feat: add support for kueue to work with VAP on OCP 4.16+

[zdtsw]

• only add VAP specific manifests into list if latest OCP version in history is over 16 in min version
• add check OCP function to get OCP version during main startup, and value can be access by components also show in the dsc status

Description

https://issues.redhat.com/browse/RHOAIENG-16133

How Has This Been Tested?

manual test on quay.io/wenzhou/opendatahub-operator-catalog:v2.17.1613315
spin up two clusters

• 4.17.9:
  create DSCI, DSC only enable kueue
  kueue CR ready, 2 new resource VAP and VAPB created
  change VAPB action from Deny to Warn, it keeps new value
  disable kueue
  kueue CR removed, VAP removed, VAPB remains
• 4.15.6 then upgrade to 4.16.27: cretae DSCI, DSC only enable kueue
  kueue CR ready, no API registered in cluster for VAP/VAPB CRD, operator pod not throw error

Screenshot or short clip

Merge criteria

• You have read the contributors guide.
• Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
• Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from zdtsw. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lburgazzoli]

• need to uplift to go-client 0.29.2 whichi is the latest one has SwitchMetrics for leaderelection

What is this about ?

• need to uplift k8s.io/api to 0.30.4 which start to have VAP included

Is this actually needed? we use unstructured objects so the current version should work too

[zdtsw]

• need to uplift to go-client 0.29.2 whichi is the latest one has SwitchMetrics for leaderelection

What is this about ?

• need to uplift k8s.io/api to 0.30.4 which start to have VAP included

Is this actually needed? we use unstructured objects so the current version should work too

i should revert the uplift for api part, at least was using &admissionregistrationv1.ValidatingAdmissionPolicyBinding which only contain these 2 from 0.30.4
but since now i changed to use watchsgvk the uplift is not needed any more
and go-client change was due to api uplift, can revert back as well.

[lburgazzoli]

same as above

[lburgazzoli]

This can probably be computed at startup

[zdtsw]

did some change, moved this call a bit up to the main

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 65 lines in your changes missing coverage. Please review.

Project coverage is 19.78%. Comparing base (ad20d38) to head (c8372c6).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cluster/cluster_config.go	0.00%	37 Missing ⚠️
controllers/components/kueue/kueue_controller.go	0.00%	11 Missing ⚠️
...llers/components/kueue/kueue_controller_actions.go	0.00%	11 Missing ⚠️
controllers/components/kueue/kueue_support.go	0.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1480      +/-   ##
==========================================
- Coverage   19.88%   19.78%   -0.11%     
==========================================
  Files         160      160              
  Lines       10818    10874      +56     
==========================================
  Hits         2151     2151              
- Misses       8440     8496      +56     
  Partials      227      227              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ChristianZaccaria]

This looks brilliant Wen, thank you!!

Just making sure. The ValidatingAdmissionPolicyBinding resource should be configurable, i.e., by the Cluster Admin. This resource should have a similar behaviour to how ConfigMaps are handled. - Let me know if this makes sense

[zdtsw]

This looks brilliant Wen, thank you!!

Just making sure. The ValidatingAdmissionPolicyBinding resource should be configurable, i.e., by the Cluster Admin. This resource should have a similar behaviour to how ConfigMaps are handled. - Let me know if this makes sense

i was not aware of this requirement.
so VAP is static but VAPB will be user configurable?
but why not instead user create another VAPB instance? e.g if the binding is to filter on more matching part or the action should be "warn"/"audit" ?

[ChristianZaccaria]

so VAP is static but VAPB will be user configurable?

@zdtsw For reference after our async discussion:

• VAPB CR, should be first deployed with default values from manifests. Then the Admin can decide on configuration, or simply keep the defaults.
• VAPB CR, wont be reconcile if user updates its contents.
• VAP CR is static.

[ChristianZaccaria]

/lgtm tested and works as expected. Thank you for the brilliant work!

[lburgazzoli]

to make things a little but more clear, maybe we should have a constant for the minimum version and use SemVer.GTE

var V4_17 = semver.MustParse("4.17")

func vapPredicate(context.Context, *odhtypes.ReconciliationRequest) bool {
  return cluster.GetClusterInfo().Version.GTE(V4_17)
}

[lburgazzoli]

this check shold probably me moved to the t.Run block, like:

t.Run("Validate Kueue Dynamically create VAP", func(t *testing.T) {
        if !cluster.GetClusterInfo().Version.GTE(semver.MustParse("4.17.0") {
            t.Skip("Disabled as requires OpenShift >= 4.17")
            return
        }
        
	err = kueueCtx.validateVAPReady()
	require.NoError(t, err, "Kueue instance is not Ready")
})

[zdtsw]

yep, doing rebase now, need local test before push the final change

[lburgazzoli]

would be better to use gomega's Eventually so that it won't fail in case the resource takes a little time to become available

[lburgazzoli]

would be better to use gomega's Eventually so that it won't fail in case the resource takes a little time to become available

[lburgazzoli]

We also probably need a negative test so that it validated that no VAP resources are created on an unsupported openshift verions

[lburgazzoli]

since enableVAP is a package variable, it may be better to set it as part of the init() function

[lburgazzoli]

this probably should use Eventually as the other one

[lburgazzoli]

Is there any specific reason to wait only 1 second ?

[zdtsw]

i moved this test case after "ValidateUpdateDeploymentsResources" test.
i think no need to wait DefaultTimeout 2mins here, if component is ready but VAP/VAPB not found

[lburgazzoli]

/test opendatahub-operator-e2e

[zdtsw]

/test opendatahub-operator-e2e

[ChristianZaccaria]

I've tested latest changes from this PR. This continues to work as expected, thanks!