Fix InUse detection in IstioRevisionTag controller (openshift-service-mesh#553)

* Fix InUse detection in IstioRevisionTag controller

Also adds unit tests.

Signed-off-by: Daniel Grimm <[email protected]>

* Shorten variable name

Signed-off-by: Daniel Grimm <[email protected]>

* Add more tests

Signed-off-by: Daniel Grimm <[email protected]>

* Rewrite mapPodToReconcileRequest to reconcile all relevant revisions

Signed-off-by: Daniel Grimm <[email protected]>

---------

Signed-off-by: Daniel Grimm <[email protected]>

Author: dgn

controllers/istiorevision/istiorevision_controller.go

@@ -447,47 +447,18 @@ func (r *Reconciler) isRevisionReferenced(ctx context.Context, rev *v1alpha1.Ist
 }
 
 func namespaceReferencesRevision(ns corev1.Namespace, rev *v1alpha1.IstioRevision) bool {
-	return rev.Name == getReferencedRevisionFromNamespace(ns.Labels)
+	return rev.Name == revision.GetReferencedRevisionFromNamespace(ns.Labels)
 }
 
 func podReferencesRevision(pod corev1.Pod, ns corev1.Namespace, rev *v1alpha1.IstioRevision) bool {
-	return rev.Name == getReferencedRevisionFromPod(pod.GetLabels(), pod.GetAnnotations(), ns.GetLabels())
-}
-
-func getReferencedRevisionFromNamespace(labels map[string]string) string {
-	if labels[constants.IstioInjectionLabel] == constants.IstioInjectionEnabledValue {
-		return v1alpha1.DefaultRevision
+	if rev.Name == revision.GetInjectedRevisionFromPod(pod.GetAnnotations()) {
+		return true
 	}
-	revision := labels[constants.IstioRevLabel]
-	if revision != "" {
-		return revision
+	if revision.GetReferencedRevisionFromNamespace(ns.Labels) == "" &&
+		rev.Name == revision.GetReferencedRevisionFromPod(pod.GetLabels()) {
+		return true
 	}
-	// TODO: if .Values.sidecarInjectorWebhook.enableNamespacesByDefault is true, then all namespaces except system namespaces should use the "default" revision
-
-	return ""
-}
-
-func getReferencedRevisionFromPod(podLabels, podAnnotations, nsLabels map[string]string) string {
-	// if pod was already injected, the revision that did the injection is specified in the istio.io/rev annotation
-	revision := podAnnotations[constants.IstioRevLabel]
-	if revision != "" {
-		return revision
-	}
-
-	// pod is marked for injection by a specific revision, but wasn't injected (e.g. because it was created before the revision was applied)
-	revisionFromNamespace := getReferencedRevisionFromNamespace(nsLabels)
-	if podLabels[constants.IstioSidecarInjectLabel] != "false" {
-		if revisionFromNamespace != "" {
-			return revisionFromNamespace
-		}
-		revisionFromPod := podLabels[constants.IstioRevLabel]
-		if revisionFromPod != "" {
-			return revisionFromPod
-		} else if podLabels[constants.IstioSidecarInjectLabel] == "true" {
-			return v1alpha1.DefaultRevision
-		}
-	}
-	return ""
+	return false
 }
 
 func istiodDeploymentKey(rev *v1alpha1.IstioRevision) client.ObjectKey {
@@ -532,24 +503,41 @@ func (r *Reconciler) mapNamespaceToReconcileRequest(ctx context.Context, ns clie
 	}
 
 	// Check if the namespace references an IstioRevision in its labels
-	revision := getReferencedRevisionFromNamespace(ns.GetLabels())
-	if revision != "" {
-		requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{Name: revision}})
+	revisionName := revision.GetReferencedRevisionFromNamespace(ns.GetLabels())
+	if revisionName != "" {
+		requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{Name: revisionName}})
 	}
 	return requests
 }
 
+// mapPodToReconcileRequest will collect all referenced revisions from a pod and its namespace and trigger reconciliation
 func (r *Reconciler) mapPodToReconcileRequest(ctx context.Context, pod client.Object) []reconcile.Request {
-	// TODO: rewrite getReferencedRevisionFromPod to use lazy loading to avoid loading the namespace if the pod references a revision directly
+	revisionNames := []string{}
+	revisionName := revision.GetInjectedRevisionFromPod(pod.GetAnnotations())
+	if revisionName != "" {
+		revisionNames = append(revisionNames, revisionName)
+	} else {
+		revisionName = revision.GetReferencedRevisionFromPod(pod.GetLabels())
+		if revisionName != "" {
+			revisionNames = append(revisionNames, revisionName)
+		}
+	}
 	ns := corev1.Namespace{}
 	err := r.Client.Get(ctx, types.NamespacedName{Name: pod.GetNamespace()}, &ns)
 	if err != nil {
 		return nil
 	}
+	revisionName = revision.GetReferencedRevisionFromNamespace(ns.GetLabels())
+	if revisionName != "" {
+		revisionNames = append(revisionNames, revisionName)
+	}
 
-	revision := getReferencedRevisionFromPod(pod.GetLabels(), pod.GetAnnotations(), ns.GetLabels())
-	if revision != "" {
-		return []reconcile.Request{{NamespacedName: types.NamespacedName{Name: revision}}}
+	if len(revisionNames) > 0 {
+		reqs := []reconcile.Request{}
+		for _, revName := range revisionNames {
+			reqs = append(reqs, reconcile.Request{NamespacedName: types.NamespacedName{Name: revName}})
+		}
+		return reqs
 	}
 	return nil
 }

controllers/istiorevision/istiorevision_controller_test.go

@@ -526,6 +526,12 @@ func TestDetermineInUseCondition(t *testing.T) {
 			matchesRevision: "",
 		},
 
+		// pod annotations only
+		{
+			podAnnotations:  map[string]string{"istio.io/rev": "default"},
+			matchesRevision: "default",
+		},
+
 		// namespace labels only
 		{
 			nsLabels:        map[string]string{"istio-injection": "enabled"},
@@ -567,6 +573,11 @@ func TestDetermineInUseCondition(t *testing.T) {
 		},
 
 		// ns and pod labels
+		{
+			nsLabels:        map[string]string{"istio.io/rev": "my-rev"},
+			podLabels:       map[string]string{"sidecar.istio.io/inject": "true"},
+			matchesRevision: "my-rev",
+		},
 		{
 			nsLabels:        map[string]string{"istio-injection": "enabled"},
 			podLabels:       map[string]string{"istio.io/rev": "default"},

controllers/istiorevisiontag/istiorevisiontag_controller.go

@@ -30,6 +30,7 @@ import (
 	"github.com/istio-ecosystem/sail-operator/pkg/helm"
 	"github.com/istio-ecosystem/sail-operator/pkg/kube"
 	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+	"github.com/istio-ecosystem/sail-operator/pkg/revision"
 	admissionv1 "k8s.io/api/admissionregistration/v1"
 	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
@@ -363,7 +364,7 @@ func (r *Reconciler) isRevisionTagReferencedByWorkloads(ctx context.Context, tag
 		return false, fmt.Errorf("failed to list pods: %w", err)
 	}
 	for _, pod := range podList.Items {
-		if podReferencesRevisionTag(pod, tag) {
+		if ns, found := nsMap[pod.Namespace]; found && podReferencesRevisionTag(pod, tag, ns) {
 			log.V(2).Info("RevisionTag is referenced by Pod", "Pod", client.ObjectKeyFromObject(&pod))
 			return true, nil
 		}
@@ -386,52 +387,29 @@ func (r *Reconciler) isRevisionTagReferencedByWorkloads(ctx context.Context, tag
 }
 
 func namespaceReferencesRevisionTag(ns corev1.Namespace, tag *v1alpha1.IstioRevisionTag) bool {
-	return tag.Name == getReferencedRevisionFromNamespace(ns.Labels)
+	return tag.Name == revision.GetReferencedRevisionFromNamespace(ns.Labels)
 }
 
-func podReferencesRevisionTag(pod corev1.Pod, tag *v1alpha1.IstioRevisionTag) bool {
-	return tag.Name == getReferencedRevisionTagFromPod(pod.GetLabels())
-}
-
-func getReferencedRevisionFromNamespace(labels map[string]string) string {
-	if labels[constants.IstioInjectionLabel] == constants.IstioInjectionEnabledValue {
-		return v1alpha1.DefaultRevision
-	}
-	revision := labels[constants.IstioRevLabel]
-	if revision != "" {
-		return revision
-	}
-	// TODO: if .Values.sidecarInjectorWebhook.enableNamespacesByDefault is true, then all namespaces except system namespaces should use the "default" revision
-
-	return ""
-}
-
-func getReferencedRevisionTagFromPod(podLabels map[string]string) string {
-	// we only look at pod labels to identify injection intent, as the annotation only references the real revision name instead of the tag
-	if podLabels[constants.IstioInjectionLabel] == constants.IstioInjectionEnabledValue {
-		return v1alpha1.DefaultRevision
-	} else if podLabels[constants.IstioSidecarInjectLabel] != "false" && podLabels[constants.IstioRevLabel] != "" {
-		return podLabels[constants.IstioRevLabel]
-	}
-
-	return ""
+func podReferencesRevisionTag(pod corev1.Pod, tag *v1alpha1.IstioRevisionTag, ns corev1.Namespace) bool {
+	return revision.GetReferencedRevisionFromNamespace(ns.Labels) == "" &&
+		tag.Name == revision.GetReferencedRevisionFromPod(pod.GetLabels())
 }
 
 func (r *Reconciler) mapNamespaceToReconcileRequest(ctx context.Context, ns client.Object) []reconcile.Request {
 	var requests []reconcile.Request
 
 	// Check if the namespace references an IstioRevisionTag in its labels
-	revision := getReferencedRevisionFromNamespace(ns.GetLabels())
-	if revision != "" {
-		requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{Name: revision}})
+	tag := revision.GetReferencedRevisionFromNamespace(ns.GetLabels())
+	if tag != "" {
+		requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{Name: tag}})
 	}
 	return requests
 }
 
 func (r *Reconciler) mapPodToReconcileRequest(ctx context.Context, pod client.Object) []reconcile.Request {
-	revision := getReferencedRevisionTagFromPod(pod.GetLabels())
-	if revision != "" {
-		return []reconcile.Request{{NamespacedName: types.NamespacedName{Name: revision}}}
+	tag := revision.GetReferencedRevisionFromPod(pod.GetLabels())
+	if tag != "" {
+		return []reconcile.Request{{NamespacedName: types.NamespacedName{Name: tag}}}
 	}
 	return nil
 }