|
| 1 | +# Automatic Dependency Version Downgrades |
| 2 | + |
| 3 | +* Owner: Ezgi Demirel Karabag (@ezgidemirel) |
| 4 | +* Reviewers: Crossplane Maintainers |
| 5 | +* Status: Accepted |
| 6 | + |
| 7 | +## Background |
| 8 | + |
| 9 | +Crossplane's package manager has traditionally handled missing dependencies by installing the latest valid versions |
| 10 | +available using the lock Kubernetes object and a controller reconciles on it. This straightforward approach allowed for |
| 11 | +quick setup but could not handle dynamic environments where dependency version change is required. In cases where the |
| 12 | +dependency was installed but the constraints were no longer satisfied, the lock reconciler gives no error and package |
| 13 | +revision reconciler notices the invalid version issue and returns an error to the user for manual intervention. |
| 14 | + |
| 15 | +[With recent updates](https://github.com/crossplane/crossplane/pull/6017), the package manager has gained the capability |
| 16 | +to upgrade dependencies to the minimum valid version rather than the latest, reducing the likelihood of breaking changes |
| 17 | +in existing environments. If no version meets the constraints, the lock reconciler now displays the error message in the |
| 18 | +lock object’s status, complementing the error messages from the package revision reconciler. |
| 19 | + |
| 20 | +It was deliberately decided not to downgrade the dependencies automatically to prevent unexpected behaviours in the |
| 21 | +existing environments. However, this approach has its own drawbacks. The user has to manually intervene to downgrade the |
| 22 | +dependencies, which is not a good user experience and is not suitable for GitOps workflows. This proposal aims to |
| 23 | +address this issue by introducing automatic dependency version downgrades as a configuration option. |
| 24 | + |
| 25 | +<img src="images/package-manager.png" alt="Package Manager diagram" width="650" /> |
| 26 | + |
| 27 | +## Possible Issues |
| 28 | + |
| 29 | +During dependency version downgrades, the following issues may occur: |
| 30 | + |
| 31 | +1) Missing CRDs |
| 32 | +2) Missing CRD fields |
| 33 | +3) CRD storage version changes |
| 34 | + |
| 35 | +Please note that these issues may also occur during package upgrades. But in that case, we assume the user is aware of |
| 36 | +the changes and accepts the risks. |
| 37 | + |
| 38 | +Detecting these issues in the package manager before downgrading dependencies would significantly complicate the package |
| 39 | +manager's logic and increase the implementation complexity. It would also require downloading the package base layer |
| 40 | +multiple times with different versions, leading to slower performance. Therefore, we suggest not implementing pre-checks |
| 41 | +for these issues before downgrading dependencies. Instead, we will document the potential issues and risks, providing |
| 42 | +users with the necessary information to make informed decisions. |
| 43 | + |
| 44 | +### Missing CRDs |
| 45 | + |
| 46 | +The CRDs installed with the newer version may not exist in the older one. This can result in custom resources |
| 47 | +without associated controllers, potentially causing unexpected behavior, such as lack of updates on the cloud |
| 48 | +provider's side after updating the MR. Updating the parent package to upgrade its dependencies to the newer version |
| 49 | +resolves this issue. |
| 50 | + |
| 51 | +### Missing CRD Fields |
| 52 | + |
| 53 | +CRD fields may change between versions. If the newer version introduces additional fields, the older version will remove |
| 54 | +them. Downgrading the package can lead to the loss of these values, and upgrading back to the newer version |
| 55 | +cannot restore them to their previously assigned states. |
| 56 | + |
| 57 | +### CRD Storage Version Changes |
| 58 | + |
| 59 | +CRD storage versions may change between versions. If the storage version is upgraded in the newer version, trying to |
| 60 | +downgrade the package will not automatically change the storage version on Kubernetes and fail. Some providers, such as |
| 61 | +the ones in the [Upbound Official program](https://marketplace.upbound.io/providers?tier=official), prevent this issue |
| 62 | +by ensuring the storage version is not changed between minor versions. However, this is not guaranteed for all Crossplane |
| 63 | +providers. |
| 64 | + |
| 65 | +## Proposal |
| 66 | + |
| 67 | +The automatic dependency version downgrade feature will be implemented as a configuration option. The user can enable this |
| 68 | +configuration via a helm to set the `AutomaticDependencyDowngrade` environment variable as `true` in the package manager |
| 69 | +configuration. This functionality will be disabled by default and needs to be enabled together with the |
| 70 | +`--enable-dependency-version-upgrades` feature flag. Enabling the configuration means that users accept the risks |
| 71 | +associated with automatic dependency version downgrades. |
| 72 | + |
| 73 | +For example, suppose configuration A, which depends on package X with the constraint `>=v0.0.0`, is installed on the |
| 74 | +control plane. In this case, the package manager installs the latest version of package X, such as `v3.0.0`. Later, you |
| 75 | +decide to install configuration Y, which depends on package X with the constraint `<=v2.0.0`. Since version `v2.0.0` |
| 76 | +satisfies both conditions, package X must be downgraded to allow the installation of configuration Y. |
| 77 | +## Future Work |
| 78 | + |
| 79 | +To provide a better user experience, we can introduce a new subcommand to the Crossplane CLI that allows users to |
| 80 | +give a target Crossplane package and its version together with kubernetes cluster access and returns the list of |
| 81 | +packages that need version changes with CRD diffs. This will help users to understand the changes before applying them |
| 82 | +and acknowledge the risks. |
| 83 | + |
| 84 | +[pkg-mgr-diagram]: images/package-manager.png |
0 commit comments