
Commit a3d1af8

committed
pkg/kube: validate .Namespace is unset on Cluster scoped
Add validation to `kube.Syncer` that asserts that cluster-scoped objects do NOT have `.Namespace` set. Setting `.Namespace` on a cluster-scoped object causes a key mismatch in the `toDelete` map, which results in the syncer deleting objects it has just created. (cherry picked from commit 43ad1a4)
1 parent 3ff47dd commit a3d1af8


7 files changed

+1554
-24
lines changed


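--- a/operator/internal/lifecycle/testdata/cases.pools.golden.txtar
+++ b/operator/internal/lifecycle/testdata/cases.pools.golden.txtar
@@ -740,3 +740,370 @@
 status:
 availableReplicas: 0
 replicas: 0
+-- rack-awareness --
+- apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+creationTimestamp: null
+labels:
+app.kubernetes.io/component: redpanda
+app.kubernetes.io/instance: rack-awareness
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: redpanda
+cluster.redpanda.com/namespace: rack-awareness
+cluster.redpanda.com/operator: v2
+cluster.redpanda.com/owner: rack-awareness
+helm.sh/chart: redpanda-5.10.4
+helm.toolkit.fluxcd.io/name: rack-awareness
+helm.toolkit.fluxcd.io/namespace: rack-awareness
+name: rack-awareness
+namespace: rack-awareness
+spec:
+podManagementPolicy: Parallel
+replicas: 3
+selector:
+matchLabels:
+app.kubernetes.io/component: redpanda-statefulset
+app.kubernetes.io/instance: rack-awareness
+app.kubernetes.io/name: redpanda
+serviceName: rack-awareness
+template:
+metadata:
+annotations:
+config.redpanda.com/checksum: a90b21628d89546d234075143f437a7118e87dca2eb009f7ffb653e7b8f09eca
+creationTimestamp: null
+labels:
+app.kubernetes.io/component: redpanda-statefulset
+app.kubernetes.io/instance: rack-awareness
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: redpanda
+helm.sh/chart: redpanda-5.10.4
+redpanda.com/poddisruptionbudget: rack-awareness
+spec:
+affinity:
+podAntiAffinity:
+requiredDuringSchedulingIgnoredDuringExecution:
+- labelSelector:
+matchLabels:
+app.kubernetes.io/component: redpanda-statefulset
+app.kubernetes.io/instance: rack-awareness
+app.kubernetes.io/name: redpanda
+topologyKey: kubernetes.io/hostname
+automountServiceAccountToken: false
+containers:
+- command:
+- rpk
+- redpanda
+- start
+- --advertise-rpc-addr=$(SERVICE_NAME).rack-awareness.rack-awareness.svc.cluster.local.:33145
+env:
+- name: SERVICE_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: POD_IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+- name: HOST_IP
+valueFrom:
+fieldRef:
+fieldPath: status.hostIP
+image: docker.redpanda.com/redpandadata/redpanda:v25.1.7
+lifecycle:
+postStart:
+exec:
+command:
+- bash
+- -c
+- 'timeout -v 45 bash -x /var/lifecycle/postStart.sh 2>&1 | sed "s/^/lifecycle-hook
+post-start $(date): /" | tee /proc/1/fd/1; true'
+preStop:
+exec:
+command:
+- bash
+- -c
+- 'timeout -v 45 bash -x /var/lifecycle/preStop.sh 2>&1 | sed "s/^/lifecycle-hook
+pre-stop $(date): /" | tee /proc/1/fd/1; true'
+livenessProbe:
+exec:
+command:
+- /bin/sh
+- -c
+- curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt
+"https://${SERVICE_NAME}.rack-awareness.rack-awareness.svc.cluster.local.:9644/v1/status/ready"
+failureThreshold: 3
+initialDelaySeconds: 10
+periodSeconds: 10
+name: redpanda
+ports:
+- containerPort: 9644
+name: admin
+- containerPort: 9645
+name: admin-default
+- containerPort: 8082
+name: http
+- containerPort: 8083
+name: http-default
+- containerPort: 9093
+name: kafka
+- containerPort: 9094
+name: kafka-default
+- containerPort: 33145
+name: rpc
+- containerPort: 8081
+name: schemaregistry
+- containerPort: 8084
+name: schema-default
+resources:
+limits:
+cpu: "1"
+memory: 2560Mi
+securityContext:
+runAsGroup: 101
+runAsUser: 101
+startupProbe:
+exec:
+command:
+- /bin/sh
+- -c
+- |
+set -e
+RESULT=$(curl --silent --fail -k -m 5 --cacert /etc/tls/certs/default/ca.crt "https://${SERVICE_NAME}.rack-awareness.rack-awareness.svc.cluster.local.:9644/v1/status/ready")
+echo $RESULT
+echo $RESULT | grep ready
+failureThreshold: 120
+initialDelaySeconds: 1
+periodSeconds: 10
+volumeMounts:
+- mountPath: /etc/tls/certs/default
+name: redpanda-default-cert
+- mountPath: /etc/tls/certs/external
+name: redpanda-external-cert
+- mountPath: /etc/redpanda
+name: config
+- mountPath: /tmp/base-config
+name: base-config
+- mountPath: /var/lifecycle
+name: lifecycle-scripts
+- mountPath: /var/lib/redpanda/data
+name: datadir
+- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+name: kube-api-access
+readOnly: true
+- args:
+- supervisor
+- --
+- /redpanda-operator
+- sidecar
+- --redpanda-yaml
+- /etc/redpanda/redpanda.yaml
+- --redpanda-cluster-namespace
+- rack-awareness
+- --redpanda-cluster-name
+- rack-awareness
+- --run-broker-probe
+- --broker-probe-broker-url
+- $(SERVICE_NAME).rack-awareness.rack-awareness.svc.cluster.local.:9644
+command:
+- /redpanda-operator
+env:
+- name: SERVICE_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: POD_IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+- name: HOST_IP
+valueFrom:
+fieldRef:
+fieldPath: status.hostIP
+image: localhost/redpanda-operator:dev
+name: sidecar
+readinessProbe:
+failureThreshold: 3
+httpGet:
+path: /healthz
+port: 8093
+initialDelaySeconds: 1
+periodSeconds: 10
+successThreshold: 1
+resources: {}
+securityContext: {}
+volumeMounts:
+- mountPath: /etc/tls/certs/default
+name: redpanda-default-cert
+- mountPath: /etc/tls/certs/external
+name: redpanda-external-cert
+- mountPath: /etc/redpanda
+name: config
+- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+name: kube-api-access
+readOnly: true
+initContainers:
+- command:
+- /bin/bash
+- -c
+- rpk redpanda tune all
+image: docker.redpanda.com/redpandadata/redpanda:v25.1.7
+name: tuning
+resources: {}
+securityContext:
+capabilities:
+add:
+- SYS_RESOURCE
+privileged: true
+runAsGroup: 0
+runAsUser: 0
+volumeMounts:
+- mountPath: /etc/tls/certs/default
+name: redpanda-default-cert
+- mountPath: /etc/tls/certs/external
+name: redpanda-external-cert
+- mountPath: /etc/redpanda
+name: base-config
+- command:
+- /bin/bash
+- -c
+- trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}"
+& wait $!
+env:
+- name: CONFIGURATOR_SCRIPT
+value: /etc/secrets/configurator/scripts/configurator.sh
+- name: SERVICE_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: KUBERNETES_NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+- name: HOST_IP_ADDRESS
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: status.hostIP
+image: docker.redpanda.com/redpandadata/redpanda:v25.1.7
+name: redpanda-configurator
+resources: {}
+securityContext:
+runAsGroup: 101
+runAsUser: 101
+volumeMounts:
+- mountPath: /etc/tls/certs/default
+name: redpanda-default-cert
+- mountPath: /etc/tls/certs/external
+name: redpanda-external-cert
+- mountPath: /etc/redpanda
+name: config
+- mountPath: /tmp/base-config
+name: base-config
+- mountPath: /etc/secrets/configurator/scripts/
+name: rack-awareness-configurator
+- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+name: kube-api-access
+readOnly: true
+- command:
+- /redpanda-operator
+- bootstrap
+- --in-dir
+- /tmp/base-config
+- --out-dir
+- /tmp/config
+image: localhost/redpanda-operator:dev
+name: bootstrap-yaml-envsubst
+resources:
+limits:
+cpu: 100m
+memory: 125Mi
+requests:
+cpu: 100m
+memory: 125Mi
+securityContext:
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+volumeMounts:
+- mountPath: /tmp/config/
+name: config
+- mountPath: /tmp/base-config/
+name: base-config
+securityContext:
+fsGroup: 101
+fsGroupChangePolicy: OnRootMismatch
+serviceAccountName: rack-awareness
+terminationGracePeriodSeconds: 90
+topologySpreadConstraints:
+- labelSelector:
+matchLabels:
+app.kubernetes.io/component: redpanda-statefulset
+app.kubernetes.io/instance: rack-awareness
+app.kubernetes.io/name: redpanda
+maxSkew: 1
+topologyKey: topology.kubernetes.io/zone
+whenUnsatisfiable: ScheduleAnyway
+volumes:
+- name: redpanda-default-cert
+secret:
+defaultMode: 288
+secretName: rack-awareness-default-cert
+- name: redpanda-external-cert
+secret:
+defaultMode: 288
+secretName: rack-awareness-external-cert
+- name: lifecycle-scripts
+secret:
+defaultMode: 509
+secretName: rack-awareness-sts-lifecycle
+- configMap:
+name: rack-awareness
+name: base-config
+- emptyDir: {}
+name: config
+- name: rack-awareness-configurator
+secret:
+defaultMode: 509
+secretName: rack-awareness-configurator
+- name: datadir
+persistentVolumeClaim:
+claimName: datadir
+- name: kube-api-access
+projected:
+defaultMode: 420
+sources:
+- serviceAccountToken:
+expirationSeconds: 3607
+path: token
+- configMap:
+items:
+- key: ca.crt
+path: ca.crt
+name: kube-root-ca.crt
+- downwardAPI:
+items:
+- fieldRef:
+apiVersion: v1
+fieldPath: metadata.namespace
+path: namespace
+updateStrategy:
+type: RollingUpdate
+volumeClaimTemplates:
+- metadata:
+creationTimestamp: null
+labels:
+app.kubernetes.io/component: redpanda
+app.kubernetes.io/instance: rack-awareness
+app.kubernetes.io/name: redpanda
+name: datadir
+spec:
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 20Gi
+status: {}
+status:
+availableReplicas: 0
+replicas: 0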
