Group migrator

Author: mrMigles

.github/charts-values-update-config.yaml

@@ -14,4 +14,5 @@ charts:
       - ghcr.io/netcracker/qubership-docker-zookeeper:${release}
       - ghcr.io/netcracker/qubership-zookeeper-monitoring:${release}
       - ghcr.io/netcracker/qubership-zookeeper-backup-daemon:${release}
-      - ghcr.io/netcracker/qubership-zookeeper-integration-tests:${release}
+      - ghcr.io/netcracker/qubership-zookeeper-integration-tests:${release}
+      - ghcr.io/netcracker/qubership-docker-kubectl:#latest

operator/charts/helm/zookeeper-service/templates/_helpers.tpl

@@ -236,6 +236,14 @@ Find a zookeeper image in various places.
     {{- printf "%s" .Values.zooKeeper.dockerImage -}}
 {{- end -}}
 
+{{/*
+Find a kubectl image in various places.
+*/}}
+{{- define "kubectl.image" -}}
+    {{- printf "%s" .Values.groupMigration.image -}}
+{{- end -}}
+
+
 {{/*
 ZooKeeper admin username.
 */}}

operator/charts/helm/zookeeper-service/templates/pre-deploy/ownerref-migrator-job.yaml

@@ -0,0 +1,103 @@
+{{- if .Values.groupMigration.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-ownerref-migrator
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}-ownerref-migrator
+      restartPolicy: OnFailure
+      {{- if .Values.groupMigration.runAsNonRoot }}
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile: { type: RuntimeDefault }
+      {{- end }}
+      containers:
+        - name: migrator
+          image: {{ template "kubectl.image" . }}
+          imagePullPolicy: {{ .Values.groupMigration.imagePullPolicy | default "IfNotPresent" }}
+          command: ["/bin/sh","-c"]
+          args:
+            - |
+              set -euo pipefail
+
+              # Ensure jq is present
+              command -v jq >/dev/null 2>&1 || { echo "[migrator] jq is required"; exit 1; }
+
+              # Config
+              KUBECTL="kubectl"
+              NS="{{ .Release.Namespace }}"
+              RESOURCES="${RESOURCES:-deployments,statefulsets,configmaps,secrets,services,persistentvolumeclaims}"
+              SELECTOR="{{ .Values.groupMigration.labelSelector }}"
+              OLD_GROUP="{{ .Values.groupMigration.oldGroupPrefix }}"
+
+              # Build optional selector flag
+              if [ -n "${SELECTOR}" ]; then SEL="-l ${SELECTOR}"; else SEL=""; fi
+
+              IFS=','; for r in $RESOURCES; do
+                r="$(echo "$r" | xargs)"; [ -z "$r" ] && continue
+
+                # Get items JSON; on RBAC/list error warn and continue
+                ITEMS_JSON="$($KUBECTL -n "$NS" get "$r" $SEL -o json 2>/dev/null || true)"
+                if [ -z "$ITEMS_JSON" ]; then
+                  echo "[migrator][WARN] cannot list $r (RBAC or not found)"; continue
+                fi
+
+                # Extract names having ownerRefs with apiVersion starting with OLD_GROUP
+                NAMES="$(printf "%s" "$ITEMS_JSON" \
+                  | jq -r --arg grp "$OLD_GROUP" '.items[]
+                        | select([(.metadata.ownerReferences // [])[]?
+                                  | .apiVersion|tostring
+                                  | startswith($grp)] | any)
+                        | .metadata.name')"
+
+                [ -z "$NAMES" ] && continue
+                # Iterate names without here-strings (portable for /bin/sh)
+                printf "%s\n" "$NAMES" | while IFS= read -r name; do
+                  [ -z "$name" ] && continue
+
+                  OBJ_JSON="$($KUBECTL -n "$NS" get "$r" "$name" -o json 2>/dev/null || true)"
+                  if [ -z "$OBJ_JSON" ]; then
+                    echo "[migrator][WARN] cannot get $r/$name"; continue
+                  fi
+
+                  # Build merge-patch that removes matching ownerRefs
+                  PATCH="$(printf "%s" "$OBJ_JSON" | jq -c --arg grp "$OLD_GROUP" '
+                    {"metadata":{"ownerReferences":[
+                      (.metadata.ownerReferences // [])[]
+                      | select((.apiVersion|tostring)|startswith($grp)|not)
+                    ]}}')"
+
+                  if $KUBECTL -n "$NS" patch "$r" "$name" --type=merge -p "$PATCH" >/dev/null 2>&1; then
+                    echo "[migrator] $r/$name patched"
+                  else
+                    echo "[migrator][WARN] patch failed for $r/$name"
+                  fi
+                done
+              done
+
+              echo "[migrator] done"
+          resources:
+            limits:
+              cpu: {{ .Values.groupMigration.resources.limits.cpu  }}
+              memory: {{ .Values.groupMigration.resources.limits.memory }}
+            requests:
+              cpu: {{ .Values.operator.resources.requests.cpu }}
+              memory: {{ .Values.operator.resources.requests.memory }}
+          {{- if .Values.groupMigration.runAsNonRoot }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities: { drop: ["ALL"] }
+          {{- end }}
+{{- end }}

operator/charts/helm/zookeeper-service/templates/pre-deploy/ownerref-migrator-rbac.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.groupMigration.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-ownerref-migrator
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-190"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets"]
+    verbs: ["get","list","patch","update"]
+  - apiGroups: [""]
+    resources: ["configmaps","secrets","services","persistentvolumeclaims"]
+    verbs: ["get","list","patch","update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-ownerref-migrator
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-180"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "argocd.argoproj.io/hook": PreSync
+    "argocd.argoproj.io/hook-delete-policy": HookSucceeded
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-ownerref-migrator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-ownerref-migrator
+{{- end }}

operator/charts/helm/zookeeper-service/templates/pre-deploy/ownerref-migrator-sa.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.groupMigration.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-ownerref-migrator
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-200"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- end }}

operator/charts/helm/zookeeper-service/values.yaml

@@ -368,6 +368,22 @@ integrationTests:
   customLabels: {}
   securityContext: {}
 
+groupMigration:
+  enabled: true
+  oldGroupPrefix: "qubership.org/"
+  # labelSelector: "app.kubernetes.io/part-of=app-name"
+  labelSelector: ""
+  resources:
+    requests:
+      memory: 64Mi
+      cpu: 20m
+    limits:
+      memory: 256Mi
+      cpu: 100m
+  image: "ghcr.io/netcracker/qubership-docker-kubectl:main"
+  imagePullPolicy: Always
+  runAsNonRoot: true
+
 # Cloud Release Integration
 # The name of the Service exposed for the database.
 SERVICE_NAME: "zookeeper-service"