feat(validate): enforce artifact apiVersion compatibility#1387
Conversation
Coverage Report ✅
Coverage BadgeMerging this branch will increase overall coverage
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Enterprise Run ID: 📒 Files selected for processing (15)
📝 WalkthroughWalkthroughThis PR establishes a single source of truth for the AICR artifact Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
The artifact apiVersion (aicr.nvidia.com/v1alpha1) was redefined as
several independent string literals and was never enforced on read:
snapshot loading ignored it entirely and recipe loading checked only
Kind. A mismatched or incompatible artifact loaded silently and could
surface later as a confusing validation failure.
- Single source of truth: add header.GroupVersion (+ APIGroup,
APIVersionV1Alpha1) and repoint snapshotter.FullAPIVersion,
recipe.RecipeAPIVersion, recipe.RecipeCriteriaAPIVersion, and
config.APIVersion to it.
- Compatibility gate: header.IsSupportedAPIVersion drives accept-known
/ reject-unknown enforcement. The recipe loader and a new
context-aware snapshotter.LoadFromFile{,WithKubeconfig} (which
validate, query, and diff route through) reject a non-empty
unsupported apiVersion with ErrCodeInvalidRequest. Empty is tolerated
for older artifacts that predate the field.
- ADR-011 documents the single-source rule, additive-only-within-version
evolution policy, the reject-unknown gate, and the transition-window
approach for a future bump (no bump to v1alpha2 now).
Closes #1385
147db76 to
62fb2b1
Compare
Summary
Make the AICR artifact
apiVersiona single-sourced, enforced compatibility contract: consolidate the duplicate literals intoheader.GroupVersion, and gate the recipe and snapshot loaders to reject artifacts stamped with an unsupportedapiVersion.Motivation / Context
The artifact
apiVersion(aicr.nvidia.com/v1alpha1) was redefined as ~5 independent string literals (snapshotter, recipe result + criteria, config) and was never enforced on read — snapshot loading ignored it entirely, recipe loading checked onlyKind. A mismatched or incompatible artifact loaded silently and could surface later as a confusing validation failure. This is the durable, schema-level follow-up to the advisory binary-version warning in #1386.Fixes: #1385
Related: #1386
Type of Change
Component(s) Affected
cmd/aicr,pkg/cli)pkg/recipe)pkg/collector,pkg/snapshotter)pkg/errors,pkg/k8s) —pkg/header,pkg/configdocs/,examples/)Implementation Notes
pkg/headergainsAPIGroup,APIVersionV1Alpha1, and canonicalGroupVersion.snapshotter.FullAPIVersion,recipe.RecipeAPIVersion,recipe.RecipeCriteriaAPIVersion, andconfig.APIVersionnow alias it.header.IsSupportedAPIVersiondrives enforcement. The recipe loader (LoadFromFileWithProvider, shared by CLI + server viapkg/client/v1) and a new context-awaresnapshotter.LoadFromFile{,WithKubeconfig}reject a non-empty unsupportedapiVersionwithErrCodeInvalidRequest.validate,query, anddiffroute snapshot loads through the new loader. EmptyapiVersionstays accepted for older artifacts (mirrors the existing empty-Kindtolerance).v1alpha2: no breaking schema change is made; bumping with no change would orphan existing artifacts. ADR-011 documents the evolution policy and the transition-window approach for a future bump.Testing
New table-driven tests: recipe + snapshot loaders (accept known/empty, reject unknown), and
header.IsSupportedAPIVersion/GroupVersion.Risk Assessment
v1alpha1or empty). Adds a fail-closed gate only for unsupported versions; easy to revert.Rollout notes: No new flags. An artifact with an unsupported
apiVersionnow fails at load with an actionable error instead of failing obscurely downstream.Checklist
make testwith-race)make lint)git commit -S)