Add CP orchestrated in-place upgrade controller

[HomayoonAlimohammadi]

Overview

This PR adds the orchestrated in-place upgrade controller to the control plane provider.
After annotating the CK8sControlPlane object with inplace-upgrade-to annotation, this controller will make sure that each control plane machine is upgraded to the specified version.
By design, this controller does not allow parallel upgrades to ensure that the control plane stays responsive (prevent breaking HA, quorum, etc.)

Details

• A lock (which is just a glorified configMap) prevents multiple control plane nodes getting upgraded
• Some of the common functionality is moved to pkg/upgrade/inplace. We should use these functionalities for the MachineDeploymentReconciler as well (instead of separately implementing them, which is what we're doing right now).
  • Also the MachineDeploymentReconciler should get renamed to resemble its responsibilities more closely (e.g. bootstrapControllers.OrchestratedInPlaceUpgradeController) in the future.

[berkayoz]

Amazing work! Can you explain in short form how the lock flow works, especially around failures and retries.

[berkayoz]

What happens on if upgrade is failed on the machine, do we wait/hold the lock until it succeds?

[HomayoonAlimohammadi]

Thanks for pointing this out, I noticed that I had to move the IsMachineUpgradeFailed check a bit higher.

In short, yes. Lemme explain a bit further:

Scenario 1: Not locked

• Let's say the upgrade process is not locked. We select a machine to upgrade (let's call it M) and lock the upgrade process while mentioning in the lock object that machine M is upgrading.

Scenario 2: Locked and the machine is upgraded

• We see that the process is locked, so we get machine M and notice that it is upgraded (release annotation). We unlock and requeue the reconciliation.

Scenario 3: Locked and the machine is not upgraded (still upgrading)

• We requeue the reconciliation.

Scenario 4: A machine that we tried to upgrade before is not there any more (somehow deleted)

• The lock config map has the machine information and tries to obtain it but notices that it's not there, so the IsLocked won't return an upgradingMachine, the lock config map is deleted (Unlock is called) and we continue on to select a fresh machine to upgrade.

Scenario 5: Locked and the machine does not have any upgrade instructions

• This is a weird situation (maybe the admin deleted the annotations accidentally), but can happen nonetheless. We consider that a stale lock and Unlock and requeue.

Scenario 6: Locked and the machine upgrade failed

• We mark the CK8sControlPlane object with failed status and publish the respective event and retry the process (basically the underlying single machine in-place upgrade reconciler is doing the retry and we just wait).

[bschimke95]

Thanks for the list - this was very helpful for the review.

[bschimke95]

Generally LGTM but please create some unittests for the inplace package and an integration test that verifies the happy path of this feature.

[bschimke95]

LGTM, thanks for adding the integration test!

[eaudetcobello]

Fantastic work, thanks Hue