Add KafkaProtocolFilterReconciler (kroxylicious#1971)

* Add KafkaProtocolFilterReconciler
* RBAC
* Serve /livez before operator start; operator can be healthy while starting
* Log if we're returning 400 from /livez

Signed-off-by: Tom Bentley <[email protected]>
Co-authored-by: Robert Young <[email protected]>

Author: tombentley

kroxylicious-operator/install/01.ClusterRole.kroxylicious-operator-watched.yaml

@@ -14,7 +14,8 @@ metadata:
     app.kubernetes.io/name: kroxylicious
     app.kubernetes.io/component: operator
 rules:
-  - apiGroups:
+  - # The operator needs to know about its own CRs
+    apiGroups:
       - "kroxylicious.io"
     resources:
       - kafkaproxies
@@ -25,10 +26,8 @@ rules:
       - get
       - list
       - watch
-      # - create
-      # - patch
-      # - update
-  - apiGroups:
+  - # The operator needs to update the status on its own CRs
+    apiGroups:
       - "kroxylicious.io"
     resources:
       - kafkaproxies/status
@@ -37,4 +36,33 @@ rules:
     verbs:
       - get
       - patch
-      - update
+      - update
+  - # The operator needs to know about its own CRs
+    apiGroups:
+      - "filter.kroxylicious.io"
+    resources:
+      - kafkaprotocolfilters
+    verbs:
+      - get
+      - list
+      - watch
+  - # The operator needs to update the status on its own CRs
+    apiGroups:
+      - "filter.kroxylicious.io"
+    resources:
+      - kafkaprotocolfilters/status
+    verbs:
+      - get
+      - patch
+      - update
+  - # the operator needs get/list/watch on these because they can be referenced
+    # from our CRs, so the operator needs to be able to resolve them.
+    apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch

kroxylicious-operator/pom.xml

@@ -358,6 +358,9 @@
                         <io.kroxylicious.kubernetes.api.v1alpha1.kafkaservicestatus.Conditions>
                             io.kroxylicious.kubernetes.api.common.Condition
                         </io.kroxylicious.kubernetes.api.v1alpha1.kafkaservicestatus.Conditions>
+                        <io.kroxylicious.kubernetes.filter.api.v1alpha1.kafkaprotocolfilterstatus.Conditions>
+                            io.kroxylicious.kubernetes.api.common.Condition
+                        </io.kroxylicious.kubernetes.filter.api.v1alpha1.kafkaprotocolfilterstatus.Conditions>
                         <io.kroxylicious.kubernetes.filter.api.v1alpha1.kafkaprotocolfilterspec.ConfigTemplate>
                             java.lang.Object
                         </io.kroxylicious.kubernetes.filter.api.v1alpha1.kafkaprotocolfilterspec.ConfigTemplate>

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/KafkaProtocolFilterReconciler.java

@@ -0,0 +1,211 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.kubernetes.operator;
+
+import java.time.Clock;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.fabric8.kubernetes.api.model.ConfigMap;
+import io.fabric8.kubernetes.api.model.ConfigMapVolumeSource;
+import io.fabric8.kubernetes.api.model.HasMetadata;
+import io.fabric8.kubernetes.api.model.Secret;
+import io.fabric8.kubernetes.api.model.SecretVolumeSource;
+import io.javaoperatorsdk.operator.api.config.informer.InformerEventSourceConfiguration;
+import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusUpdateControl;
+import io.javaoperatorsdk.operator.api.reconciler.EventSourceContext;
+import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
+import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
+import io.javaoperatorsdk.operator.processing.event.ResourceID;
+import io.javaoperatorsdk.operator.processing.event.source.EventSource;
+import io.javaoperatorsdk.operator.processing.event.source.informer.InformerEventSource;
+
+import io.kroxylicious.kubernetes.api.common.Condition;
+import io.kroxylicious.kubernetes.api.common.ConditionBuilder;
+import io.kroxylicious.kubernetes.filter.api.v1alpha1.KafkaProtocolFilter;
+import io.kroxylicious.kubernetes.filter.api.v1alpha1.KafkaProtocolFilterBuilder;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+
+/**
+ * Reconciles a {@link KafkaProtocolFilter} by checking whether the {@link Secret}s
+ * and {@link ConfigMap}s refered to in interpolated expressions actually exist, setting a
+ * {@link Condition.Type#ResolvedRefs} {@link Condition} accordingly.
+ */
+public class KafkaProtocolFilterReconciler implements
+        Reconciler<KafkaProtocolFilter> {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(KafkaProtocolFilterReconciler.class);
+    private final Clock clock;
+    private final SecureConfigInterpolator secureConfigInterpolator;
+
+    KafkaProtocolFilterReconciler(Clock clock, SecureConfigInterpolator secureConfigInterpolator) {
+        this.clock = Objects.requireNonNull(clock);
+        this.secureConfigInterpolator = Objects.requireNonNull(secureConfigInterpolator);
+    }
+
+    @Override
+    public List<EventSource<?, KafkaProtocolFilter>> prepareEventSources(EventSourceContext<KafkaProtocolFilter> context) {
+        return List.of(
+                new InformerEventSource<>(templateResourceReferenceEventSourceConfig(context, Secret.class,
+                        interpolationResult -> interpolationResult.volumes().stream()
+                                .flatMap(volume -> Optional.ofNullable(volume.getSecret())
+                                        .map(SecretVolumeSource::getSecretName)
+                                        .stream())),
+                        context),
+                new InformerEventSource<>(templateResourceReferenceEventSourceConfig(context, ConfigMap.class,
+                        interpolationResult -> interpolationResult.volumes().stream()
+                                .flatMap(volume -> Optional.ofNullable(volume.getConfigMap())
+                                        .map(ConfigMapVolumeSource::getName)
+                                        .stream())),
+                        context));
+    }
+
+    /**
+     * Returns a new event source config for getting the resource dependencies of a given type present in a filter's {@code spec.configTemplate}.
+     * @param context The context.
+     * @param secondaryClass The Java type of resource reference (e.g. Secret)
+     * @param resourceNameExtractor A function which extracts the name of the resources from an interpolation result.
+     * @param <R> The type of referenced resource
+     * @return The event source configuration
+     */
+    private <R extends HasMetadata> InformerEventSourceConfiguration<R> templateResourceReferenceEventSourceConfig(
+                                                                                                                   EventSourceContext<KafkaProtocolFilter> context,
+                                                                                                                   Class<R> secondaryClass,
+                                                                                                                   Function<SecureConfigInterpolator.InterpolationResult, Stream<String>> resourceNameExtractor) {
+        return InformerEventSourceConfiguration.from(
+                secondaryClass,
+                KafkaProtocolFilter.class)
+                .withPrimaryToSecondaryMapper((KafkaProtocolFilter filter) -> {
+                    Object configTemplate = filter.getSpec().getConfigTemplate();
+                    var interpolationResult = secureConfigInterpolator.interpolate(configTemplate);
+                    Set<ResourceID> resourceIds = resourceNameExtractor.apply(interpolationResult)
+                            .map(name -> new ResourceID(name, ResourcesUtil.namespace(filter)))
+                            .collect(Collectors.toSet());
+                    LOGGER.debug("Filter {} references {}(s) {}", ResourcesUtil.name(filter), secondaryClass.getName(), resourceIds);
+                    return resourceIds;
+                })
+                .withSecondaryToPrimaryMapper(secret -> {
+                    Set<ResourceID> resourceIds = ResourcesUtil.filteredResourceIdsInSameNamespace(
+                            context,
+                            secret,
+                            KafkaProtocolFilter.class,
+                            filter -> {
+                                Object configTemplate = filter.getSpec().getConfigTemplate();
+                                var interpolationResult = secureConfigInterpolator.interpolate(configTemplate);
+                                return resourceNameExtractor.apply(interpolationResult)
+                                        .anyMatch(secretNameFromVolume -> secretNameFromVolume.equals(ResourcesUtil.name(secret)));
+                            });
+                    LOGGER.debug("{} {} referenced by Filters {}", secondaryClass.getName(), ResourcesUtil.name(secret), resourceIds);
+                    return resourceIds;
+                })
+                .build();
+    }
+
+    @Override
+    public UpdateControl<KafkaProtocolFilter> reconcile(
+                                                        KafkaProtocolFilter filter,
+                                                        Context<KafkaProtocolFilter> context) {
+
+        var now = ZonedDateTime.ofInstant(clock.instant(), ZoneId.of("Z"));
+
+        ConditionBuilder conditionBuilder = newResolvedRefsCondition(filter, now);
+
+        var existingSecrets = context.getSecondaryResourcesAsStream(Secret.class)
+                .map(ResourcesUtil::name)
+                .collect(Collectors.toSet());
+        LOGGER.debug("Existing secrets: {}", existingSecrets);
+
+        var existingConfigMaps = context.getSecondaryResourcesAsStream(ConfigMap.class)
+                .map(ResourcesUtil::name)
+                .collect(Collectors.toSet());
+        LOGGER.debug("Existing configmaps: {}", existingConfigMaps);
+
+        var interpolationResult = secureConfigInterpolator.interpolate(filter.getSpec().getConfigTemplate());
+        var referencedSecrets = interpolationResult.volumes().stream().flatMap(volume -> Optional.ofNullable(volume.getSecret())
+                .map(SecretVolumeSource::getSecretName)
+                .stream())
+                .collect(Collectors.toCollection(TreeSet::new));
+        LOGGER.debug("Referenced secrets: {}", referencedSecrets);
+
+        var referencedConfigMaps = interpolationResult.volumes().stream().flatMap(volume -> Optional.ofNullable(volume.getConfigMap())
+                .map(ConfigMapVolumeSource::getName)
+                .stream())
+                .collect(Collectors.toCollection(TreeSet::new));
+        LOGGER.debug("Referenced configmaps: {}", referencedConfigMaps);
+
+        if (existingSecrets.containsAll(referencedSecrets)
+                && existingConfigMaps.containsAll(referencedConfigMaps)) {
+            conditionBuilder.withStatus(Condition.Status.TRUE);
+        }
+        else {
+            referencedSecrets.removeAll(existingSecrets);
+            referencedConfigMaps.removeAll(existingConfigMaps);
+            String message = "Referenced";
+            if (!referencedSecrets.isEmpty()) {
+                message += " Secrets [" + String.join(", ", referencedSecrets) + "]";
+            }
+            if (!referencedConfigMaps.isEmpty()) {
+                message += " ConfigMaps [" + String.join(", ", referencedConfigMaps) + "]";
+            }
+            message += " not found";
+            conditionBuilder.withStatus(Condition.Status.FALSE)
+                    .withReason("MissingInterpolationReferences")
+                    .withMessage(message);
+        }
+
+        KafkaProtocolFilter newFilter = newFilterWithCondition(filter, conditionBuilder.build());
+        LOGGER.debug("Patching with status {}", newFilter.getStatus());
+        return UpdateControl.patchStatus(newFilter);
+    }
+
+    @NonNull
+    private static KafkaProtocolFilter newFilterWithCondition(KafkaProtocolFilter filter, Condition condition) {
+        // @formatter:off
+        return new KafkaProtocolFilterBuilder(filter)
+                    .withNewStatus()
+                        .withObservedGeneration(ResourcesUtil.generation(filter))
+                        .withConditions(condition) // overwrite any existing conditions
+                    .endStatus()
+                .build();
+        // @formatter:on
+    }
+
+    private static ConditionBuilder newResolvedRefsCondition(KafkaProtocolFilter filter, ZonedDateTime now) {
+        return new ConditionBuilder()
+                .withType(Condition.Type.ResolvedRefs)
+                .withLastTransitionTime(now)
+                .withObservedGeneration(ResourcesUtil.generation(filter));
+    }
+
+    @Override
+    public ErrorStatusUpdateControl<KafkaProtocolFilter> updateErrorStatus(
+                                                                           KafkaProtocolFilter filter,
+                                                                           Context<KafkaProtocolFilter> context,
+                                                                           Exception e) {
+        var now = ZonedDateTime.ofInstant(clock.instant(), ZoneId.of("Z"));
+        // ResolvedRefs to UNKNOWN
+        Condition condition = newResolvedRefsCondition(filter, now)
+                .withStatus(Condition.Status.UNKNOWN)
+                .withReason(e.getClass().getName())
+                .withMessage(e.getMessage())
+                .build();
+        return ErrorStatusUpdateControl.patchStatus(newFilterWithCondition(filter, condition));
+    }
+}

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/KafkaProxyReconciler.java

@@ -23,6 +23,7 @@
 import io.javaoperatorsdk.operator.AggregatedOperatorException;
 import io.javaoperatorsdk.operator.api.config.informer.InformerEventSourceConfiguration;
 import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.ContextInitializer;
 import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusUpdateControl;
 import io.javaoperatorsdk.operator.api.reconciler.EventSourceContext;
 import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
@@ -74,13 +75,31 @@
 })
 // @formatter:on
 public class KafkaProxyReconciler implements
-        Reconciler<KafkaProxy> {
+        Reconciler<KafkaProxy>,
+        ContextInitializer<KafkaProxy> {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(KafkaProxyReconciler.class);
 
     public static final String CONFIG_DEP = "config";
     public static final String DEPLOYMENT_DEP = "deployment";
     public static final String CLUSTERS_DEP = "clusters";
+    static final String SEC = "sec";
+    private final SecureConfigInterpolator secureConfigInterpolator;
+
+    public KafkaProxyReconciler(SecureConfigInterpolator secureConfigInterpolator) {
+        this.secureConfigInterpolator = secureConfigInterpolator;
+    }
+
+    static SecureConfigInterpolator secureConfigInterpolator(Context<KafkaProxy> context) {
+        return context.managedWorkflowAndDependentResourceContext().getMandatory(SEC, SecureConfigInterpolator.class);
+    }
+
+    @Override
+    public void initContext(
+                            KafkaProxy primary,
+                            Context<KafkaProxy> context) {
+        context.managedWorkflowAndDependentResourceContext().put(SEC, secureConfigInterpolator);
+    }
 
     /**
      * The happy path, where all the dependent resources expressed a desired
@@ -426,5 +445,4 @@ private static InformerEventSource<KafkaProtocolFilter, KafkaProxy> eventSourceF
     private static @NonNull Predicate<KafkaProxyIngress> ingressReferences(HasMetadata primary) {
         return ingress -> ingress.getSpec().getProxyRef().getName().equals(name(primary));
     }
-
 }

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/OperatorMain.java

@@ -80,13 +80,14 @@ public static void main(String[] args) {
      */
     void start() {
         operator.installShutdownHook(Duration.ofSeconds(10));
-        operator.register(new KafkaProxyReconciler());
+        operator.register(new KafkaProxyReconciler(SecureConfigInterpolator.DEFAULT_INTERPOLATOR));
         operator.register(new KafkaProxyIngressReconciler(Clock.systemUTC()));
         operator.register(new KafkaServiceReconciler(Clock.systemUTC()));
+        operator.register(new KafkaProtocolFilterReconciler(Clock.systemUTC(), SecureConfigInterpolator.DEFAULT_INTERPOLATOR));
         addHttpGetHandler("/", () -> 404);
         managementServer.start();
-        operator.start();
         addHttpGetHandler(HTTP_PATH_LIVEZ, this::livezStatusCode);
+        operator.start();
         LOGGER.info("Operator started");
     }
 
@@ -111,7 +112,7 @@ private int livezStatusCode() {
             sc = 400;
             LOGGER.error("Ignoring exception caught while getting operator health info", e);
         }
-        LOGGER.trace("Responding {} to GET {}", sc, HTTP_PATH_LIVEZ);
+        (sc != 200 ? LOGGER.atWarn() : LOGGER.atDebug()).log("Responding {} to GET {}", sc, HTTP_PATH_LIVEZ);
         return sc;
     }
 

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/ProxyConfigConfigMap.java

@@ -79,14 +79,8 @@ private static String toYaml(Object filterDefs) {
         }
     }
 
-    private final SecureConfigInterpolator secureConfigInterpolator;
-
     public ProxyConfigConfigMap() {
         super(ConfigMap.class);
-        var providerMap = Map.<String, SecureConfigProvider> of(
-                "secret", MountedResourceConfigProvider.SECRET_PROVIDER,
-                "configmap", MountedResourceConfigProvider.CONFIGMAP_PROVIDER);
-        secureConfigInterpolator = new SecureConfigInterpolator("/opt/kroxylicious/secure", providerMap);
     }
 
     /**
@@ -207,7 +201,7 @@ private List<NamedFilterDefinition> filterDefinitions(Context<KafkaProxy> contex
             var filterCr = resolutionResult.filter(filterCrRef).orElseThrow();
             var spec = filterCr.getSpec();
             String type = spec.getType();
-            SecureConfigInterpolator.InterpolationResult interpolationResult = interpolateConfig(spec);
+            SecureConfigInterpolator.InterpolationResult interpolationResult = interpolateConfig(context, spec);
             ManagedWorkflowAndDependentResourceContext ctx = context.managedWorkflowAndDependentResourceContext();
             putOrMerged(ctx, SECURE_VOLUME_KEY, interpolationResult.volumes());
             putOrMerged(ctx, SECURE_VOLUME_MOUNT_KEY, interpolationResult.mounts());
@@ -226,7 +220,8 @@ private static <T> void putOrMerged(ManagedWorkflowAndDependentResourceContext c
         }
     }
 
-    private SecureConfigInterpolator.InterpolationResult interpolateConfig(KafkaProtocolFilterSpec spec) {
+    private SecureConfigInterpolator.InterpolationResult interpolateConfig(Context<KafkaProxy> context, KafkaProtocolFilterSpec spec) {
+        SecureConfigInterpolator secureConfigInterpolator = KafkaProxyReconciler.secureConfigInterpolator(context);
         Object configTemplate = Objects.requireNonNull(spec.getConfigTemplate(), "ConfigTemplate is required in the KafkaProtocolFilterSpec");
         return secureConfigInterpolator.interpolate(configTemplate);
     }

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/SecureConfigInterpolator.java

@@ -46,6 +46,10 @@ private record InterpolatedValue(@Nullable Object interpolatedValue, @NonNull Li
 
     private static final InterpolatedValue NULL_INTERPOLATED_VALUE = new InterpolatedValue(null, List.of());
 
+    static final SecureConfigInterpolator DEFAULT_INTERPOLATOR = new SecureConfigInterpolator("/opt/kroxylicious/secure", Map.<String, SecureConfigProvider> of(
+            "secret", MountedResourceConfigProvider.SECRET_PROVIDER,
+            "configmap", MountedResourceConfigProvider.CONFIGMAP_PROVIDER));
+
     private final Map<String, SecureConfigProvider> providers;
     private final Path mountPathBase;