[WIP] Add cluster runtime constraint handling

[perdasilva]

Signed-off-by: Per G. da Silva [email protected]

Description of the change:
This PR introduces a backdoor way adding cluster runtime constraints to the resolver. The mechanism will look for a yaml file containing olm.constraints that will be parsed into the cache.Predicates and considered during the resolution.

Current Resolution Integration Approach
I've come up with a couple of strategies:

1. Apply a global filter to the cache (I've added code for this but it's commented out)
2. Set any installable violating any runtime constraint to prohibited in the addInvariants method.

Option 2. seems the most reasonable since 1. adds a bit of hidden behaviour to the cache and it mightn't always be clear what is being applied and when.

Motivation for the change:
OLM will needs to support cluster runtime contraints. We are currently working on a fully fledged solution but it won't be ready in time to unblock our users. This approach gives downstreams a way to side-load runtime constraints in the mean time.

Reviewer Checklist

• Implementation matches the proposed design, or proposal is updated to match implementation
• Sufficient unit test coverage
• Sufficient end-to-end test coverage
• Docs updated or added to /doc
• Commit messages sensible and descriptive

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: perdasilva
To complete the pull request process, please assign dinhxuanvu after the PR has been reviewed.
You can assign the PR to them by writing /assign @dinhxuanvu in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dinhxuanvu]

Looking promising.
I have a few comments. Plus, there is a bundles.json file and not sure what is it for?

[dinhxuanvu]

We need to decide if this property or a dependency so we can use either PropertiesFile or DependenciesFile. Honestly, it is just wording but it is a decision to be made for syntax sake.

[dinhxuanvu]

Did you test how this file-reading code will work in real life? How is this file gonna be "injected" into the process?

[perdasilva]

I've tested it manually. I still need to add unit tests for this. I'm thinking the way to side-load it should be we have an environment variable that points to the path of the constraints file. Downstream, the file will be baked in to the olm operator image and we'll update the deployment to include the env var. This way, if people want to turn it off, it's doable. I'm not sure how this strategy fits with support, etc. E.g. if they turn it off would that mean the customer is in an unmanaged state?

[njhale]

if they turn it off would that mean the customer is in an unmanaged state?

it does

[dinhxuanvu]

Reasonable restriction to avoid abusing. Make sure this number is known and noticed upon the completion of this work.

[perdasilva]

Looking promising. I have a few comments. Plus, there is a bundles.json file and not sure what is it for?

Thank you ^^ I've removed the bundles.json. That was a mistake.

[njhale]

So this is very similar to an injection method we rejected a while back: https://github.com/operator-framework/operator-lifecycle-manager/pull/2360/files

OLM will needs to support cluster runtime contraints. We are currently working on a fully fledged solution but it won't be ready in time to unblock our users. This approach gives downstreams a way to side-load runtime constraints in the mean time.

Which users are blocked without a method to side load global constraints? If we're talking about OpenShift users and the MaxOpenShiftVersion property, then I'd like to avoid adding new upstream APIs for them to be immediately superseded. We can carry a patch downstream that injects such specific constraints. In fact, I have some prior art there: openshift/operator-framework-olm#194

[njhale]

Seems like something that could be part of the OLMConfig CR instead of a file.

[perdasilva]

I think this could be much nicer. I just don't know what it means for the longer term vision of deppy and olm, etc. If this is still the way we'll want to handle these types of constraints. My thinking right now is to keep the "under-the-covers" way of doing it (baking this file in the downstream operator images) because it's super easy to roll-back and it buys us time to be more deliberate about how we want to handle these constraints in a first-class way. @joelanford @kevinrizza wdyt?

[njhale]

it might require more refactoring, but we probably want to inject these dependencies.

[njhale]

if they turn it off would that mean the customer is in an unmanaged state?

it does

[perdasilva]

OLM will needs to support cluster runtime contraints. We are currently working on a fully fledged solution but it won't be ready in time to unblock our users. This approach gives downstreams a way to side-load runtime constraints in the mean time.

Which users are blocked without a method to side load global constraints? If we're talking about OpenShift users and the MaxOpenShiftVersion property, then I'd like to avoid adding new upstream APIs for them to be immediately superseded. We can carry a patch downstream that injects such specific constraints. In fact, I have some prior art there: openshift/operator-framework-olm#194

Yeah, the main targets at the moment are OpenShift and IBM. I don't think we will be targetting anything other than OCP version. But, personally, I don't think we are making too many throw away changes. I think being able to inject these constraints (somehow) and have them understood by the resolver already adds value to the upstream, even if we don't offer a nice interface (yet) to define those. It also puts it in the hand of the community to test, evaluate, use our way of side-loading, come up with their own, etc. So, I think I'd push back a bit on the idea of a downstream (code) patch atm.

[perdasilva]

closing in favor of #2523