From 3809c5049445185a3b0eb5de50e3eacf69e3c036 Mon Sep 17 00:00:00 2001
From: Wesley Hayutin
Date: Thu, 7 Aug 2025 14:57:03 -0600
Subject: [PATCH 1/2] OADP-6500: allow nonadmin.enabled.false
Signed-off-by: Wesley Hayutin
---
 internal/controller/validator.go | 50 ++++++++++++---------------
 internal/controller/validator_test.go | 43 +++++++++++++++++++++++
 2 files changed, 66 insertions(+), 27 deletions(-)
diff --git a/internal/controller/validator.go b/internal/controller/validator.go
index 442837a830..3c9c5f7b8c 100644
--- a/internal/controller/validator.go
+++ b/internal/controller/validator.go
@@ -136,36 +136,32 @@ func (r *DataProtectionApplicationReconciler) ValidateDataProtectionCR(log logr. } // validate non-admin enable - if r.dpa.Spec.NonAdmin != nil { - if r.dpa.Spec.NonAdmin.Enable != nil { - - dpaList := &oadpv1alpha1.DataProtectionApplicationList{} - err = r.ClusterWideClient.List(r.Context, dpaList) - if err != nil { - return false, err - } - for _, dpa := range dpaList.Items { - if dpa.Namespace != r.NamespacedName.Namespace && (&DataProtectionApplicationReconciler{dpa: &dpa}).checkNonAdminEnabled() { - nonAdminDeployment := &appsv1.Deployment{ - ObjectMeta: metav1.ObjectMeta{ - Name: nonAdminObjectName, - Namespace: dpa.Namespace, - }, - } - if err := r.ClusterWideClient.Get( - r.Context, - types.NamespacedName{ - Name: nonAdminDeployment.Name, - Namespace: nonAdminDeployment.Namespace, - }, - nonAdminDeployment, - ); err == nil { - return false, fmt.Errorf("only a single instance of Non-Admin Controller can be installed across the entire cluster. Non-Admin controller is already configured and installed in %s namespace", dpa.Namespace) - } + if r.checkNonAdminEnabled() { + dpaList := &oadpv1alpha1.DataProtectionApplicationList{} + err = r.ClusterWideClient.List(r.Context, dpaList) + if err != nil { + return false, err + } + for _, dpa := range dpaList.Items { + if dpa.Namespace != r.NamespacedName.Namespace && (&DataProtectionApplicationReconciler{dpa: &dpa}).checkNonAdminEnabled() { + nonAdminDeployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: nonAdminObjectName, + Namespace: dpa.Namespace, + }, + } + if err := r.ClusterWideClient.Get( + r.Context, + types.NamespacedName{ + Name: nonAdminDeployment.Name, + Namespace: nonAdminDeployment.Namespace, + }, + nonAdminDeployment, + ); err == nil { + return false, fmt.Errorf("only a single instance of Non-Admin Controller can be installed across the entire cluster. 
Non-Admin controller is already configured and installed in %s namespace", dpa.Namespace) } } } - garbageCollectionPeriod := r.dpa.Spec.NonAdmin.GarbageCollectionPeriod appliedGarbageCollectionPeriod := oadpv1alpha1.DefaultGarbageCollectionPeriod if garbageCollectionPeriod != nil { diff --git a/internal/controller/validator_test.go b/internal/controller/validator_test.go index f0263c4d9e..cb18f838a8 100644 --- a/internal/controller/validator_test.go +++ b/internal/controller/validator_test.go @@ -1507,6 +1507,49 @@ func TestDPAReconciler_ValidateDataProtectionCR(t *testing.T) { wantErr: true, messageErr: "only a single instance of Non-Admin Controller can be installed across the entire cluster. Non-Admin controller is already configured and installed in test-another-ns namespace", }, + { + name: "[valid] DPA CR: NonAdmin.Enable is false with existing NAC deployment", + dpa: &oadpv1alpha1.DataProtectionApplication{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-DPA-CR", + Namespace: "test-ns", + }, + Spec: oadpv1alpha1.DataProtectionApplicationSpec{ + NonAdmin: &oadpv1alpha1.NonAdmin{ + Enable: pointer.Bool(true), + }, + Configuration: &oadpv1alpha1.ApplicationConfig{ + Velero: &oadpv1alpha1.VeleroConfig{ + DefaultPlugins: []oadpv1alpha1.DefaultPlugin{ + oadpv1alpha1.DefaultPluginAWS, + }, + NoDefaultBackupLocation: true, + }, + }, + BackupImages: pointer.Bool(false), + }, + }, + objects: []client.Object{ + &oadpv1alpha1.DataProtectionApplication{ + ObjectMeta: metav1.ObjectMeta{ + Name: "another-DPA-CR", + Namespace: "test-another-ns", + }, + Spec: oadpv1alpha1.DataProtectionApplicationSpec{ + NonAdmin: &oadpv1alpha1.NonAdmin{ + Enable: pointer.Bool(false), + }, + }, + }, + &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: "non-admin-controller", + Namespace: "test-another-ns", + }, + }, + }, + wantErr: false, + }, { name: "given invalid DPA CR aws and legacy-aws plugins both specified", dpa: &oadpv1alpha1.DataProtectionApplication{ 
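Review bot: In internal/controller/validator.go the re-indented `r.ClusterWideClient.Get(...)` check treats only `err == nil` as a conflict, so any other failure (a transient API error, missing RBAC on the other namespace) is read as "no Non-Admin Controller there" and the single-instance guard fails open. Consider propagating everything except not-found, e.g. `} else if !apierrors.IsNotFound(err) { return false, err }`, assuming `k8s.io/apimachinery/pkg/api/errors` is or can be imported as `apierrors` (the import block is outside the hunk). Separately, the `garbageCollectionPeriod := r.dpa.Spec.NonAdmin.GarbageCollectionPeriod` context line appears to sit inside the new `if r.checkNonAdminEnabled()` block, so the remaining NonAdmin validation looks skipped when NonAdmin is set but disabled; a one-line comment saying this is intended would help. ValidateDataProtectionCR starts and ends outside the hunk, and `checkNonAdminEnabled` is not visible here.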
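Review bot: The case added to validator_test.go does not seem to exercise the branch this commit changes: the DPA under test has `Enable: pointer.Bool(true)` and the other DPA has `Enable: pointer.Bool(false)`, a combination that, judging by the removed lines, already returned no error under the old `Enable != nil` check. The behaviour named in the commit title is the reverse: the reconciled DPA has `NonAdmin.Enable` set to false while another namespace holds an enabled DPA and a `non-admin-controller` Deployment, and validation should now succeed. Adding that case with `wantErr: false` would pin the fix. The fixture also spells the Deployment name as a literal; `Name: nonAdminObjectName` would keep it in step with the validator, unless the test file deliberately uses the literal elsewhere. The test table starts and ends outside the hunk.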
From a654ed64c80f7b37b47bd353f7bb156d0dff616d Mon Sep 17 00:00:00 2001
From: Wesley Hayutin <138787+weshayutin@users.noreply.github.com>
Date: Thu, 7 Aug 2025 15:23:49 -0600
Subject: [PATCH 2/2] Update internal/controller/validator_test.go
Co-authored-by: Tiger Kaovilai
---
 internal/controller/validator_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/controller/validator_test.go b/internal/controller/validator_test.go
index cb18f838a8..41001bb0d0 100644
--- a/internal/controller/validator_test.go
+++ b/internal/controller/validator_test.go
@@ -1508,7 +1508,7 @@ func TestDPAReconciler_ValidateDataProtectionCR(t *testing.T) {
 messageErr: "only a single instance of Non-Admin Controller can be installed across the entire cluster. Non-Admin controller is already configured and installed in test-another-ns namespace",
 },
 {
- name: "[valid] DPA CR: NonAdmin.Enable is false with existing NAC deployment",
+ name: "[valid] DPA CR: NonAdmin.Enable is true with another DPA having NonAdmin.Enable false",
 dpa: &oadpv1alpha1.DataProtectionApplication{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-DPA-CR",