-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[PSA] Potential pitfalls with dependency bumps #123744
Labels
area/code-organization
Issues or PRs related to kubernetes code organization
sig/architecture
Categorizes an issue or PR as relevant to SIG Architecture.
triage/accepted
Indicates an issue or PR is ready to be actively worked on.
Comments
k8s-ci-robot
added
sig/architecture
Categorizes an issue or PR as relevant to SIG Architecture.
area/code-organization
Issues or PRs related to kubernetes code organization
triage/accepted
Indicates an issue or PR is ready to be actively worked on.
labels
Mar 6, 2024
Fantastic write-up, thanks for laying everything out so clearly |
Thank you for the write up. This will be really helpful when we engage with OSS projects asking to bump go versions back down where possible. |
Definitely appreciate the explanation and path to resolution. |
💯 Thank you very much! |
updated description, the Go proposal was accepted and is targeting Go 1.23 |
This was referenced Apr 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/code-organization
Issues or PRs related to kubernetes code organization
sig/architecture
Categorizes an issue or PR as relevant to SIG Architecture.
triage/accepted
Indicates an issue or PR is ready to be actively worked on.
_Note: this issue is only meant to document the situation that currently exists because discussions in slack are ephemeral and hard to discover.
TL;DR
golang/go#65573 is a proposal accepted and targeting Go 1.23 that will address the issue being described here!
In the meantime, please exercise extra caution in the following scenarios:
go
directives are in these dependencies before we backport them.go
directives in community owned, single branch dependencies such as k/utils, k/gengo, k/kube-openapi etc.Context
go1.21 introduced 2 immensely helpful features:
GODEBUG
settings are now taken based on thego
directive ingo.mod
s (ref: https://go.dev/doc/godebug). This is particularly helpful to maintain compatibility behaviour when Go makes breaking(-but-compatible) changes as part of its minor releases. This is also especially important since Kubernetes now bumps minor versions of Go on its release branches: https://github.com/kubernetes/enhancements/tree/master/keps/sig-release/3744-stay-on-supported-go-versionsgo
directive ingo.mod
now specifies the minimum go version required to build your own code. We couldn't do this before, and that meant older go toolchains were allowed to compile code that was meant for newer go versions, even though it would lead to breaking changes: https://go.dev/blog/toolchainThe Problem
While (1) is highly desirable, (2) interferes with its efficacy of being able to default
GODEBUG
settings, illustrated below.The currently supported release branches of Kubernetes have their versions of Go bumped to go1.21.x (same as
master
). What this means is code is tested, built and released using go1.21.x:However, the
go
directive ingo.mod
is as follows for the currently supported Kubernetes versions:go 1.20
go 1.20
go 1.21
Essentially, we leave the
go
directive in thego.mod
s to indicate the Go version with which a Kubernetes minor was first shipped. Because of go1.21'sGODEBUG
defaulting, we get to preserve that behaviour for our users even though we now continue to build with higher versions of Go (to stay well within the support window of Go).However, many of the fixes needed to bump minor versions of Go on release branches involves backporting dependency bumps, for example:
If dependency
D
has ago
directive in itsgo.mod
ofgo 1.21
, was bumped atmaster
to fix a bug and we need to backport this to our release branches that has ago
directive ofgo 1.20
, the bump will essentially force thego
directive in our release branches togo 1.21
because of (2) - thego
directive required is going to be themax(all dep. go directives)
. This is not desirable since we now also loose the compatibility behaviour of go1.20 that our users would expect.What Do We Do?
golang/go#65573 is a proposal that is being worked on in the Go community to address this dichotomy between (1) and (2) and will hopefully land in go1.23.
In the meantime, we need to exercise extra caution in the following scenarios:
go
directives are in these dependencies before we backport them.go
directives in community owned, single branch dependencies such as k/utils, k/gengo, k/kube-openapi etc. If we bump thego
directive here and later need to absorb a fix in one of these dependencies into k/k via backporting, we will run into the same issue.There is also work happening to safeguard accidental bumps:
go
directive bump kube-openapi#463go
directive bump gengo#264/sig architecture
/area code-organization
/triage accepted
/cc @kubernetes/dep-approvers
The text was updated successfully, but these errors were encountered: