build object is supposed to reflect conditions instead, so this is not needed at this time
• Use dns1123 format check for all strings that match, and otherwise switch pattern checks to validation rules where appropriate
• Updated godocs a bit more for formatting

Tested on the latest 4.18 nightly and can confirm both CRDs are valid with the new format library

[JoelSpeed]

You don't need the second onCreate here

[JoelSpeed]

Remove additional onCreates, only expecting one in the file

[JoelSpeed]

Do we really want the repetition of imageBuilder and imageBuilderType? And in the enum value as well?

imageBuilder:
  type: Job

[JoelSpeed]

Push stuff feels more like an output to me?

[yuqi-zhang]

The user should be specifying where to push to here, so it is user input

[JoelSpeed]

Could you include the earlier part of the error that shows which field this pertains to, that way it's easier to find the broken field when reviewing this later

[JoelSpeed]

As a user of this API, how would I know what a BaseOSExtensions vs BaseOS vs Base image means?

I'm wondering if we can clean this API up a bit, there's a lot of, what appears to a naive eye at least, redundancy?

images:
  base: <>
  baseOS: <>
  baseOSExtensions: <>
pullSecret:
  name: <>
pushSecret:
  name: <>
builder:
  type: Job
  job:
    name: <>
pushSpec: <>
releaseVersion: <>
containerFiles: []

Or if we moved up to spec, some of this might look like

sourceImages:
  pullSecret: <> # For pulling these images
  base: <>
  baseOS: <>
  baseOSExtensions: <>
buildOutputs:
  pullSecret: 
    name: <> # For pulling the pushed image
  pushSecret:
    name: <> # For pushing the built image
  imagePushSpec: <>
builder:
  type: Job
  job:
    name: <>
releaseVersion: <>
containerFiles: []

[JoelSpeed]

Why do we have these duplicates? That means an end user can configure the same meaning, in multiple ways, that's confusing, we should avoid that

Suggested change

	// +kubebuilder:validation:Enum:=ARM64;AMD64;PPC64LE;S390X;AArch64;x86_64;NoArch
	// +kubebuilder:validation:Enum:=ARM64;AMD64;PPC64LE;S390X;NoArch

[JoelSpeed]

What does it mean to specify multiple images? Why would an end user want to do that?

[JoelSpeed]

When this struct is used, it's called something like imageBuilder, maybe we avoid the repetition here and go for just type for the field within here?

[JoelSpeed]

Should update this to match the others I suggested, including the at most 253 characters part

[openshift-ci]

@yuqi-zhang: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-serial	0741c21	link	true	/test e2e-aws-serial
ci/prow/e2e-aws-ovn-hypershift	0741c21	link	true	/test e2e-aws-ovn-hypershift
ci/prow/e2e-gcp	0741c21	link	false	/test e2e-gcp
ci/prow/e2e-aws-serial-techpreview	0741c21	link	true	/test e2e-aws-serial-techpreview
ci/prow/integration	8f073d7	link	true	/test integration

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.