Add a CEL validation to deny setting "v1" for cgroupMode field

- Cgroupsv1 support is removed from OCP 4.19. Hence, denying the user when
  the `nodes.config` object's `cgroupMode` field is set to `"v1"`
- Added integration tests to validate the newly introduced CEL
  validation on the cgroupMode field

Signed-off-by: Sai Ramesh Vanka <[email protected]>

Author: sairameshv

config/v1/tests/nodes.config.openshift.io/AAA_ungated.yaml

@@ -12,3 +12,99 @@ tests:
         apiVersion: config.openshift.io/v1
         kind: Node
         spec: {}
+    - name: Should be able to create a Node object with cgroupMode set to "v2"
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v2"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v2"
+    - name: Should not allow to create a Node object with the cgroupMode set to "v1"
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v1"
+      expectedError: "cgroupMode \"v1\" is not supported, please update to cgroupMode \"v2\""
+    - name: Should not allow to create a Node object with the cgroupMode set to some random value
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "unknown"
+      expectedError: "spec.cgroupMode: Unsupported value: \"unknown\""
+  onUpdate:
+    - name: Should be able to update a Node object with cgroupMode set to "v2"
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec: {}
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v2"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v2"
+    - name: Should not allow update of cgroupMode from "v2" to "v1"
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v2"
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v1"
+      expectedError: "cgroupMode \"v1\" is not supported, please update to cgroupMode \"v2\""
+    - name: Should allow changing other fields when a persisted value is no longer valid
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/cgroupMode/x-kubernetes-validations
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v1"
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v1"
+          workerLatencyProfile: "MediumUpdateAverageReaction"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v1"
+          workerLatencyProfile: "MediumUpdateAverageReaction"
+    - name: Should allow updating a persisted value that is no longer valid to a valid value
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/cgroupMode/x-kubernetes-validations
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v1"
+          workerLatencyProfile: "MediumUpdateAverageReaction"
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v2"
+          workerLatencyProfile: "MediumUpdateAverageReaction"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Node
+        spec:
+          cgroupMode: "v2"
+          workerLatencyProfile: "MediumUpdateAverageReaction"

config/v1/types_node.go

@@ -77,6 +77,7 @@ type NodeStatus struct {
 }
 
 // +kubebuilder:validation:Enum=v1;v2;""
+// +kubebuilder:validation:XValidation:rule="self != \"v1\"",message="cgroupMode \"v1\" is not supported, please update to cgroupMode \"v2\""
 type CgroupMode string
 
 const (

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               minimumKubeletVersion:
                 description: |-
                   minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-Default.crd.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               workerLatencyProfile:
                 description: |-
                   workerLatencyProfile determins the how fast the kubelet is updating

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-DevPreviewNoUpgrade.crd.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               minimumKubeletVersion:
                 description: |-
                   minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-TechPreviewNoUpgrade.crd.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               minimumKubeletVersion:
                 description: |-
                   minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.

config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/AAA_ungated.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               workerLatencyProfile:
                 description: |-
                   workerLatencyProfile determins the how fast the kubelet is updating

config/v1/zz_generated.featuregated-crd-manifests/nodes.config.openshift.io/MinimumKubeletVersion.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               minimumKubeletVersion:
                 description: |-
                   minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.

payload-manifests/crds/0000_10_config-operator_01_nodes-CustomNoUpgrade.crd.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               minimumKubeletVersion:
                 description: |-
                   minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.

payload-manifests/crds/0000_10_config-operator_01_nodes-Default.crd.yaml

@@ -53,6 +53,10 @@ spec:
                 - v2
                 - ""
                 type: string
+                x-kubernetes-validations:
+                - message: cgroupMode "v1" is not supported, please update to cgroupMode
+                    "v2"
+                  rule: self != "v1"
               workerLatencyProfile:
                 description: |-
                   workerLatencyProfile determins the how fast the kubelet is updating