Merge pull request #173 from lwan-wanglin/merge-upstream-v1x-to-ocp-v1x

Merge upstream v1x to ocp v1x

Author: openshift-merge-bot[bot]

CLAUDE.md

@@ -160,8 +160,9 @@ Only one mode can be active at a time. Each mode has its own leader election ID.
 1. Webhook adds scheduling gate to pod, preventing scheduling
 2. PodReconciler watches gated pods
 3. Inspects container images to determine supported architectures
-4. Adds nodeAffinity requirement for kubernetes.io/arch
-5. Removes scheduling gate, allowing scheduler to place pod
+4. If image inspection fails and `fallbackArchitecture` is configured, uses the fallback architecture
+5. Adds nodeAffinity requirement for kubernetes.io/arch
+6. Removes scheduling gate, allowing scheduler to place pod
 
 **Image Inspection** (pkg/image/):
 - Supports multi-arch manifests (OCI, Docker v2.2)
@@ -237,6 +238,7 @@ The operator binary runs in four mutually exclusive modes (controlled by flags i
   - `logVerbosity`: Normal, Debug, Trace, TraceAll
   - `namespaceSelector`: Label selector for processed namespaces
   - `plugins`: Optional plugins configuration (e.g., NodeAffinityScoring for preferred scheduling)
+  - `fallbackArchitecture`: Architecture to use when image inspector cannot determine image architecture (arm64, amd64, ppc64le, s390x, or empty string)
 - Status conditions: Available, Progressing, Degraded, Deprovisioning, PodPlacementControllerNotRolledOut, PodPlacementWebhookNotRolledOut, MutatingWebhookConfigurationNotAvailable
 
 

Dockerfile

@@ -9,8 +9,10 @@ ARG TARGETARCH
 # This only affects the builder stage (used during compilation) and does not impact the
 # security of the final runtime image, which runs as USER 65532:65532 (non-root).
 USER 0
-RUN if which apt-get; then apt-get update && apt-get install -y libgpgme-dev && apt-get -y clean autoclean; \
-    elif which dnf; then dnf install -y gpgme-devel && dnf clean all -y; fi;
+RUN if ! pkg-config --exists gpgme 2>/dev/null; then \
+        if which apt-get; then apt-get update && apt-get install -y libgpgme-dev && apt-get -y clean autoclean; \
+        elif which dnf; then dnf install -y gpgme-devel && dnf clean all -y; fi; \
+    fi
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -31,8 +33,8 @@ COPY pkg/ pkg/
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
-RUN CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o enoexec-daemon cmd/enoexec-daemon/main.go
+RUN GOGC=75 CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
+RUN GOGC=75 CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o enoexec-daemon cmd/enoexec-daemon/main.go
 
 
 # Use UBI minimal as base image to package the manager binary
@@ -45,9 +47,9 @@ USER 65532:65532
 LABEL com.redhat.component="Multiarch Tuning Operator"
 LABEL distribution-scope="public"
 LABEL name="multiarch-tuning/multiarch-tuning-operator"
-LABEL release="1.2.2"
-LABEL version="1.2.2"
-LABEL cpe="cpe:/a:redhat:multiarch_tuning_operator:1.2::el9"
+LABEL release="1.3.0"
+LABEL version="1.3.0"
+LABEL cpe="cpe:/a:redhat:multiarch_tuning_operator:1.3::el9"
 LABEL url="https://github.com/openshift/multiarch-tuning-operator"
 LABEL vendor="Red Hat, Inc."
 LABEL description="The Multiarch Tuning Operator enhances the user experience for administrators of Openshift \

Makefile

@@ -9,7 +9,7 @@ ARTIFACT_DIR ?= ./_output
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.2.2
+VERSION ?= 1.3.0
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -71,15 +71,15 @@ IMG ?= registry.ci.openshift.org/origin/multiarch-tuning-operator:v1.x
 #### Tool Versions ####
 ### TODO: NOTE: Update these values to match the versions of the K8S API when pivoting to a new version of K8S.
 # https://github.com/kubernetes-sigs/kustomize/releases
-KUSTOMIZE_VERSION ?= v5.8.0
+KUSTOMIZE_VERSION ?= v5.8.1
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_TOOLS_VERSION ?= v0.19.0
 # https://github.com/kubernetes-sigs/controller-runtime/branches
 SETUP_ENVTEST_VERSION ?= release-0.22
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.34.1
 # https://github.com/golangci/golangci-lint/releases
-GOLINT_VERSION = v2.7.2
+GOLINT_VERSION = v2.10.1
 
 # TODO: We'd need an upstream builder image that includes gpgme-devel (libgpgme-dev)
 BUILD_IMAGE ?= registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.21

api/common/plugins/base_plugin.go

@@ -20,7 +20,30 @@ import "github.com/openshift/multiarch-tuning-operator/api/common"
 
 // +k8s:deepcopy-gen=package
 
-// Plugins represents the plugins configuration.
+// LocalPlugins represents the plugins configuration for podplacementconfigs resource.
+// +kubebuilder:object:generate=true
+type LocalPlugins struct {
+	NodeAffinityScoring *NodeAffinityScoring `json:"nodeAffinityScoring,omitempty"`
+}
+
+// localPluginChecks is a map that associates a plugin name with a function that can
+// safely check if that specific plugin is enabled on a LocalPlugins struct.
+var localPluginChecks = map[common.Plugin]func(lp *LocalPlugins) bool{
+	common.NodeAffinityScoringPluginName: func(lp *LocalPlugins) bool {
+		return lp.NodeAffinityScoring != nil && lp.NodeAffinityScoring.IsEnabled()
+	},
+}
+
+// PluginEnabled provides a generic and safe way to check if a specific plugin is enabled.
+// It handles the case where the LocalPlugins struct itself is nil.
+func (lp *LocalPlugins) PluginEnabled(plugin common.Plugin) bool {
+	if checkFunc, found := localPluginChecks[plugin]; found {
+		return checkFunc(lp)
+	}
+	return false
+}
+
+// Plugins represents the plugins configuration for cluster pod placement config.
 // +kubebuilder:object:generate=true
 type Plugins struct {
 	NodeAffinityScoring *NodeAffinityScoring `json:"nodeAffinityScoring,omitempty"`

api/common/plugins/nodeaffinityscoring_plugin.go

@@ -16,6 +16,8 @@ limitations under the License.
 
 package plugins
 
+import "fmt"
+
 const (
 	// PluginName for NodeAffinityScoring.
 	NodeAffinityScoringPluginName = "NodeAffinityScoring"
@@ -30,6 +32,19 @@ type NodeAffinityScoring struct {
 	Platforms []NodeAffinityScoringPlatformTerm `json:"platforms" protobuf:"bytes,2,opt,name=platforms"`
 }
 
+// ValidateArchitecturesSet checks whether duplicate architectures are set in NodeAffinityScoring
+func (n *NodeAffinityScoring) ValidateArchitecturesSet() (bool, error) {
+	seen := make(map[string]struct{})
+	for _, term := range n.Platforms {
+		if _, exists := seen[term.Architecture]; exists {
+			return false, fmt.Errorf("duplicate architecture %q found in nodeAffinityScoring.platforms", term.Architecture)
+		}
+
+		seen[term.Architecture] = struct{}{}
+	}
+	return true, nil
+}
+
 // NodeAffinityScoringPlatformTerm holds configuration for specific platforms, with required fields validated.
 type NodeAffinityScoringPlatformTerm struct {
 	// Architecture must be a list of non-empty string of arch names.

api/common/plugins/zz_generated.deepcopy.go

@@ -22,6 +22,8 @@ import (
 	multiarchv1beta1 "github.com/openshift/multiarch-tuning-operator/api/v1beta1"
 )
 
+const FallbackArchAnnotation = "multiarch.openshift.io/fallback-architecture"
+
 // ConvertTo converts this ClusterPodPlacementConfig to the Hub version v1beta1.
 func (src *ClusterPodPlacementConfig) ConvertTo(dstRaw conversion.Hub) error {
 	dst := dstRaw.(*multiarchv1beta1.ClusterPodPlacementConfig)
@@ -32,6 +34,11 @@ func (src *ClusterPodPlacementConfig) ConvertTo(dstRaw conversion.Hub) error {
 	// Spec
 	dst.Spec.LogVerbosity = src.Spec.LogVerbosity
 	dst.Spec.NamespaceSelector = src.Spec.NamespaceSelector
+	// Restore FallbackArchitecture from the annotation, if present.
+	// This ensures the value is preserved across API version conversions.
+	if arch, ok := src.Annotations[FallbackArchAnnotation]; ok {
+		dst.Spec.FallbackArchitecture = arch
+	}
 
 	// Status
 	dst.Status.Conditions = src.Status.Conditions
@@ -51,6 +58,17 @@ func (dst *ClusterPodPlacementConfig) ConvertFrom(srcRaw conversion.Hub) error {
 
 	// ObjectMeta
 	dst.ObjectMeta = src.ObjectMeta
+	// v1alpha1 does not have the FallbackArchitecture field.
+	// Preserve the value in an annotation to avoid data loss during
+	// v1beta1 -> v1alpha1 -> v1beta1 round-trip conversions.
+	if dst.Annotations == nil {
+		dst.Annotations = make(map[string]string)
+	}
+	if src.Spec.FallbackArchitecture != "" {
+		dst.Annotations[FallbackArchAnnotation] = src.Spec.FallbackArchitecture
+	} else {
+		delete(dst.Annotations, FallbackArchAnnotation)
+	}
 
 	// Spec
 	dst.Spec.LogVerbosity = src.Spec.LogVerbosity

api/v1alpha1/clusterPodPlacementConfig_conversion.go

@@ -48,6 +48,14 @@ type ClusterPodPlacementConfigSpec struct {
 	// This field is optional and will be omitted from the output if not set.
 	// +optional
 	Plugins *plugins.Plugins `json:"plugins,omitempty"`
+
+	// FallbackArchitecture defines the architecture to use if the image inspector cannot determine the image's architecture.
+	// If configured, the PodPlacementController will set the node affinity of the pod to the fallback architecture
+	// if the image inspector cannot determine the image's architecture.
+	// +optional
+	// +kubebuilder:default=""
+	// +kubebuilder:validation:Enum=arm64;amd64;ppc64le;s390x;""
+	FallbackArchitecture string `json:"fallbackArchitecture,omitempty"`
 }
 
 // ClusterPodPlacementConfigStatus defines the observed state of ClusterPodPlacementConfig

api/v1beta1/clusterpodplacementconfig_types.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2023 Red Hat, Inc.
+Copyright 2025 Red Hat, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,24 +19,34 @@ package v1beta1
 import (
 	"context"
 	"errors"
+	"fmt"
 
-	runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-// +kubebuilder:webhook:path=/validate-multiarch-openshift-io-v1beta1-clusterpodplacementconfig,mutating=false,failurePolicy=fail,sideEffects=None,groups=multiarch.openshift.io,resources=clusterpodplacementconfigs,verbs=create;update,versions=v1beta1,name=validate-clusterpodplacementconfig.multiarch.openshift.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/validate-multiarch-openshift-io-v1beta1-clusterpodplacementconfig,mutating=false,failurePolicy=fail,sideEffects=None,groups=multiarch.openshift.io,resources=clusterpodplacementconfigs,verbs=create;update;delete,versions=v1beta1,name=validate-clusterpodplacementconfig.multiarch.openshift.io,admissionReviewVersions=v1
 
 func (c *ClusterPodPlacementConfig) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).
-		WithValidator(&ClusterPodPlacementConfigValidator{}).
+		WithValidator(&ClusterPodPlacementConfigValidator{
+			Client: mgr.GetClient(),
+		}).
 		Complete()
 }
 
+// ClusterPodPlacementConfigValidator validates ClusterPodPlacementConfig resources
+// +kubebuilder:object:generate=false
 type ClusterPodPlacementConfigValidator struct {
+	Client client.Client
 }
 
+var _ webhook.CustomValidator = &ClusterPodPlacementConfigValidator{}
+
 func (v *ClusterPodPlacementConfigValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
 	return v.validate(obj)
 }
@@ -46,6 +56,14 @@ func (v *ClusterPodPlacementConfigValidator) ValidateUpdate(ctx context.Context,
 }
 
 func (v *ClusterPodPlacementConfigValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (warnings admission.Warnings, err error) {
+	// Check if any local PodPlacementConfig exists. If exists, deny deletion of ClusterPodPlacementConfig.
+	existingPPCs := &PodPlacementConfigList{}
+	if err := v.Client.List(ctx, existingPPCs); err != nil {
+		return nil, fmt.Errorf("failed to list existing PodPlacementConfigs: %w", err)
+	}
+	if len(existingPPCs.Items) != 0 {
+		return nil, fmt.Errorf("cannot delete ClusterPodPlacementConfig while local PodPlacementConfigs still exist")
+	}
 	return nil, nil
 }
 

api/v1beta1/clusterpodplacementconfig_webhook.go

@@ -37,5 +37,7 @@ var (
 
 const ClusterPodPlacementConfigResource = "clusterpodplacementconfigs"
 const ClusterPodPlacementConfigKind = "ClusterPodPlacementConfig"
+const PodPlacementConfigResource = "podplacementconfigs"
+const PodPlacementConfigKind = "PodPlacementConfig"
 const ENoExecEventKind = "ENoExecEvent"
 const ENoExecEventResource = "enoexecevents"