Vap for updates

[chris-kaiser-7]

What type of PR is this?

/kind feature

What this PR does / why we need it:
This is required for the release changes https://docs.google.com/document/d/1iG6RKVJFZUxG1mZ4NbUL5Tm09n_zDck-LukYmUXoQ7c/edit?tab=t.0

Which issue(s) this PR fixes:

Fixes #
VAP for Upgrades #4162

Does this PR introduce a user-facing change?:

Adds a VAP that prohibits the following:
- Installation of experimental CRDs on top of standard channel CRDs (within the same API group)
- Installation of monthly releases
- Installation of older releases

[k8s-ci-robot]

Hi @chris-kaiser-7. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kflynn]

Couple of very minor nits -- thanks very much for digging into this!

[kflynn]

🤔 Should we drop the domain here?

[chris-kaiser-7]

You think it should be named "safe-upgrades.gateway.networking.k8s.io"? Yea it is a little redundant to have gateway api twice.

[robscott]

You think it should be named "safe-upgrades.gateway.networking.k8s.io"? Yea it is a little redundant to have gateway api twice.

Yep, I think that would be a nice simplification here

[kflynn]

/approve

Looks good to me with a couple of minor comments, leaving the final LGTM for someone else -- thanks, @chris-kaiser-7! 🙂

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chris-kaiser-7, kflynn
Once this PR has been reviewed and has the lgtm label, please assign aojea for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kflynn]

/ok-to-test

[howardjohn]

this doesn't block XListenerSet, XMesh, etc. Is that intended?

[chris-kaiser-7]

No its not. I'll fix that.

[robscott]

Thanks @chris-kaiser-7, this is a really great change! Any chance that you could include some basic tests for this VAP?

I'm thinking that we'd want them to validate the following behavior when the VAP is installed:

1. Experimental CRDs that are part of x-k8s.io can be installed
2. Experimental CRDs that are part of k8s.io can NOT be installed
3. Standard CRDs with an old version can NOT be installed
4. Standard CRDs with the current version can be installed

It might actually be possible in https://github.com/kubernetes-sigs/gateway-api/blob/150554d3a55b731d3261525cf265bc930d2d5d85/pkg/test/crd/crd_test.go, but I'll defer to @rikatz on the best home for this.

[robscott]

Mind adding a note to RELEASE.md to include a step to update this value?

[chris-kaiser-7]

Oh yea good idea. The logic is a bit weird because CEL doesn't allow match groups in regex as far as I can tell so the regex gets a bit long.

[chris-kaiser-7]

I added a note in RELEASE.md. I was thinking I could add a script in hack to update this regex based on the bundle version. That would make the process easier.

[robscott]

I'm not 100% sure if this should be part of a release channel or not. Fine for now, but may want to adjust if we make a VAP that is meant to be included with both release channels.

[chris-kaiser-7]

I was wondering about this too.

[robscott]

Same comment as above - unsure if this is necessary

[rikatz]

/cc
/assign

[chris-kaiser-7]

Thanks @chris-kaiser-7, this is a really great change! Any chance that you could include some basic tests for this VAP?

I'm thinking that we'd want them to validate the following behavior when the VAP is installed:

1. Experimental CRDs that are part of x-k8s.io can be installed
2. Experimental CRDs that are part of k8s.io can NOT be installed
3. Standard CRDs with an old version can NOT be installed
4. Standard CRDs with the current version can be installed

It might actually be possible in https://github.com/kubernetes-sigs/gateway-api/blob/150554d3a55b731d3261525cf265bc930d2d5d85/pkg/test/crd/crd_test.go, but I'll defer to @rikatz on the best home for this.

Thanks for the review. I just started working on the tests.

[rikatz]

is this something required or something that was on file and was left behind?

[chris-kaiser-7]

Yea I didn't notice that. I cleaned it up.

[rikatz]

maybe add the object selector of CRDs here?

[rikatz]

I would say something like:

spec.matchResources.resourceRules.apiGroups = apiextensions.k8s.io
spec.matchResources...apiVersions=v1
spec.matchResources...resources=customresourcedefinitions

Not sure this would properly work, but if so the idea is at least to filter out this binding and not send every resource validation to our VAP

[chris-kaiser-7]

I did look into this but had issues selecting crds with this. I'll look into again tho.

[chris-kaiser-7]

OK never mind it seems to be working as you said. I must have done something wrong before when testing resourcerRules in binding.

[chris-kaiser-7]

Thanks @chris-kaiser-7, this is a really great change! Any chance that you could include some basic tests for this VAP?

I'm thinking that we'd want them to validate the following behavior when the VAP is installed:

1. Experimental CRDs that are part of x-k8s.io can be installed
2. Experimental CRDs that are part of k8s.io can NOT be installed
3. Standard CRDs with an old version can NOT be installed
4. Standard CRDs with the current version can be installed

It might actually be possible in https://github.com/kubernetes-sigs/gateway-api/blob/150554d3a55b731d3261525cf265bc930d2d5d85/pkg/test/crd/crd_test.go, but I'll defer to @rikatz on the best home for this.

I pushed some tests in CRD_test. I can move them to a separate test file if that is better. I also made a few changes to that. I pulled some of the init tests up a level so you can run isolated tests like. "make test.crds-validation GO_TEST_FLAGS="-run TestCRDValidation/safeupgrades_VAP_should_validate_correctly"".

[chris-kaiser-7]

I noticed a race condition and spent a while trying to fix it without time.sleep. I'm going to look at this some more but figured I should push what I got.

[chris-kaiser-7]

@rikatz @robscott See anything else that needs fixing?

[robscott]

Thanks @chris-kaiser-7!

[robscott]

Instead of including the entire release manifest from previous releases, let's just add some very lightweight manifests with a variety of annotations (different release channels, versions, etc).

[rikatz]

+1! Or pick some existing manifest from https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd and mutate it accordingly.

[chris-kaiser-7]

good call! I work on this.

[robscott]

Any reason for removing this?

[chris-kaiser-7]

I put this logic in the parent test so that you could run targeted tests without issue. for example "make test.crds-validation GO_TEST_FLAGS="-run TestCRDValidation/safeupgrades_VAP_should_validate_correctly"". would not work as well as a few other tests because it depended on logic in this test.

[rikatz]

I think the goal here is to block the installation of older CRDs (avoid downgrade), right?

Can we add a note/comment that on Kubernetes 1.37 we should migrate this to something like https://kubernetes.io/docs/reference/using-api/cel/#kubernetes-semver-library instead?

This way, instead of having this bump as part of the release process, we can probably extract the version directly and check if it is older than the current existing.

[chris-kaiser-7]

Yea this is good. I didn't know this was in CEL for Kubernetes. I was just working off the base CEL documentation and that was kind of frustrating to say the least. I'll update it to this for 1.37. There is a lot of other good stuff in that doc too I didn't know about.

[rikatz]

As this will be released with main, should we make this v1.5.0?

[chris-kaiser-7]

Yea that makes sense. I'll fix that.

[rikatz]

overall lgtm, thanks.

I just want to be sure that:

• We have a comment and an action item to use the semver library on vap once we can safely rely on it (eg.: Kubernetes 1.34 added it, once 1.37 is released we could rely on it as we would drop support for 1.33).
• The CRD generation can be much much smaller as Rob pointed out. or even use the existing one, but do some "inplace replacement" just of the annotation (like some strings.Replace)

[chris-kaiser-7]

overall lgtm, thanks.

I just want to be sure that:

• We have a comment and an action item to use the semver library on vap once we can safely rely on it (eg.: Kubernetes 1.34 added it, once 1.37 is released we could rely on it as we would drop support for 1.33).
• The CRD generation can be much much smaller as Rob pointed out. or even use the existing one, but do some "inplace replacement" just of the annotation (like some strings.Replace)

@rikatz @robscott
Thanks for the feedback. I was considering using logic like strings.Replace but I was a bit worried about the integrity of the test if it has logical dependencies like that but that might be a little to nit. Though if you're both ok with that I can definitely do that.