Operator: new CR status condition for upgrades

Closes #37220

Signed-off-by: Pedro Ruivo <[email protected]>

Author: pruivo

docs/guides/operator/advanced-configuration.adoc

@@ -153,7 +153,7 @@ spec:
 
 The unsupported podTemplate may be used to override the default probes.
 
-In particular the default startup probe timeout of 10 minutes may be too short in scenarios where there is a long-running migration. 
+In particular the default startup probe timeout of 10 minutes may be too short in scenarios where there is a long-running migration.
 
 If your instances encounter this startup failure or if you wish to proactively prevent such a startup failure from occurring, then the startup probe timeout should be increased.
 
@@ -526,4 +526,28 @@ When the image field changes, the StatefulSet is scaled down before applying the
 
 |===
 
+===== CR Statuses =====
+
+The Keycloak CR status of type `RecreateUpdateUsed` indicates the type of update strategy employed during the last update operation.
+The `lastTransitionTime` field indicates when the last update occurred.
+
+[%autowidth]
+.Condition statuses
+|===
+|Status |Description
+
+m|Unknown
+|The initial state.
+It means no update has taken place.
+
+m|False
+|The rolling update type was used in the last update.
+
+m|True
+|The recreate update type was used in the last update.
+The `message` field explains why this strategy was chosen.
+
+|===
+
+
 </@tmpl.guide>

operator/src/main/java/org/keycloak/operator/controllers/KeycloakController.java

@@ -134,8 +134,8 @@ public UpdateControl<Keycloak> reconcile(Keycloak kc, Context<Keycloak> context)
         ContextUtils.storeCurrentStatefulSet(context, existingDeployment);
         ContextUtils.storeDesiredStatefulSet(context, new KeycloakDeploymentDependentResource().desired(kc, context));
 
-        var upgradeLogicControl = upgradeLogicFactory.create(kc, context)
-                .decideUpgrade();
+        var upgradeLogic = upgradeLogicFactory.create(kc, context);
+        var upgradeLogicControl = upgradeLogic.decideUpgrade();
         if (upgradeLogicControl.isPresent()) {
             Log.debug("--- Reconciliation interrupted due to upgrade logic");
             return upgradeLogicControl.get();
@@ -147,6 +147,7 @@ public UpdateControl<Keycloak> reconcile(Keycloak kc, Context<Keycloak> context)
         var statusAggregator = new KeycloakStatusAggregator(kc.getStatus(), kc.getMetadata().getGeneration());
 
         updateStatus(kc, existingDeployment, statusAggregator, context);
+        upgradeLogic.updateStatus(statusAggregator);
         var status = statusAggregator.build();
 
         Log.debug("--- Reconciliation finished successfully");

operator/src/main/java/org/keycloak/operator/crds/v2alpha1/deployment/KeycloakStatusAggregator.java

@@ -35,6 +35,7 @@ public class KeycloakStatusAggregator {
     private final KeycloakStatusCondition readyCondition = new KeycloakStatusCondition();
     private final KeycloakStatusCondition hasErrorsCondition = new KeycloakStatusCondition();
     private final KeycloakStatusCondition rollingUpdate = new KeycloakStatusCondition();
+    private final KeycloakStatusCondition updateType = new KeycloakStatusCondition();
 
     private final List<String> notReadyMessages = new ArrayList<>();
     private final List<String> errorMessages = new ArrayList<>();
@@ -71,6 +72,8 @@ public KeycloakStatusAggregator(KeycloakStatus current, Long generation) {
         hasErrorsCondition.setType(KeycloakStatusCondition.HAS_ERRORS);
 
         rollingUpdate.setType(KeycloakStatusCondition.ROLLING_UPDATE);
+
+        updateType.setType(KeycloakStatusCondition.UPDATE_TYPE);
     }
 
     public KeycloakStatusAggregator addNotReadyMessage(String message) {
@@ -100,6 +103,12 @@ public KeycloakStatusAggregator addRollingUpdateMessage(String message) {
         return this;
     }
 
+    public void addUpgradeType(boolean recreate, String message) {
+        updateType.setStatus(recreate);
+        updateType.setObservedGeneration(observedGeneration);
+        updateType.setMessage(message);
+    }
+
     /**
      * Apply non-condition changes to the status
      */
@@ -142,10 +151,11 @@ public KeycloakStatus build() {
         updateConditionFromExisting(readyCondition, existingConditions, now);
         updateConditionFromExisting(hasErrorsCondition, existingConditions, now);
         updateConditionFromExisting(rollingUpdate, existingConditions, now);
+        updateConditionFromExisting(updateType, existingConditions, now);
 
         return statusBuilder
                 .withObservedGeneration(observedGeneration)
-                .withConditions(List.of(readyCondition, hasErrorsCondition, rollingUpdate))
+                .withConditions(List.of(readyCondition, hasErrorsCondition, rollingUpdate, updateType))
                 .build();
     }
 

operator/src/main/java/org/keycloak/operator/crds/v2alpha1/deployment/KeycloakStatusCondition.java

@@ -26,4 +26,5 @@ public class KeycloakStatusCondition extends StatusCondition {
     public static final String READY = "Ready";
     public static final String HAS_ERRORS = "HasErrors";
     public static final String ROLLING_UPDATE = "RollingUpdate";
+    public static final String UPDATE_TYPE = "RecreateUpdateUsed";
 }

operator/src/main/java/org/keycloak/operator/upgrade/UpgradeLogic.java

@@ -23,6 +23,7 @@
 import io.javaoperatorsdk.operator.api.reconciler.Context;
 import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
 import org.keycloak.operator.crds.v2alpha1.deployment.Keycloak;
+import org.keycloak.operator.crds.v2alpha1.deployment.KeycloakStatusAggregator;
 
 /**
  * An API to implement to handle Keycloak CR updates.
@@ -48,4 +49,11 @@ public interface UpgradeLogic {
      */
     Optional<UpdateControl<Keycloak>> decideUpgrade();
 
+    /**
+     * Updates the Keycloak CR status.
+     *
+     * @param statusAggregator The {@link KeycloakStatusAggregator} to update.
+     */
+    void updateStatus(KeycloakStatusAggregator statusAggregator);
+
 }

operator/src/main/java/org/keycloak/operator/upgrade/impl/AutoUpgradeLogic.java

@@ -69,7 +69,7 @@ Optional<UpdateControl<Keycloak>> onUpgrade() {
         if (pod.isEmpty()) {
             // TODO some cases the pod is removed. Do we start over or use recreate update?
             Log.warn("Pod for Update Job not found.");
-            decideRecreateUpgrade();
+            decideRecreateUpgrade("The Pod running update-compatibility command not found.");
             return Optional.empty();
         }
 
@@ -99,12 +99,17 @@ private void checkUpgradeType(Pod pod) {
                 .map(AutoUpgradeLogic::exitCode);
         if (initContainerExitCode.isEmpty()) {
             Log.warn("InitContainer not found for Update Job.");
-            decideRecreateUpgrade();
+            decideRecreateUpgrade("InitContainer running update-compatibility command not found. Did it crash? Check update job for details.");
             return;
         }
         if (initContainerExitCode.get() != 0) {
+            if (initContainerExitCode.get() == 4) {
+                Log.warn("Feature 'rolling-update' not enabled.");
+                decideRecreateUpgrade("Feature 'rolling-update' not enabled.");
+                return;
+            }
             Log.warn("InitContainer unexpectedly failed for Update Job.");
-            decideRecreateUpgrade();
+            decideRecreateUpgrade("Unexpected update-compatibility command exit code (%s). Check update job for details.".formatted(initContainerExitCode.get()));
             return;
         }
 
@@ -113,37 +118,37 @@ private void checkUpgradeType(Pod pod) {
                 .map(AutoUpgradeLogic::exitCode);
         if (containerExitCode.isEmpty()) {
             Log.warn("Container not found for Update Job.");
-            decideRecreateUpgrade();
+            decideRecreateUpgrade("Container running update-compatibility command not found. Did it crash?");
             return;
         }
         switch (containerExitCode.get()) {
             case 0: {
-                decideRollingUpgrade();
+                decideRollingUpgrade("Compatible changes detected.");
                 return;
             }
             case 1: {
                 Log.warn("Container has an unexpected error for Update Job");
-                decideRecreateUpgrade();
+                decideRecreateUpgrade("Unexpected update-compatibility command error. Check update job for details.");
                 return;
             }
             case 2: {
                 Log.warn("Container has an invalid arguments for Update Job.");
-                decideRecreateUpgrade();
+                decideRecreateUpgrade("Invalid arguments in update-compatibility command. Check update job for details.");
                 return;
             }
             case 3: {
                 Log.warn("Rolling Update not possible.");
-                decideRecreateUpgrade();
+                decideRecreateUpgrade("Incompatible changes detected. Check update job for details.");
                 return;
             }
             case 4: {
                 Log.warn("Feature 'rolling-update' not enabled.");
-                decideRecreateUpgrade();
+                decideRecreateUpgrade("Feature 'rolling-update' not enabled.");
                 return;
             }
             default: {
-                Log.warnf("Unexpected Update Job exit code: " + containerExitCode.get());
-                decideRecreateUpgrade();
+                Log.warnf("Unexpected Update Job exit code: %s", containerExitCode.get());
+                decideRecreateUpgrade("Unexpected update-compatibility command exit code (%s). Check update job for details.".formatted(containerExitCode.get()));
             }
         }
     }

operator/src/main/java/org/keycloak/operator/upgrade/impl/BaseUpgradeLogic.java

@@ -20,6 +20,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
@@ -33,6 +34,7 @@
 import org.keycloak.operator.controllers.KeycloakDeploymentDependentResource;
 import org.keycloak.operator.crds.v2alpha1.CRDUtils;
 import org.keycloak.operator.crds.v2alpha1.deployment.Keycloak;
+import org.keycloak.operator.crds.v2alpha1.deployment.KeycloakStatusAggregator;
 import org.keycloak.operator.upgrade.UpgradeLogic;
 import org.keycloak.operator.upgrade.UpgradeType;
 
@@ -46,6 +48,7 @@ abstract class BaseUpgradeLogic implements UpgradeLogic {
 
     protected final Context<Keycloak> context;
     protected final Keycloak keycloak;
+    private Consumer<KeycloakStatusAggregator> statusConsumer = unused -> {};
 
     BaseUpgradeLogic(Context<Keycloak> context, Keycloak keycloak) {
         this.context = context;
@@ -73,28 +76,35 @@ public final Optional<UpdateControl<Keycloak>> decideUpgrade() {
         return onUpgrade();
     }
 
+    @Override
+    public final void updateStatus(KeycloakStatusAggregator statusAggregator) {
+        statusConsumer.accept(statusAggregator);
+    }
+
     /**
      * Concrete upgrade logic should be implemented here.
      * <p>
      * Use {@link ContextUtils#getCurrentStatefulSet(Context)} and/or
      * {@link ContextUtils#getDesiredStatefulSet(Context)} to get the current and the desired {@link StatefulSet},
      * respectively.
      * <p>
-     * Use the methods {@link #decideRecreateUpgrade()} or {@link #decideRollingUpgrade()} to use one of the available
+     * Use the methods {@link #decideRecreateUpgrade(String)} or {@link #decideRollingUpgrade(String)} to use one of the available
      * upgrade logics.
      *
      * @return An {@link UpdateControl} if the reconciliation must be interrupted before updating the
      * {@link StatefulSet}.
      */
     abstract Optional<UpdateControl<Keycloak>> onUpgrade();
 
-    void decideRollingUpgrade() {
-        Log.debug("Decided rolling upgrade type.");
+    void decideRollingUpgrade(String reason) {
+        Log.debugf("Decided rolling upgrade type. Reason: %s", reason);
+        statusConsumer = status -> status.addUpgradeType(false, reason);
         ContextUtils.storeUpgradeType(context, UpgradeType.ROLLING);
     }
 
-    void decideRecreateUpgrade() {
-        Log.debug("Decided recreate upgrade type.");
+    void decideRecreateUpgrade(String reason) {
+        Log.debugf("Decided recreate upgrade type. Reason: %s", reason);
+        statusConsumer = status -> status.addUpgradeType(true, reason);
         ContextUtils.storeUpgradeType(context, UpgradeType.RECREATE);
     }
 
@@ -124,7 +134,6 @@ private static boolean isEnvEquals(Container actual, Container desired) {
 
     private static Map<String, EnvVar> envVars(Container container) {
         // The operator only sets value or secrets. Any other combination is from unsupported pod template.
-        //noinspection DataFlowIssue
         return container.getEnv().stream()
                 .filter(envVar -> !envVar.getName().equals(KeycloakDeploymentDependentResource.POD_IP))
                 .collect(Collectors.toMap(EnvVar::getName, Function.identity()));

operator/src/main/java/org/keycloak/operator/upgrade/impl/ForceRecreateUpgradeLogic.java

@@ -37,7 +37,7 @@ public ForceRecreateUpgradeLogic(Context<Keycloak> context, Keycloak keycloak) {
 
     @Override
     Optional<UpdateControl<Keycloak>> onUpgrade() {
-        decideRecreateUpgrade();
+        decideRecreateUpgrade("Strategy ForceRecreate configured.");
         return Optional.empty();
     }
 }

operator/src/main/java/org/keycloak/operator/upgrade/impl/RecreateOnImageChangeUpgradeLogic.java

@@ -47,9 +47,9 @@ Optional<UpdateControl<Keycloak>> onUpgrade() {
         var desiredImage = extractImage(ContextUtils.getDesiredStatefulSet(context));
 
         if (Objects.equals(currentImage, desiredImage)) {
-            decideRollingUpgrade();
+            decideRollingUpgrade("Image unchanged.");
         } else {
-            decideRecreateUpgrade();
+            decideRecreateUpgrade("Image changed %s -> %s".formatted(currentImage, desiredImage));
         }
         return Optional.empty();
     }

operator/src/test/java/org/keycloak/operator/testsuite/integration/BaseOperatorTest.java

@@ -40,14 +40,7 @@
 import io.fabric8.kubernetes.client.utils.Serialization;
 import io.javaoperatorsdk.operator.Operator;
 import io.javaoperatorsdk.operator.api.config.BaseConfigurationService;
-import io.javaoperatorsdk.operator.api.config.ControllerConfiguration;
-import io.javaoperatorsdk.operator.api.config.Utils;
-import io.javaoperatorsdk.operator.api.config.dependent.DependentResourceConfigurationResolver;
-import io.javaoperatorsdk.operator.api.config.dependent.DependentResourceSpec;
 import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
-import io.javaoperatorsdk.operator.api.reconciler.dependent.Dependent;
-import io.javaoperatorsdk.operator.api.reconciler.dependent.DependentResource;
-import io.javaoperatorsdk.operator.api.reconciler.dependent.DependentResourceFactory;
 import io.quarkiverse.operatorsdk.runtime.QuarkusConfigurationService;
 import io.quarkus.logging.Log;
 import io.quarkus.test.junit.callback.QuarkusTestAfterEachCallback;
@@ -175,7 +168,7 @@ private static void createRBACresourcesAndOperatorDeployment() throws FileNotFou
     K8sUtils.set(k8sclient, new FileInputStream(TARGET_KUBERNETES_GENERATED_YML_FOLDER + deploymentTarget + ".yml"), obj -> {
         if (obj instanceof ClusterRoleBinding) {
             ((ClusterRoleBinding)obj).getSubjects().forEach(s -> s.setNamespace(namespace));
-        } else if (obj instanceof RoleBinding && "keycloak-operator-view".equals(((RoleBinding)obj).getMetadata().getName())) {
+        } else if (obj instanceof RoleBinding && "keycloak-operator-view".equals(obj.getMetadata().getName())) {
             return null; // exclude this role since it's not present in olm
         } else if (obj instanceof Deployment) {
             // set values useful for testing - TODO: could drive this in some way from the test/resource/application.properties
@@ -310,8 +303,8 @@ public void afterEach(QuarkusTestMethodContext context) {
           Method testMethod = context.getTestMethod();
           if (context.getTestStatus().getTestErrorCause() == null
                   || context.getTestStatus().getTestErrorCause() instanceof TestAbortedException
-                  || !Stream.of(context.getTestStatus().getTestErrorCause().getStackTrace())
-                          .anyMatch(ste -> ste.getMethodName().equals(testMethod.getName())
+                  || Stream.of(context.getTestStatus().getTestErrorCause().getStackTrace())
+                          .noneMatch(ste -> ste.getMethodName().equals(testMethod.getName())
                                   && ste.getClassName().equals(testMethod.getDeclaringClass().getName()))) {
               return;
           }
@@ -325,7 +318,7 @@ public void afterEach(QuarkusTestMethodContext context) {
               log(k8sclient.apps().deployments().withName("keycloak-operator"), Deployment::getStatus, false);
           }
           logFailed(k8sclient.apps().statefulSets().withName(POSTGRESQL_NAME), StatefulSet::getStatus);
-          k8sclient.pods().withLabel("app", "keycloak-realm-import").list().getItems().stream()
+          k8sclient.pods().withLabel("app", "keycloak-realm-import").list().getItems()
                   .forEach(pod -> log(k8sclient.pods().resource(pod), Pod::getStatus, false));
       } finally {
           cleanup();
@@ -380,6 +373,13 @@ private void logFailedKeycloaks() {
                                   threadDump(p);
                               });
                   }
+                  var job = k8sclient.batch().v1().jobs()
+                          .inNamespace(kc.getMetadata().getNamespace())
+                          .withName(KeycloakUpdateJobDependentResource.jobName(kc))
+                          .get();
+                  if (job != null) {
+                      Log.warnf("Keycloak Update Job \"%s\" %s", job.getMetadata().getName(), Serialization.asYaml(job.getStatus()));
+                  }
               });
   }
 
@@ -421,7 +421,7 @@ private void logEvents() {
           var entry = grouped.next();
           Log.logf("Normal".equals(entry.getValue().get(0).getType()) ? Level.INFO : Level.WARN,
                   "Event last seen %s repeated %s times - %s", getTime(entry.getValue().get(0)),
-                  entry.getValue().size(), entry.getKey().stream().collect(Collectors.joining(" ")));
+                  entry.getValue().size(), String.join(" ", entry.getKey()));
       }
   }