fix(webhook,observer): validate resource limits and fix observer bugs

fernando-villalba · fernando-villalba · commit 66fb134b3912 · 2026-03-13T09:58:40.000Z
The overnight exercise run found that the webhook accepts resource
  specs where limits &lt; requests, causing pods to fail at creation and
  clusters to get stuck in Progressing. The observer also had false
  positive errors for multi-cell primary counts and failed to discover
  external etcd endpoints.

  - Add validateResourceRequirements helper in pkg/resolver/validation.go
    checking limits &gt;= requests for all component resource specs (etcd,
    multiadmin, multiadmin-web, multigateway, multiorch, pool postgres,
    pool multipooler)
  - Add countPrimariesForPool helper in observer status.go to count
    primaries across all cells when len(poolSpec.Cells) &gt; 1, falling
    back to per-cell checks for single-cell pools
  - Update findEtcdAddress in observer topology.go to check
    GlobalTopoServer.External.Endpoints before managed etcd lookup;
    extract checkEtcdHealth helper for reuse
  - Extend probeTopoServerServices in observer connectivity.go to probe
    external etcd endpoints parsed from cluster specs

  Catches invalid resource specs at admission time instead of at pod
  creation, and eliminates false positive observer findings for
  multi-cell and external-etcd clusters.
diff --git a/pkg/resolver/validation.go b/pkg/resolver/validation.go
@@ -263,6 +263,42 @@ func (r *Resolver) ValidateClusterLogic(
 		))
 	}
 
+	// ------------------------------------------------------------------
+	// 0c. Resource Limits Validation (Top-Level Components)
+	// ------------------------------------------------------------------
+	if cluster.Spec.GlobalTopoServer != nil &&
+		cluster.Spec.GlobalTopoServer.Etcd != nil {
+		if err := validateResourceRequirements(
+			cluster.Spec.GlobalTopoServer.Etcd.Resources, "etcd",
+		); err != nil {
+			return nil, err
+		}
+	}
+	if cluster.Spec.MultiAdmin != nil && cluster.Spec.MultiAdmin.Spec != nil {
+		if err := validateResourceRequirements(
+			cluster.Spec.MultiAdmin.Spec.Resources, "multiadmin",
+		); err != nil {
+			return nil, err
+		}
+	}
+	if cluster.Spec.MultiAdminWeb != nil && cluster.Spec.MultiAdminWeb.Spec != nil {
+		if err := validateResourceRequirements(
+			cluster.Spec.MultiAdminWeb.Spec.Resources, "multiadmin-web",
+		); err != nil {
+			return nil, err
+		}
+	}
+	for _, cell := range cluster.Spec.Cells {
+		if cell.Spec != nil {
+			if err := validateResourceRequirements(
+				cell.Spec.MultiGateway.Resources,
+				fmt.Sprintf("cell '%s' multigateway", cell.Name),
+			); err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	// Iterate through every Shard and "Simulate" Resolution
 	for _, db := range cluster.Spec.Databases {
 		dbBackup := multigresv1alpha1.MergeBackupConfig(db.Backup, cluster.Spec.Backup)
@@ -383,6 +419,30 @@ func (r *Resolver) ValidateClusterLogic(
 					}
 				}
 
+				// ------------------------------------------------------------------
+				// 3b. Resource Limits Validation (Resolved Shard Components)
+				// ------------------------------------------------------------------
+				if err := validateResourceRequirements(
+					orch.Resources,
+					fmt.Sprintf("shard '%s' multiorch", shard.Name),
+				); err != nil {
+					return nil, err
+				}
+				for poolName, pool := range pools {
+					if err := validateResourceRequirements(
+						pool.Postgres.Resources,
+						fmt.Sprintf("shard '%s' pool '%s' postgres", shard.Name, poolName),
+					); err != nil {
+						return nil, err
+					}
+					if err := validateResourceRequirements(
+						pool.Multipooler.Resources,
+						fmt.Sprintf("shard '%s' pool '%s' multipooler", shard.Name, poolName),
+					); err != nil {
+						return nil, err
+					}
+				}
+
 				// ------------------------------------------------------------------
 				// 4. Backup Validation
 				// ------------------------------------------------------------------
@@ -519,6 +579,26 @@ func getEffectiveEtcdReplicas(cluster *multigresv1alpha1.MultigresCluster) int32
 	return DefaultEtcdReplicas
 }
 
+// validateResourceRequirements checks that for every resource type present in
+// both Limits and Requests, the limit is >= the request. Kubernetes enforces
+// this on Pods but NOT on CRDs, so we catch it early in the webhook.
+func validateResourceRequirements(resources corev1.ResourceRequirements, component string) error {
+	for resourceName, limit := range resources.Limits {
+		if request, ok := resources.Requests[resourceName]; ok {
+			if limit.Cmp(request) < 0 {
+				return fmt.Errorf(
+					"%s: resource %s limit (%s) must be >= request (%s)",
+					component,
+					resourceName,
+					limit.String(),
+					request.String(),
+				)
+			}
+		}
+	}
+	return nil
+}
+
 // validateCellTopology checks if nodes exist in the cluster matching each cell's
 // zone or region topology label. Returns warnings (not errors) for any cells
 // whose topology labels don't match any nodes — pods targeting those cells will
diff --git a/tools/observer/Dockerfile b/tools/observer/Dockerfile
@@ -24,7 +24,9 @@ RUN CGO_ENABLED=0 \
 	-a -o multigres-observer \
 	cmd/multigres-observer/main.go
 
-FROM gcr.io/distroless/static:nonroot
+FROM alpine:3.23
+
+RUN apk add --no-cache curl
 
 LABEL org.opencontainers.image.source="https://github.com/numtide/multigres-operator"
 WORKDIR /
diff --git a/tools/observer/pkg/observer/connectivity.go b/tools/observer/pkg/observer/connectivity.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
@@ -100,6 +101,7 @@ func (o *Observer) probeMultiOrchServices(ctx context.Context) {
 }
 
 func (o *Observer) probeTopoServerServices(ctx context.Context) {
+	// Probe managed etcd services.
 	var svcs corev1.ServiceList
 	if err := o.client.List(ctx, &svcs,
 		o.listOpts(client.MatchingLabels{
@@ -115,6 +117,34 @@ func (o *Observer) probeTopoServerServices(ctx context.Context) {
 		addr := fmt.Sprintf("%s.%s.svc", svc.Name, svc.Namespace)
 		o.probeHTTP(ctx, addr, common.PortEtcdClient, "/health", "etcd-health", svc.Name)
 	}
+
+	// Probe external etcd endpoints from clusters using external topo servers.
+	var clusters multigresv1alpha1.MultigresClusterList
+	if err := o.client.List(ctx, &clusters, o.listOpts()...); err != nil {
+		return
+	}
+	for i := range clusters.Items {
+		cluster := &clusters.Items[i]
+		if cluster.Spec.GlobalTopoServer == nil ||
+			cluster.Spec.GlobalTopoServer.External == nil {
+			continue
+		}
+		for _, ep := range cluster.Spec.GlobalTopoServer.External.Endpoints {
+			parsed, err := url.Parse(string(ep))
+			if err != nil {
+				continue
+			}
+			host := parsed.Hostname()
+			port := common.PortEtcdClient
+			if parsed.Port() != "" {
+				if p, err := net.LookupPort("tcp", parsed.Port()); err == nil {
+					port = p
+				}
+			}
+			component := fmt.Sprintf("external-etcd/%s/%s", cluster.Name, host)
+			o.probeHTTP(ctx, host, port, "/health", "etcd-health", component)
+		}
+	}
 }
 
 func (o *Observer) probePoolPodHealth(ctx context.Context) {
diff --git a/tools/observer/pkg/observer/status.go b/tools/observer/pkg/observer/status.go
@@ -334,15 +334,14 @@ func (o *Observer) checkShardPodRoles(ctx context.Context, shard *multigresv1alp
 	}
 
 	for poolName, poolSpec := range shard.Spec.Pools {
-		for _, cellName := range poolSpec.Cells {
-			violationKey := fmt.Sprintf("%s/%s-%s", comp, poolName, cellName)
-			primaryCount := countPrimariesForPoolCell(
+		if len(poolSpec.Cells) > 1 {
+			// Multi-cell: expect exactly 1 primary across ALL cells for this pool.
+			violationKey := fmt.Sprintf("%s/%s-global", comp, poolName)
+			primaryCount := countPrimariesForPool(
 				shard.Status.PodRoles,
 				podLabels,
 				string(poolName),
-				string(cellName),
 			)
-
 			if primaryCount != 1 {
 				since, tracked := o.primaryViolationSince[violationKey]
 				if !tracked {
@@ -355,21 +354,59 @@ func (o *Observer) checkShardPodRoles(ctx context.Context, shard *multigresv1alp
 						Check:     "crd-status",
 						Component: comp,
 						Message: fmt.Sprintf(
-							"Pool %s cell %s has %d primaries (expected 1)",
+							"Pool %s has %d primaries across all cells (expected 1)",
 							poolName,
-							cellName,
 							primaryCount,
 						),
 						Details: map[string]any{
 							"pool":         string(poolName),
-							"cell":         string(cellName),
 							"primaryCount": primaryCount,
+							"multiCell":    true,
 						},
 					})
 				}
 			} else {
 				delete(o.primaryViolationSince, violationKey)
 			}
+		} else {
+			// Single-cell: expect exactly 1 primary per cell.
+			for _, cellName := range poolSpec.Cells {
+				violationKey := fmt.Sprintf("%s/%s-%s", comp, poolName, cellName)
+				primaryCount := countPrimariesForPoolCell(
+					shard.Status.PodRoles,
+					podLabels,
+					string(poolName),
+					string(cellName),
+				)
+
+				if primaryCount != 1 {
+					since, tracked := o.primaryViolationSince[violationKey]
+					if !tracked {
+						o.primaryViolationSince[violationKey] = now
+						continue
+					}
+					if now.Sub(since) > common.PrimaryGracePeriod {
+						o.reporter.Report(report.Finding{
+							Severity:  report.SeverityError,
+							Check:     "crd-status",
+							Component: comp,
+							Message: fmt.Sprintf(
+								"Pool %s cell %s has %d primaries (expected 1)",
+								poolName,
+								cellName,
+								primaryCount,
+							),
+							Details: map[string]any{
+								"pool":         string(poolName),
+								"cell":         string(cellName),
+								"primaryCount": primaryCount,
+							},
+						})
+					}
+				} else {
+					delete(o.primaryViolationSince, violationKey)
+				}
+			}
 		}
 	}
 }
@@ -380,6 +417,30 @@ type podPoolCell struct {
 	cell string
 }
 
+// countPrimariesForPool counts pods with a "primary" role across all cells
+// for the specified pool. Used for multi-cell durability policies where
+// exactly one primary exists across all cells.
+func countPrimariesForPool(
+	podRoles map[string]string,
+	podLabels map[string]podPoolCell,
+	poolName string,
+) int {
+	count := 0
+	for podName, role := range podRoles {
+		if role != "primary" && role != "PRIMARY" {
+			continue
+		}
+		info, ok := podLabels[podName]
+		if !ok {
+			continue
+		}
+		if info.pool == poolName {
+			count++
+		}
+	}
+	return count
+}
+
 // countPrimariesForPoolCell counts pods with a "primary" role that belong to
 // the specified pool and cell, using pod labels for accurate filtering.
 func countPrimariesForPoolCell(
diff --git a/tools/observer/pkg/observer/topology.go b/tools/observer/pkg/observer/topology.go
@@ -29,7 +29,7 @@ func (o *Observer) checkTopology(ctx context.Context) {
 	for i := range clusters.Items {
 		cluster := &clusters.Items[i]
 
-		etcdAddr := o.findEtcdAddress(ctx, cluster.Name)
+		etcdAddr := o.findEtcdAddress(ctx, cluster)
 		if etcdAddr == "" {
 			o.reporter.Report(report.Finding{
 				Severity:  report.SeverityWarn,
@@ -66,36 +66,51 @@ func (o *Observer) checkTopology(ctx context.Context) {
 	}
 }
 
-func (o *Observer) findEtcdAddress(ctx context.Context, clusterName string) string {
+func (o *Observer) findEtcdAddress(ctx context.Context, cluster *multigresv1alpha1.MultigresCluster) string {
+	// Check external etcd endpoints first.
+	if cluster.Spec.GlobalTopoServer != nil &&
+		cluster.Spec.GlobalTopoServer.External != nil &&
+		len(cluster.Spec.GlobalTopoServer.External.Endpoints) > 0 {
+		for _, ep := range cluster.Spec.GlobalTopoServer.External.Endpoints {
+			addr := strings.TrimRight(string(ep), "/")
+			if o.checkEtcdHealth(addr) {
+				return addr
+			}
+		}
+		return ""
+	}
+
+	// Fall through to managed etcd service lookup.
 	var svcs corev1.ServiceList
 	if err := o.client.List(ctx, &svcs,
 		o.listOpts(client.MatchingLabels{
 			common.LabelAppManagedBy:     common.ManagedByMultigres,
 			common.LabelAppComponent:     common.ComponentGlobalTopo,
-			common.LabelMultigresCluster: clusterName,
+			common.LabelMultigresCluster: cluster.Name,
 		})...,
 	); err != nil || len(svcs.Items) == 0 {
 		return ""
 	}
 
-	// Use the first topo service found.
 	svc := &svcs.Items[0]
 	addr := fmt.Sprintf("http://%s.%s.svc:%d", svc.Name, svc.Namespace, common.PortEtcdClient)
+	if o.checkEtcdHealth(addr) {
+		return addr
+	}
+	return ""
+}
 
-	// Verify connectivity with a health check.
+// checkEtcdHealth verifies etcd is reachable at the given address.
+func (o *Observer) checkEtcdHealth(addr string) bool {
 	resp, err := o.httpClient.Get(addr + "/health")
 	if err != nil {
-		return ""
+		return false
 	}
 	defer func() {
 		_, _ = io.Copy(io.Discard, resp.Body)
 		_ = resp.Body.Close()
 	}()
-
-	if resp.StatusCode != http.StatusOK {
-		return ""
-	}
-	return addr
+	return resp.StatusCode == http.StatusOK
 }
 
 // etcdRangeResponse is the minimal JSON response from the etcd v3 gRPC-gateway range API.
diff --git a/tools/observer/skills/exercise_cluster/SKILL.md b/tools/observer/skills/exercise_cluster/SKILL.md
diff --git a/tools/observer/skills/exercise_cluster/references/scenarios.md b/tools/observer/skills/exercise_cluster/references/scenarios.md
