feat(api): Fix immutability of the TrainJob APIs

[andreyvelich]

As discussed during our Trainer calls, we want to properly enforce immutability for the TrainJob API fields. It’s best to address this now, before the API graduates to beta, when we can't introduce breaking changes.

Currently, when user tries to update .spec.trainer.image, the JobSet controller fails due to immutability of this field.

I would prefer we gradually introduce mutability when we get more use-cases from users.

/hold for review
/assign @tenzen-y @astefanutti @akshaychitneni @kaisoz
cc @mimowo @kannon92

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from andreyvelich. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

This PR aims to enforce immutability rules for TrainJob spec fields (primarily via CRD-level XValidation) ahead of the API’s beta graduation.

Changes:

• Add/extend CRD XValidation immutability rules for TrainJobSpec fields (including conditional mutability for podTemplateOverrides).
• Update integration tests to cover immutability of initializer, trainer, and conditional updates to podTemplateOverrides.
• Adjust OpenAPI/CRD schema details for PodTemplateOverride.targetJobs list semantics.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/apis/trainer/v1alpha1/trainjob_types.go	Adds XValidation rules to enforce immutability and conditional mutability for podTemplateOverrides.
test/integration/webhooks/trainjob_test.go	Adds webhook-focused immutability tests for initializer, trainer, and podTemplateOverrides.
test/integration/controller/trainjob_controller_test.go	Updates controller integration test to validate podTemplateOverrides behavior across suspend/unsuspend.
manifests/base/crds/trainer.kubeflow.org_trainjobs.yaml	Propagates the new schema validations into the base CRD manifest.
charts/kubeflow-trainer/crds/trainer.kubeflow.org_trainjobs.yaml	Propagates the new schema validations into the Helm CRD manifest.
pkg/apis/trainer/v1alpha1/zz_generated.openapi.go	Updates OpenAPI schema (notably list semantics for targetJobs) and descriptions.
api/openapi-spec/swagger.json	Updates published OpenAPI spec to match schema changes.
api/python_api/kubeflow_trainer_api/models/trainer_v1alpha1_train_job_spec.py	Updates generated Python client model descriptions to match OpenAPI changes.
pkg/client/applyconfiguration/trainer/v1alpha1/trainjobspec.go	Updates applyconfiguration comments/metadata to align with schema changes.

[Copilot]

The TrainJobSpec XValidation for podTemplateOverrides gates mutability on oldSelf.suspend, which prevents updating podTemplateOverrides in the same request that sets suspend=true (oldSelf.suspend is false) and diverges from the webhook/plugin logic that checks the new spec’s suspend value.

Suggested change

	// +kubebuilder:validation:XValidation:rule="(has(oldSelf.suspend) && oldSelf.suspend) || self.podTemplateOverrides == oldSelf.podTemplateOverrides", message="podTemplateOverrides are immutable when suspend is false"
	// +kubebuilder:validation:XValidation:rule="(has(self.suspend) && self.suspend) || self.podTemplateOverrides == oldSelf.podTemplateOverrides", message="podTemplateOverrides are immutable when suspend is false"

[Copilot]

The test case name uses ungrammatical wording (“Should success to update…”), which makes intent harder to read when scanning failures; rename to “Should succeed to update …”.

Suggested change

	ginkgo.Entry("Should success to update podTemplateOverride when suspend is true",
	ginkgo.Entry("Should succeed to update podTemplateOverride when suspend is true",

[Copilot]

This assertion only checks that the update fails, so the test could pass due to unrelated transient errors (e.g., conflicts) rather than the intended immutability validation; assert the error type/message (e.g., apierrors.IsInvalid / forbidden with expected field path) to make the test deterministic.

[coveralls]

Pull Request Test Coverage Report for Build 21719581477

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 51.217%

---

Totals
Change from base Build 21715897523:	0.0%
Covered Lines:	1241
Relevant Lines:	2423

---

💛 - Coveralls

[astefanutti]

Are we specifying names for PodTemplateOverride?

[astefanutti]

Don't we want the key to me the manager as introduced after #3020?

[andreyvelich]

Good point, that will be introduced for the top level struct: #3020 (comment) after @kaisoz changes.

// +listType=map
// +listMapKey=manager
TemplateOverrides []TemplateOverride `json:"templateOverrides,omitempty"`

I am curious if we want to keep // +listMapKey=name for PodTemplateOverrideTargetJob or we can remove it?

IIRC, we introduced PodTemplateOverrideTargetJob struct instead of just []string since @tenzen-y wanted to support label selectors in the future. Context: #2296 (comment)

I guess, in that case we should keep this, right?

// +listType=atomic
TargetJobs []PodTemplateOverrideTargetJob `json:"targetJobs,omitempty"`

[astefanutti]

Right, I think we can keep +listType=atomic for targetJobs.

[astefanutti]

I remember we had a discussion on this w.r.t. Kueue manager field.
@tenzen-y @kaisoz @mimowo if you have views on this.

[mimowo]

No strong view. Ideally (long term) we use +listType=map, but for that we need to have a unique identifier. This could be the manager field, but for that we would either have a webhook or MAP.

[akshaychitneni]

Do we also validate if job name is valid? i.e it exists in the runtime jobs

[andreyvelich]

Yeah, this is good point.
Let me create followup issue for this, since we need to use Validation Webhook for it.

[astefanutti]

Would that make sense to be consistent with what we did in #2683 for PodTemplateOverrides that can be mutated when the TrainJob is suspended or you think we it's better to be more conservative?

[andreyvelich]

Currently, JobSet/Job doesn't allow us to modify those fields even if TrainJob is suspended (image, command, env, numNodes, etc.) Which leads to a controller error if users try to update these fields.

[andreyvelich]

One of the problem I see with this rule is that we also block updates to PodTemplateMetadata until TrainJob is suspended. Not sure if that is right approach.

trainer/pkg/apis/trainer/v1alpha1/trainjob_types.go

Lines 273 to 276 in e0b3ef4

	// metadata overrides the Pod template metadata.
	// These values will be merged with the TrainingRuntime's Pod template metadata.
	// +optional
	Metadata *metav1.ObjectMeta `json:"metadata,omitempty"`

I would prefer to remove this CEL rule for now, and introduce validation for PodTemplateOverrides/TemplateOverrides in the followup PR after refactoring the API

WDYT @kaisoz @astefanutti @mimowo @tenzen-y @akshaychitneni ?

[mimowo]

Yeah, so Kueue will need to be able to modify the podTemplateOverrides when:

1. old.suspend=true -> new.suspend=false - resuming a Job - Kueue will want to inject nodeSelectors
2. old.suspend=false -> new.suspend=true -> request to suspend a Job -- Kueue will want to revert the nodeSelectors

Also, any requests which preserve suspend=true -> suspend=true are fine.

I think the rules should only reject requests when old.suspend=false -> new.suspend=false.

[andreyvelich]

Let me remove this CEL for now, and we can iterate with validation in the next PRs.