Perform migrations via Job (#1086)

Originating issues: [IBMPrivateCloud/roadmap#67379](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/67379), [IBMPrivateCloud/roadmap#67424](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/67424)

In order to work around limitations imposed by shipping OLM bundles, migration behaviors previously handled via a goroutine in the Authentication controller are now instead by a dedicated Job.

Additionally, the check performed for whether to use the `idauth` Route for SAML flows has also been broken out into a Job that is run in the event that the `MASTER_PATH` variable has not been set in the `platform-auth-idp` ConfigMap.

---------

Signed-off-by: Rob Hundley <[email protected]>

Author: rwhundley

api/operator/v1alpha1/authentication_types.go

@@ -18,7 +18,6 @@ package v1alpha1
 
 import (
 	"context"
-	"fmt"
 	"reflect"
 	"sync"
 
@@ -220,15 +219,8 @@ const ReasonMigrationsInProgress string = "InProgress"
 const ReasonMigrationsDone string = "Done"
 const ReasonMigrationFailure string = "Failed"
 
-func NewMigrationCompleteCondition() *metav1.Condition {
-	return &metav1.Condition{
-		Type:    ConditionMigrated,
-		Status:  metav1.ConditionTrue,
-		Reason:  ReasonMigrationComplete,
-		Message: MessageMigrationSuccess,
-	}
-}
-
+// Creates a new ConditionMigrationsRunning condition for when the migration Job
+// is still running.
 func NewMigrationInProgressCondition() *metav1.Condition {
 	return &metav1.Condition{
 		Type:    ConditionMigrationsRunning,
@@ -238,6 +230,8 @@ func NewMigrationInProgressCondition() *metav1.Condition {
 	}
 }
 
+// Creates a new ConditionMigrationsRunning condition for when the migration Job
+// has stopped running.
 func NewMigrationFinishedCondition() *metav1.Condition {
 	return &metav1.Condition{
 		Type:    ConditionMigrationsRunning,
@@ -247,8 +241,33 @@ func NewMigrationFinishedCondition() *metav1.Condition {
 	}
 }
 
-func NewMigrationFailureCondition(name string) *metav1.Condition {
-	message := fmt.Sprintf("Migration %q failed; review the IM Operator \"migration_worker\" logs for more information", name)
+// Creates a new ConditionMigrated condition for when the migration Job has
+// succeeded.
+func NewMigrationCompleteCondition() *metav1.Condition {
+	return &metav1.Condition{
+		Type:    ConditionMigrated,
+		Status:  metav1.ConditionTrue,
+		Reason:  ReasonMigrationComplete,
+		Message: MessageMigrationSuccess,
+	}
+}
+
+// Creates a new ConditionMigrated condition for when the migration Job has yet
+// to run at all; should not be set unless the previous status is
+// `metav1.ConditionTrue`.
+func NewMigrationYetToBeCompleteCondition() *metav1.Condition {
+	message := "The \"ibm-im-db-migration\" Job is not yet complete"
+	return &metav1.Condition{
+		Type:    ConditionMigrated,
+		Status:  metav1.ConditionFalse,
+		Reason:  ReasonMigrationsInProgress,
+		Message: message,
+	}
+}
+
+// Creates a new ConditionMigrated condition for when the migration Job fails.
+func NewMigrationFailureCondition() *metav1.Condition {
+	message := "Migration failed; review the \"ibm-im-db-migrator\" Job logs for more information"
 	return &metav1.Condition{
 		Type:    ConditionMigrated,
 		Status:  metav1.ConditionFalse,

bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml

@@ -57,6 +57,8 @@ metadata:
               }
             },
             "config": {
+              "auditSecret": "",
+              "auditUrl": "",
               "authUniqueHosts": "internal-ip1 internal-ip2 mycluster.icp",
               "bootstrapUserId": "kubeadmin",
               "claimsMap": "name=\"givenName\" family_name=\"givenName\" given_name=\"givenName\" preferred_username=\"displayName\" display_name=\"displayName\"",
@@ -79,8 +81,6 @@ metadata:
               "openshiftPort": 443,
               "preferredLogin": "",
               "providerIssuerURL": "",
-              "auditUrl": "",
-              "auditSecret": "",
               "roksEnabled": true,
               "roksURL": "https://roks.domain.name:443",
               "roksUserPrefix": "changeme",
@@ -154,7 +154,7 @@ metadata:
     categories: Security
     certified: "false"
     containerImage: icr.io/cpopen/ibm-iam-operator:4.14.0
-    createdAt: "2025-08-18T18:56:37Z"
+    createdAt: "2025-08-28T15:02:42Z"
     description: The IAM operator provides a simple Kubernetes CRD-Based API to manage the lifecycle of IAM services. With this operator, you can simply deploy and upgrade the IAM services
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "true"
@@ -315,6 +315,8 @@ spec:
                         value: icr.io/cpopen/cpfs/icp-identity-manager:4.14.0
                       - name: IM_INITCONTAINER_IMAGE
                         value: icr.io/cpopen/cpfs/im-initcontainer:4.14.0
+                      - name: IM_DB_MIGRATOR_IMAGE
+                        value: icr.io/cpopen/cpfs/ibm-im-db-migrator:0.0.1
                     image: icr.io/cpopen/ibm-iam-operator:4.14.0
                     imagePullPolicy: IfNotPresent
                     livenessProbe:

bundle/manifests/operator.ibm.com_authentications.yaml

@@ -172,6 +172,10 @@ spec:
                 properties:
                   attrMappingFromConfig:
                     type: boolean
+                  auditSecret:
+                    type: string
+                  auditUrl:
+                    type: string
                   authUniqueHosts:
                     type: string
                   bootstrapUserId:
@@ -228,10 +232,6 @@ spec:
                     type: string
                   providerIssuerURL:
                     type: string
-                  auditUrl:
-                    type: string
-                  auditSecret:
-                    type: string
                   roksEnabled:
                     type: boolean
                   roksURL:

config/manager/overlays/prod/image_env_vars_patch.yaml

@@ -18,6 +18,11 @@
   value:
     name: IM_INITCONTAINER_IMAGE
     value: icr.io/cpopen/cpfs/im-initcontainer:4.14.0
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: IM_DB_MIGRATOR_IMAGE
+    value: icr.io/cpopen/cpfs/ibm-im-db-migrator:0.0.1
 - op: replace
   path: /spec/template/spec/containers/0/imagePullPolicy
   value: IfNotPresent

internal/controller/operator/authentication_controller.go

@@ -25,8 +25,6 @@ import (
 
 	certmgr "github.com/IBM/ibm-iam-operator/internal/api/certmanager/v1"
 	ctrlcommon "github.com/IBM/ibm-iam-operator/internal/controller/common"
-	dbconn "github.com/IBM/ibm-iam-operator/internal/database/connectors"
-	"github.com/IBM/ibm-iam-operator/internal/database/migration"
 	"github.com/IBM/ibm-iam-operator/internal/version"
 	routev1 "github.com/openshift/api/route/v1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -36,9 +34,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/api/resource"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/discovery"
@@ -79,9 +75,6 @@ var memory550 = resource.NewQuantity(550*1024*1024, resource.BinarySI)   // 550M
 var memory650 = resource.NewQuantity(650*1024*1024, resource.BinarySI)   // 650Mi
 var memory1024 = resource.NewQuantity(1024*1024*1024, resource.BinarySI) // 1024Mi
 
-// migrationWait is used when still waiting on a result to be produced by the migration worker
-var migrationWait time.Duration = 10 * time.Second
-
 // opreqWait is used for the resources that interact with and originate from OperandRequests
 var opreqWait time.Duration = 100 * time.Millisecond
 
@@ -91,29 +84,6 @@ var defaultLowerWait time.Duration = 5 * time.Millisecond
 // finalizerName is the finalizer appended to the Authentication CR
 var finalizerName = "authentication.operator.ibm.com"
 
-func (r *AuthenticationReconciler) loopUntilConditionsSet(ctx context.Context, req ctrl.Request, conditions ...*metav1.Condition) {
-	reqLogger := logf.FromContext(ctx)
-	conditionsSet := false
-	for !conditionsSet {
-		authCR := &operatorv1alpha1.Authentication{}
-		if result, err := r.getLatestAuthentication(ctx, req, authCR); subreconciler.ShouldHaltOrRequeue(result, err) {
-			reqLogger.Info("Failed to retrieve Authentication CR for status update; retrying")
-			continue
-		}
-		for _, condition := range conditions {
-			if condition == nil {
-				continue
-			}
-			meta.SetStatusCondition(&authCR.Status.Conditions, *condition)
-		}
-		if err := r.Client.Status().Update(ctx, authCR); err != nil {
-			reqLogger.Error(err, "Failed to set conditions on Authentication; retrying", "conditions", conditions)
-			continue
-		}
-		conditionsSet = true
-	}
-}
-
 func (r *AuthenticationReconciler) getLatestAuthentication(ctx context.Context, req ctrl.Request, authentication *operatorv1alpha1.Authentication) (result *ctrl.Result, err error) {
 	reqLogger := logf.FromContext(ctx)
 	if err := r.Get(ctx, req.NamespacedName, authentication); err != nil {
@@ -174,10 +144,7 @@ type AuthenticationReconciler struct {
 	DiscoveryClient discovery.DiscoveryClient
 	Mutex           sync.Mutex
 	clusterType     ctrlcommon.ClusterType
-	dbSetupChan     chan *migration.Result
 	needsRollout    bool
-	GetPostgresDB   func(client.Client, context.Context, ctrl.Request) (dbconn.DBConn, error)
-	GetMongoDB      func(client.Client, context.Context, ctrl.Request) (dbconn.DBConn, error)
 }
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
@@ -284,19 +251,6 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return subreconciler.Evaluate(subResult, err)
 	}
 
-	// perform any migrations that may be needed before Deployments run
-	if subResult, err := r.handleMigrations(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
-		return subreconciler.Evaluate(subResult, err)
-	}
-
-	if subResult, err := r.setMigrationCompleteStatus(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
-		return subreconciler.Evaluate(subResult, err)
-	}
-
-	if result, err := r.handleMongoDBCleanup(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(result, err) {
-		return subreconciler.Evaluate(result, err)
-	}
-
 	reqLogger.Info("Creating ibm-iam-operand-restricted serviceaccount")
 	currentSA := &corev1.ServiceAccount{}
 	err = r.createSA(instance, currentSA, &needToRequeue)
@@ -307,6 +261,14 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	r.createRole(instance)
 	r.createRoleBinding(instance)
 
+	if subResult, err := r.ensureMigrationJobRuns(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
+		return subreconciler.Evaluate(subResult, err)
+	}
+
+	if subResult, err := r.checkSAMLPresence(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
+		return subreconciler.Evaluate(subResult, err)
+	}
+
 	// Check if this Certificate already exists and create it if it doesn't
 	if subResult, err := r.handleCertificates(ctx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
 		return subreconciler.Evaluate(subResult, err)
@@ -319,6 +281,11 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return
 	}
 
+	// Check if this Job already exists and create it if it doesn't
+	if subResult, err := r.ensureOIDCClientRegistrationJobRuns(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
+		return subreconciler.Evaluate(subResult, err)
+	}
+
 	// Check if this Secret already exists and create it if it doesn't
 	if subResult, err = r.handleSecrets(ctx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
 		return subreconciler.Evaluate(subResult, err)
@@ -332,12 +299,6 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return subreconciler.Evaluate(subResult, err)
 	}
 
-	// Check if this Job already exists and create it if it doesn't
-	currentJob := &batchv1.Job{}
-	err = r.handleJob(instance, currentJob, &needToRequeue)
-	if err != nil {
-		return
-	}
 	// create clusterrole and clusterrolebinding
 	if subResult, err := r.handleClusterRoles(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
 		return subreconciler.Evaluate(subResult, err)
@@ -351,6 +312,10 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	// updates redirecturi annotations to serviceaccount
 	r.handleServiceAccount(instance, &needToRequeue)
 
+	if subResult, err = r.ensureMigrationJobSucceeded(ctx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
+		return subreconciler.Evaluate(subResult, err)
+	}
+
 	if subResult, err := r.handleDeployments(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
 		return subreconciler.Evaluate(subResult, err)
 	}
@@ -371,6 +336,10 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return subreconciler.Evaluate(subResult, err)
 	}
 
+	if result, err := r.handleMongoDBCleanup(reconcileCtx, req); subreconciler.ShouldHaltOrRequeue(result, err) {
+		return subreconciler.Evaluate(result, err)
+	}
+
 	return subreconciler.Evaluate(subreconciler.DoNotRequeue())
 }
 
@@ -448,12 +417,6 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		return o.GetLabels()[ctrlcommon.ManagerVersionLabel] == version.Version
 	})
 
-	r.GetPostgresDB = func(c client.Client, ctx context.Context, req ctrl.Request) (d dbconn.DBConn, err error) {
-		return GetPostgresDB(c, ctx, req)
-	}
-	r.GetMongoDB = func(c client.Client, ctx context.Context, req ctrl.Request) (d dbconn.DBConn, err error) {
-		return GetMongoDB(c, ctx, req)
-	}
 	authCtrl.Watches(&operatorv1alpha1.Authentication{}, &handler.EnqueueRequestForObject{}, builder.WithPredicates(bootstrappedPred))
 	return authCtrl.Named("controller_authentication").
 		Complete(r)