HPA implementation (#1029)

* HPA implementation

Author: Tirumalavasa

apis/operator/v1alpha1/authentication_types.go

@@ -48,6 +48,7 @@ type AuthenticationSpec struct {
 	ClientRegistration            ClientRegistrationSpec `json:"clientRegistration"`
 	Config                        ConfigSpec             `json:"config"`
 	EnableInstanaMetricCollection bool                   `json:"enableInstanaMetricCollection,omitempty"`
+	AutoScaleConfig               bool                   `json:"autoScaleConfig,omitempty"`
 }
 
 type AuditServiceSpec struct {

bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml

@@ -152,7 +152,7 @@ metadata:
     categories: Security
     certified: "false"
     containerImage: icr.io/cpopen/ibm-iam-operator:4.12.0
-    createdAt: "2025-05-15T13:06:28Z"
+    createdAt: "2025-05-15T13:42:55Z"
     description: The IAM operator provides a simple Kubernetes CRD-Based API to manage the lifecycle of IAM services. With this operator, you can simply deploy and upgrade the IAM services
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "true"
@@ -577,6 +577,18 @@ spec:
                 - patch
                 - update
                 - watch
+            - apiGroups:
+                - autoscaling
+              resources:
+                - horizontalpodautoscalers
+              verbs:
+                - create
+                - delete
+                - get
+                - list
+                - patch
+                - update
+                - watch
           serviceAccountName: ibm-iam-operator
     strategy: deployment
   installModes:

bundle/manifests/operator.ibm.com_authentications.yaml

@@ -125,6 +125,9 @@ spec:
                 - ldapsCACert
                 - routerCertSecret
                 type: object
+              autoScaleConfig:
+                description: AutoScaleConfig is a boolean to enable or disable HPA
+                type: boolean
               clientRegistration:
                 properties:
                   imageName:

config/crd/bases/operator.ibm.com_authentications.yaml

@@ -125,6 +125,9 @@ spec:
                 - ldapsCACert
                 - routerCertSecret
                 type: object
+              autoScaleConfig:
+                description: AutoScaleConfig is a boolean to enable or disable HPA
+                type: boolean
               clientRegistration:
                 properties:
                   imageName:

config/rbac/role.yaml

@@ -246,6 +246,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

controllers/operator/authentication_controller.go

@@ -30,6 +30,7 @@ import (
 	routev1 "github.com/openshift/api/route/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	authorizationv1 "k8s.io/api/authorization/v1"
+	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	net "k8s.io/api/networking/v1"
@@ -370,6 +371,10 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return subreconciler.Evaluate(subResult, err)
 	}
 
+	if subResult, err := r.handleHPAs(ctx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
+		return subreconciler.Evaluate(subResult, err)
+	}
+
 	return subreconciler.Evaluate(subreconciler.DoNotRequeue())
 }
 
@@ -383,7 +388,8 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&batchv1.Job{}).
 		Owns(&corev1.Service{}).
 		Owns(&net.Ingress{}).
-		Owns(&appsv1.Deployment{})
+		Owns(&appsv1.Deployment{}).
+		Owns(&autoscalingv2.HorizontalPodAutoscaler{})
 
 	//Add routes
 	if ctrlcommon.ClusterHasOpenShiftConfigGroupVerison(&r.DiscoveryClient) {

controllers/operator/deployment.go

@@ -778,7 +778,13 @@ func specsDiffer(observed, generated *appsv1.Deployment) (different bool, err er
 func modifyDeployment(needsRollout bool) ctrlcommon.ModifyFn[*appsv1.Deployment] {
 	return func(s ctrlcommon.SecondaryReconciler, ctx context.Context, observed, generated *appsv1.Deployment) (modified bool, err error) {
 		preserveObservedFields(observed, generated)
-
+		authCR, ok := s.GetPrimary().(*operatorv1alpha1.Authentication)
+		if !ok {
+			return
+		}
+		if authCR.Spec.AutoScaleConfig {
+			generated.Spec.Replicas = observed.Spec.Replicas
+		}
 		if val, ok := observed.Labels["operator.ibm.com/bindinfoRefresh"]; !ok || val != "enabled" {
 			observed.Labels["operator.ibm.com/bindinfoRefresh"] = "enabled"
 			modified = true

controllers/operator/hpa.go

@@ -0,0 +1,223 @@
+//
+// Copyright 2025 IBM Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package operator
+
+import (
+	"context"
+
+	operatorv1alpha1 "github.com/IBM/ibm-iam-operator/apis/operator/v1alpha1"
+	"github.com/IBM/ibm-iam-operator/controllers/common"
+	ctrlcommon "github.com/IBM/ibm-iam-operator/controllers/common"
+	"github.com/opdev/subreconciler"
+	appsv1 "k8s.io/api/apps/v1"
+	autoscalingv2 "k8s.io/api/autoscaling/v2"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+func (r *AuthenticationReconciler) handleHPAs(ctx context.Context, req ctrl.Request) (result *ctrl.Result, err error) {
+	reqLogger := logf.FromContext(ctx).WithValues("subreconciler", "handleHPAs")
+	hpaCtx := logf.IntoContext(ctx, reqLogger)
+	authCR := &operatorv1alpha1.Authentication{}
+	if result, err = r.getLatestAuthentication(hpaCtx, req, authCR); subreconciler.ShouldHaltOrRequeue(result, err) {
+		return
+	}
+	deployments := []string{"platform-auth-service", "platform-identity-provider", "platform-identity-management"}
+
+	authCRNS := authCR.Namespace
+	autoScaleEnabled := authCR.Spec.AutoScaleConfig
+	replicas := authCR.Spec.Replicas
+	if autoScaleEnabled {
+		subRecs := []ctrlcommon.SecondaryReconciler{}
+		results := []*ctrl.Result{}
+		errs := []error{}
+
+		for _, deployName := range deployments {
+			// Build the HPA reconciler
+			builder := ctrlcommon.NewSecondaryReconcilerBuilder[*autoscalingv2.HorizontalPodAutoscaler]().
+				WithName(deployName + "-hpa").
+				WithGenerateFns(generateHPAObject(authCR, deployName))
+
+			subRecs = append(subRecs, builder.
+				WithNamespace(authCRNS).
+				WithPrimary(authCR).
+				WithClient(r.Client).
+				MustBuild())
+		}
+
+		for _, subRec := range subRecs {
+			subResult, subErr := subRec.Reconcile(hpaCtx)
+			results = append(results, subResult)
+			errs = append(errs, subErr)
+		}
+
+		result, err = common.ReduceSubreconcilerResultsAndErrors(results, errs)
+		if err == nil {
+			r.needsRollout = false
+		}
+		if subreconciler.ShouldRequeue(result, err) {
+			reqLogger.Info("Cluster state has been modified; requeueing")
+			return
+		}
+		return subreconciler.ContinueReconciling()
+	} else {
+		// HPA is disabled - delete any existing HPA and set fixed replicas
+		for _, deployName := range deployments {
+			hpa := &autoscalingv2.HorizontalPodAutoscaler{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      deployName + "-hpa",
+					Namespace: authCRNS,
+				},
+			}
+			err := r.Get(ctx, types.NamespacedName{Name: deployName + "-hpa", Namespace: authCRNS}, hpa)
+			if err == nil {
+				reqLogger.Info("HPA is disabled, Deleting existing HPAs")
+				if err := r.Delete(ctx, hpa); err == nil {
+					r.UpdateDeploymentReplicas(hpaCtx, deployName, authCRNS, replicas)
+				}
+			} else if !errors.IsNotFound(err) {
+				return subreconciler.RequeueWithDelay(defaultLowerWait)
+			}
+		}
+	}
+	return
+}
+
+func generateHPAObject(instance *operatorv1alpha1.Authentication, deploymentName string) ctrlcommon.GenerateFn[*autoscalingv2.HorizontalPodAutoscaler] {
+	return func(s ctrlcommon.SecondaryReconciler, ctx context.Context, hpa *autoscalingv2.HorizontalPodAutoscaler) (err error) {
+
+		// Fetch Deployment
+		reqLogger := logf.FromContext(ctx)
+		deploy := &appsv1.Deployment{}
+		minReplicas := instance.Spec.Replicas
+		err = s.GetClient().Get(ctx, types.NamespacedName{Name: deploymentName, Namespace: instance.Namespace}, deploy)
+		if err != nil {
+			reqLogger.Error(err, "Failed to fetch Deployment", "DeploymentName", deploymentName)
+			return
+		}
+		// Extract memory and CPU requests and limits
+		if len(deploy.Spec.Template.Spec.Containers) == 0 {
+			reqLogger.Error(err, "Deployment has no containers")
+			return
+		}
+
+		container := deploy.Spec.Template.Spec.Containers[0]
+		currentReplicas := deploy.Spec.Replicas
+		maxReplicas := 2*(*currentReplicas) + 1
+
+		memRequest := container.Resources.Requests.Memory().Value()
+		memLimit := container.Resources.Limits.Memory().Value()
+		cpuRequest := container.Resources.Requests.Cpu().MilliValue()
+		cpuLimit := container.Resources.Limits.Cpu().MilliValue()
+
+		// Compute average utilization
+		avgUtilMem := calculateUtilization(memRequest, memLimit)
+		avgUtilCPU := calculateUtilization(cpuRequest, cpuLimit)
+
+		// Define HPA
+		*hpa = autoscalingv2.HorizontalPodAutoscaler{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      deploymentName + "-hpa",
+				Namespace: instance.Namespace,
+				Labels:    instance.Labels,
+				OwnerReferences: []metav1.OwnerReference{
+					{
+						APIVersion: instance.APIVersion,
+						Kind:       instance.Kind,
+						Name:       instance.Name,
+						UID:        instance.UID,
+					},
+				},
+			},
+			Spec: autoscalingv2.HorizontalPodAutoscalerSpec{
+				ScaleTargetRef: autoscalingv2.CrossVersionObjectReference{
+					APIVersion: "apps/v1",
+					Kind:       "Deployment",
+					Name:       deploymentName,
+				},
+				MinReplicas: &minReplicas,
+				MaxReplicas: maxReplicas,
+				Metrics: []autoscalingv2.MetricSpec{
+					{
+						Type: autoscalingv2.ResourceMetricSourceType,
+						Resource: &autoscalingv2.ResourceMetricSource{
+							Name: "memory",
+							Target: autoscalingv2.MetricTarget{
+								Type:               autoscalingv2.UtilizationMetricType,
+								AverageUtilization: &avgUtilMem,
+							},
+						},
+					},
+					{
+						Type: autoscalingv2.ResourceMetricSourceType,
+						Resource: &autoscalingv2.ResourceMetricSource{
+							Name: "cpu",
+							Target: autoscalingv2.MetricTarget{
+								Type:               autoscalingv2.UtilizationMetricType,
+								AverageUtilization: &avgUtilCPU,
+							},
+						},
+					},
+				},
+			},
+		}
+
+		// Set owner reference for garbage collection
+		err = controllerutil.SetControllerReference(instance, hpa, s.GetClient().Scheme())
+		if err != nil {
+			reqLogger.Error(err, "Failed to set owner reference for HPA")
+			return
+		}
+
+		return nil
+	}
+}
+
+func calculateUtilization(request int64, limit int64) int32 {
+	utilizationRatio := (float64(limit) / float64(request)) * 100
+
+	if utilizationRatio < 130 {
+		return 90
+	}
+	return int32((float64(limit) * 0.7 / float64(request)) * 100)
+}
+
+func (r *AuthenticationReconciler) UpdateDeploymentReplicas(ctx context.Context, deploymentName, namespace string, fixedReplicas int32) error {
+
+	reqLogger := logf.FromContext(ctx)
+	deploy := &appsv1.Deployment{}
+	err := r.Get(ctx, types.NamespacedName{Name: deploymentName, Namespace: namespace}, deploy)
+	if err != nil {
+		return err
+	}
+	// Update only if the existing replica count is different
+	if deploy.Spec.Replicas == nil || *deploy.Spec.Replicas != fixedReplicas {
+		replicas := fixedReplicas
+		deploy.Spec.Replicas = &replicas
+		if err := r.Update(ctx, deploy); err != nil {
+			reqLogger.Error(err, "failed to update deployment replicas", "deployment", deploy.Name, "desiredReplicas", replicas)
+			return err
+		}
+	} else {
+		reqLogger.Info("Deployment already has the correct replicas")
+	}
+
+	return nil
+}

helm-cluster-scoped/templates/00_operator.ibm.com_authentications.yaml

@@ -126,6 +126,9 @@ spec:
                 - ldapsCACert
                 - routerCertSecret
                 type: object
+              autoScaleConfig:
+                description: AutoScaleConfig is a boolean to enable or disable HPA
+                type: boolean
               clientRegistration:
                 properties:
                   imageName:

helm/templates/00-rbac.yaml

@@ -272,6 +272,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding