✨ Add CRD migrator, deprecate clusterctl upgrade CRD storage version migration

[sbueringer]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #11894

[sbueringer]

/test pull-cluster-api-e2e-main

[sbueringer]

/test pull-cluster-api-e2e-main

[JoelSpeed]

There are quite a few new files with the license stating 2024 as the year they were introduced, not sure if you wanted to update those, added a nit for one, left the others

[JoelSpeed]

Have you considered making this a string slice and allowing it to be specified with multiple values? Would all us to drop the All and mean that if we add a third phase at some point this won't become awkward

[sbueringer]

cc @fabriziopandini As you maybe have an additional opinion on this flag :)

[sbueringer]

I mostly added the All to allow folks to entire disable the CRD migrator without worrying about the phases.

The current flag supports a comma-separated list, so in general All is also not required at the moment.

[JoelSpeed]

If it can accept CSV then the string slice part of my comment isn't so important

I can see the argument for All, though, do we want users to be conscious of new phases that we discover and acknowledge that they are skipping them?

I'm not entirely sure why anyone would skip the phases, they are an important part of the lifecycle

[sbueringer]

I'm not entirely sure why anyone would skip the phases, they are an important part of the lifecycle

I think this could be interesting if:

• folks want to use the storage version migrator from upstream k/k instead of our implementation here
• have another way to handle migration between apiVersions (also in general thinking about folks that don't run conversion webhooks, even though I don't exactly know how they handle all of this :))

[fabriziopandini]

I'm ok if we want make it a slice
I also think it is acceptable to ask users to be explicit in choosing what they want skip and thus dropping All (we also have only two phases, so it will not be a long list)

[sbueringer]

Sounds good. Made it a slice and dropped All

[chrischdi]

not yet done with the review, but first finding

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sbueringer]

/test pull-cluster-api-e2e-main

[sbueringer]

/test pull-cluster-api-e2e-main

[chrischdi]

just one nit and one future idea, otherwise lgtm.

[chrischdi]

Flake:

  [FAILED] Timed out after 120.001s.
  The function passed to Eventually failed at /home/prow/go/src/sigs.k8s.io/cluster-api/test/framework/crdmigration_helpers.go:61 with:
  CustomResourceDefinition clusterclasses.cluster.x-k8s.io should have observed generation annotation with correct value
  Expected
      <map[string]string | len:2>: {
          "controller-gen.kubebuilder.io/version": "v0.17.2",
          "cert-manager.io/inject-ca-from": "capi-system/capi-serving-cert",
      }
  to have {key: value}
      <map[interface {}]interface {} | len:1>: {
          <string>"crd-migration.cluster.x-k8s.io/observed-generation": <string>"3",
      }
  In [It] at: /home/prow/go/src/sigs.k8s.io/cluster-api/test/framework/crdmigration_helpers.go:78 @ 02/26/25 20:32:05.997
  Full Stack Trace
    sigs.k8s.io/cluster-api/test/framework.ValidateCRDMigration({0x3108588, 0xc000565ea0}, {0x3120df0, 0xc000039880}, {0xc003bdd470, 0x12}, {0xc00136df20?, 0xc0016a2480?}, 0x2dfd9e8, 0xc0016042d0)
    	/home/prow/go/src/sigs.k8s.io/cluster-api/test/framework/crdmigration_helpers.go:78 +0x153
    sigs.k8s.io/cluster-api/test/e2e.init.func11.1.1({0x3120df0, 0xc000039880}, {0xc003bdd470, 0x12}, {0xc0014e4930, 0x22})
    	/home/prow/go/src/sigs.k8s.io/cluster-api/test/e2e/clusterctl_upgrade_test.go:103 +0xb7
    sigs.k8s.io/cluster-api/test/e2e.ClusterctlUpgradeSpec.func2()
    	/home/prow/go/src/sigs.k8s.io/cluster-api/test/e2e/clusterctl_upgrade.go:705 +0x463f

[sbueringer]

Not sure if it's a flake. Had the same error yesterday, improved the error message slightly. Now going to debug it though :)

[sbueringer]

Not sure what we want to do with providers. At the moment it doesn't matter because it's v1alpha3 and we don't touch it at all

[chrischdi]

maybe make it a overwritable func?

But also good enough to fixup once we start using it in a provider e2e

[sbueringer]

This whole thing is already overridable / configurable if a infra provider runs this test :)

What I meant with providers is the providers CRD. Currently I. did not configure any CRDMigrator to migrate the providers CRD (literally the CRD with the name: providers.clusterctl.cluster.x-k8s.io)

[sbueringer]

Okay that was an easy fix

									// ClusterTopology feature is disabled via the CLUSTER_TOPOLOGY variable below,
									// so we can't expect the CRD migrator to migrate the ClusterClass CRD.
									crd.Name != "clusterclasses.cluster.x-k8s.io"

[sbueringer]

/test pull-cluster-api-e2e-main

[fabriziopandini]

Awesome work, the integration test alone is a amazing.

[fabriziopandini]

I'm ok if we want make it a slice
I also think it is acceptable to ask users to be explicit in choosing what they want skip and thus dropping All (we also have only two phases, so it will not be a long list)

[sbueringer]

Findings should be all addressed. Thx everyone for the reviews!

I'll run the e2e test locally to see what's going on there

[sbueringer]

Should be hopefully green now

/test pull-cluster-api-e2e-main

[sbueringer]

@JoelSpeed @fabriziopandini @chrischdi

e2e tests are now also all green. Findings should be addressed, PTAL :)

[JoelSpeed]

I wonder if we want to try and condense the CRD rbac by setting the resource name multiple times. It appears the RBAC generator doesn't do any sort of condensing of duplicate rules that only differ by resource name entries

[sbueringer]

/test pull-cluster-api-e2e-main