Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions .github/workflows/openapi-schema-check.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: OpenAPI Schema Check

on:
schedule:
# Run daily at 7:00 AM UTC
- cron: '0 7 * * *'
workflow_dispatch: # Allow manual trigger

permissions:
contents: write
pull-requests: write
Comment on lines +10 to +11

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there finer grained permissions that can be granted. These are pretty broad.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are already the minimum required permissions for peter-evans/create-pull-request - contents: write to push the commit and pull-requests: write to create the PR. This matches the permissions used by doc-updater.yml in this repo. There are no finer-grained alternatives for this use case where we want to automatically create PRs.

What restrictions/rules did you have in mind?


jobs:
check-schemas:
name: Check OpenAPI Schemas
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Install dependencies
run: |
YQ_VERSION="v4.53.2"
YQ_SHA256="d56bf5c6819e8e696340c312bd70f849dc1678a7cda9c2ad63eebd906371d56b"
curl -sL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o /usr/local/bin/yq
echo "${YQ_SHA256} /usr/local/bin/yq" | sha256sum -c -
Comment thread
imiller0 marked this conversation as resolved.
chmod +x /usr/local/bin/yq
pip install PyYAML==6.0.2

- name: Regenerate OpenAPI schemas
run: make generate-openapi-schemas

- name: Create Pull Request
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: 'chore: Update OpenAPI schemas for PolicyGenerator'
committer: GitHub Actions Bot <actions@github.com>
author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
branch: update-openapi-schemas
delete-branch: true
title: 'Update OpenAPI schemas for PolicyGenerator list merging'
body: |
## Automated OpenAPI Schema Update

The `schema.openapi` files used by ACM PolicyGenerator for strategic
list merging are out of date with respect to the current Subscription
channels and upstream CRDs.

### Changed files
- `hack/crd-schema-config.json` — updated channels / refs
- `telco-ran/.../acmpolicygenerator/schema.openapi`
- `telco-core/configuration/schema.openapi`

### How to Review
- Verify the updated refs match the expected operator release branches
- Check that merge keys are still correct for the new CRD versions

---
*This PR was automatically generated by `make generate-openapi-schemas`.*
labels: |
automated
25 changes: 25 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,31 @@ test-kustomize: ## Validate all kustomization.yaml files can build
test-shellcheck: ## Validate shell scripts with shellcheck
./hack/test-shellcheck.sh

.PHONY: generate-schema-config
generate-schema-config: ## Regenerate hack/crd-schema-config.json from Subscription CRs
python3 hack/generate-schema-config.py

.PHONY: generate-openapi-schemas
generate-openapi-schemas: generate-schema-config ## Regenerate schema.openapi files from CRDs for ACM PolicyGenerator
python3 hack/extract-schema.py --config hack/crd-schema-config.json --component ran \
-o telco-ran/configuration/argocd/example/acmpolicygenerator/schema.openapi
cp telco-ran/configuration/argocd/example/acmpolicygenerator/schema.openapi \
telco-ran/configuration/argocd/example/acmpolicygenerator/hub-side-templating/schema.openapi
python3 hack/extract-schema.py --config hack/crd-schema-config.json --component core \
-o telco-core/configuration/schema.openapi

.PHONY: check-openapi-schemas
check-openapi-schemas: generate-openapi-schemas ## Verify schema.openapi files are up-to-date
@if ! git diff --exit-code hack/crd-schema-config.json \
telco-ran/configuration/argocd/example/acmpolicygenerator/schema.openapi \
telco-ran/configuration/argocd/example/acmpolicygenerator/hub-side-templating/schema.openapi \
telco-core/configuration/schema.openapi; then \
echo ""; \
echo "ERROR: OpenAPI schema files are out of date."; \
echo "Run 'make generate-openapi-schemas' and commit the result."; \
exit 1; \
fi

ci-validate: lintCheck check-reference-core check-reference-ran check-reference-hub

.PHONY: check-reference-core
Expand Down
25 changes: 20 additions & 5 deletions VERSION_UPDATE_GUIDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -77,14 +77,29 @@ patches:
- Update PolicyGenerator placement specifications which use version
- Policy generator policy names MUST use version numbers which match the OpenShift version number (e.g., `core-cluster-config-4.23`)

### 3. Image references
### 3. OpenAPI Schema for PolicyGenerator List Merging

Regenerate the OpenAPI schemas for PolicyGenerator list merging:

```bash
make generate-openapi-schemas
```

This first regenerates `hack/crd-schema-config.json` from the Subscription CRs
(picking up updated channels and refs), then regenerates the `schema.openapi`
files in `telco-ran` and `telco-core` from upstream CRDs. If an operator's
GitHub branch naming convention does not match its Subscription channel (e.g.,
the branch is `v6.5` instead of `release-6.5`), manually update the `ref` field
for that CRD entry in `hack/crd-schema-config.json`.

### 4. Image references
The reference configuration includes image pullspecs in several places which use version specific tags for the image. These must be updated. These pullspecs may be in the reference-crs or in PolicyGenerator patches. Common places where image tags are used include:
- CatalogSource images -- Update both the reference-cr and the PolicyGenerator overlay patch to align with the OpenShift version
- Numa Resources Operator (NROP) -- Update image spec in the Scheduler (sched.yaml) and PolicyGenerator overlay patch to align with the OpenShift version
- Upgrade policy -- Update the version and image pull spec in the PolicyGenerator overlay patch to align with the OpenShift version
- The telco-hub reference includes a plugins Policy CR with image pullspec references which must be updated to the correct versions. The ztp-site-generate image aligns with OpenShift. The multicluster-operator image aligns with MCE.

### 4. ACM AgentServiceConfig
### 5. ACM AgentServiceConfig

Add new OpenShift version osImages entries and remove the oldest version to maintain only 3 versions:

Expand Down Expand Up @@ -115,15 +130,15 @@ osImages:

**Note**: The kube-compare variant uses templating and doesn't require manual entry removal - it renders from the actual config.

### 5. Mirror Registry Configuration
### 6. Mirror Registry Configuration

**File**: `telco-hub/install/mirror-registry/imageset-config.yaml`

The versions of each component in the mirror configuration must be updated. These versions must align with the changes made in corresponding Subscription updates.
- Mirroring versions MUST match the Subscription versions for each operator
- The additional images MUST include the images specified in the Hub reference plugins Policy

### 6. Installation Examples (ClusterInstance)
### 7. Installation Examples (ClusterInstance)

Find all ClusterInstance CRs (`kind: ClusterInstance`) and update clusterImageSetNameRef to align with the OpenShift version:

Expand All @@ -138,7 +153,7 @@ Find all ClusterInstance CRs (`kind: ClusterInstance`) and update clusterImageSe
Change: `clusterImageSetNameRef: "openshift-4.22"` → `"openshift-4.23"`


### 7. Other locations
### 8. Other locations
Other versioning information to be reviewed and updated
- Annotations added in PolicyGenerator overlay patches to trigger non-compliance, eg `noop-for-triggering-noncompliance: "22"`
- Descriptive text in metadata.yaml, eg `This reference was designed for OpenShift 4.22`
Expand Down
138 changes: 138 additions & 0 deletions hack/crd-schema-config.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
{
"_comment": [
"Single source of truth for OpenAPI schema generation.",
"Static fields (source, merge_keys, version, package_name, ref_rule)",
"are manually maintained.",
"Dynamic fields (subscription_channel, components, source.github.ref)",
"are updated by: python3 hack/generate-schema-config.py",
Comment on lines +4 to +7

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to separate the static and dynamic/derived data into separate files? Perhaps yaml file listing the static (human generated) data.
Do we need persistence of the dynamic data, or is it for archival/informational purposes (ie a log of what was found)?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The dynamic fields (subscription_channel, components, source.github.ref) are needed by extract-schema.py to know which GitHub branch to fetch CRDs from - they're not just informational. generate-schema-config.py updates them in-place while preserving the static fields (source.github.{owner,repo,path},merge_keys, version, ref_rule).

Splitting into two files would add complexity to the merge/read logic, since the round-trip update preserves static fields and git diff shows exactly what changed. The _comment block at the top documents which fields are static vs dynamic.

We can revisit if the config grows significantly, but for 6 CRD entries the single file keeps things simple.
WDYT?

"To regenerate schemas: make generate-openapi-schemas"
],
"crds": [
{
"name": "PtpConfig",
"package_name": "ptp-operator",
"ref_rule": "release-ocp",
"components": [
"ran"
],
"subscription_channel": "stable",
"source": {
"github": {
"owner": "openshift",
"repo": "ptp-operator",
"ref": "release-4.22",
"path": "config/crd/bases/ptp.openshift.io_ptpconfigs.yaml"
}
},
"merge_keys": {
"spec.profile": "name",
"spec.recommend": "profile",
"status.matchList": "nodeName"
}
},
{
"name": "ClusterLogForwarder",
"package_name": "cluster-logging",
"ref_rule": "release-channel",
"components": [
"core",
"ran"
],
"subscription_channel": "stable-6.5",
"source": {
"github": {
"owner": "openshift",
"repo": "cluster-logging-operator",
"ref": "release-6.5",
"path": "config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml"
}
},
"merge_keys": {
"spec.filters": "name",
"spec.inputs": "name",
"spec.outputs": "name",
"spec.pipelines": "name"
}
},
{
"name": "Tuned",
"ref_rule": "release-ocp",
"components": [
"core",
"ran"
],
"subscription_channel": "built-in (NTO)",
"source": {
"github": {
"owner": "openshift",
"repo": "cluster-node-tuning-operator",
"ref": "release-4.22",
"path": "manifests/20-tuned.crd.yaml"
}
},
"merge_keys": {
"spec.profile": "name",
"spec.recommend": "profile"
}
},
{
"name": "PerformanceProfile",
"version": "v2",
"ref_rule": "release-ocp",
"components": [
"core",
"ran"
],
"subscription_channel": "built-in (NTO)",
"source": {
"github": {
"owner": "openshift",
"repo": "cluster-node-tuning-operator",
"ref": "release-4.22",
"path": "manifests/20-performance-profile.crd.yaml"
}
},
"merge_keys": {}
},
{
"name": "NUMAResourcesOperator",
"package_name": "numaresources-operator",
"ref_rule": "release-ocp",
"components": [
"core"
],
"subscription_channel": "4.22",
"source": {
"github": {
"owner": "openshift-kni",
"repo": "numaresources-operator",
"ref": "release-4.22",
"path": "config/crd/bases/nodetopology.openshift.io_numaresourcesoperators.yaml"
}
},
"merge_keys": {
"spec.nodeGroups": "poolName"
}
},
{
"name": "ImageDigestMirrorSet",
"ref_rule": "release-ocp",
"components": [
"core",
"ran"
],
"subscription_channel": "built-in (OCP)",
"source": {
"github": {
"owner": "openshift",
"repo": "api",
"ref": "release-4.22",
"path": "config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagedigestmirrorsets.crd.yaml"
}
},
"merge_keys": {
"spec.imageDigestMirrors": "source"
}
}
]
}
Loading
Loading