Add support for Server-Side Apply finalizer management

[enarha]

This improves performance and load on the k8s API by decreasing the number of re-tries, especially on objects managed by multiple controllers. The feature is opt-in and the current use of merge patch is still the default behavior.
We introduce three controller options:

• UseServerSideApplyForFinalizers used to enable that functionality.
• FinalizerFieldManager to specify finalizer field manager, required when SSA is enabled.
• ForceApplyFinalizers to set the force option on the apply patch (default disabled).

Changes

• 🎁 Add support for Server-Side Apply finalizer management
  This improves performance and load on the k8s API by decreasing the number of re-tries, especially on objects managed by multiple controllers. The feature is opt-in and the current use of merge patch is still the default behavior.
  We introduce three controller options:
• UseServerSideApplyForFinalizers used to enable that functionality.
• FinalizerFieldManager to specify finalizer field manager, required when SSA is enabled.
• ForceApplyFinalizers to set the force option on the apply patch (default disabled).

/kind api-change

Fixes #2128

Release Note

Added support Server-Side Apply finalizer management. The feature is opt-in and the current use of merge patch is still the default behavior. Here is an example of controller options which enable and configure that functionality:

controller.Options{
    FinalizerName: "my-finalizer",
    UseServerSideApplyForFinalizers: true,
    FinalizerFieldManager: "my-finalizer-manager"
}

`UseServerSideApplyForFinalizers` enables the use Server-Side Apply for the finalizer management. If enabled, `FinalizerFieldManager` must also be provided. Use unique finalizer name and finalizer field manager to avoid conflicts. If you need to force the finalizer update, you can also add the `ForceApplyFinalizers` option and set it to `true`. That's usually not a good idea and different controllers should use different finalizer name and field manager.

IMPORTANT: 
If your controller is managing other fields using Server-Side Apply as part of its reconciliation loop (e.g. annotations), make sure you are using different filed manager for each (e.g. "my-controller/finalizers", "my-controller/annotations") to avoid accidental removal.
When switching from Merge Patch strategy to Server-Side Apply, objects caught in flight (existing on the cluster during transition) will need extra attention. Finalizer set using Merge Patch can't be removed using Server-Side Apply because filed manager (used with Server-Side Apply) does not own that field. In that case the finalizer must be removed manually.

Docs

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: enarha / name: Emil Natan (0e36a17)

[knative-prow]

Welcome @enarha! It looks like this is your first PR to knative/pkg 🎉

[knative-prow]

Hi @enarha. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cardil]

/assign @dprotaso

[dsimansk]

/ok-to-test

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.58%. Comparing base (aadc6f6) to head (0e36a17).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3275      +/-   ##
==========================================
- Coverage   74.93%   74.58%   -0.36%     
==========================================
  Files         188      188              
  Lines       10263     8184    -2079     
==========================================
- Hits         7691     6104    -1587     
+ Misses       2332     1840     -492     
  Partials      240      240              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dprotaso]

/hold

pkg release-1.20 branch was cut today. Let's revisit this after the 1.20 release next week

[enarha]

Can this PR get some attention please. I'll be happy to elaborate if you have any questions. Thank you.

[nader-ziada]

added some comments in the updateFinalizersFilteredServerSideApply func which is repeated in a bunch of places as far as I can see

[nader-ziada]

Should use %w for error wrapping

[enarha]

Here we do not return the error, just print it, so the simpler %v makes more sense and it is also consistent with the original code (merge patch). I updated the case where we return the error to use %w which allows unwrapping. If you still think I should update this one, I'll do.

[nader-ziada]

Should use %w for error wrapping

[enarha]

done

[nader-ziada]

This GVK lookup logic is duplicated below in the else condition

[enarha]

Indeed it has. It could be called before the if clause, but then it should be called on each reconciliation cycle. Instead we call it just twice in the lifetime of the object, once to set it and once to remove it, while the reconciliation loop is called 10-20 or even more times, at least on the controllers I work on. That's why I think less calls is worth the duplication, but I'll be happy to change it you think otherwise.

[enarha]

Nevermind, I moved it after the else block.

[enarha]

Updated.

[nader-ziada]

Should use %w for error wrapping

[enarha]

Agree, that makes sense as we return error.

[nader-ziada]

This patch operation logic is duplicated below as well

[enarha]

Indeed. It could be moved after the else clause with the only penalty of having less accurate log message "failed to add/remove finalizer" and "Added/removed finalizer" compared to "failed to update finalizer" and "updated finalizer". Personally I prefer the former, but I'll update so it's also inline with the merge patch method.

[enarha]

Updated. Much cleaner now.

[nader-ziada]

Is force necessary here?

[enarha]

By default it's not set as the value is set to false. We expose the ForceApplyFinalizers controller option though, so the controller implementation can set that to true. Force apply is often discussed in the context of server-side apply, so I decided to provide that flexibility to the controller implementation.

[dprotaso]

/hold cancel

[dprotaso]

Testing this downstream with - knative/serving#16217

[dprotaso]

Downstream test ran successfully. I'm good to merge once Nader's feedback is addressed.

[nader-ziada]

/lgtm

[nader-ziada]

thanks for the updates @enarha

@dprotaso good from my side, you will need to approve it if you are good

[dprotaso]

/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, enarha

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment