Merge pull request #42318 from adellape/410_constraints

Author: adellape

modules/olm-bundle-format-dependencies-file.adoc

@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * operators/understanding/olm-packaging-format.adoc
+// * operators/understanding/olm/olm-understanding-dependency-resolution.adoc
+
+:_content-type: CONCEPT
+[id="olm-dependencies_{context}"]
+ifeval::["{context}" == "olm-packaging-format"]
+= Dependencies
+endif::[]
+ifeval::["{context}" != "olm-packaging-format"]
+= Operator dependencies
+endif::[]
+
+The dependencies of an Operator are listed in a `dependencies.yaml` file in the `metadata/` folder of a bundle. This file is optional and currently only used to specify explicit Operator-version dependencies.
+
+The dependency list contains a `type` field for each item to specify what kind of dependency this is. The following types of Operator dependencies are supported:
+
+`olm.package`:: This type indicates a dependency for a specific Operator version. The dependency information must include the package name and the version of the package in semver format. For example, you can specify an exact version such as `0.5.2` or a range of versions such as `>0.5.1`.
+
+`olm.gvk`:: With this type, the author can specify a dependency with group/version/kind (GVK) information, similar to existing CRD and API-based usage in a CSV. This is a path to enable Operator authors to consolidate all dependencies, API or explicit versions, to be in the same place.
+
+`olm.constraint`:: This type declares generic constraints on arbitrary Operator properties.
+
+In the following example, dependencies are specified for a Prometheus Operator and etcd CRDs:
+
+.Example `dependencies.yaml` file
+[source,yaml]
+----
+dependencies:
+  - type: olm.package
+    value:
+      packageName: prometheus
+      version: ">0.27.0"
+  - type: olm.gvk
+    value:
+      group: etcd.database.coreos.com
+      kind: EtcdCluster
+      version: v1beta2
+----

modules/olm-dependencies.adoc

@@ -6,11 +6,19 @@
 [id="olm-dependency-resolution-about_{context}"]
 = About dependency resolution
 
-OLM manages the dependency resolution and upgrade lifecycle of running Operators. In many ways, the problems OLM faces are similar to other operating system package managers like `yum` and `rpm`.
+Operator Lifecycle Manager (OLM) manages the dependency resolution and upgrade lifecycle of running Operators. In many ways, the problems OLM faces are similar to other system or language package managers, such as `yum` and `rpm`.
 
 However, there is one constraint that similar systems do not generally have that OLM does: because Operators are always running, OLM attempts to ensure that you are never left with a set of Operators that do not work with each other.
 
-This means that OLM must never do the following:
+As a result, OLM must never create the following scenarios:
 
-- Install a set of Operators that require APIs that cannot be provided.
-- Update an Operator in a way that breaks another that depends upon it.
+- Install a set of Operators that require APIs that cannot be provided
+- Update an Operator in a way that breaks another that depends upon it
+
+This is made possible with two types of data:
+
+[horizontal]
+Properties:: Typed metadata about the Operator that constitutes the public interface for it in the dependency resolver. Examples include the group/version/kind (GVK) of the APIs provided by the Operator and the semantic version (semver) of the Operator.
+Constraints or dependencies:: An Operator's requirements that should be satisfied by other Operators that might or might not have already been installed on the target cluster. These act as queries or filters over all available Operators and constrain the selection during dependency resolution and installation. Examples include requiring a specific API to be available on the cluster or expecting a particular Operator with a particular version to be installed.
+
+OLM converts these properties and constraints into a system of Boolean formulas and passes them to a SAT solver, a program that establishes Boolean satisfiability, which does the work of determining what Operators should be installed.

modules/olm-dependency-resolution-about.adoc

@@ -0,0 +1,174 @@
+// Module included in the following assemblies:
+//
+// * operators/understanding/olm/olm-understanding-dependency-resolution.adoc
+
+:_content-type: CONCEPT
+[id="olm-generic-constraints_{context}"]
+= Generic constraints
+
+An `olm.constraint` property declares a dependency constraint of a particular type, differentiating non-constraint and constraint properties. Its `value` field is an object containing a `failureMessage` field holding a string-representation of the constraint message. This message is surfaced as an informative comment to users if the constraint is not satisfiable at runtime.
+
+The following keys denote the available constraint types:
+
+`gvk`:: Type whose value and interpretation is identical to the `olm.gvk` type
+
+`package`:: Type whose value and interpretation is identical to the `olm.package` type
+
+`cel`:: A Common Expression Language (CEL) expression evaluated at runtime by the Operator Lifecycle Manager (OLM) resolver over arbitrary bundle properties and cluster information
+
+`all`, `any`, `not`:: Conjunction, disjunction, and negation constraints, respectively, containing one or more concrete constraints, such as `gvk` or a nested compound constraint
+
+[id="olm-cel_{context}"]
+== Common Expression Language (CEL) constraints
+
+The `cel` constraint type supports link:https://github.com/google/cel-go[Common Expression Language (CEL)] as the expression language. The `cel` struct has a `rule` field which contains the CEL expression string that is evaluated against Operator properties at runtime to determine if the Operator satisfies the constraint.
+
+.Example `cel` constraint
+[source,yaml]
+----
+type: olm.constraint
+value:
+  failureMessage: 'require to have "certified"'
+  cel:
+    rule: 'properties.exists(p, p.type == "certified")'
+----
+
+The CEL syntax supports a wide range of logical operators, such as `AND` and `OR`. As a result, a single CEL expression can have multiple rules for multiple conditions that are linked together by these logical operators. These rules are evaluated against a dataset of multiple different properties from a bundle or any given source, and the output is solved into a single bundle or Operator that satisfies all of those rules within a single constraint.
+
+.Example `cel` constraint with multiple rules
+[source,yaml]
+----
+type: olm.constraint
+value:
+  failureMessage: 'require to have "certified" and "stable" properties'
+  cel:
+    rule: 'properties.exists(p, p.type == "certified") && properties.exists(p, p.type == "stable")'
+----
+
+[id="olm-compound-constraints_{context}"]
+== Compound constraints (all, any, not)
+
+Compound constraint types are evaluated following their logical definitions.
+
+The following is an example of a conjunctive constraint (`all`) of two packages and one GVK. That is, they must all be satisfied by installed bundles:
+
+.Example `all` constraint
+[source,yaml]
+----
+schema: olm.bundle
+name: red.v1.0.0
+properties:
+- type: olm.constraint
+  value:
+    failureMessage: All are required for Red because...
+    all:
+      constraints:
+      - failureMessage: Package blue is needed for...
+        package:
+          name: blue
+          versionRange: '>=1.0.0'
+      - failureMessage: GVK Green/v1 is needed for...
+        gvk:
+          group: greens.example.com
+          version: v1
+          kind: Green
+----
+
+The following is an example of a disjunctive constraint (`any`) of three versions of the same GVK. That is, at least one must be satisfied by installed bundles:
+
+.Example `any` constraint
+[source,yaml]
+----
+schema: olm.bundle
+name: red.v1.0.0
+properties:
+- type: olm.constraint
+  value:
+    failureMessage: Any are required for Red because...
+    any:
+      constraints:
+      - gvk:
+          group: blues.example.com
+          version: v1beta1
+          kind: Blue
+      - gvk:
+          group: blues.example.com
+          version: v1beta2
+          kind: Blue
+      - gvk:
+          group: blues.example.com
+          version: v1
+          kind: Blue
+----
+
+The following is an example of a negation constraint (`not`) of one version of a GVK. That is, this GVK cannot be provided by any bundle in the result set:
+
+.Example `not` constraint
+[source,yaml]
+----
+schema: olm.bundle
+name: red.v1.0.0
+properties:
+- type: olm.constraint
+  value:
+  all:
+    constraints:
+    - failureMessage: Package blue is needed for...
+      package:
+        name: blue
+        versionRange: '>=1.0.0'
+    - failureMessage: Cannot be required for Red because...
+      not:
+        constraints:
+        - gvk:
+            group: greens.example.com
+            version: v1alpha1
+            kind: greens
+----
+
+The negation semantics might appear unclear in the `not` constraint context. To clarify, the negation is really instructing the resolver to remove any possible solution that includes a particular GVK, package at a version, or satisfies some child compound constraint from the result set.
+
+As a corollary, the `not` compound constraint should only be used within `all` or `any` constraints, because negating without first selecting a possible set of dependencies does not make sense.
+
+[id="olm-nested-compound_{context}"]
+== Nested compound constraints
+
+A nested compound constraint, one that contains at least one child compound constraint along with zero or more simple constraints, is evaluated from the bottom up following the procedures for each previously described constraint type.
+
+The following is an example of a disjunction of conjunctions, where one, the other, or both can satisfy the constraint:
+
+.Example nested compound constraint
+[source,yaml]
+----
+schema: olm.bundle
+name: red.v1.0.0
+properties:
+- type: olm.constraint
+  value:
+    failureMessage: Required for Red because...
+    any:
+      constraints:
+      - all:
+          constraints:
+          - package:
+              name: blue
+              versionRange: '>=1.0.0'
+          - gvk:
+              group: blues.example.com
+              version: v1
+              kind: Blue
+      - all:
+          constraints:
+          - package:
+              name: blue
+              versionRange: '<1.0.0'
+          - gvk:
+              group: blues.example.com
+              version: v1beta1
+              kind: Blue
+----
+
+[NOTE]
+====
+The maximum raw size of an `olm.constraint` type is 64KB to limit resource exhaustion attacks.
+====

modules/olm-generic-constraints.adoc

@@ -0,0 +1,56 @@
+// Module included in the following assemblies:
+//
+// * operators/understanding/olm/olm-understanding-dependency-resolution.adoc
+
+:_content-type: CONCEPT
+[id="olm-properties_{context}"]
+ifeval::["{context}" == "olm-packaging-format"]
+= Properties
+endif::[]
+ifeval::["{context}" != "olm-packaging-format"]
+= Operator properties
+endif::[]
+
+All Operators in a catalog have the following properties:
+
+`olm.package`:: Includes the name of the package and the version of the Operator
+
+`olm.gvk`:: A single property for each provided API from the cluster service version (CSV)
+
+Additional properties can also be directly declared by an Operator author by including a `properties.yaml` file in the `metadata/` directory of the Operator bundle.
+
+.Example arbitrary property
+[source,yaml]
+----
+properties:
+- type: olm.kubeversion
+  value:
+    version: "1.16.0"
+----
+
+[id="olm-arbitrary-properties_{context}"]
+== Arbitrary properties
+
+Operator authors can declare arbitrary properties in a `properties.yaml` file in the `metadata/` directory of the Operator bundle. These properties are translated into a map data structure that is used as an input to the Operator Lifecycle Manager (OLM) resolver at runtime.
+
+These properties are opaque to the resolver as it does not understand the properties, but it can evaluate the generic constraints against those properties to determine if the constraints can be satisfied given the properties list.
+
+.Example arbitrary properties
+[source,yaml]
+----
+properties:
+  - property:
+      type: color
+      value: red
+  - property:
+      type: shape
+      value: square
+  - property:
+      type: olm.gvk
+      value:
+        group: olm.coreos.io
+        version: v1alpha1
+        kind: myresource
+----
+
+This structure can be used to construct a Common Expression Language (CEL) expression for generic constraints.

modules/olm-properties.adoc

@@ -15,7 +15,7 @@ Support for the legacy _package manifest format_ for Operators is removed in {pr
 //Consider updating this during the 4.10 to 4.11 version scrub.
 
 include::modules/olm-bundle-format.adoc[leveloffset=+1]
-include::modules/olm-bundle-format-dependencies-file.adoc[leveloffset=+2]
+include::modules/olm-dependencies.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources

operators/understanding/olm-packaging-format.adoc

@@ -9,7 +9,12 @@ toc::[]
 This guide outlines dependency resolution and custom resource definition (CRD) upgrade lifecycles with Operator Lifecycle Manager (OLM) in {product-title}.
 
 include::modules/olm-dependency-resolution-about.adoc[leveloffset=+1]
-include::modules/olm-bundle-format-dependencies-file.adoc[leveloffset=+1]
+include::modules/olm-properties.adoc[leveloffset=+1]
+.Additional resources
+* xref:../../../operators/understanding/olm/olm-understanding-dependency-resolution.adoc#olm-cel_olm-understanding-dependency-resolution[Common Expression Language (CEL) constraints]
+
+include::modules/olm-dependencies.adoc[leveloffset=+1]
+include::modules/olm-generic-constraints.adoc[leveloffset=+1]
 include::modules/olm-dependency-resolution-preferences.adoc[leveloffset=+1]
 include::modules/olm-dependency-resolution-crd-upgrades.adoc[leveloffset=+1]