Add support for pod changes due to security contexts and probes

Author: russgold

operator/src/main/java/oracle/kubernetes/operator/helpers/PodStepContext.java

@@ -5,6 +5,7 @@
 package oracle.kubernetes.operator.helpers;
 
 import static oracle.kubernetes.operator.LabelConstants.forDomainUid;
+import static oracle.kubernetes.operator.VersionConstants.DEFAULT_DOMAIN_VERSION;
 
 import io.kubernetes.client.custom.IntOrString;
 import io.kubernetes.client.models.*;
@@ -270,55 +271,35 @@ private boolean canUseCurrentPod(V1Pod currentPod) {
   // Therefore, we'll just compare specific fields
   private static boolean isCurrentPodValid(V1Pod build, V1Pod current) {
     List<String> ignoring = getVolumesToIgnore(current);
-    if (!VersionHelper.matchesResourceVersion(
-        current.getMetadata(), VersionConstants.DEFAULT_DOMAIN_VERSION)) {
-      return false;
-    }
-
-    if (!isRestartVersionValid(build, current)) {
-      return false;
-    }
-
-    if (areUnequal(
-        volumesWithout(current.getSpec().getVolumes(), ignoring), build.getSpec().getVolumes()))
-      return false;
-
-    if (areUnequal(current.getSpec().getImagePullSecrets(), build.getSpec().getImagePullSecrets()))
-      return false;
 
-    if (areUnequal(getCustomerLabels(current), getCustomerLabels(build))) return false;
-
-    if (areUnequal(current.getMetadata().getAnnotations(), build.getMetadata().getAnnotations()))
-      return false;
-
-    List<V1Container> buildContainers = build.getSpec().getContainers();
-    List<V1Container> currentContainers = current.getSpec().getContainers();
+    return isCurrentPodMetadataValid(build.getMetadata(), current.getMetadata())
+        && isCurrentPodSpecValid(build.getSpec(), current.getSpec(), ignoring);
+  }
 
-    if (buildContainers != null) {
-      if (currentContainers == null) {
-        return false;
-      }
+  private static boolean isCurrentPodMetadataValid(V1ObjectMeta build, V1ObjectMeta current) {
+    return VersionHelper.matchesResourceVersion(current, DEFAULT_DOMAIN_VERSION)
+        && isRestartVersionValid(build, current)
+        && Objects.equals(getCustomerLabels(current), getCustomerLabels(build))
+        && Objects.equals(current.getAnnotations(), build.getAnnotations());
+  }
 
-      for (V1Container bc : buildContainers) {
-        V1Container fcc = getContainerWithName(currentContainers, bc.getName());
-        if (fcc == null) {
-          return false;
-        }
-        if (!fcc.getImage().equals(bc.getImage())
-            || !fcc.getImagePullPolicy().equals(bc.getImagePullPolicy())) {
-          return false;
-        }
+  private static boolean isCurrentPodSpecValid(
+      V1PodSpec build, V1PodSpec current, List<String> ignoring) {
+    return Objects.equals(current.getSecurityContext(), build.getSecurityContext())
+        //  && Objects.equals(current.getNodeSelector(), build.getNodeSelector())
+        && equalSets(volumesWithout(current.getVolumes(), ignoring), build.getVolumes())
+        && equalSets(current.getImagePullSecrets(), build.getImagePullSecrets())
+        && areCompatible(build.getContainers(), current.getContainers(), ignoring);
+  }
 
-        if (areUnequal(mountsWithout(fcc.getVolumeMounts(), ignoring), bc.getVolumeMounts()))
-          return false;
+  private static boolean areCompatible(
+      List<V1Container> build, List<V1Container> current, List<String> ignoring) {
+    if (build != null) {
+      if (current == null) return false;
 
-        if (areUnequal(fcc.getPorts(), bc.getPorts())) {
-          return false;
-        }
-        if (areUnequal(fcc.getEnv(), bc.getEnv())) {
-          return false;
-        }
-        if (areUnequal(fcc.getEnvFrom(), bc.getEnvFrom())) {
+      for (V1Container bc : build) {
+        V1Container fcc = getContainerWithName(current, bc.getName());
+        if (fcc == null || !isCompatible(bc, fcc, ignoring)) {
           return false;
         }
       }
@@ -327,6 +308,33 @@ private static boolean isCurrentPodValid(V1Pod build, V1Pod current) {
     return true;
   }
 
+  /**
+   * Compares two pod spec containers for equality
+   *
+   * @param build the desired container model
+   * @param current the current container, obtained from Kubernetes
+   * @param ignoring a list of volume names to ignore
+   * @return true if the containers are considered equal
+   */
+  private static boolean isCompatible(
+      V1Container build, V1Container current, List<String> ignoring) {
+    return current.getImage().equals(build.getImage())
+        && current.getImagePullPolicy().equals(build.getImagePullPolicy())
+        && Objects.equals(current.getSecurityContext(), build.getSecurityContext())
+        && equalSettings(current.getLivenessProbe(), build.getLivenessProbe())
+        && equalSettings(current.getReadinessProbe(), build.getReadinessProbe())
+        && equalSets(mountsWithout(current.getVolumeMounts(), ignoring), build.getVolumeMounts())
+        && equalSets(current.getPorts(), build.getPorts())
+        && equalSets(current.getEnv(), build.getEnv())
+        && equalSets(current.getEnvFrom(), build.getEnvFrom());
+  }
+
+  private static boolean equalSettings(V1Probe probe1, V1Probe probe2) {
+    return Objects.equals(probe1.getInitialDelaySeconds(), probe2.getInitialDelaySeconds())
+        && Objects.equals(probe1.getTimeoutSeconds(), probe2.getTimeoutSeconds())
+        && Objects.equals(probe1.getPeriodSeconds(), probe2.getPeriodSeconds());
+  }
+
   private static List<V1Volume> volumesWithout(
       List<V1Volume> volumeMounts, List<String> volumesToIgnore) {
     List<V1Volume> result = new ArrayList<>(volumeMounts);
@@ -363,9 +371,9 @@ private static List<V1VolumeMount> getVolumeMounts(V1Container container) {
     return Optional.ofNullable(container.getVolumeMounts()).orElse(Collections.emptyList());
   }
 
-  private static Map<String, String> getCustomerLabels(V1Pod pod) {
+  private static Map<String, String> getCustomerLabels(V1ObjectMeta metadata) {
     Map<String, String> result = new HashMap<>();
-    for (Map.Entry<String, String> entry : pod.getMetadata().getLabels().entrySet())
+    for (Map.Entry<String, String> entry : metadata.getLabels().entrySet())
       if (!isOperatorLabel(entry)) result.put(entry.getKey(), entry.getValue());
     return result;
   }
@@ -374,12 +382,10 @@ private static boolean isOperatorLabel(Map.Entry<String, String> label) {
     return label.getKey().startsWith("weblogic.");
   }
 
-  private static boolean isRestartVersionValid(V1Pod build, V1Pod current) {
-    V1ObjectMeta m1 = build.getMetadata();
-    V1ObjectMeta m2 = current.getMetadata();
-    return isLabelSame(m1, m2, LabelConstants.DOMAINRESTARTVERSION_LABEL)
-        && isLabelSame(m1, m2, LabelConstants.CLUSTERRESTARTVERSION_LABEL)
-        && isLabelSame(m1, m2, LabelConstants.SERVERRESTARTVERSION_LABEL);
+  private static boolean isRestartVersionValid(V1ObjectMeta build, V1ObjectMeta current) {
+    return isLabelSame(build, current, LabelConstants.DOMAINRESTARTVERSION_LABEL)
+        && isLabelSame(build, current, LabelConstants.CLUSTERRESTARTVERSION_LABEL)
+        && isLabelSame(build, current, LabelConstants.SERVERRESTARTVERSION_LABEL);
   }
 
   private static boolean isLabelSame(V1ObjectMeta build, V1ObjectMeta current, String labelName) {
@@ -395,33 +401,13 @@ private static V1Container getContainerWithName(List<V1Container> containers, St
     return null;
   }
 
-  private static <T> boolean areUnequal(List<T> a, List<T> b) {
-    if (a == b) {
-      return false;
-    }
-
-    if (a == null) a = Collections.emptyList();
-    if (b == null) b = Collections.emptyList();
-
-    if (a.size() != b.size()) {
-      return true;
-    }
-
-    List<T> bprime = new ArrayList<>(b);
-    for (T at : a) {
-      if (!bprime.remove(at)) {
-        return true;
-      }
-    }
-    return false;
-  }
-
-  private static <K, V> boolean areUnequal(Map<K, V> a, Map<K, V> b) {
-    return !emptyIfNull(a).equals(emptyIfNull(b));
+  private static <T> boolean equalSets(List<T> first, List<T> second) {
+    if (first == second) return true;
+    return asSet(first).equals(asSet(second));
   }
 
-  private static <K, V> Map<K, V> emptyIfNull(Map<K, V> map) {
-    return map != null ? map : Collections.emptyMap();
+  private static <T> Set<T> asSet(List<T> first) {
+    return (first == null) ? Collections.emptySet() : new HashSet<>(first);
   }
 
   private class VerifyPodStep extends Step {
@@ -595,8 +581,7 @@ protected V1ObjectMeta createMetadata() {
     // Add internal labels. This will overwrite any custom labels that conflict with internal
     // labels.
     metadata
-        .putLabelsItem(
-            LabelConstants.RESOURCE_VERSION_LABEL, VersionConstants.DEFAULT_DOMAIN_VERSION)
+        .putLabelsItem(LabelConstants.RESOURCE_VERSION_LABEL, DEFAULT_DOMAIN_VERSION)
         .putLabelsItem(LabelConstants.DOMAINUID_LABEL, getDomainUID())
         .putLabelsItem(LabelConstants.DOMAINNAME_LABEL, getDomainName())
         .putLabelsItem(LabelConstants.SERVERNAME_LABEL, getServerName())

operator/src/test/java/oracle/kubernetes/operator/helpers/AdminPodHelperTest.java

@@ -6,17 +6,8 @@
 
 import static oracle.kubernetes.LogMatcher.containsFine;
 import static oracle.kubernetes.LogMatcher.containsInfo;
-import static oracle.kubernetes.operator.LabelConstants.RESOURCE_VERSION_LABEL;
-import static oracle.kubernetes.operator.logging.MessageKeys.ADMIN_POD_CREATED;
-import static oracle.kubernetes.operator.logging.MessageKeys.ADMIN_POD_EXISTS;
-import static oracle.kubernetes.operator.logging.MessageKeys.ADMIN_POD_REPLACED;
-import static org.hamcrest.Matchers.allOf;
-import static org.hamcrest.Matchers.contains;
-import static org.hamcrest.Matchers.empty;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.hasEntry;
-import static org.hamcrest.Matchers.hasKey;
-import static org.hamcrest.Matchers.not;
+import static oracle.kubernetes.operator.logging.MessageKeys.*;
+import static org.hamcrest.Matchers.*;
 import static org.hamcrest.junit.MatcherAssert.assertThat;
 
 import io.kubernetes.client.ApiException;
@@ -67,7 +58,8 @@ String getPodReplacedMessageKey() {
     return ADMIN_POD_REPLACED;
   }
 
-  private void verifyAdminPodReplacedWhen(PodMutator mutator) {
+  @Override
+  protected void verifyReplacePodWhen(PodMutator mutator) {
     testSupport.addComponent(
         ProcessingConstants.PODWATCHER_COMPONENT_NAME,
         PodAwaiterStepFactory.class,
@@ -158,25 +150,14 @@ public void whenAdminPodReplacementFails_retryOnFailure() {
     testSupport.verifyCompletionThrowable(ApiException.class);
   }
 
-  @Test
-  public void whenExistingAdminPodHasBadVersion_replaceIt() {
-    verifyAdminPodReplacedWhen(
-        pod -> pod.getMetadata().putLabelsItem(RESOURCE_VERSION_LABEL, "??"));
-  }
-
-  @Test
-  public void whenExistingManagedPodHasUnknownCustomerLabel_designateForRoll() {
-    verifyAdminPodReplacedWhen(pod -> pod.getMetadata().putLabelsItem("customer.label", "value"));
-  }
-
   @Test
   public void whenExistingAdminPodSpecHasUnknownCustomerAnnotation_replaceIt() {
-    verifyAdminPodReplacedWhen(pod -> pod.getMetadata().putAnnotationsItem("annotation1", "value"));
+    verifyReplacePodWhen(pod -> pod.getMetadata().putAnnotationsItem("annotation1", "value"));
   }
 
   @Test
   public void whenExistingAdminPodSpecHasUnknownAddedVolumes_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> pod.getSpec().addVolumesItem(new V1Volume().name("dummy")));
+    verifyReplacePodWhen((pod) -> pod.getSpec().addVolumesItem(new V1Volume().name("dummy")));
   }
 
   @Test
@@ -194,19 +175,19 @@ public void whenExistingAdminPodSpecHasK8sVolume_ignoreIt() {
 
   @Test
   public void whenExistingAdminPodSpecHasUnusedImagePullSecret_replaceIt() {
-    verifyAdminPodReplacedWhen(
+    verifyReplacePodWhen(
         (pod) ->
             pod.getSpec().addImagePullSecretsItem(new V1LocalObjectReference().name("secret")));
   }
 
   @Test
   public void whenExistingAdminPodSpecHasNoContainers_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> pod.getSpec().setContainers(null));
+    verifyReplacePodWhen((pod) -> pod.getSpec().setContainers(null));
   }
 
   @Test
   public void whenExistingAdminPodSpecHasNoContainersWithExpectedName_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> getSpecContainer(pod).setName("???"));
+    verifyReplacePodWhen((pod) -> getSpecContainer(pod).setName("???"));
   }
 
   private V1Container getSpecContainer(V1Pod pod) {
@@ -215,7 +196,7 @@ private V1Container getSpecContainer(V1Pod pod) {
 
   @Test
   public void whenExistingAdminPodSpecHasUnneededVolumeMount_replaceIt() {
-    verifyAdminPodReplacedWhen(
+    verifyReplacePodWhen(
         (pod) -> getSpecContainer(pod).addVolumeMountsItem(new V1VolumeMount().name("dummy")));
   }
 
@@ -232,22 +213,22 @@ public void whenExistingAdminPodSpecHasK8sVolumeMount_ignoreIt() {
 
   @Test
   public void whenExistingAdminPodSpecContainerHasWrongImage_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> getSpecContainer(pod).setImage(VERSIONED_IMAGE));
+    verifyReplacePodWhen((pod) -> getSpecContainer(pod).setImage(VERSIONED_IMAGE));
   }
 
   @Test
   public void whenExistingAdminPodSpecContainerHasWrongImagePullPolicy_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> getSpecContainer(pod).setImagePullPolicy("NONE"));
+    verifyReplacePodWhen((pod) -> getSpecContainer(pod).setImagePullPolicy("NONE"));
   }
 
   @Test
   public void whenExistingAdminPodSpecContainerHasNoPorts_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> getSpecContainer(pod).setPorts(Collections.emptyList()));
+    verifyReplacePodWhen((pod) -> getSpecContainer(pod).setPorts(Collections.emptyList()));
   }
 
   @Test
   public void whenExistingAdminPodSpecContainerHasExtraPort_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> getSpecContainer(pod).addPortsItem(definePort(1234)));
+    verifyReplacePodWhen((pod) -> getSpecContainer(pod).addPortsItem(definePort(1234)));
   }
 
   private V1ContainerPort definePort(int port) {
@@ -256,24 +237,23 @@ private V1ContainerPort definePort(int port) {
 
   @Test
   public void whenExistingAdminPodSpecContainerHasIncorrectPort_replaceIt() {
-    verifyAdminPodReplacedWhen(
-        (pod) -> getSpecContainer(pod).getPorts().get(0).setContainerPort(1234));
+    verifyReplacePodWhen((pod) -> getSpecContainer(pod).getPorts().get(0).setContainerPort(1234));
   }
 
   @Test
   public void whenExistingAdminPodSpecContainerHasWrongEnvVariable_replaceIt() {
-    verifyAdminPodReplacedWhen((pod) -> getSpecContainer(pod).getEnv().get(0).setValue("???"));
+    verifyReplacePodWhen((pod) -> getSpecContainer(pod).getEnv().get(0).setValue("???"));
   }
 
   @Test
   public void whenExistingAdminPodSpecContainerHasWrongEnvFrom_replaceIt() {
-    verifyAdminPodReplacedWhen(
+    verifyReplacePodWhen(
         (pod) -> getSpecContainer(pod).envFrom(Collections.singletonList(new V1EnvFromSource())));
   }
 
   @Test
   public void whenExistingAdminPodSpecContainerHasRestartVersion_replaceIt() {
-    verifyAdminPodReplacedWhen(
+    verifyReplacePodWhen(
         (pod) ->
             pod.getMetadata()
                 .putLabelsItem(LabelConstants.SERVERRESTARTVERSION_LABEL, "adminRestartV1"));