Fix OpenAPI validations by adding API list markers

[erikgb]

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Our openapi generator also generates a report of violations of the Kubernetes API best practices. This report is "thrown away" now, but this PR suggests adding it to Git to raise awareness of the importance of API array metadata. I have also tried to fix all reported violations in our APIs, but please review carefully! UPDATE: For now, all new list type markers are set to atomic (default without the marker), and I have created a WIP PR (#3972) for the proposed bugfixes that we can consider after merging this.

I have also reorganized the markers on some of the affected fields, as I think it's clearer to have a consistent order of the markers.

Which issue(s) this PR fixes:

Fixes #2942

Does this PR introduce a user-facing change?:

Add missing OpenAPI schema metadata to array fields in APIs

[rikatz]

hey @erikgb

As we are moving with the enablement of automated API validations, can you please check #3917 and https://docs.google.com/document/d/1DSyP7Vt9E9wX2ku1C0AvCLqQe9cCiDPCLiPP0wXFYQw/edit?disco=AAABnQWiOX8

and maybe add https://github.com/kubernetes-sigs/kube-api-linter/blob/main/pkg/analysis/ssatags/ to the analyzers list to validate the behavior during CI/CD?

Regarding this being a breaking change or not, per Joel's comment on the document we need to check with API Machinery if this change can represent any harm for already implemented or in use Gateway API resources.

Thanks!

[erikgb]

As we are moving with the enablement of automated API validations, can you please check #3917 and https://docs.google.com/document/d/1DSyP7Vt9E9wX2ku1C0AvCLqQe9cCiDPCLiPP0wXFYQw/edit?disco=AAABnQWiOX8

and maybe add https://github.com/kubernetes-sigs/kube-api-linter/blob/main/pkg/analysis/ssatags/ to the analyzers list to validate the behavior during CI/CD?

Cool! I didn't know that you were in the process of adding KAL to Gateway API. I will definitely take a look and see if we can validate more in CI/CD.

Regarding this being a breaking change or not, per Joel's comment on the document we need to check with API Machinery if this change can represent any harm for already implemented or in use Gateway API resources.

Understood! I am a bit curious myself, as we are in the process of adding missing API list markers to cert-manager APIs. So, in general, it would be good to know which changes can be made non-breaking. Of course, the safest would be to mark all lists as atomic, which is the current default behavior, but that would be too defensive IMO. WDYT @rikatz?

[erikgb]

@rikatz, I have now enabled the ssatags analyzer in the KAL configuration, and it reports no issues. I have also reached out to sig-api-machinery on Slack and am waiting for someone to hopefully respond.

[rikatz]

@rikatz, I have now enabled the ssatags analyzer in the KAL configuration, and it reports no issues. I have also reached out to sig-api-machinery on Slack and am waiting for someone to hopefully respond.

thank you!

About your questions on what is safer or not, I need to defer to people who actually know what they are doing (which is not me!)

@youngnick @robscott do you see any issue here? On a previous review on the linter proposal document, @JoelSpeed suggested that we keep the atomic for now to keep backward compatibility. I don't really know the impact here for controllers on changing things from atomic (the default) to something else.

@erikgb once you have some answer from apimachinery as well, let's see how this fits on the proposal.

Thank you!

[JoelSpeed]

Pre-existing validation that ensures that these are unique?

[erikgb]

I cannot find such validation. Is this a strict requirement? Probably yes, as the api-server will reject a request with duplicate values (if changing this to set)?

[JoelSpeed]

I believe this could be breaking otherwise yes. Unless we can prove that the CRD ratcheting validation would cover this change?

[erikgb]

Even if the change is technically breaking, I think the key questions are:

1. Does it make sense with duplicate values in this list?
2. Does the order of the values in the list matter?
3. Must the list be owned by a single SSA field manager?

If the answer to all the questions is NO, then I think it could be justified to "break" this as a bug fix.

[robscott]

I agree that this could/should be considered a bug fix. To keep things clean, I'd recommend starting with +listType=atomic in this PR to match the current and unfortunately flawed spec today, and then file a follow up PR to fix this after this initial PR has merged. That will make it easier to point our release notes to a single small PR for the breaking changes that swap atomic to set.

[erikgb]

Sounds like a good approach. I will update this PR.

[erikgb]

@robscott I have now updated the PR, setting all list types to atomic for now, and prepared another branch with my proposed "breaking" changes. PTAL!

[erikgb]

And here is the WIP PR that I will rebase after this PR is merged: #3972

[erikgb]

@robscott I have now rebased #3972. PTAL!

[youngnick]

Changes LGTM, just one question about the exceptions file.

[JoelSpeed]

/lgtm

[robscott]

Thanks @erikgb!

/lgtm

[youngnick]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb, youngnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [youngnick]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment