OCPNODE-3029: features: add requiredMinimumComponentVersion

.golangci.yaml

@@ -23,3 +23,5 @@ issues:
   # Want to make sure that those adding new fields have an
   # opportunity to fix them when running the linter locally.
   max-issues-per-linter: 1000
+  exclude-dirs:
+    - features

config/v1/tests/featuregates.config.openshift.io/MinimumKubeletVersion.yaml

@@ -0,0 +1,125 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "FeatureGate"
+crdName: featuregates.config.openshift.io
+featureGate: MinimumKubeletVersion
+tests:
+  onCreate:
+    - name: Should be able to create a minimal FeatureGate
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec: {} # No spec is required for a FeatureGate
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec: {}
+    - name: Can create TechPreview
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+    - name: Must reject unsupported value of a FeatureGate
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: bar
+      expectedError: "spec.featureSet: Unsupported value: \"bar\": supported values: \"CustomNoUpgrade\", \"DevPreviewNoUpgrade\", \"TechPreviewNoUpgrade\", \"\""
+  onUpdate:
+    - name: Default to TechPreview
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+    - name: TechPreview to Default
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      expectedError: "TechPreviewNoUpgrade may not be changed"
+    - name: TechPreview to Removed
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec: {}
+      expectedError: ".spec.featureSet cannot be removed"
+    - name: TechPreview to Custom
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+      expectedError: "TechPreviewNoUpgrade may not be changed"
+    - name: Default to Custom
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+    - name: Custom to Default
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      expectedError: "CustomNoUpgrade may not be changed"
+    - name: Must reject an update if unsupported value of a FeatureGate is provided
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: "bar"
+      expectedError: "spec.featureSet: Unsupported value: \"bar\": supported values: \"CustomNoUpgrade\", \"DevPreviewNoUpgrade\", \"TechPreviewNoUpgrade\", \"\""

config/v1/types_feature.go

@@ -125,18 +125,64 @@ type FeatureGateDetails struct {
 	// disabled is a list of all feature gates that are disabled in the cluster for the named version.
 	// +optional
 	Disabled []FeatureGateAttributes `json:"disabled"`
+	// renderedMinimumComponentVersions are the component versions that the feature gate list of this status were rendered from.
+	// Currently, the only supported component is Kubelet, and setting the MinimumComponentVersion.Component to "Kubelet" will mean
+	// feature set was rendered given the minimumKubeletVersion in the nodes.config object was lower than or equal to the given MinimumComponentVersion.Version
+	// +kubebuilder:validation:MaxItems=1
+	// +listType=map
+	// +listMapKey=component
+	// +openshift:enable:FeatureGate=MinimumKubeletVersion
+	// +optional
+	RenderedMinimumComponentVersions []MinimumComponentVersion `json:"renderedMinimumComponentVersions,omitempty"`
 }
 
 type FeatureGateAttributes struct {
 	// name is the name of the FeatureGate.
 	// +required
 	Name FeatureGateName `json:"name"`
 
+	// requiredMinimumComponentVersions is a list of component/version pairs that declares the is the lowest version the given
+	// component may be in this cluster to have this feature turned on in the Default featureset.
+	// Currently, the only supported component is Kubelet, and setting the MinimumComponentVersion.Component to "Kubelet" will mean
+	// this feature will be added to the Default set if the minimumKubeletVersion in the nodes.config object is lower than
+	// or equal to the given MinimumComponentVersion.Version
+	// +kubebuilder:validation:MaxItems=1
+	// +listType=map
+	// +listMapKey=component
+	// +openshift:enable:FeatureGate=MinimumKubeletVersion
+	// +optional
+	RequiredMinimumComponentVersions []MinimumComponentVersion `json:"requiredMinimumComponentVersions,omitempty"`
+
 	// possible (probable?) future additions include
 	// 1. support level (Stable, ServiceDeliveryOnly, TechPreview, DevPreview)
 	// 2. description
 }
 
+// MinimumComponentVersion is a pair of Component and Version that specifies the required minimum Version of the given Component
+// to enable this feature.
+type MinimumComponentVersion struct {
+	// component is the entity whose version must be above a certain version.
+	// The only valid value is Kubelet
+	// +required
+	Component MinimumComponent `json:"component"`
+	// version is the minimum version the given component may be in this cluster.
+	// version must be in semver format (x.y.z) and must consist only of numbers and periods (.).
+	// Note: this is the version of the component, not Openshift. For instance, when Component is "Kubelet", it is a required version of the Kubelet (i.e: kubernetes version, like 1.32.0),
+	// not the corresponding Openshift version (4.19.0)
+	// +kubebuilder:validation:MaxLength=8
+	// +required
+	Version string `json:"version"`
+}
+
+// MinimumComponent is a type defining a component that can have a minimum version declared.
+// Currently, the only supported value is "Kubelet".
+// +kubebuilder:validation:Enum:=Kubelet
+type MinimumComponent string
+
+// MinimumComponentKubelet can be used to define the required minimum version for kubelets.
+// It will be compared against the "minimumKubeletVersion" field in the nodes.config.openshift.io object.
+var MinimumComponentKubelet MinimumComponent = "Kubelet"
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).

config/v1/types_node.go

@@ -72,6 +72,28 @@ type NodeStatus struct {
 	// +listMapKey=type
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+	// Specifically, the apiserver will deny most authorization requests of kubelets that are older
+	// than the specified version, only allowing the kubelet to get and update its node object, and perform
+	// subjectaccessreviews.
+	// This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+	// and will eventually be marked as not ready.
+	// Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+	// Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+	// the underlying kubernetes version this version of Openshift is based off of.
+	// In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+	// they should set the minimumKubeletVersion to 1.30.0.
+	// When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+	// Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+	// This status field is used to reflect the actualized minimum kubelet version, which can be interpreted from the
+	// FeatureGateStatus.RenderedMinimumComponentVersion when Component == Kubelet, after that FeatureGateStatus finishes rolling out to
+	// all kubelets.
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty"
+	// +kubebuilder:validation:MaxLength:=8
+	// +openshift:enable:FeatureGate=MinimumKubeletVersion
+	// +optional
+	MinimumKubeletVersion string `json:"minimumKubeletVersion,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=v1;v2;""