OCPBUGS-81627: Load ClusterResourceQuota CRD before CVO manifests

[zaneb]

The CRD ClusterResourceQuota is required by kube-apiserver in order to access any namespaced resource. Therefore, during bootstrapping it must be applied prior to serveral of the resource manifests that are contributed by the Cluster Version Operator, which (creates a Deployment and several related resources in the cluster-version-operator namespace). This can result in the apiserver failing its startup checks before the ClusterResourceQuota is applied, and going into a failure loop from which it never recovers.

Therefore rename the manifest file from 0000_03_config-operator_... to 0000_00_apiserver_... to ensure that it sorts before the 0000_00_cluster-version-operator_* manifests.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @zaneb! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci-robot]

@zaneb: This pull request references Jira Issue OCPBUGS-81627, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The CRD ClusterResourceQuota is required by kube-apiserver in order to access any namespaced resource. Therefore, during bootstrapping it must be applied prior to serveral of the resource manifests that are contributed by the Cluster Version Operator, which (creates a Deployment and several related resources in the cluster-version-operator namespace). This can result in the apiserver failing its startup checks before the ClusterResourceQuota is applied, and going into a failure loop from which it never recovers.

Therefore rename the manifest file from 0000_03_config-operator_... to 0000_00_apiserver_... to ensure that it sorts before the 0000_00_cluster-version-operator_* manifests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: d569bf21-068f-4a87-852e-f64be5de51f8

📥 Commits

Reviewing files that changed from the base of the PR and between 7b2e6a6 and e63c0d5.

⛔ Files ignored due to path filters (2)

• quota/v1/zz_generated.crd-manifests/0000_00_apiserver_01_clusterresourcequotas.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• quota/v1/zz_generated.featuregated-crd-manifests/clusterresourcequotas.quota.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**

📒 Files selected for processing (5)

• hack/update-payload-crds.sh
• payload-manifests/crds/0000_00_apiserver_01_clusterresourcequotas.crd.yaml
• quota/v1/generated.proto
• quota/v1/types.go
• quota/v1/zz_generated.featuregated-crd-manifests.yaml

✅ Files skipped from review due to trivial changes (2)

• quota/v1/types.go
• quota/v1/generated.proto

🚧 Files skipped from review as they are similar to previous changes (2)

• hack/update-payload-crds.sh
• quota/v1/zz_generated.featuregated-crd-manifests.yaml

---

📝 Walkthrough

Walkthrough

The pull request reassigns the ClusterResourceQuota CRD ownership from config-operator to apiserver by updating the kubebuilder/OpenShift +openshift:file-pattern annotation in quota/v1/types.go and the corresponding entry in the generated CRD manifest. The run level is changed from 0000_03 to 0000_00. Additionally, the hack/update-payload-crds.sh script's glob for quota/v1/zz_generated.crd-manifests/ was changed to select *.crd.yaml files.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Load ClusterResourceQuota CRD before Cluster Version Operator manifests

🐞 Bug fix

Walkthroughs

Description

• Reorder ClusterResourceQuota CRD manifest loading before CVO manifests
• Change CRD run level from 0000_03 to 0000_00 for earlier bootstrap
• Update operator name from config-operator to apiserver
• Fix manifest glob pattern in update-payload-crds.sh script

Diagram

flowchart LR
  A["ClusterResourceQuota CRD"] -->|"run level: 0000_00"| B["Early Bootstrap"]
  B -->|"before"| C["CVO Manifests 0000_00"]
  C -->|"enables"| D["kube-apiserver startup"]

Loading

File Changes

1. quota/v1/types.go ⚙️ Configuration changes +1/-1

Update CRD file-pattern annotation for early bootstrap

• Updated openshift:file-pattern annotation to reflect new load order
• Changed cvoRunLevel from 0000_03 to 0000_00
• Changed operatorName from config-operator to apiserver

quota/v1/types.go

---

2. hack/update-payload-crds.sh ⚙️ Configuration changes +1/-1

Update quota CRD manifest glob pattern

• Modified quota CRD glob pattern from operator-specific to generic
• Changed from *_config-operator_*.crd*yaml to *.crd.yaml
• Allows quota CRD to be picked up with new naming convention

hack/update-payload-crds.sh

---

3. quota/v1/zz_generated.featuregated-crd-manifests.yaml Miscellaneous +2/-2

Update generated CRD manifest metadata

• Updated FilenameOperatorName from config-operator to apiserver
• Updated FilenameRunLevel from 0000_03 to 0000_00
• Reflects new manifest load order priority

quota/v1/zz_generated.featuregated-crd-manifests.yaml

---

View more (3)

4. quota/v1/zz_generated.featuregated-crd-manifests/clusterresourcequotas.quota.openshift.io/AAA_ungated.yaml Miscellaneous +2/-2

Update CRD manifest annotations for load order

• Updated api.openshift.io/filename-cvo-runlevel annotation from 0000_03 to 0000_00
• Updated api.openshift.io/filename-operator annotation from config-operator to apiserver
• Ensures CRD loads before CVO during cluster bootstrap

quota/v1/zz_generated.featuregated-crd-manifests/clusterresourcequotas.quota.openshift.io/AAA_ungated.yaml

---

5. payload-manifests/crds/0000_00_apiserver_01_clusterresourcequotas.crd.yaml Additional files +0/-0

...

payload-manifests/crds/0000_00_apiserver_01_clusterresourcequotas.crd.yaml

---

6. quota/v1/zz_generated.crd-manifests/0000_00_apiserver_01_clusterresourcequotas.crd.yaml Additional files +0/-0

...

quota/v1/zz_generated.crd-manifests/0000_00_apiserver_01_clusterresourcequotas.crd.yaml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

ⓘ The new review experience is currently in Beta. Learn more

[openshift-ci]

@zaneb: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-crd-schema	e63c0d5	link	true	/test verify-crd-schema

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[zaneb]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-agent-compact-fips

[openshift-ci]

@zaneb: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-agent-compact-fips

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/90910a40-3246-11f1-9929-2c73dfa108b9-0

[wking]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wking
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor