fix: consider plugin changes while evaluating instance rollout (cloudnative-pg#7126)

Introduce the `EVALUATE` verb to enable a plugin to trigger a rollout
if the desired Pod specification differs from the current one.

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>

Author: armru

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/cheynewallace/tabby v1.1.1
 	github.com/cloudnative-pg/barman-cloud v0.1.0
-	github.com/cloudnative-pg/cnpg-i v0.1.0
+	github.com/cloudnative-pg/cnpg-i v0.1.1-0.20250321093050-de4ab51537cb
 	github.com/cloudnative-pg/machinery v0.1.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/evanphx/json-patch/v5 v5.9.11

go.sum

@@ -20,8 +20,8 @@ github.com/cheynewallace/tabby v1.1.1 h1:JvUR8waht4Y0S3JF17G6Vhyt+FRhnqVCkk8l4Yr
 github.com/cheynewallace/tabby v1.1.1/go.mod h1:Pba/6cUL8uYqvOc9RkyvFbHGrQ9wShyrn6/S/1OYVys=
 github.com/cloudnative-pg/barman-cloud v0.1.0 h1:e/z52CehMBIh1LjZqNBJnncWJbS+1JYvRMBR8Js6Uiw=
 github.com/cloudnative-pg/barman-cloud v0.1.0/go.mod h1:rJUJO/f1yNckLZiVxHAyRmKY+4EPJkYRJsGbTZRJQSY=
-github.com/cloudnative-pg/cnpg-i v0.1.0 h1:QH2xTsrODMhEEc6B25GbOYe7ZIttDmSkYvXotfU5dfs=
-github.com/cloudnative-pg/cnpg-i v0.1.0/go.mod h1:G28BhgUEHqrxEyyQeHz8BbpMVAsGuLhJm/tHUbDi8Sw=
+github.com/cloudnative-pg/cnpg-i v0.1.1-0.20250321093050-de4ab51537cb h1:FPORwCxjZwlnKnF7dOkuOAz0GBSQ3Hrn+8lm4uMiWeM=
+github.com/cloudnative-pg/cnpg-i v0.1.1-0.20250321093050-de4ab51537cb/go.mod h1:n+kbHm3rzRCY5IJKuE1tGMbG6JaeYz8yycYoLt7BeKo=
 github.com/cloudnative-pg/machinery v0.1.0 h1:tjRmsqQmsO/OlaT0uFmkEtVqgr+SGPM88cKZOHYKLBo=
 github.com/cloudnative-pg/machinery v0.1.0/go.mod h1:0V3vm44FaIsY+x4pm8ORry7xCC3AJiO+ebfPNxeP5Ck=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=

internal/cnpi/plugin/mapping.go

@@ -22,15 +22,16 @@ import (
 	"github.com/cloudnative-pg/cnpg-i/pkg/lifecycle"
 )
 
-// The OperationVerb corresponds to the Kubernetes API method
+// The OperationVerb corresponds to the CNPG-I lifecycle operation verb
 type OperationVerb string
 
-// A Kubernetes operation verb
+// A lifecycle operation verb
 const (
-	OperationVerbPatch  OperationVerb = "PATCH"
-	OperationVerbUpdate OperationVerb = "UPDATE"
-	OperationVerbCreate OperationVerb = "CREATE"
-	OperationVerbDelete OperationVerb = "DELETE"
+	OperationVerbPatch    OperationVerb = "PATCH"
+	OperationVerbUpdate   OperationVerb = "UPDATE"
+	OperationVerbCreate   OperationVerb = "CREATE"
+	OperationVerbDelete   OperationVerb = "DELETE"
+	OperationVerbEvaluate OperationVerb = "EVALUATE"
 )
 
 // ToOperationType_Type converts an OperationVerb into a lifecycle.OperationType_Type
@@ -45,6 +46,8 @@ func (o OperationVerb) ToOperationType_Type() (lifecycle.OperatorOperationType_T
 		return lifecycle.OperatorOperationType_TYPE_CREATE, nil
 	case OperationVerbUpdate:
 		return lifecycle.OperatorOperationType_TYPE_UPDATE, nil
+	case OperationVerbEvaluate:
+		return lifecycle.OperatorOperationType_TYPE_EVALUATE, nil
 	}
 
 	return lifecycle.OperatorOperationType_Type(0), fmt.Errorf("unknown operation type: '%s'", o)

internal/controller/cluster_create.go

@@ -1307,7 +1307,7 @@ func (r *ClusterReconciler) ensureInstancesAreCreated(
 ) (ctrl.Result, error) {
 	contextLogger := log.FromContext(ctx)
 
-	instanceToCreate, err := findInstancePodToCreate(cluster, instancesStatus, resources.pvcs.Items)
+	instanceToCreate, err := findInstancePodToCreate(ctx, cluster, instancesStatus, resources.pvcs.Items)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
@@ -1394,6 +1394,7 @@ func (r *ClusterReconciler) ensureInstancesAreCreated(
 
 // we elect a current instance that doesn't exist for creation
 func findInstancePodToCreate(
+	ctx context.Context,
 	cluster *apiv1.Cluster,
 	instancesStatus postgres.PostgresqlStatusList,
 	pvcs []corev1.PersistentVolumeClaim,
@@ -1440,7 +1441,7 @@ func findInstancePodToCreate(
 		if err != nil {
 			return nil, err
 		}
-		return specs.PodWithExistingStorage(*cluster, serial)
+		return specs.NewInstance(ctx, *cluster, serial, true)
 	}
 
 	return nil, nil

internal/controller/cluster_upgrade.go

@@ -276,6 +276,7 @@ type rollout struct {
 }
 
 type rolloutChecker func(
+	ctx context.Context,
 	pod *corev1.Pod,
 	cluster *apiv1.Cluster,
 ) (rollout, error)
@@ -335,7 +336,7 @@ func isPodNeedingRollout(
 	contextLogger := log.FromContext(ctx)
 	applyCheckers := func(checkers map[string]rolloutChecker) rollout {
 		for message, check := range checkers {
-			podRollout, err := check(pod, cluster)
+			podRollout, err := check(ctx, pod, cluster)
 			if err != nil {
 				contextLogger.Error(err, "while checking if pod needs rollout")
 				continue
@@ -380,10 +381,10 @@ func isPodNeedingRollout(
 
 	// These checks are subsumed by the PodSpec checker
 	checkers = map[string]rolloutChecker{
-		"pod environment is outdated":    checkPodEnvironmentIsOutdated,
-		"pod scheduler is outdated":      checkSchedulerIsOutdated,
-		"pod needs updated topology":     checkPodNeedsUpdatedTopology,
-		"pod init container is outdated": checkPodInitContainerIsOutdated,
+		"pod environment is outdated":         checkPodEnvironmentIsOutdated,
+		"pod scheduler is outdated":           checkSchedulerIsOutdated,
+		"pod needs updated topology":          checkPodNeedsUpdatedTopology,
+		"pod bootstrap container is outdated": checkPodBootstrapImage,
 	}
 	podRollout = applyCheckers(checkers)
 	if podRollout.required {
@@ -403,7 +404,7 @@ func hasValidPodSpec(pod *corev1.Pod) bool {
 	return err == nil
 }
 
-func checkHasResizingPVC(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkHasResizingPVC(_ context.Context, pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
 	if configuration.Current.EnableAzurePVCUpdates {
 		for _, pvcName := range cluster.Status.ResizingPVC {
 			// This code works on the assumption that the PVC begins with the name of the pod using it.
@@ -418,7 +419,7 @@ func checkHasResizingPVC(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, erro
 	return rollout{}, nil
 }
 
-func checkPodNeedsUpdatedTopology(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkPodNeedsUpdatedTopology(_ context.Context, pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
 	if reflect.DeepEqual(cluster.Spec.TopologySpreadConstraints, pod.Spec.TopologySpreadConstraints) {
 		return rollout{}, nil
 	}
@@ -432,7 +433,7 @@ func checkPodNeedsUpdatedTopology(pod *corev1.Pod, cluster *apiv1.Cluster) (roll
 	}, nil
 }
 
-func checkSchedulerIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkSchedulerIsOutdated(_ context.Context, pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
 	if cluster.Spec.SchedulerName == "" || cluster.Spec.SchedulerName == pod.Spec.SchedulerName {
 		return rollout{}, nil
 	}
@@ -447,7 +448,7 @@ func checkSchedulerIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout,
 	}, nil
 }
 
-func checkProjectedVolumeIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkProjectedVolumeIsOutdated(_ context.Context, pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
 	isNilOrZero := func(vs *corev1.ProjectedVolumeSource) bool {
 		return vs == nil || len(vs.Sources) == 0
 	}
@@ -490,7 +491,7 @@ func getProjectedVolumeConfigurationFromPod(pod corev1.Pod) *corev1.ProjectedVol
 	return nil
 }
 
-func checkPodImageIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkPodImageIsOutdated(_ context.Context, pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
 	targetImageName := cluster.GetImageName()
 
 	pgCurrentImageName, err := specs.GetPostgresImageName(*pod)
@@ -510,7 +511,7 @@ func checkPodImageIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout,
 	}, nil
 }
 
-func checkPodInitContainerIsOutdated(pod *corev1.Pod, _ *apiv1.Cluster) (rollout, error) {
+func checkPodBootstrapImage(_ context.Context, pod *corev1.Pod, _ *apiv1.Cluster) (rollout, error) {
 	if configuration.Current.EnableInstanceManagerInplaceUpdates {
 		return rollout{}, nil
 	}
@@ -527,13 +528,13 @@ func checkPodInitContainerIsOutdated(pod *corev1.Pod, _ *apiv1.Cluster) (rollout
 	// We need to apply a different version of the instance manager
 	return rollout{
 		required: true,
-		reason: fmt.Sprintf("the instance is using an old init container image: %s -> %s",
+		reason: fmt.Sprintf("the instance is using an old bootstrap container image: %s -> %s",
 			opCurrentImageName, configuration.Current.OperatorImageName),
 		needsChangeOperatorImage: true,
 	}, nil
 }
 
-func checkHasMissingPVCs(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkHasMissingPVCs(_ context.Context, pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
 	if persistentvolumeclaim.InstanceHasMissingMounts(cluster, pod) {
 		return rollout{
 			required:             true,
@@ -544,7 +545,11 @@ func checkHasMissingPVCs(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, erro
 	return rollout{}, nil
 }
 
-func checkClusterHasDifferentRestartAnnotation(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkClusterHasDifferentRestartAnnotation(
+	_ context.Context,
+	pod *corev1.Pod,
+	cluster *apiv1.Cluster,
+) (rollout, error) {
 	// If the pod restart value doesn't match with the one contained in the cluster, restart the pod.
 	if clusterRestart, ok := cluster.Annotations[utils.ClusterRestartAnnotationName]; ok {
 		podRestart := pod.Annotations[utils.ClusterRestartAnnotationName]
@@ -560,7 +565,9 @@ func checkClusterHasDifferentRestartAnnotation(pod *corev1.Pod, cluster *apiv1.C
 	return rollout{}, nil
 }
 
-func checkPodEnvironmentIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+// checkPodEnvironmentIsOutdated checks if the environment variables in the pod have changed.
+// Deprecated: this function doesn't take into account plugin changes, use PodSpec annotation.
+func checkPodEnvironmentIsOutdated(_ context.Context, pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
 	// Check if there is a change in the environment section
 	envConfig := specs.CreatePodEnvConfig(*cluster, pod.Name)
 
@@ -605,7 +612,11 @@ func checkPodEnvironmentIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rol
 	return rollout{}, nil
 }
 
-func checkPodSpecIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, error) {
+func checkPodSpecIsOutdated(
+	ctx context.Context,
+	pod *corev1.Pod,
+	cluster *apiv1.Cluster,
+) (rollout, error) {
 	podSpecAnnotation, ok := pod.ObjectMeta.Annotations[utils.PodSpecAnnotationName]
 	if !ok {
 		return rollout{}, nil
@@ -616,10 +627,18 @@ func checkPodSpecIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, e
 	if err != nil {
 		return rollout{}, fmt.Errorf("while unmarshaling the pod resources annotation: %w", err)
 	}
-	envConfig := specs.CreatePodEnvConfig(*cluster, pod.Name)
-	gracePeriod := int64(cluster.GetMaxStopDelay())
+
 	tlsEnabled := remote.GetStatusSchemeFromPod(pod).IsHTTPS()
-	targetPodSpec := specs.CreateClusterPodSpec(pod.Name, *cluster, envConfig, gracePeriod, tlsEnabled)
+
+	serial, err := utils.GetClusterSerialValue(pod.Annotations)
+	if err != nil {
+		return rollout{}, fmt.Errorf("while getting the pod serial value: %w", err)
+	}
+
+	targetPod, err := specs.NewInstance(ctx, *cluster, serial, tlsEnabled)
+	if err != nil {
+		return rollout{}, fmt.Errorf("while creating a new pod to check podSpec: %w", err)
+	}
 
 	// the bootstrap init-container could change image after an operator upgrade.
 	// If in-place upgrades of the instance manager are enabled, we don't need rollout.
@@ -631,17 +650,13 @@ func checkPodSpecIsOutdated(pod *corev1.Pod, cluster *apiv1.Cluster) (rollout, e
 		!configuration.Current.EnableInstanceManagerInplaceUpdates {
 		return rollout{
 			required: true,
-			reason: fmt.Sprintf("the instance is using an old init container image: %s -> %s",
+			reason: fmt.Sprintf("the instance is using an old bootstrap container image: %s -> %s",
 				opCurrentImageName, configuration.Current.OperatorImageName),
 			needsChangeOperatorImage: true,
 		}, nil
 	}
 
-	// from here we don't care about drift in the init containers: avoid checking them
-	storedPodSpec.InitContainers = nil
-	targetPodSpec.InitContainers = nil
-
-	match, diff := specs.ComparePodSpecs(storedPodSpec, targetPodSpec)
+	match, diff := specs.ComparePodSpecs(storedPodSpec, targetPod.Spec)
 	if !match {
 		return rollout{
 			required: true,