operators/v1: reject new node statuses with current or target revision set

Entries of static pod operators' node statuses are co-managed:
- A node controller, responsible for ensuring a node status entry for per control plane node
- An installer controller, responsible for managing operand revisions for each entry

New node status entries with a non-zero revision populated signals that a single client
is managing both aspects and is not intentional. This validation should serve as a pragmatic
backstop against multi-writer field errors.

Signed-off-by: Bryce Palmer <[email protected]>

Author: everettraven

openapi/generated_openapi/zz_generated.openapi.go

@@ -30736,15 +30736,13 @@
       "description": "NodeStatus provides information about the current state of a particular node managed by this operator.",
       "type": "object",
       "required": [
-        "nodeName",
-        "currentRevision"
+        "nodeName"
       ],
       "properties": {
         "currentRevision": {
-          "description": "currentRevision is the generation of the most recently successful deployment",
+          "description": "currentRevision is the generation of the most recently successful deployment. Can not be set on creation of a nodeStatus. Updates must only increase the value.",
           "type": "integer",
-          "format": "int32",
-          "default": 0
+          "format": "int32"
         },
         "lastFailedCount": {
           "description": "lastFailedCount is how often the installer pod of the last failed revision failed.",
@@ -30784,7 +30782,7 @@
           "default": ""
         },
         "targetRevision": {
-          "description": "targetRevision is the generation of the deployment we're trying to apply",
+          "description": "targetRevision is the generation of the deployment we're trying to apply. Can not be set on creation of a nodeStatus.",
           "type": "integer",
           "format": "int32"
         }

openapi/openapi.json

@@ -16,14 +16,17 @@ tests:
           operatorLogLevel: Normal
   onUpdate:
     - name: Should reject multiple nodes with nonzero target revisions
+      initialCRDPatches:
+      - op: remove
+        path: /spec/versions/0/schema/openAPIV3Schema/properties/status/properties/nodeStatuses/items/x-kubernetes-validations/2
       initial: |
         apiVersion: operator.openshift.io/v1
         kind: KubeAPIServer
         spec: {} # No spec is required for a KubeAPIServer
         status:
           nodeStatuses:
           - nodeName: a
-            targetRevision: 1
+            targetRevision: 0
           - nodeName: b
             targetRevision: 0
           - nodeName: c
@@ -43,6 +46,9 @@ tests:
           - nodeName: d
       expectedStatusError: "status.nodeStatuses: Invalid value: \"array\": no more than 1 node status may have a nonzero targetRevision"
     - name: Should reject decreasing currentRevision
+      initialCRDPatches:
+      - op: remove
+        path: /spec/versions/0/schema/openAPIV3Schema/properties/status/properties/nodeStatuses/items/x-kubernetes-validations/1
       initial: |
         apiVersion: operator.openshift.io/v1
         kind: KubeAPIServer
@@ -61,6 +67,9 @@ tests:
             currentRevision: 2
       expectedStatusError: "status.nodeStatuses[0].currentRevision: Invalid value: \"integer\": must only increase"
     - name: Should reject clearing currentRevision
+      initialCRDPatches:
+      - op: remove
+        path: /spec/versions/0/schema/openAPIV3Schema/properties/status/properties/nodeStatuses/items/x-kubernetes-validations/1
       initial: |
         apiVersion: operator.openshift.io/v1
         kind: KubeAPIServer
@@ -77,3 +86,113 @@ tests:
           nodeStatuses:
           - nodeName: a
       expectedStatusError: "status.nodeStatuses[0].currentRevision: Invalid value: \"object\": cannot be unset once set"
+    - name: Should reject setting new nodeStatus with a currentRevision
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses: []
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            currentRevision: 0
+      expectedStatusError: "status.nodeStatuses[0].currentRevision: Invalid value: \"object\": currentRevision can not be set on creation of a nodeStatus"
+    - name: Should reject setting new nodeStatus with a targetRevision
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses: []
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            targetRevision: 0
+      expectedStatusError: "status.nodeStatuses[0].targetRevision: Invalid value: \"object\": targetRevision can not be set on creation of a nodeStatus"
+    - name: Should allow adding nodes with name only
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+          - nodeName: b
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec:
+          logLevel: Normal
+          operatorLogLevel: Normal
+        status:
+          nodeStatuses:
+          - nodeName: a
+          - nodeName: b
+    - name: Should allow updating currentRevision of existing nodeStatus
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            currentRevision: 1
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec:
+          logLevel: Normal
+          operatorLogLevel: Normal
+        status:
+          nodeStatuses:
+          - nodeName: a
+            currentRevision: 1
+    - name: Should allow updating targetRevision of existing nodeStatus
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec: {} # No spec is required for a KubeAPIServer
+        status:
+          nodeStatuses:
+          - nodeName: a
+            targetRevision: 1
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: KubeAPIServer
+        spec:
+          logLevel: Normal
+          operatorLogLevel: Normal
+        status:
+          nodeStatuses:
+          - nodeName: a
+            targetRevision: 1

operator/v1/tests/kubeapiservers.operator.openshift.io/AAA_ungated.yaml

@@ -258,15 +258,21 @@ type StaticPodOperatorStatus struct {
 
 // NodeStatus provides information about the current state of a particular node managed by this operator.
 // +kubebuilder:validation:XValidation:rule="has(self.currentRevision) || !has(oldSelf.currentRevision)",message="cannot be unset once set",fieldPath=".currentRevision"
+// +kubebuilder:validation:XValidation:rule="oldSelf.hasValue() || !has(self.currentRevision)",message="currentRevision can not be set on creation of a nodeStatus",optionalOldSelf=true,fieldPath=.currentRevision
+// +kubebuilder:validation:XValidation:rule="oldSelf.hasValue() || !has(self.targetRevision)",message="targetRevision can not be set on creation of a nodeStatus",optionalOldSelf=true,fieldPath=.targetRevision
 type NodeStatus struct {
 	// nodeName is the name of the node
 	// +required
 	NodeName string `json:"nodeName"`
 
-	// currentRevision is the generation of the most recently successful deployment
+	// currentRevision is the generation of the most recently successful deployment.
+	// Can not be set on creation of a nodeStatus. Updates must only increase the value.
 	// +kubebuilder:validation:XValidation:rule="self >= oldSelf",message="must only increase"
-	CurrentRevision int32 `json:"currentRevision"`
-	// targetRevision is the generation of the deployment we're trying to apply
+	// +optional
+	CurrentRevision int32 `json:"currentRevision,omitempty"`
+	// targetRevision is the generation of the deployment we're trying to apply.
+	// Can not be set on creation of a nodeStatus.
+	// +optional
 	TargetRevision int32 `json:"targetRevision,omitempty"`
 
 	// lastFailedRevision is the generation of the deployment we tried and failed to deploy.

operator/v1/types.go

@@ -252,8 +252,9 @@ spec:
                     of a particular node managed by this operator.
                   properties:
                     currentRevision:
-                      description: currentRevision is the generation of the most recently
-                        successful deployment
+                      description: |-
+                        currentRevision is the generation of the most recently successful deployment.
+                        Can not be set on creation of a nodeStatus. Updates must only increase the value.
                       format: int32
                       type: integer
                       x-kubernetes-validations:
@@ -292,8 +293,9 @@ spec:
                       description: nodeName is the name of the node
                       type: string
                     targetRevision:
-                      description: targetRevision is the generation of the deployment
-                        we're trying to apply
+                      description: |-
+                        targetRevision is the generation of the deployment we're trying to apply.
+                        Can not be set on creation of a nodeStatus.
                       format: int32
                       type: integer
                   required:
@@ -303,6 +305,14 @@ spec:
                   - fieldPath: .currentRevision
                     message: cannot be unset once set
                     rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
+                  - fieldPath: .currentRevision
+                    message: currentRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.currentRevision)
+                  - fieldPath: .targetRevision
+                    message: targetRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.targetRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName

operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml

@@ -239,8 +239,9 @@ spec:
                     of a particular node managed by this operator.
                   properties:
                     currentRevision:
-                      description: currentRevision is the generation of the most recently
-                        successful deployment
+                      description: |-
+                        currentRevision is the generation of the most recently successful deployment.
+                        Can not be set on creation of a nodeStatus. Updates must only increase the value.
                       format: int32
                       type: integer
                       x-kubernetes-validations:
@@ -279,8 +280,9 @@ spec:
                       description: nodeName is the name of the node
                       type: string
                     targetRevision:
-                      description: targetRevision is the generation of the deployment
-                        we're trying to apply
+                      description: |-
+                        targetRevision is the generation of the deployment we're trying to apply.
+                        Can not be set on creation of a nodeStatus.
                       format: int32
                       type: integer
                   required:
@@ -290,6 +292,14 @@ spec:
                   - fieldPath: .currentRevision
                     message: cannot be unset once set
                     rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
+                  - fieldPath: .currentRevision
+                    message: currentRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.currentRevision)
+                  - fieldPath: .targetRevision
+                    message: targetRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.targetRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName

operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-Default.crd.yaml

@@ -252,8 +252,9 @@ spec:
                     of a particular node managed by this operator.
                   properties:
                     currentRevision:
-                      description: currentRevision is the generation of the most recently
-                        successful deployment
+                      description: |-
+                        currentRevision is the generation of the most recently successful deployment.
+                        Can not be set on creation of a nodeStatus. Updates must only increase the value.
                       format: int32
                       type: integer
                       x-kubernetes-validations:
@@ -292,8 +293,9 @@ spec:
                       description: nodeName is the name of the node
                       type: string
                     targetRevision:
-                      description: targetRevision is the generation of the deployment
-                        we're trying to apply
+                      description: |-
+                        targetRevision is the generation of the deployment we're trying to apply.
+                        Can not be set on creation of a nodeStatus.
                       format: int32
                       type: integer
                   required:
@@ -303,6 +305,14 @@ spec:
                   - fieldPath: .currentRevision
                     message: cannot be unset once set
                     rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
+                  - fieldPath: .currentRevision
+                    message: currentRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.currentRevision)
+                  - fieldPath: .targetRevision
+                    message: targetRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.targetRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName

operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml

@@ -252,8 +252,9 @@ spec:
                     of a particular node managed by this operator.
                   properties:
                     currentRevision:
-                      description: currentRevision is the generation of the most recently
-                        successful deployment
+                      description: |-
+                        currentRevision is the generation of the most recently successful deployment.
+                        Can not be set on creation of a nodeStatus. Updates must only increase the value.
                       format: int32
                       type: integer
                       x-kubernetes-validations:
@@ -292,8 +293,9 @@ spec:
                       description: nodeName is the name of the node
                       type: string
                     targetRevision:
-                      description: targetRevision is the generation of the deployment
-                        we're trying to apply
+                      description: |-
+                        targetRevision is the generation of the deployment we're trying to apply.
+                        Can not be set on creation of a nodeStatus.
                       format: int32
                       type: integer
                   required:
@@ -303,6 +305,14 @@ spec:
                   - fieldPath: .currentRevision
                     message: cannot be unset once set
                     rule: has(self.currentRevision) || !has(oldSelf.currentRevision)
+                  - fieldPath: .currentRevision
+                    message: currentRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.currentRevision)
+                  - fieldPath: .targetRevision
+                    message: targetRevision can not be set on creation of a nodeStatus
+                    optionalOldSelf: true
+                    rule: oldSelf.hasValue() || !has(self.targetRevision)
                 type: array
                 x-kubernetes-list-map-keys:
                 - nodeName