operator: various sidecar fixes

Prior to this commit the operator sidecar's decommissioner and pvcunbinder
controllers did not work. This was due to:
- RBAC issues, the sidecar did not correctly scope itself to a single namespace.
- Incorrect label selectors hidden within the controllers in question.
	- This _likely_ prevented the vectorized adaptor from ever working.

Additionally, the statefulset decommissioner's sole test case has been disabled
for quite sometime. There's been zero test coverage of this functionality.

This commit:
- Restores the decommissioner's tests to a working state
- Strips out the "fetcher" to reduce duplication and remove reliance on
  fetching live helm values.
- Replaces baked in filtering with a label selector argument that will be
  constructed by the helm chart.

A follow up commit with chart changes and acceptance tests will be submitted.
It's been made separate to ease the process of backporting to the v2.x
branches.

Author: chrisseto

operator/cmd/run/run.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/errors"
+	"github.com/redpanda-data/common-go/rpadmin"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	appsv1 "k8s.io/api/apps/v1"
@@ -34,7 +35,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -566,21 +566,6 @@ func Run(
 	return nil
 }
 
-type v1Fetcher struct {
-	client kubeClient.Client
-}
-
-func (f *v1Fetcher) FetchLatest(ctx context.Context, name, namespace string) (any, error) {
-	var vectorizedCluster vectorizedv1alpha1.Cluster
-	if err := f.client.Get(ctx, types.NamespacedName{
-		Name:      name,
-		Namespace: namespace,
-	}, &vectorizedCluster); err != nil {
-		return nil, err
-	}
-	return &vectorizedCluster, nil
-}
-
 // setupVectorizedControllers configures and registers controllers and
 // runnables for the custom resources in the vectorized group, AKA the V1
 // operator.
@@ -632,123 +617,155 @@ func setupVectorizedControllers(ctx context.Context, mgr ctrl.Manager, cloudExpa
 		}
 	}
 
-	if opts.enableGhostBrokerDecommissioner {
-		d := decommissioning.NewStatefulSetDecommissioner(mgr, &v1Fetcher{client: mgr.GetClient()},
+	if opts.enableGhostBrokerDecommissioner && opts.enableVectorizedControllers {
+		b := vectorizedDecommissioner{client: mgr.GetClient()}
+		d := decommissioning.NewStatefulSetDecommissioner(
+			mgr,
+			b.getAdminClient,
+			decommissioning.WithFilter(b.filter),
+			// Operator v1 supports multiple NodePools, and therefore multiple STS.
+			// This function provides a custom replica count: the desired replicas of all STS, instead of a single STS.
+			decommissioning.WithDesiredReplicasFetcher(b.desiredReplicas),
 			decommissioning.WithSyncPeriod(opts.ghostBrokerDecommissionerSyncPeriod),
 			decommissioning.WithCleanupPVCs(false),
 			// In Operator v1, decommissioning based on pod ordinal is not correct because
 			// it has controller code that manages decommissioning. If something else decommissions the node, it can not deal with this under all circumstances because of various reasons, eg. bercause of a protection against stale status reads of status.currentReplicas
 			//   (http://github.com/redpanda-data/redpanda-operator/blob/main/operator/pkg/resources/statefulset_scale.go#L139)
 			// In addition to this situation where it can not (always) recover, it is just not desired that it interferes with graceful, "standard" decommissions (at least, in Operator v1 mode)
 			decommissioning.WithDecommisionOnTooHighOrdinal(false),
-			// Operator v1 supports multiple NodePools, and therefore multiple STS.
-			// This function provides a custom replica count: the desired replicas of all STS, instead of a single STS.
-			decommissioning.WithDesiredReplicasFetcher(func(ctx context.Context, sts *appsv1.StatefulSet) (int32, error) {
-				// Get Cluster CR, so we can then find its StatefulSets for a full count of desired replicas.
-				idx := slices.IndexFunc(
-					sts.OwnerReferences,
-					func(ownerRef metav1.OwnerReference) bool {
-						return ownerRef.APIVersion == vectorizedv1alpha1.GroupVersion.String() && ownerRef.Kind == "Cluster"
-					})
-				if idx == -1 {
-					return 0, nil
-				}
+		)
 
-				var vectorizedCluster vectorizedv1alpha1.Cluster
-				if err := mgr.GetClient().Get(ctx, types.NamespacedName{
-					Name:      sts.OwnerReferences[idx].Name,
-					Namespace: sts.Namespace,
-				}, &vectorizedCluster); err != nil {
-					return 0, fmt.Errorf("could not get Cluster: %w", err)
-				}
+		if err := d.SetupWithManager(mgr); err != nil {
+			log.Error(ctx, err, "unable to create controller", "controller", "StatefulSetDecommissioner")
+			return err
+		}
+	}
 
-				// We assume the cluster is fine and synced, checks have been performed in the filter already.
+	return nil
+}
 
-				// Get all nodepool-sts for this Cluster
-				var stsList appsv1.StatefulSetList
-				err := mgr.GetClient().List(ctx, &stsList, &client.ListOptions{
-					LabelSelector: pkglabels.ForCluster(&vectorizedCluster).AsClientSelector(),
-				})
-				if err != nil {
-					return 0, fmt.Errorf("failed to list statefulsets of Cluster: %w", err)
-				}
+// vectorizedDecommissioner is a helper struct that implements various methods
+// of mapping StatefulSets through Vectorized Clusters to arguments for the
+// StatefulSetDecommissioner.
+type vectorizedDecommissioner struct {
+	client  client.Client
+	factory internalclient.ClientFactory
+}
 
-				if len(stsList.Items) == 0 {
-					return 0, errors.New("found 0 StatefulSets for this Cluster")
-				}
+func (b *vectorizedDecommissioner) desiredReplicas(ctx context.Context, sts *appsv1.StatefulSet) (int32, error) {
+	// Get Cluster CR, so we can then find its StatefulSets for a full count of desired replicas.
+	vectorizedCluster, err := b.getCluster(ctx, sts)
+	if err != nil {
+		return 0, err
+	}
 
-				var allReplicas int32
-				for _, sts := range stsList.Items {
-					allReplicas += ptr.Deref(sts.Spec.Replicas, 0)
-				}
+	if vectorizedCluster == nil {
+		return 0, nil
+	}
 
-				// Should not happen, but if it actually happens, we don't want to run ghost broker decommissioner.
-				if allReplicas < 3 {
-					return 0, fmt.Errorf("found %d desiredReplicas, but want >= 3", allReplicas)
-				}
+	// We assume the cluster is fine and synced, checks have been performed in the filter already.
 
-				if allReplicas != vectorizedCluster.Status.CurrentReplicas || allReplicas != vectorizedCluster.Status.Replicas {
-					return 0, fmt.Errorf("replicas not synced. status.currentReplicas=%d,status.replicas=%d,allReplicas=%d", vectorizedCluster.Status.CurrentReplicas, vectorizedCluster.Status.Replicas, allReplicas)
-				}
+	// Get all nodepool-sts for this Cluster
+	var stsList appsv1.StatefulSetList
+	if err := b.client.List(ctx, &stsList, &client.ListOptions{
+		LabelSelector: pkglabels.ForCluster(vectorizedCluster).AsClientSelector(),
+	}); err != nil {
+		return 0, fmt.Errorf("failed to list statefulsets of Cluster: %w", err)
+	}
 
-				return allReplicas, nil
-			}),
-			decommissioning.WithFactory(internalclient.NewFactory(mgr.GetConfig(), mgr.GetClient())),
-			decommissioning.WithFilter(func(ctx context.Context, sts *appsv1.StatefulSet) (bool, error) {
-				log := ctrl.LoggerFrom(ctx, "namespace", sts.Namespace).WithName("StatefulSetDecomissioner.Filter")
-				idx := slices.IndexFunc(
-					sts.OwnerReferences,
-					func(ownerRef metav1.OwnerReference) bool {
-						return ownerRef.APIVersion == vectorizedv1alpha1.GroupVersion.String() && ownerRef.Kind == "Cluster"
-					})
-				if idx == -1 {
-					return false, nil
-				}
+	if len(stsList.Items) == 0 {
+		return 0, errors.New("found 0 StatefulSets for this Cluster")
+	}
 
-				var vectorizedCluster vectorizedv1alpha1.Cluster
-				if err := mgr.GetClient().Get(ctx, types.NamespacedName{
-					Name:      sts.OwnerReferences[idx].Name,
-					Namespace: sts.Namespace,
-				}, &vectorizedCluster); err != nil {
-					return false, fmt.Errorf("could not get Cluster: %w", err)
-				}
+	var allReplicas int32
+	for _, sts := range stsList.Items {
+		allReplicas += ptr.Deref(sts.Spec.Replicas, 0)
+	}
 
-				managedAnnotationKey := vectorizedv1alpha1.GroupVersion.Group + "/managed"
-				if managed, exists := vectorizedCluster.Annotations[managedAnnotationKey]; exists && managed == "false" {
-					log.V(1).Info("ignoring StatefulSet of unmanaged V1 Cluster", "sts", sts.Name, "namespace", sts.Namespace)
-					return false, nil
-				}
+	// Should not happen, but if it actually happens, we don't want to run ghost broker decommissioner.
+	if allReplicas < 3 {
+		return 0, errors.Newf("found %d desiredReplicas, but want >= 3", allReplicas)
+	}
 
-				// Do some "manual" checks, as ClusterlQuiescent condition is always false if a ghost broker causes unhealthy cluster
-				// (and we can therefore not use it to check if the cluster is synced otherwise)
-				if vectorizedCluster.Status.CurrentReplicas != vectorizedCluster.Status.Replicas {
-					log.V(1).Info("replicas are not synced", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace)
-					return false, nil
-				}
-				if vectorizedCluster.Status.Restarting {
-					log.V(1).Info("cluster is restarting", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace)
-					return false, nil
-				}
+	if allReplicas != vectorizedCluster.Status.CurrentReplicas || allReplicas != vectorizedCluster.Status.Replicas {
+		return 0, errors.Newf("replicas not synced. status.currentReplicas=%d,status.replicas=%d,allReplicas=%d", vectorizedCluster.Status.CurrentReplicas, vectorizedCluster.Status.Replicas, allReplicas)
+	}
 
-				if vectorizedCluster.Status.ObservedGeneration != vectorizedCluster.Generation {
-					log.V(1).Info("generation not synced", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace, "generation", vectorizedCluster.Generation, "observedGeneration", vectorizedCluster.Status.ObservedGeneration)
-					return false, nil
-				}
+	return allReplicas, nil
+}
 
-				if vectorizedCluster.Status.DecommissioningNode != nil {
-					log.V(1).Info("decommission in progress", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace, "node", *vectorizedCluster.Status.DecommissioningNode)
-					return false, nil
-				}
+func (b *vectorizedDecommissioner) filter(ctx context.Context, sts *appsv1.StatefulSet) (bool, error) {
+	log := ctrl.LoggerFrom(ctx, "namespace", sts.Namespace).WithName("StatefulSetDecomissioner.Filter")
 
-				return true, nil
-			}),
-		)
+	vectorizedCluster, err := b.getCluster(ctx, sts)
+	if err != nil {
+		return false, err
+	}
 
-		if err := d.SetupWithManager(mgr); err != nil {
-			log.Error(ctx, err, "unable to create controller", "controller", "StatefulSetDecommissioner")
-			return err
-		}
+	if vectorizedCluster == nil {
+		return false, nil
 	}
 
-	return nil
+	managedAnnotationKey := vectorizedv1alpha1.GroupVersion.Group + "/managed"
+	if managed, exists := vectorizedCluster.Annotations[managedAnnotationKey]; exists && managed == "false" {
+		log.V(1).Info("ignoring StatefulSet of unmanaged V1 Cluster", "sts", sts.Name, "namespace", sts.Namespace)
+		return false, nil
+	}
+
+	// Do some "manual" checks, as ClusterlQuiescent condition is always false if a ghost broker causes unhealthy cluster
+	// (and we can therefore not use it to check if the cluster is synced otherwise)
+	if vectorizedCluster.Status.CurrentReplicas != vectorizedCluster.Status.Replicas {
+		log.V(1).Info("replicas are not synced", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace)
+		return false, nil
+	}
+	if vectorizedCluster.Status.Restarting {
+		log.V(1).Info("cluster is restarting", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace)
+		return false, nil
+	}
+
+	if vectorizedCluster.Status.ObservedGeneration != vectorizedCluster.Generation {
+		log.V(1).Info("generation not synced", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace, "generation", vectorizedCluster.Generation, "observedGeneration", vectorizedCluster.Status.ObservedGeneration)
+		return false, nil
+	}
+
+	if vectorizedCluster.Status.DecommissioningNode != nil {
+		log.V(1).Info("decommission in progress", "cluster", vectorizedCluster.Name, "namespace", vectorizedCluster.Namespace, "node", *vectorizedCluster.Status.DecommissioningNode)
+		return false, nil
+	}
+
+	return true, nil
+}
+
+func (b *vectorizedDecommissioner) getAdminClient(ctx context.Context, sts *appsv1.StatefulSet) (*rpadmin.AdminAPI, error) {
+	cluster, err := b.getCluster(ctx, sts)
+	if err != nil {
+		return nil, err
+	}
+
+	if cluster == nil {
+		return nil, errors.Newf("failed to resolve %s/%s to vectorized cluster", sts.Namespace, sts.Name)
+	}
+
+	return b.factory.RedpandaAdminClient(ctx, cluster)
+}
+
+func (b *vectorizedDecommissioner) getCluster(ctx context.Context, sts *appsv1.StatefulSet) (*vectorizedv1alpha1.Cluster, error) {
+	idx := slices.IndexFunc(
+		sts.OwnerReferences,
+		func(ownerRef metav1.OwnerReference) bool {
+			return ownerRef.APIVersion == vectorizedv1alpha1.GroupVersion.String() && ownerRef.Kind == "Cluster"
+		})
+	if idx == -1 {
+		return nil, nil
+	}
+
+	var vectorizedCluster vectorizedv1alpha1.Cluster
+	if err := b.client.Get(ctx, types.NamespacedName{
+		Name:      sts.OwnerReferences[idx].Name,
+		Namespace: sts.Namespace,
+	}, &vectorizedCluster); err != nil {
+		return nil, errors.Wrap(err, "could not get Cluster")
+	}
+
+	return &vectorizedCluster, nil
 }