OTA-1010: release extract: --include works for a minor level update

Author: hongkailiu

credentials-requests/0000_30_machine-api-operator_00_credentials-request.yaml

@@ -0,0 +1,63 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    capability.openshift.io/name: MachineAPI
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: openshift-machine-api-aws
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - ec2:CreateTags
+      - ec2:DescribeAvailabilityZones
+      - ec2:DescribeDhcpOptions
+      - ec2:DescribeImages
+      - ec2:DescribeInstances
+      - ec2:DescribeInstanceTypes
+      - ec2:DescribeInternetGateways
+      - ec2:DescribeSecurityGroups
+      - ec2:DescribeRegions
+      - ec2:DescribeSubnets
+      - ec2:DescribeVpcs
+      - ec2:RunInstances
+      - ec2:TerminateInstances
+      - elasticloadbalancing:DescribeLoadBalancers
+      - elasticloadbalancing:DescribeTargetGroups
+      - elasticloadbalancing:DescribeTargetHealth
+      - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+      - elasticloadbalancing:RegisterTargets
+      - elasticloadbalancing:DeregisterTargets
+      - iam:PassRole
+      - iam:CreateServiceLinkedRole
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:Decrypt
+      - kms:Encrypt
+      - kms:GenerateDataKey
+      - kms:GenerateDataKeyWithoutPlainText
+      - kms:DescribeKey
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:RevokeGrant
+      - kms:CreateGrant
+      - kms:ListGrants
+      effect: Allow
+      policyCondition:
+        Bool:
+          kms:GrantIsForAWSResource: true
+      resource: '*'
+  secretRef:
+    name: aws-cloud-credentials
+    namespace: openshift-machine-api
+  serviceAccountNames:
+  - machine-api-controllers

credentials-requests/0000_50_cloud-credential-operator_05-iam-ro-credentialsrequest.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    exclude.release.openshift.io/internal-openshift-hosted: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  name: cloud-credential-operator-iam-ro
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - iam:GetUser
+      - iam:GetUserPolicy
+      - iam:ListAccessKeys
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: cloud-credential-operator-iam-ro-creds
+    namespace: openshift-cloud-credential-operator
+  serviceAccountNames:
+  - cloud-credential-operator

credentials-requests/0000_50_cluster-image-registry-operator_01-registry-credentials-request.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    capability.openshift.io/name: ImageRegistry
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: openshift-image-registry
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - s3:CreateBucket
+      - s3:DeleteBucket
+      - s3:PutBucketTagging
+      - s3:GetBucketTagging
+      - s3:PutBucketPublicAccessBlock
+      - s3:GetBucketPublicAccessBlock
+      - s3:PutEncryptionConfiguration
+      - s3:GetEncryptionConfiguration
+      - s3:PutLifecycleConfiguration
+      - s3:GetLifecycleConfiguration
+      - s3:GetBucketLocation
+      - s3:ListBucket
+      - s3:GetObject
+      - s3:PutObject
+      - s3:DeleteObject
+      - s3:ListBucketMultipartUploads
+      - s3:AbortMultipartUpload
+      - s3:ListMultipartUploadParts
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: installer-cloud-credentials
+    namespace: openshift-image-registry
+  serviceAccountNames:
+  - cluster-image-registry-operator
+  - registry

credentials-requests/0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  labels:
+    controller-tools.k8s.io: "1.0"
+  name: openshift-ingress
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - elasticloadbalancing:DescribeLoadBalancers
+      - route53:ListHostedZones
+      - route53:ListTagsForResources
+      - route53:ChangeResourceRecordSets
+      - tag:GetResources
+      - sts:AssumeRole
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: cloud-credentials
+    namespace: openshift-ingress-operator
+  serviceAccountNames:
+  - ingress-operator

credentials-requests/0000_50_cluster-network-operator_02-cncc-credentials.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: openshift-cloud-network-config-controller-aws
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - ec2:DescribeInstances
+      - ec2:DescribeInstanceStatus
+      - ec2:DescribeInstanceTypes
+      - ec2:UnassignPrivateIpAddresses
+      - ec2:AssignPrivateIpAddresses
+      - ec2:UnassignIpv6Addresses
+      - ec2:AssignIpv6Addresses
+      - ec2:DescribeSubnets
+      - ec2:DescribeNetworkInterfaces
+      effect: Allow
+      resource: '*'
+  secretRef:
+    name: cloud-credentials
+    namespace: openshift-cloud-network-config-controller
+  serviceAccountNames:
+  - cloud-network-config-controller

credentials-requests/0000_50_cluster-storage-operator_03_credentials_request_aws.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  annotations:
+    capability.openshift.io/name: Storage
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: aws-ebs-csi-driver-operator
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - ec2:AttachVolume
+      - ec2:CreateSnapshot
+      - ec2:CreateTags
+      - ec2:CreateVolume
+      - ec2:DeleteSnapshot
+      - ec2:DeleteTags
+      - ec2:DeleteVolume
+      - ec2:DescribeInstances
+      - ec2:DescribeSnapshots
+      - ec2:DescribeTags
+      - ec2:DescribeVolumes
+      - ec2:DescribeVolumesModifications
+      - ec2:DetachVolume
+      - ec2:ModifyVolume
+      - ec2:DescribeAvailabilityZones
+      - ec2:EnableFastSnapshotRestores
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:ReEncrypt*
+      - kms:Decrypt
+      - kms:Encrypt
+      - kms:GenerateDataKey
+      - kms:GenerateDataKeyWithoutPlainText
+      - kms:DescribeKey
+      effect: Allow
+      resource: '*'
+    - action:
+      - kms:RevokeGrant
+      - kms:CreateGrant
+      - kms:ListGrants
+      effect: Allow
+      policyCondition:
+        Bool:
+          kms:GrantIsForAWSResource: true
+      resource: '*'
+  secretRef:
+    name: ebs-cloud-credentials
+    namespace: openshift-cluster-csi-drivers
+  serviceAccountNames:
+  - aws-ebs-csi-driver-operator
+  - aws-ebs-csi-driver-controller-sa

pkg/cli/admin/release/extract.go

@@ -94,7 +94,8 @@ func NewExtract(f kcmdutil.Factory, streams genericiooptions.IOStreams) *cobra.C
 			If --install-config is set, it will be used to determine the expected cluster configuration,
 			otherwise the command will interrogate your current cluster to determine its configuration.
 			This command is most accurate when the version of the extracting client matches the version
-			of the cluster under consideration.
+			of the cluster under consideration. Otherwise, for example, newly introduced capacities in
+            the version of the extracting client are considered enabled.
 
 			Instead of extracting the manifests, you can specify --git=DIR to perform a Git
 			checkout of the source code that comprises the release. A warning will be printed

pkg/cli/admin/release/extract_tools.go

@@ -14,7 +14,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"regexp"
 	"runtime"
 	"sort"
 	"strings"
@@ -1238,18 +1237,33 @@ func findClusterIncludeConfig(ctx context.Context, restConfig *rest.Config) (man
 		config.Overrides = clusterVersion.Spec.Overrides
 		config.Capabilities = &clusterVersion.Status.Capabilities
 
-		// FIXME: eventually pull in GetImplicitlyEnabledCapabilities from https://github.com/openshift/cluster-version-operator/blob/86e24d66119a73f50282b66a8d6f2e3518aa0e15/pkg/payload/payload.go#L237-L240 for cases where a minor update would implicitly enable some additional capabilities.  For now, 4.13 to 4.14 will always enable MachineAPI, ImageRegistry, etc..
-		currentVersion := clusterVersion.Status.Desired.Version
-		matches := regexp.MustCompile(`^(\d+[.]\d+)[.].*`).FindStringSubmatch(currentVersion)
-		if len(matches) < 2 {
-			return config, fmt.Errorf("failed to parse major.minor version from ClusterVersion status.desired.version %q", currentVersion)
-		} else if matches[1] == "4.13" {
-			build := configv1.ClusterVersionCapability("Build")
-			deploymentConfig := configv1.ClusterVersionCapability("DeploymentConfig")
-			imageRegistry := configv1.ClusterVersionCapability("ImageRegistry")
-			config.Capabilities.EnabledCapabilities = append(config.Capabilities.EnabledCapabilities, configv1.ClusterVersionCapabilityMachineAPI, build, deploymentConfig, imageRegistry)
-			config.Capabilities.KnownCapabilities = append(config.Capabilities.KnownCapabilities, configv1.ClusterVersionCapabilityMachineAPI, build, deploymentConfig, imageRegistry)
+		// The set of the capabilities defined in configv1.ClusterVersionCapabilitySets may grow over time.
+		// Here we refresh "known" and "enabled" from lib so the new capabilities are included.
+		known := sets.New[configv1.ClusterVersionCapability]()
+		for _, s := range configv1.ClusterVersionCapabilitySets {
+			known.Insert(s...)
 		}
+		previouslyKnown := sets.New[configv1.ClusterVersionCapability](config.Capabilities.KnownCapabilities...)
+		config.Capabilities.KnownCapabilities = previouslyKnown.Union(known).UnsortedList()
+
+		key := configv1.ClusterVersionCapabilitySetCurrent
+		if clusterVersion.Spec.Capabilities != nil && clusterVersion.Spec.Capabilities.BaselineCapabilitySet != "" {
+			key = clusterVersion.Spec.Capabilities.BaselineCapabilitySet
+		}
+		enabled := sets.New[configv1.ClusterVersionCapability](configv1.ClusterVersionCapabilitySets[key]...)
+		// Without downloading the payload that is running on the cluster, it is hard to collect all the enabled capabilities.
+		// We may create a manifest in dry-run mode on the cluster and check if the output contains the existing error
+		// which indicates the capabilities of the manifest are all enabled. We have to wait until all manifests are checked
+		// this way to collect the complete set of enabled capabilities.It might not be worth the effort to calculate the
+		// exact enabled capabilities.
+		// Instead, newly introduced capabilities are blindly enabled and some of them might not be actually enabled on the cluster.
+		// As a result, unexpected manifests could be included. The number of such manifests is likely small, provided that
+		// only a small amount of capabilities are added over time and that happens only for minor level updates:
+		// #C(4.11)=4 -> #C(4.17)=15, averagely less than two per minor update.
+		// https://docs.openshift.com/container-platform/4.17/installing/overview/cluster-capabilities.html
+		deltaKnown := known.Difference(previouslyKnown)
+		enabled = enabled.Union(deltaKnown)
+		config.Capabilities.EnabledCapabilities = sets.New[configv1.ClusterVersionCapability](config.Capabilities.EnabledCapabilities...).Union(enabled).UnsortedList()
 	}
 
 	if infrastructure, err := client.Infrastructures().Get(ctx, "cluster", metav1.GetOptions{}); err != nil {