Merge pull request #527 from jianzhangbjz/bug-58462

OCPBUGS-61890: 🐛 CRD upgrade safety fixes and ratcheting (#2123)

Author: openshift-merge-bot[bot]

go.mod

@@ -44,7 +44,7 @@ require (
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	sigs.k8s.io/controller-runtime v0.21.0
 	sigs.k8s.io/controller-tools v0.18.0
-	sigs.k8s.io/crdify v0.4.1-0.20250613143457-398e4483fb58
+	sigs.k8s.io/crdify v0.4.1-0.20250825182107-69e65223aee0
 	sigs.k8s.io/yaml v1.6.0
 )
 

go.sum

@@ -765,8 +765,8 @@ sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytI
 sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
 sigs.k8s.io/controller-tools v0.18.0 h1:rGxGZCZTV2wJreeRgqVoWab/mfcumTMmSwKzoM9xrsE=
 sigs.k8s.io/controller-tools v0.18.0/go.mod h1:gLKoiGBriyNh+x1rWtUQnakUYEujErjXs9pf+x/8n1U=
-sigs.k8s.io/crdify v0.4.1-0.20250613143457-398e4483fb58 h1:VTvhbqgZMVoDpHHPuZLaOgzjjsJBhO8+vDKA1COuLCY=
-sigs.k8s.io/crdify v0.4.1-0.20250613143457-398e4483fb58/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
+sigs.k8s.io/crdify v0.4.1-0.20250825182107-69e65223aee0 h1:jfBjW0kwwx2ULnzRrs+Jnepn345JbpAVqzekHBeIGgY=
+sigs.k8s.io/crdify v0.4.1-0.20250825182107-69e65223aee0/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
 sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
 sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=

internal/operator-controller/rukpak/preflights/crdupgradesafety/crdupgradesafety.go

@@ -15,6 +15,7 @@ import (
 	"sigs.k8s.io/crdify/pkg/config"
 	"sigs.k8s.io/crdify/pkg/runner"
 	"sigs.k8s.io/crdify/pkg/validations"
+	"sigs.k8s.io/crdify/pkg/validations/property"
 
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util"
 )
@@ -131,6 +132,13 @@ func defaultConfig() *config.Config {
 				Name:        "description",
 				Enforcement: config.EnforcementPolicyNone,
 			},
+			{
+				Name:        "enum",
+				Enforcement: config.EnforcementPolicyError,
+				Configuration: map[string]interface{}{
+					"additionPolicy": property.AdditionPolicyAllow,
+				},
+			},
 		},
 	}
 }

internal/operator-controller/rukpak/preflights/crdupgradesafety/crdupgradesafety_test.go

@@ -39,7 +39,7 @@ func newMockPreflight(crd *apiextensionsv1.CustomResourceDefinition, err error)
 	}, preflightOpts...)
 }
 
-const crdFolder string = "../../../../../testdata/manifests"
+const crdFolder string = "testdata/manifests"
 
 func getCrdFromManifestFile(t *testing.T, oldCrdFile string) *apiextensionsv1.CustomResourceDefinition {
 	if oldCrdFile == "" {
@@ -67,14 +67,22 @@ func getManifestString(t *testing.T, crdFile string) string {
 	return string(buff)
 }
 
+func wantErrorMsgs(wantMsgs []string) require.ErrorAssertionFunc {
+	return func(t require.TestingT, haveErr error, _ ...interface{}) {
+		for _, wantMsg := range wantMsgs {
+			require.ErrorContains(t, haveErr, wantMsg)
+		}
+	}
+}
+
 // TestInstall exists only for completeness as Install() is currently a no-op. It can be used as
 // a template for real tests in the future if the func is implemented.
 func TestInstall(t *testing.T) {
 	tests := []struct {
 		name          string
 		oldCrdPath    string
 		release       *release.Release
-		wantErrMsgs   []string
+		requireErr    require.ErrorAssertionFunc
 		wantCrdGetErr error
 	}{
 		{
@@ -92,7 +100,7 @@ func TestInstall(t *testing.T) {
 				Name:     "test-release",
 				Manifest: "abcd",
 			},
-			wantErrMsgs: []string{"json: cannot unmarshal string into Go value of type unstructured.detector"},
+			requireErr: wantErrorMsgs([]string{"json: cannot unmarshal string into Go value of type unstructured.detector"}),
 		},
 		{
 			name: "release with no CRD objects",
@@ -108,7 +116,7 @@ func TestInstall(t *testing.T) {
 				Manifest: getManifestString(t, "crd-valid-upgrade.json"),
 			},
 			wantCrdGetErr: fmt.Errorf("error!"),
-			wantErrMsgs:   []string{"error!"},
+			requireErr:    wantErrorMsgs([]string{"error!"}),
 		},
 		{
 			name: "fail to get old crd, not found error",
@@ -124,7 +132,7 @@ func TestInstall(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "crd-invalid"),
 			},
-			wantErrMsgs: []string{"json: cannot unmarshal"},
+			requireErr: wantErrorMsgs([]string{"json: cannot unmarshal"}),
 		},
 		{
 			name:       "valid upgrade",
@@ -143,7 +151,7 @@ func TestInstall(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "crd-invalid-upgrade.json"),
 			},
-			wantErrMsgs: []string{
+			requireErr: wantErrorMsgs([]string{
 				`scope:`,
 				`storedVersionRemoval:`,
 				`enum:`,
@@ -157,7 +165,7 @@ func TestInstall(t *testing.T) {
 				`minLength:`,
 				`minProperties:`,
 				`default:`,
-			},
+			}),
 		},
 		{
 			name: "new crd validation failure for existing field removal",
@@ -168,9 +176,9 @@ func TestInstall(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "crd-field-removed.json"),
 			},
-			wantErrMsgs: []string{
+			requireErr: wantErrorMsgs([]string{
 				`existingFieldRemoval:`,
-			},
+			}),
 		},
 		{
 			name: "new crd validation should not fail on description changes",
@@ -188,10 +196,8 @@ func TestInstall(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			preflight := newMockPreflight(getCrdFromManifestFile(t, tc.oldCrdPath), tc.wantCrdGetErr)
 			err := preflight.Install(context.Background(), tc.release)
-			if len(tc.wantErrMsgs) != 0 {
-				for _, expectedErrMsg := range tc.wantErrMsgs {
-					require.ErrorContains(t, err, expectedErrMsg)
-				}
+			if tc.requireErr != nil {
+				tc.requireErr(t, err)
 			} else {
 				require.NoError(t, err)
 			}
@@ -204,7 +210,7 @@ func TestUpgrade(t *testing.T) {
 		name          string
 		oldCrdPath    string
 		release       *release.Release
-		wantErrMsgs   []string
+		requireErr    require.ErrorAssertionFunc
 		wantCrdGetErr error
 	}{
 		{
@@ -222,7 +228,7 @@ func TestUpgrade(t *testing.T) {
 				Name:     "test-release",
 				Manifest: "abcd",
 			},
-			wantErrMsgs: []string{"json: cannot unmarshal string into Go value of type unstructured.detector"},
+			requireErr: wantErrorMsgs([]string{"json: cannot unmarshal string into Go value of type unstructured.detector"}),
 		},
 		{
 			name: "release with no CRD objects",
@@ -238,7 +244,7 @@ func TestUpgrade(t *testing.T) {
 				Manifest: getManifestString(t, "crd-valid-upgrade.json"),
 			},
 			wantCrdGetErr: fmt.Errorf("error!"),
-			wantErrMsgs:   []string{"error!"},
+			requireErr:    wantErrorMsgs([]string{"error!"}),
 		},
 		{
 			name: "fail to get old crd, not found error",
@@ -254,7 +260,7 @@ func TestUpgrade(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "crd-invalid"),
 			},
-			wantErrMsgs: []string{"json: cannot unmarshal"},
+			requireErr: wantErrorMsgs([]string{"json: cannot unmarshal"}),
 		},
 		{
 			name:       "valid upgrade",
@@ -273,7 +279,7 @@ func TestUpgrade(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "crd-invalid-upgrade.json"),
 			},
-			wantErrMsgs: []string{
+			requireErr: wantErrorMsgs([]string{
 				`scope:`,
 				`storedVersionRemoval:`,
 				`enum:`,
@@ -287,7 +293,7 @@ func TestUpgrade(t *testing.T) {
 				`minLength:`,
 				`minProperties:`,
 				`default:`,
-			},
+			}),
 		},
 		{
 			name: "new crd validation failure for existing field removal",
@@ -298,9 +304,9 @@ func TestUpgrade(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "crd-field-removed.json"),
 			},
-			wantErrMsgs: []string{
+			requireErr: wantErrorMsgs([]string{
 				`existingFieldRemoval:`,
-			},
+			}),
 		},
 		{
 			name:       "webhook conversion strategy exists",
@@ -317,9 +323,9 @@ func TestUpgrade(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "crd-conversion-no-webhook.json"),
 			},
-			wantErrMsgs: []string{
-				`validating upgrade for CRD "crontabs.stable.example.com": v1 <-> v2: ^.spec.foobarbaz: enum: allowed enum values removed`,
-			},
+			requireErr: wantErrorMsgs([]string{
+				`validating upgrade for CRD "crontabs.stable.example.com": v1 -> v2: ^.spec.foobarbaz: enum: allowed enum values removed`,
+			}),
 		},
 		{
 			name: "new crd validation should not fail on description changes",
@@ -331,16 +337,43 @@ func TestUpgrade(t *testing.T) {
 				Manifest: getManifestString(t, "crd-description-changed.json"),
 			},
 		},
+		{
+			name:       "success when old crd and new crd contain the exact same validation issues",
+			oldCrdPath: "crd-conversion-no-webhook.json",
+			release: &release.Release{
+				Name:     "test-release",
+				Manifest: getManifestString(t, "crd-conversion-no-webhook.json"),
+			},
+		},
+		{
+			name:       "failure when old crd and new crd contain the exact same validation issues, but new crd introduces another validation issue",
+			oldCrdPath: "crd-conversion-no-webhook.json",
+			release: &release.Release{
+				Name:     "test-release",
+				Manifest: getManifestString(t, "crd-conversion-no-webhook-extra-issue.json"),
+			},
+			requireErr: func(t require.TestingT, err error, _ ...interface{}) {
+				require.ErrorContains(t, err,
+					`validating upgrade for CRD "crontabs.stable.example.com":`,
+				)
+				// The newly introduced issue is reported
+				require.Contains(t, err.Error(),
+					`v1 -> v2: ^.spec.extraField: type: type changed : "boolean" -> "string"`,
+				)
+				// The existing issue is not reported
+				require.NotContains(t, err.Error(),
+					`v1 -> v2: ^.spec.foobarbaz: enum: allowed enum values removed`,
+				)
+			},
+		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			preflight := newMockPreflight(getCrdFromManifestFile(t, tc.oldCrdPath), tc.wantCrdGetErr)
 			err := preflight.Upgrade(context.Background(), tc.release)
-			if len(tc.wantErrMsgs) != 0 {
-				for _, expectedErrMsg := range tc.wantErrMsgs {
-					require.ErrorContains(t, err, expectedErrMsg)
-				}
+			if tc.requireErr != nil {
+				tc.requireErr(t, err)
 			} else {
 				require.NoError(t, err)
 			}

internal/operator-controller/rukpak/preflights/crdupgradesafety/testdata/manifests/crd-conversion-no-webhook-extra-issue.json

@@ -0,0 +1,76 @@
+{
+    "apiVersion": "apiextensions.k8s.io/v1",
+    "kind": "CustomResourceDefinition",
+    "metadata": {
+        "name": "crontabs.stable.example.com"
+    },
+    "spec": {
+        "group": "stable.example.com",
+        "versions": [
+            {
+                "name": "v2",
+                "served": true,
+                "storage": false,
+                "schema": {
+                    "openAPIV3Schema": {
+                        "type": "object",
+                        "properties": {
+                            "spec": {
+                                "type": "object",
+                                "properties": {
+                                    "foobarbaz": {
+                                        "type":"string",
+                                        "enum":[
+                                            "bark",
+                                            "woof"
+                                        ]
+                                    },
+                                    "extraField": {
+                                        "type":"string"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            {
+                "name": "v1",
+                "served": true,
+                "storage": false,
+                "schema": {
+                    "openAPIV3Schema": {
+                        "type": "object",
+                        "properties": {
+                            "spec": {
+                                "type": "object",
+                                "properties": {
+                                    "foobarbaz": {
+                                        "type":"string",
+                                        "enum":[
+                                            "foo",
+                                            "bar",
+                                            "baz"
+                                        ]
+                                    },
+                                    "extraField": {
+                                        "type":"boolean"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        ],
+        "scope": "Cluster",
+        "names": {
+            "plural": "crontabs",
+            "singular": "crontab",
+            "kind": "CronTab",
+            "shortNames": [
+                "ct"
+            ]
+        }
+    }
+}

testdata/manifests/crd-conversion-no-webhook.json renamed to internal/operator-controller/rukpak/preflights/crdupgradesafety/testdata/manifests/crd-conversion-no-webhook.json

@@ -23,7 +23,8 @@
                                         "type":"integer"
                                     },
                                     "enum": {
-                                        "type":"integer"
+                                        "type": "string",
+                                        "enum": ["a", "b", "c"]
                                     },
                                     "minMaxValue": {
                                         "type":"integer"
@@ -70,7 +71,8 @@
                                         "type":"integer"
                                     },
                                     "enum": {
-                                        "type":"integer"
+                                        "type": "string",
+                                        "enum": ["a", "b", "c"]
                                     },
                                     "minMaxValue": {
                                         "type":"integer"

testdata/manifests/crd-conversion-webhook-old.json renamed to internal/operator-controller/rukpak/preflights/crdupgradesafety/testdata/manifests/crd-conversion-webhook-old.json

@@ -22,7 +22,8 @@
                                         "type":"integer"
                                     },
                                     "enum": {
-                                        "type":"integer"
+                                        "type": "string",
+                                        "enum": ["a", "b", "c"]
                                     },
                                     "minMaxValue": {
                                         "type":"integer"
@@ -66,7 +67,8 @@
                                 "type": "object",
                                 "properties": {
                                     "enum": {
-                                        "type":"integer"
+                                        "type": "string",
+                                        "enum": ["a", "b", "c"]
                                     },
                                     "minMaxValue": {
                                         "type":"integer"