CRD migration: add option for storage version migration via status

Author: sbueringer

bootstrap/kubeadm/main.go

@@ -365,7 +365,7 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 		// Note: The kubebuilder RBAC markers above has to be kept in sync
 		// with the CRDs that should be migrated by this provider.
 		Config: map[client.Object]crdmigrator.ByObjectConfig{
-			&bootstrapv1.KubeadmConfig{}:         {UseCache: true},
+			&bootstrapv1.KubeadmConfig{}:         {UseCache: true, UseStatusForStorageVersionMigration: true},
 			&bootstrapv1.KubeadmConfigTemplate{}: {UseCache: false},
 		},
 		// The CRDMigrator is run with only concurrency 1 to ensure we don't overwhelm the apiserver by patching a

config/rbac/role.yaml

@@ -159,6 +159,13 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ipam.cluster.x-k8s.io
+  resources:
+  - ipaddressclaims/status
+  verbs:
+  - patch
+  - update
 - apiGroups:
   - runtime.cluster.x-k8s.io
   resources:

controllers/crdmigrator/crd_migrator.go

@@ -102,6 +102,12 @@ type ByObjectConfig struct {
 	// Note: If this is enabled, we will use the corresponding Go type of the object for Get & List calls to avoid
 	// creating additional informers for UnstructuredList/PartialObjectMetadataList.
 	UseCache bool
+
+	// UseStatusForStorageVersionMigration configures if the storage version migration for this CRD should
+	// be triggered via the status endpoint instead of an update on the CRs directly (which is the default).
+	// As mutating and validating webhooks are usually not configured on the status subresource this can help to
+	// avoid mutating & validation webhook errors that would block the no-op updates and thus the storage migration.
+	UseStatusForStorageVersionMigration bool
 }
 
 func (r *CRDMigrator) SetupWithManager(ctx context.Context, mgr ctrl.Manager, controllerOptions controller.Options) error {
@@ -231,7 +237,7 @@ func (r *CRDMigrator) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.R
 
 	// If phase should be run and .status.storedVersions != [storageVersion], run storage version migration.
 	if r.crdMigrationPhasesToRun.Has(StorageVersionMigrationPhase) && storageVersionMigrationRequired(crd, storageVersion) {
-		if err := r.reconcileStorageVersionMigration(ctx, crd, customResourceObjects, storageVersion); err != nil {
+		if err := r.reconcileStorageVersionMigration(ctx, crd, migrationConfig, customResourceObjects, storageVersion); err != nil {
 			return ctrl.Result{}, err
 		}
 
@@ -253,18 +259,13 @@ func (r *CRDMigrator) Reconcile(ctx context.Context, req ctrl.Request) (_ ctrl.R
 }
 
 func storageVersionForCRD(crd *apiextensionsv1.CustomResourceDefinition) (string, error) {
-	var storageVersion string
 	for _, v := range crd.Spec.Versions {
 		if v.Storage {
-			storageVersion = v.Name
-			break
+			return v.Name, nil
 		}
 	}
-	if storageVersion == "" {
-		return "", errors.Errorf("could not find storage version for CustomResourceDefinition %s", crd.Name)
-	}
 
-	return storageVersion, nil
+	return "", errors.Errorf("could not find storage version for CustomResourceDefinition %s", crd.Name)
 }
 
 func storageVersionMigrationRequired(crd *apiextensionsv1.CustomResourceDefinition, storageVersion string) bool {
@@ -361,7 +362,7 @@ func listObjectsFromAPIReader(ctx context.Context, c client.Reader, objectList c
 	return objs, nil
 }
 
-func (r *CRDMigrator) reconcileStorageVersionMigration(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition, customResourceObjects []client.Object, storageVersion string) error {
+func (r *CRDMigrator) reconcileStorageVersionMigration(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition, migrationConfig ByObjectConfig, customResourceObjects []client.Object, storageVersion string) error {
 	if len(customResourceObjects) == 0 {
 		return nil
 	}
@@ -407,7 +408,12 @@ func (r *CRDMigrator) reconcileStorageVersionMigration(ctx context.Context, crd
 		u.SetResourceVersion(obj.GetResourceVersion())
 
 		log.V(4).Info("Migrating to new storage version", gvk.Kind, klog.KObj(u))
-		err := r.Client.Patch(ctx, u, client.Apply, client.FieldOwner("crdmigrator"))
+		var err error
+		if migrationConfig.UseStatusForStorageVersionMigration {
+			err = r.Client.Status().Patch(ctx, u, client.Apply, client.FieldOwner("crdmigrator"))
+		} else {
+			err = r.Client.Patch(ctx, u, client.Apply, client.FieldOwner("crdmigrator"))
+		}
 		// If we got a NotFound error, the object no longer exists so no need to update it.
 		// If we got a Conflict error, another client wrote the object already so no need to update it.
 		if err != nil && !apierrors.IsNotFound(err) && !apierrors.IsConflict(err) {

controllers/crdmigrator/crd_migrator_test.go

@@ -63,43 +63,63 @@ func TestReconcile(t *testing.T) {
 	crdObjectKey := client.ObjectKey{Name: crdName}
 
 	tests := []struct {
-		name                   string
-		skipCRDMigrationPhases []Phase
-		useCache               bool
+		name                                string
+		skipCRDMigrationPhases              []Phase
+		useCache                            bool
+		useStatusForStorageVersionMigration bool
 	}{
 		{
-			name:                   "run both StorageVersionMigration and CleanupManagedFields with cache",
-			skipCRDMigrationPhases: nil,
-			useCache:               true,
+			name:                                "run both StorageVersionMigration and CleanupManagedFields with cache",
+			skipCRDMigrationPhases:              nil,
+			useCache:                            true,
+			useStatusForStorageVersionMigration: false,
 		},
 		{
-			name:                   "run both StorageVersionMigration and CleanupManagedFields without cache",
-			skipCRDMigrationPhases: nil,
-			useCache:               false,
+			name:                                "run both StorageVersionMigration and CleanupManagedFields without cache",
+			skipCRDMigrationPhases:              nil,
+			useCache:                            false,
+			useStatusForStorageVersionMigration: false,
 		},
 		{
-			name:                   "run only CleanupManagedFields with cache",
-			skipCRDMigrationPhases: []Phase{StorageVersionMigrationPhase},
-			useCache:               true,
+			name:                                "run both StorageVersionMigration and CleanupManagedFields with cache (using status)",
+			skipCRDMigrationPhases:              nil,
+			useCache:                            true,
+			useStatusForStorageVersionMigration: true,
 		},
 		{
-			name:                   "run only CleanupManagedFields without cache",
-			skipCRDMigrationPhases: []Phase{StorageVersionMigrationPhase},
-			useCache:               false,
+			name:                                "run both StorageVersionMigration and CleanupManagedFields without cache (using status)",
+			skipCRDMigrationPhases:              nil,
+			useCache:                            false,
+			useStatusForStorageVersionMigration: true,
 		},
 		{
-			name:                   "run only StorageVersionMigration with cache",
-			skipCRDMigrationPhases: []Phase{CleanupManagedFieldsPhase},
-			useCache:               true,
+			name:                                "run only CleanupManagedFields with cache",
+			skipCRDMigrationPhases:              []Phase{StorageVersionMigrationPhase},
+			useCache:                            true,
+			useStatusForStorageVersionMigration: false,
 		},
 		{
-			name:                   "run only StorageVersionMigration without cache",
-			skipCRDMigrationPhases: []Phase{CleanupManagedFieldsPhase},
-			useCache:               false,
+			name:                                "run only CleanupManagedFields without cache",
+			skipCRDMigrationPhases:              []Phase{StorageVersionMigrationPhase},
+			useCache:                            false,
+			useStatusForStorageVersionMigration: false,
 		},
 		{
-			name:                   "skip all",
-			skipCRDMigrationPhases: []Phase{StorageVersionMigrationPhase, CleanupManagedFieldsPhase},
+			name:                                "run only StorageVersionMigration with cache",
+			skipCRDMigrationPhases:              []Phase{CleanupManagedFieldsPhase},
+			useCache:                            true,
+			useStatusForStorageVersionMigration: false,
+		},
+		{
+			name:                                "run only StorageVersionMigration without cache",
+			skipCRDMigrationPhases:              []Phase{CleanupManagedFieldsPhase},
+			useCache:                            false,
+			useStatusForStorageVersionMigration: false,
+		},
+		{
+			name:                                "skip all",
+			skipCRDMigrationPhases:              []Phase{StorageVersionMigrationPhase, CleanupManagedFieldsPhase},
+			useStatusForStorageVersionMigration: false,
 		},
 	}
 	for _, tt := range tests {
@@ -127,19 +147,19 @@ func TestReconcile(t *testing.T) {
 			// Create manager for all steps.
 			skipCRDMigrationPhases := sets.Set[Phase]{}.Insert(tt.skipCRDMigrationPhases...)
 			managerT1, err := createManagerWithCRDMigrator(tt.skipCRDMigrationPhases, map[client.Object]ByObjectConfig{
-				&t1v1beta1.TestCluster{}: {UseCache: tt.useCache},
+				&t1v1beta1.TestCluster{}: {UseCache: tt.useCache, UseStatusForStorageVersionMigration: tt.useStatusForStorageVersionMigration},
 			}, t1v1beta1.AddToScheme)
 			g.Expect(err).ToNot(HaveOccurred())
 			managerT2, err := createManagerWithCRDMigrator(tt.skipCRDMigrationPhases, map[client.Object]ByObjectConfig{
-				&t2v1beta2.TestCluster{}: {UseCache: tt.useCache},
+				&t2v1beta2.TestCluster{}: {UseCache: tt.useCache, UseStatusForStorageVersionMigration: tt.useStatusForStorageVersionMigration},
 			}, t2v1beta2.AddToScheme)
 			g.Expect(err).ToNot(HaveOccurred())
 			managerT3, err := createManagerWithCRDMigrator(tt.skipCRDMigrationPhases, map[client.Object]ByObjectConfig{
-				&t3v1beta2.TestCluster{}: {UseCache: tt.useCache},
+				&t3v1beta2.TestCluster{}: {UseCache: tt.useCache, UseStatusForStorageVersionMigration: tt.useStatusForStorageVersionMigration},
 			}, t3v1beta2.AddToScheme)
 			g.Expect(err).ToNot(HaveOccurred())
 			managerT4, err := createManagerWithCRDMigrator(tt.skipCRDMigrationPhases, map[client.Object]ByObjectConfig{
-				&t4v1beta2.TestCluster{}: {UseCache: tt.useCache},
+				&t4v1beta2.TestCluster{}: {UseCache: tt.useCache, UseStatusForStorageVersionMigration: tt.useStatusForStorageVersionMigration},
 			}, t4v1beta2.AddToScheme)
 			g.Expect(err).ToNot(HaveOccurred())
 

controlplane/kubeadm/main.go

@@ -408,7 +408,7 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 		// Note: The kubebuilder RBAC markers above has to be kept in sync
 		// with the CRDs that should be migrated by this provider.
 		Config: map[client.Object]crdmigrator.ByObjectConfig{
-			&controlplanev1.KubeadmControlPlane{}:         {UseCache: true},
+			&controlplanev1.KubeadmControlPlane{}:         {UseCache: true, UseStatusForStorageVersionMigration: true},
 			&controlplanev1.KubeadmControlPlaneTemplate{}: {UseCache: false},
 		},
 		// The CRDMigrator is run with only concurrency 1 to ensure we don't overwhelm the apiserver by patching a

docs/book/src/developer/providers/migrations/v1.9-to-v1.10.md

@@ -39,3 +39,4 @@ maintainers of providers and consumers of our Go API.
         - Note: The CRD migrator will add the `crd-migration.cluster.x-k8s.io/observed-generation` annotation on the CRD object,
                 please ensure that if these CRD objects are deployed with a tool like kapp / Argo / Flux the annotation is not continuously removed.
       - For all CRs that should be migrated by the `CRDMigrator`: verbs: `get;list;watch;patch;update`
+      - For all CRs with `UseStatusForStorageVersionMigration: true` verbs: `update;patch` on their `/status` resource (e.g. `ipaddressclaims/status`)

main.go

@@ -286,6 +286,7 @@ func InitFlags(fs *pflag.FlagSet) {
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions;customresourcedefinitions/status,verbs=update;patch,resourceNames=clusterclasses.cluster.x-k8s.io;clusterresourcesetbindings.addons.cluster.x-k8s.io;clusterresourcesets.addons.cluster.x-k8s.io;clusters.cluster.x-k8s.io;extensionconfigs.runtime.cluster.x-k8s.io;ipaddressclaims.ipam.cluster.x-k8s.io;ipaddresses.ipam.cluster.x-k8s.io;machinedeployments.cluster.x-k8s.io;machinedrainrules.cluster.x-k8s.io;machinehealthchecks.cluster.x-k8s.io;machinepools.cluster.x-k8s.io;machines.cluster.x-k8s.io;machinesets.cluster.x-k8s.io
 // ADD CR RBAC for CRD Migrator.
 // +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddresses;ipaddressclaims,verbs=get;list;watch;patch;update
+// +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims/status,verbs=patch;update
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedrainrules,verbs=get;list;watch;patch;update
 
 func main() {
@@ -491,24 +492,24 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager, watchNamespaces map
 	// with the CRDs that should be migrated by this provider.
 	crdMigratorConfig := map[client.Object]crdmigrator.ByObjectConfig{
 		&addonsv1.ClusterResourceSetBinding{}: {UseCache: true},
-		&addonsv1.ClusterResourceSet{}:        {UseCache: true},
-		&clusterv1.Cluster{}:                  {UseCache: true},
-		&clusterv1.MachineDeployment{}:        {UseCache: true},
+		&addonsv1.ClusterResourceSet{}:        {UseCache: true, UseStatusForStorageVersionMigration: true},
+		&clusterv1.Cluster{}:                  {UseCache: true, UseStatusForStorageVersionMigration: true},
+		&clusterv1.MachineDeployment{}:        {UseCache: true, UseStatusForStorageVersionMigration: true},
 		&clusterv1.MachineDrainRule{}:         {UseCache: true},
-		&clusterv1.MachineHealthCheck{}:       {UseCache: true},
-		&clusterv1.Machine{}:                  {UseCache: true},
-		&clusterv1.MachineSet{}:               {UseCache: true},
+		&clusterv1.MachineHealthCheck{}:       {UseCache: true, UseStatusForStorageVersionMigration: true},
+		&clusterv1.Machine{}:                  {UseCache: true, UseStatusForStorageVersionMigration: true},
+		&clusterv1.MachineSet{}:               {UseCache: true, UseStatusForStorageVersionMigration: true},
 		&ipamv1.IPAddress{}:                   {UseCache: false},
-		&ipamv1.IPAddressClaim{}:              {UseCache: false},
+		&ipamv1.IPAddressClaim{}:              {UseCache: false, UseStatusForStorageVersionMigration: true},
 	}
 	if feature.Gates.Enabled(feature.ClusterTopology) {
-		crdMigratorConfig[&clusterv1.ClusterClass{}] = crdmigrator.ByObjectConfig{UseCache: true}
+		crdMigratorConfig[&clusterv1.ClusterClass{}] = crdmigrator.ByObjectConfig{UseCache: true, UseStatusForStorageVersionMigration: true}
 	}
 	if feature.Gates.Enabled(feature.RuntimeSDK) {
-		crdMigratorConfig[&runtimev1.ExtensionConfig{}] = crdmigrator.ByObjectConfig{UseCache: true}
+		crdMigratorConfig[&runtimev1.ExtensionConfig{}] = crdmigrator.ByObjectConfig{UseCache: true, UseStatusForStorageVersionMigration: true}
 	}
 	if feature.Gates.Enabled(feature.MachinePool) {
-		crdMigratorConfig[&expv1.MachinePool{}] = crdmigrator.ByObjectConfig{UseCache: true}
+		crdMigratorConfig[&expv1.MachinePool{}] = crdmigrator.ByObjectConfig{UseCache: true, UseStatusForStorageVersionMigration: true}
 	}
 	crdMigratorSkipPhases := []crdmigrator.Phase{}
 	for _, p := range skipCRDMigrationPhases {

test/infrastructure/docker/main.go

@@ -383,13 +383,13 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 	// Note: The kubebuilder RBAC markers above has to be kept in sync
 	// with the CRDs that should be migrated by this provider.
 	crdMigratorConfig := map[client.Object]crdmigrator.ByObjectConfig{
-		&infrav1.DockerCluster{}:         {UseCache: true},
+		&infrav1.DockerCluster{}:         {UseCache: true, UseStatusForStorageVersionMigration: true},
 		&infrav1.DockerClusterTemplate{}: {UseCache: false},
-		&infrav1.DockerMachine{}:         {UseCache: true},
+		&infrav1.DockerMachine{}:         {UseCache: true, UseStatusForStorageVersionMigration: true},
 		&infrav1.DockerMachineTemplate{}: {UseCache: false},
-		&infrav1.DevCluster{}:            {UseCache: true},
+		&infrav1.DevCluster{}:            {UseCache: true, UseStatusForStorageVersionMigration: true},
 		&infrav1.DevClusterTemplate{}:    {UseCache: false},
-		&infrav1.DevMachine{}:            {UseCache: true},
+		&infrav1.DevMachine{}:            {UseCache: true, UseStatusForStorageVersionMigration: true},
 		&infrav1.DevMachineTemplate{}:    {UseCache: false},
 	}
 	if feature.Gates.Enabled(feature.MachinePool) {