Merge remote-tracking branch 'origin/main' into op-rs-0.79.0

Author: maltesander

.github/workflows/build.yml

@@ -25,7 +25,7 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: '0'
   CARGO_PROFILE_DEV_DEBUG: '0'
-  RUST_TOOLCHAIN_VERSION: "1.80.1"
+  RUST_TOOLCHAIN_VERSION: "1.81.0"
   RUSTFLAGS: "-D warnings"
   RUSTDOCFLAGS: "-D warnings"
   RUST_LOG: "info"

.github/workflows/pr_pre-commit.yaml

@@ -6,7 +6,7 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
-  RUST_TOOLCHAIN_VERSION: "1.80.1"
+  RUST_TOOLCHAIN_VERSION: "1.81.0"
   HADOLINT_VERSION: "v2.12.0"
   PYTHON_VERSION: "3.12"
 

.pre-commit-config.yaml

@@ -6,7 +6,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: 2c9f875913ee60ca25ce70243dc24d5b6415598c # 4.6.0
+    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # 5.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -28,7 +28,7 @@ repos:
       - id: yamllint
 
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: f295829140d25717bc79368d3f966fc1f67a824f # 0.41.0
+    rev: aa975a18c9a869648007d33864034dbc7481fe5e # 0.42.0
     hooks:
       - id: markdownlint
         types: [text]
@@ -44,15 +44,15 @@ repos:
   # If you do not, you will need to delete the cached ruff binary shown in the
   # error message
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: f1ebc5730d98440041cc43e4d69829ad598ae1e7 # 0.6.3
+    rev: 8983acb92ee4b01924893632cf90af926fa608f0 # 0.7.0
     hooks:
       # Run the linter.
       - id: ruff
       # Run the formatter.
       - id: ruff-format
 
   - repo: https://github.com/rhysd/actionlint
-    rev: 62dc61a45fc95efe8c800af7a557ab0b9165d63b # 1.7.1
+    rev: 4e683ab8014a63fafa117492a0c6053758e6d593 # 1.7.3
     hooks:
       - id: actionlint
 

CHANGELOG.md

@@ -20,9 +20,14 @@ All notable changes to this project will be documented in this file.
 
 - Remove ZooKeeper 3.8.4 from tests and docs ([#857]).
 
+### Fixed
+
+- Failing to parse one `ZookeeperCluster`/`ZookeeperZnode` should no longer cause the whole operator to stop functioning ([#872]).
+
 [#853]: https://github.com/stackabletech/zookeeper-operator/pull/853
 [#857]: https://github.com/stackabletech/zookeeper-operator/pull/857
 [#870]: https://github.com/stackabletech/zookeeper-operator/pull/870
+[#872]: https://github.com/stackabletech/zookeeper-operator/pull/872
 
 ## [24.7.0] - 2024-07-24
 

Makefile

@@ -48,9 +48,10 @@ docker-publish:
 	# Uses the keyless signing flow with Github Actions as identity provider\
 	cosign sign -y "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
 	# Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\
-	syft scan --output cyclonedx-json=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}" "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
+	syft scan --output cyclonedx-json=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}-${ARCH}" "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
 	# Determine the PURL for the container image\
-	PURL="pkg:docker/${ORGANIZATION}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE?repository_url=${DOCKER_REPO}";\
+	URLENCODED_REPO_DIGEST_OF_IMAGE=$$(echo "$$REPO_DIGEST_OF_IMAGE" | sed 's/:/%3A/g');\
+	PURL="pkg:oci/${OPERATOR_NAME}@$$URLENCODED_REPO_DIGEST_OF_IMAGE?arch=${ARCH}&repository_url=${DOCKER_REPO}%2F${ORGANIZATION}%2F${OPERATOR_NAME}";\
 	# Get metadata from the image\
 	IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
 	IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
@@ -73,9 +74,10 @@ docker-publish:
 	# Uses the keyless signing flow with Github Actions as identity provider\
 	cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
 	# Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\
-	syft scan --output cyclonedx-json=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
+	syft scan --output cyclonedx-json=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}-${ARCH}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
 	# Determine the PURL for the container image\
-	PURL="pkg:docker/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE?repository_url=${OCI_REGISTRY_HOSTNAME}";\
+	URLENCODED_REPO_DIGEST_OF_IMAGE=$$(echo "$$REPO_DIGEST_OF_IMAGE" | sed 's/:/%3A/g');\
+	PURL="pkg:oci/${OPERATOR_NAME}@$$URLENCODED_REPO_DIGEST_OF_IMAGE?arch=${ARCH}&repository_url=${OCI_REGISTRY_HOSTNAME}%2F${OCI_REGISTRY_PROJECT_IMAGES}%2F${OPERATOR_NAME}";\
 	# Get metadata from the image\
 	IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
 	IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\

rust-toolchain.toml

@@ -1,3 +1,3 @@
 # DO NOT EDIT, this file is generated by operator-templating
 [toolchain]
-channel = "1.80.1"
+channel = "1.81.0"

rust/operator-binary/src/main.rs

@@ -8,7 +8,11 @@ use stackable_operator::{
         apps::v1::StatefulSet,
         core::v1::{ConfigMap, Endpoints, Service},
     },
-    kube::runtime::{reflector::ObjectRef, watcher, Controller},
+    kube::{
+        core::DeserializeGuard,
+        runtime::{reflector::ObjectRef, watcher, Controller},
+        Resource,
+    },
     logging::controller::report_controller_reconciled,
     CustomResourceExt,
 };
@@ -73,36 +77,40 @@ async fn main() -> anyhow::Result<()> {
                     .await?;
 
             let zk_controller_builder = Controller::new(
-                watch_namespace.get_api::<ZookeeperCluster>(&client),
+                watch_namespace.get_api::<DeserializeGuard<ZookeeperCluster>>(&client),
                 watcher::Config::default(),
             );
 
             let zk_store = zk_controller_builder.store();
             let zk_controller = zk_controller_builder
                 .owns(
-                    watch_namespace.get_api::<Service>(&client),
+                    watch_namespace.get_api::<DeserializeGuard<Service>>(&client),
                     watcher::Config::default(),
                 )
                 .watches(
-                    watch_namespace.get_api::<Endpoints>(&client),
+                    watch_namespace.get_api::<DeserializeGuard<Endpoints>>(&client),
                     watcher::Config::default(),
                     move |endpoints| {
                         zk_store
                             .state()
                             .into_iter()
                             .filter(move |zk| {
-                                zk.metadata.namespace == endpoints.metadata.namespace
-                                    && zk.server_role_service_name() == endpoints.metadata.name
+                                let Ok(zk) = &zk.0 else {
+                                    return false;
+                                };
+                                let endpoints_meta = endpoints.meta();
+                                zk.metadata.namespace == endpoints_meta.namespace
+                                    && zk.server_role_service_name() == endpoints_meta.name
                             })
                             .map(|zk| ObjectRef::from_obj(&*zk))
                     },
                 )
                 .owns(
-                    watch_namespace.get_api::<StatefulSet>(&client),
+                    watch_namespace.get_api::<DeserializeGuard<StatefulSet>>(&client),
                     watcher::Config::default(),
                 )
                 .owns(
-                    watch_namespace.get_api::<ConfigMap>(&client),
+                    watch_namespace.get_api::<DeserializeGuard<ConfigMap>>(&client),
                     watcher::Config::default(),
                 )
                 .shutdown_on_signal()
@@ -122,25 +130,29 @@ async fn main() -> anyhow::Result<()> {
                     );
                 });
             let znode_controller_builder = Controller::new(
-                watch_namespace.get_api::<ZookeeperZnode>(&client),
+                watch_namespace.get_api::<DeserializeGuard<ZookeeperZnode>>(&client),
                 watcher::Config::default(),
             );
             let znode_store = znode_controller_builder.store();
             let znode_controller = znode_controller_builder
                 .owns(
-                    watch_namespace.get_api::<ConfigMap>(&client),
+                    watch_namespace.get_api::<DeserializeGuard<ConfigMap>>(&client),
                     watcher::Config::default(),
                 )
                 .watches(
-                    watch_namespace.get_api::<ZookeeperCluster>(&client),
+                    watch_namespace.get_api::<DeserializeGuard<ZookeeperCluster>>(&client),
                     watcher::Config::default(),
                     move |zk| {
                         znode_store
                             .state()
                             .into_iter()
                             .filter(move |znode| {
-                                zk.metadata.namespace == znode.spec.cluster_ref.namespace
-                                    && zk.metadata.name == znode.spec.cluster_ref.name
+                                let Ok(znode) = &znode.0 else {
+                                    return false;
+                                };
+                                let zk_meta = zk.meta();
+                                zk_meta.namespace == znode.spec.cluster_ref.namespace
+                                    && zk_meta.name == znode.spec.cluster_ref.name
                             })
                             .map(|znode| ObjectRef::from_obj(&*znode))
                     },

rust/operator-binary/src/zk_controller.rs

@@ -39,7 +39,12 @@ use stackable_operator::{
         apimachinery::pkg::apis::meta::v1::LabelSelector,
         DeepMerge,
     },
-    kube::{api::DynamicObject, runtime::controller, Resource},
+    kube::{
+        api::DynamicObject,
+        core::{error_boundary, DeserializeGuard},
+        runtime::controller,
+        Resource,
+    },
     kvp::{Label, LabelError, Labels},
     logging::controller::ReconcilerError,
     product_config_utils::{transform_all_roles_to_config, validate_all_roles_and_groups_config},
@@ -92,6 +97,11 @@ type Result<T, E = Error> = std::result::Result<T, E>;
 #[strum_discriminants(derive(IntoStaticStr))]
 #[allow(clippy::enum_variant_names)]
 pub enum Error {
+    #[snafu(display("ZookeeperCluster object is invalid"))]
+    InvalidZookeeperCluster {
+        source: error_boundary::InvalidObject,
+    },
+
     #[snafu(display("crd validation failure"))]
     CrdValidationFailure {
         source: stackable_zookeeper_crd::Error,
@@ -272,6 +282,7 @@ impl ReconcilerError for Error {
     }
     fn secondary_object(&self) -> Option<ObjectRef<DynamicObject>> {
         match self {
+            Error::InvalidZookeeperCluster { source: _ } => None,
             Error::CrdValidationFailure { .. } => None,
             Error::NoServerRole => None,
             Error::RoleParseFailure { .. } => None,
@@ -312,8 +323,15 @@ impl ReconcilerError for Error {
     }
 }
 
-pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<controller::Action> {
+pub async fn reconcile_zk(
+    zk: Arc<DeserializeGuard<ZookeeperCluster>>,
+    ctx: Arc<Ctx>,
+) -> Result<controller::Action> {
     tracing::info!("Starting reconcile");
+    let zk =
+        zk.0.as_ref()
+            .map_err(error_boundary::InvalidObject::clone)
+            .context(InvalidZookeeperClusterSnafu)?;
     let client = &ctx.client;
 
     let resolved_product_image = zk
@@ -333,7 +351,7 @@ pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<co
     let validated_config = validate_all_roles_and_groups_config(
         &resolved_product_image.app_version_label,
         &transform_all_roles_to_config(
-            zk.as_ref(),
+            zk,
             [(
                 ZookeeperRole::Server.to_string(),
                 (
@@ -359,16 +377,16 @@ pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<co
         .map(Cow::Borrowed)
         .unwrap_or_default();
 
-    let vector_aggregator_address = resolve_vector_aggregator_address(&zk, client)
+    let vector_aggregator_address = resolve_vector_aggregator_address(zk, client)
         .await
         .context(ResolveVectorAggregatorAddressSnafu)?;
 
-    let zookeeper_security = ZookeeperSecurity::new_from_zookeeper_cluster(client, &zk)
+    let zookeeper_security = ZookeeperSecurity::new_from_zookeeper_cluster(client, zk)
         .await
         .context(FailedToInitializeSecurityContextSnafu)?;
 
     let (rbac_sa, rbac_rolebinding) = build_rbac_resources(
-        zk.as_ref(),
+        zk,
         APP_NAME,
         cluster_resources
             .get_required_labels()
@@ -389,7 +407,7 @@ pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<co
     let server_role_service = cluster_resources
         .add(
             client,
-            build_server_role_service(&zk, &resolved_product_image, &zookeeper_security)?,
+            build_server_role_service(zk, &resolved_product_image, &zookeeper_security)?,
         )
         .await
         .context(ApplyRoleServiceSnafu)?;
@@ -404,21 +422,21 @@ pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<co
             .context(FailedToResolveConfigSnafu)?;
 
         let rg_service = build_server_rolegroup_service(
-            &zk,
+            zk,
             &rolegroup,
             &resolved_product_image,
             &zookeeper_security,
         )?;
         let rg_configmap = build_server_rolegroup_config_map(
-            &zk,
+            zk,
             &rolegroup,
             rolegroup_config,
             &resolved_product_image,
             vector_aggregator_address.as_deref(),
             &zookeeper_security,
         )?;
         let rg_statefulset = build_server_rolegroup_statefulset(
-            &zk,
+            zk,
             &zk_role,
             &rolegroup,
             rolegroup_config,
@@ -454,7 +472,7 @@ pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<co
         pod_disruption_budget: pdb,
     }) = role_config
     {
-        add_pdbs(pdb, &zk, &zk_role, client, &mut cluster_resources)
+        add_pdbs(pdb, zk, &zk_role, client, &mut cluster_resources)
             .await
             .context(FailedToCreatePdbSnafu)?;
     }
@@ -463,8 +481,8 @@ pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<co
     // We don't /need/ stability, but it's still nice to avoid spurious changes where possible.
     let mut discovery_hash = FnvHasher::with_key(0);
     for discovery_cm in build_discovery_configmaps(
-        &zk,
-        &*zk,
+        zk,
+        zk,
         client,
         ZK_CONTROLLER_NAME,
         &server_role_service,
@@ -491,18 +509,15 @@ pub async fn reconcile_zk(zk: Arc<ZookeeperCluster>, ctx: Arc<Ctx>) -> Result<co
         // Serialize as a string to discourage users from trying to parse the value,
         // and to keep things flexible if we end up changing the hasher at some point.
         discovery_hash: Some(discovery_hash.finish().to_string()),
-        conditions: compute_conditions(
-            zk.as_ref(),
-            &[&ss_cond_builder, &cluster_operation_cond_builder],
-        ),
+        conditions: compute_conditions(zk, &[&ss_cond_builder, &cluster_operation_cond_builder]),
     };
 
     cluster_resources
         .delete_orphaned_resources(client)
         .await
         .context(DeleteOrphansSnafu)?;
     client
-        .apply_patch_status(OPERATOR_NAME, &*zk, &status)
+        .apply_patch_status(OPERATOR_NAME, zk, &status)
         .await
         .context(ApplyStatusSnafu)?;
 
@@ -1046,11 +1061,16 @@ fn build_server_rolegroup_statefulset(
 }
 
 pub fn error_policy(
-    _obj: Arc<ZookeeperCluster>,
-    _error: &Error,
+    _obj: Arc<DeserializeGuard<ZookeeperCluster>>,
+    error: &Error,
     _ctx: Arc<Ctx>,
 ) -> controller::Action {
-    controller::Action::requeue(*Duration::from_secs(5))
+    match error {
+        // root object is invalid, will be requeued when modified anyway
+        Error::InvalidZookeeperCluster { .. } => controller::Action::await_change(),
+
+        _ => controller::Action::requeue(*Duration::from_secs(5)),
+    }
 }
 
 #[cfg(test)]