fix: prevent non-deterministic reconcile loops (#121)

Author: timtalbot

api/core/v1beta1/connect_types_test.go

@@ -121,22 +121,22 @@ func TestCreateVolumeFactory_OffHost(t *testing.T) {
 	fmt.Printf("VolMounts: %+v\n", volMounts)
 	assert.Len(t, volMounts, 6)
 
-	// config volumes
+	// config volumes (sorted by MountPath within the same volume name)
 	checkVolumeMount(t, volMounts[0], "config-volume",
-		"/etc/rstudio-connect/rstudio-connect.gcfg", "rstudio-connect.gcfg", true)
-	checkVolumeMount(t, volMounts[1], "config-volume",
-		"/etc/rstudio-connect/runtime.yaml", "runtime.yaml", true)
-	checkVolumeMount(t, volMounts[2], "config-volume",
 		"/etc/rstudio-connect/launcher/launcher.kubernetes.profiles.conf",
 		"launcher.kubernetes.profiles.conf", true)
+	checkVolumeMount(t, volMounts[1], "config-volume",
+		"/etc/rstudio-connect/rstudio-connect.gcfg", "rstudio-connect.gcfg", true)
+	checkVolumeMount(t, volMounts[2], "config-volume",
+		"/etc/rstudio-connect/runtime.yaml", "runtime.yaml", true)
 
-	// template volumes
+	// template volumes (sorted by MountPath within the same volume name)
 	checkVolumeMount(t, volMounts[3], "template-config",
-		"/var/lib/rstudio-connect-launcher/Kubernetes/rstudio-library-templates-data.tpl",
-		"rstudio-library-templates-data.tpl", true)
-	checkVolumeMount(t, volMounts[4], "template-config",
 		"/var/lib/rstudio-connect-launcher/Kubernetes/job.tpl",
 		"job.tpl", true)
+	checkVolumeMount(t, volMounts[4], "template-config",
+		"/var/lib/rstudio-connect-launcher/Kubernetes/rstudio-library-templates-data.tpl",
+		"rstudio-library-templates-data.tpl", true)
 	checkVolumeMount(t, volMounts[5], "template-config",
 		"/var/lib/rstudio-connect-launcher/Kubernetes/service.tpl",
 		"service.tpl", true)

api/product/secret.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"sort"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -58,10 +59,15 @@ func (t *TestSecretProvider) GetSecretWithFallback(key string) string {
 }
 
 func mapToJmesPath(input map[string]string) (jmes []secretObjectJmesPath) {
-	for k, v := range input {
+	keys := make([]string, 0, len(input))
+	for k := range input {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	for _, k := range keys {
 		jmes = append(jmes, secretObjectJmesPath{
 			// ensure this path is quoted appropriately...
-			Path:        fmt.Sprintf("\"%s\"", v),
+			Path:        fmt.Sprintf("\"%s\"", input[k]),
 			ObjectAlias: k,
 		})
 	}
@@ -83,11 +89,22 @@ func generateSecretObjectYaml(name string, keys map[string]string) (string, erro
 }
 
 func generateSecretObjects(p KubernetesOwnerProvider, secrets map[string]map[string]string) (output []*v1.SecretObject) {
-	for k, v := range secrets {
+	outerKeys := make([]string, 0, len(secrets))
+	for k := range secrets {
+		outerKeys = append(outerKeys, k)
+	}
+	sort.Strings(outerKeys)
+	for _, k := range outerKeys {
+		v := secrets[k]
+		innerKeys := make([]string, 0, len(v))
+		for dk := range v {
+			innerKeys = append(innerKeys, dk)
+		}
+		sort.Strings(innerKeys)
 		var objData []*v1.SecretObjectData
-		for dk, dv := range v {
+		for _, dk := range innerKeys {
 			objData = append(objData, &v1.SecretObjectData{
-				ObjectName: dv,
+				ObjectName: v[dk],
 				Key:        dk,
 			})
 		}

api/product/volumes.go

@@ -29,8 +29,14 @@ type MultiContainerVolumeFactory struct {
 }
 
 func (m *MultiContainerVolumeFactory) InitContainers() []corev1.Container {
-	containers := []corev1.Container{}
-	for k, s := range m.InitContainerDefs {
+	keys := make([]string, 0, len(m.InitContainerDefs))
+	for k := range m.InitContainerDefs {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	containers := make([]corev1.Container, 0, len(keys))
+	for _, k := range keys {
+		s := m.InitContainerDefs[k]
 		containers = append(containers, corev1.Container{
 			Name:            k,
 			Image:           s.Image,
@@ -45,8 +51,14 @@ func (m *MultiContainerVolumeFactory) InitContainers() []corev1.Container {
 }
 
 func (m *MultiContainerVolumeFactory) Sidecars() []corev1.Container {
-	containers := []corev1.Container{}
-	for k, s := range m.SidecarDefs {
+	keys := make([]string, 0, len(m.SidecarDefs))
+	for k := range m.SidecarDefs {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	containers := make([]corev1.Container, 0, len(keys))
+	for _, k := range keys {
+		s := m.SidecarDefs[k]
 		containers = append(containers, corev1.Container{
 			Name:            k,
 			Image:           s.Image,
@@ -114,7 +126,10 @@ func (v *VolumeFactory) VolumeMounts() []corev1.VolumeMount {
 		}
 	}
 	sort.Slice(vms, func(i, j int) bool {
-		return vms[i].Name < vms[j].Name
+		if vms[i].Name != vms[j].Name {
+			return vms[i].Name < vms[j].Name
+		}
+		return vms[i].MountPath < vms[j].MountPath
 	})
 	return vms
 }

internal/controller/core/site_controller_workbench.go

@@ -3,6 +3,7 @@ package core
 import (
 	"context"
 	"fmt"
+	"sort"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -579,6 +580,7 @@ func getResourceProfileKeys(resourceProfiles map[string]*v1beta1.WorkbenchLaunch
 	for key := range resourceProfiles {
 		keys = append(keys, key)
 	}
+	sort.Strings(keys)
 	return keys
 }
 

internal/controller/core/subdir.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"math/rand"
+	"strings"
 
 	"github.com/posit-dev/team-operator/api/core/v1beta1"
 	"github.com/posit-dev/team-operator/api/product"
@@ -93,96 +94,123 @@ func (r *SiteReconciler) provisionSubDirectoryCreator(ctx context.Context, req c
 		return err
 	}
 
-	// TODO: some way to ensure that we do not spawn _too many_ jobs...?
-
 	if !site.Spec.VolumeSubdirJobOff {
-		args := []string{
-			fmt.Sprintf("/mnt/%s/connect", site.Name),
-			fmt.Sprintf("/mnt/%s/workbench", site.Name),
-			fmt.Sprintf("/mnt/%s/workbench-shared-storage", site.Name),
+		// Skip Job creation if a successfully completed subdir Job already exists.
+		// The Job is idempotent (mkdir -p), so re-running it is harmless but wasteful
+		var existingJobs batchv1.JobList
+		if err := r.List(ctx, &existingJobs,
+			client.InNamespace(req.Namespace),
+			client.MatchingLabels(site.KubernetesLabels()),
+		); err != nil {
+			l.Error(err, "Error listing existing subdir jobs")
+			return err
 		}
-		if site.Spec.SharedDirectory != "" {
-			args = append(args, fmt.Sprintf("/mnt/%s/shared", site.Name))
+		hasCompletedJob := false
+		for i := range existingJobs.Items {
+			job := &existingJobs.Items[i]
+			if strings.HasPrefix(job.Name, provisionerName+"-") {
+				for _, cond := range job.Status.Conditions {
+					if cond.Type == batchv1.JobComplete && cond.Status == v1.ConditionTrue {
+						hasCompletedJob = true
+						break
+					}
+				}
+			}
+			if hasCompletedJob {
+				break
+			}
 		}
-		provisionerNameTemp := provisionerName + "-" + RandStringBytes(6)
+		if hasCompletedJob {
+			l.V(1).Info("Subdir provisioning job already completed; skipping")
+		} else {
+			args := []string{
+				fmt.Sprintf("/mnt/%s/connect", site.Name),
+				fmt.Sprintf("/mnt/%s/workbench", site.Name),
+				fmt.Sprintf("/mnt/%s/workbench-shared-storage", site.Name),
+			}
+			if site.Spec.SharedDirectory != "" {
+				args = append(args, fmt.Sprintf("/mnt/%s/shared", site.Name))
+			}
+			provisionerNameTemp := provisionerName + "-" + RandStringBytes(6)
 
-		provisionerJob := &batchv1.Job{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      provisionerNameTemp,
-				Namespace: req.Namespace,
-			},
-		}
+			provisionerJob := &batchv1.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      provisionerNameTemp,
+					Namespace: req.Namespace,
+				},
+			}
 
-		if _, err := internal.CreateOrUpdateResource(ctx, r.Client, r.Scheme, l, provisionerJob, site, func() error {
-			provisionerJob.Labels = site.KubernetesLabels()
-			provisionerJob.Spec = batchv1.JobSpec{
-				// 2 hours to live
-				TTLSecondsAfterFinished: ptr.To(int32(2 * 60 * 60)),
-				Template: v1.PodTemplateSpec{
-					Spec: v1.PodSpec{
-						EnableServiceLinks: ptr.To(false),
-						RestartPolicy:      v1.RestartPolicyOnFailure,
-						Containers: []v1.Container{
-							{
-								Name:  "subdir-maker",
-								Image: "ghcr.io/rstudio/rstudio-workbench-preview:jammy-daily",
-								Command: []string{
-									"/subdir-provisioner.sh",
-								},
-								Args: args,
-								VolumeMounts: []v1.VolumeMount{
-									{
-										Name:      "exec-script",
-										ReadOnly:  false,
-										MountPath: "/subdir-provisioner.sh",
-										SubPath:   "subdir-provisioner.sh",
+			if _, err := internal.CreateOrUpdateResource(ctx, r.Client, r.Scheme, l, provisionerJob, site, func() error {
+				provisionerJob.Labels = site.KubernetesLabels()
+				provisionerJob.Spec = batchv1.JobSpec{
+					// 2 hours to live
+					TTLSecondsAfterFinished: ptr.To(int32(2 * 60 * 60)),
+					Template: v1.PodTemplateSpec{
+						Spec: v1.PodSpec{
+							EnableServiceLinks: ptr.To(false),
+							RestartPolicy:      v1.RestartPolicyOnFailure,
+							Containers: []v1.Container{
+								{
+									Name:  "subdir-maker",
+									Image: "ghcr.io/rstudio/rstudio-workbench-preview:jammy-daily",
+									Command: []string{
+										"/subdir-provisioner.sh",
 									},
-									{
-										Name:      "data-volume",
-										ReadOnly:  false,
-										MountPath: "/mnt/",
+									Args: args,
+									VolumeMounts: []v1.VolumeMount{
+										{
+											Name:      "exec-script",
+											ReadOnly:  false,
+											MountPath: "/subdir-provisioner.sh",
+											SubPath:   "subdir-provisioner.sh",
+										},
+										{
+											Name:      "data-volume",
+											ReadOnly:  false,
+											MountPath: "/mnt/",
+										},
 									},
 								},
 							},
-						},
-						SecurityContext: &v1.PodSecurityContext{
-							RunAsUser: ptr.To(int64(0)),
-						},
-						Volumes: []v1.Volume{
-							{
-								Name: "exec-script",
-								VolumeSource: v1.VolumeSource{
-									ConfigMap: &v1.ConfigMapVolumeSource{
-										LocalObjectReference: v1.LocalObjectReference{
-											Name: provisionerName,
-										},
-										Items: []v1.KeyToPath{
-											{
-												Key:  "subdir-provisioner.sh",
-												Path: "subdir-provisioner.sh",
+							SecurityContext: &v1.PodSecurityContext{
+								RunAsUser: ptr.To(int64(0)),
+							},
+							Volumes: []v1.Volume{
+								{
+									Name: "exec-script",
+									VolumeSource: v1.VolumeSource{
+										ConfigMap: &v1.ConfigMapVolumeSource{
+											LocalObjectReference: v1.LocalObjectReference{
+												Name: provisionerName,
 											},
+											Items: []v1.KeyToPath{
+												{
+													Key:  "subdir-provisioner.sh",
+													Path: "subdir-provisioner.sh",
+												},
+											},
+											DefaultMode: ptr.To(product.MustParseOctal("755")),
 										},
-										DefaultMode: ptr.To(product.MustParseOctal("755")),
 									},
 								},
-							},
-							{
-								Name: "data-volume",
-								VolumeSource: v1.VolumeSource{
-									PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
-										ClaimName: provisionerName,
-										ReadOnly:  false,
+								{
+									Name: "data-volume",
+									VolumeSource: v1.VolumeSource{
+										PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
+											ClaimName: provisionerName,
+											ReadOnly:  false,
+										},
 									},
 								},
 							},
 						},
 					},
-				},
+				}
+				return nil
+			}); err != nil {
+				l.Error(err, "Error creating provisioner job")
+				return err
 			}
-			return nil
-		}); err != nil {
-			l.Error(err, "Error creating provisioner job")
-			return err
 		}
 	}
 	return nil

internal/controller/core/workbench.go

@@ -653,7 +653,15 @@ func (r *WorkbenchReconciler) ensureDeployedService(ctx context.Context, req ctr
 		if _, err := internal.CreateOrUpdateResource(ctx, r.Client, r.Scheme, l, secret, w, func() error {
 			secret.Labels = w.KubernetesLabels()
 			secret.Immutable = nil
-			secret.StringData = secretData
+			// Use Data ([]byte) instead of StringData (string) to avoid a spurious
+			// diff on every reconcile. StringData is write-only: the API server
+			// converts it to Data on create, and returns StringData as nil on read.
+			// CreateOrUpdate compares the pre-mutation snapshot (StringData=nil) with
+			// the post-mutation object (StringData set), always seeing a diff.
+			secret.Data = make(map[string][]byte, len(secretData))
+			for k, v := range secretData {
+				secret.Data[k] = []byte(v)
+			}
 			secret.Type = "Opaque"
 			return nil
 		}); err != nil {