Merge pull request #91 from adam-cattermole/reconcile-pdb

Author: adam-cattermole

Makefile

@@ -303,14 +303,25 @@ local-setup: ## Deploy operator in local kind cluster
 	$(MAKE) docker-build
 	@echo "Deploying Limitador control plane"
 	$(KIND) load docker-image ${IMG} --name ${KIND_CLUSTER_NAME}
-	make deploy-develmode
+	$(MAKE) deploy-develmode
 	@echo "Wait for all deployments to be up"
 	kubectl -n limitador-operator-system wait --timeout=300s --for=condition=Available deployments --all
 
 .PHONY: local-cleanup
 local-cleanup: ## Clean up local kind cluster
 	$(MAKE) kind-delete-cluster
 
+.PHONY: local-redeploy
+local-redeploy: export IMG := limitador-operator:dev
+local-redeploy: ## re-deploy operator in local kind cluster
+	$(MAKE) docker-build
+	@echo "Deploying Limitador control plane"
+	$(KIND) load docker-image ${IMG} --name ${KIND_CLUSTER_NAME}
+	$(MAKE) deploy-develmode
+	kubectl rollout restart deployment -n limitador-operator-system limitador-operator-controller-manager
+	@echo "Wait for all deployments to be up"
+	kubectl -n limitador-operator-system wait --timeout=300s --for=condition=Available deployments --all
+
 ##@ Code Style
 
 .PHONY: run-lint

api/v1alpha1/limitador_types.go

@@ -24,6 +24,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/kuadrant/limitador-operator/pkg/helpers"
 )
@@ -61,6 +62,9 @@ type LimitadorSpec struct {
 
 	// +optional
 	Limits []RateLimit `json:"limits,omitempty"`
+
+	// +optional
+	PodDisruptionBudget *PodDisruptionBudgetType `json:"pdb,omitempty"`
 }
 
 //+kubebuilder:object:root=true
@@ -288,3 +292,18 @@ func (s *LimitadorStatus) Equals(other *LimitadorStatus, logger logr.Logger) boo
 func init() {
 	SchemeBuilder.Register(&Limitador{}, &LimitadorList{})
 }
+
+type PodDisruptionBudgetType struct {
+	// An eviction is allowed if at most "maxUnavailable" limitador pods
+	// are unavailable after the eviction, i.e. even in absence of
+	// the evicted pod. For example, one can prevent all voluntary evictions
+	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
+	// +optional
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
+	// An eviction is allowed if at least "minAvailable" limitador pods will
+	// still be available after the eviction, i.e. even in the absence of
+	// the evicted pod.  So for example you can prevent all voluntary
+	// evictions by specifying "100%".
+	// +optional
+	MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty"`
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -118,6 +118,17 @@ spec:
           - get
           - patch
           - update
+        - apiGroups:
+          - policy
+          resources:
+          - poddisruptionbudgets
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - update
+          - watch
         serviceAccountName: limitador-operator-controller-manager
       deployments:
       - label:

bundle/manifests/limitador-operator.clusterserviceversion.yaml

@@ -75,6 +75,28 @@ spec:
                         type: integer
                     type: object
                 type: object
+              pdb:
+                properties:
+                  maxUnavailable:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: An eviction is allowed if at most "maxUnavailable"
+                      limitador pods are unavailable after the eviction, i.e. even
+                      in absence of the evicted pod. For example, one can prevent
+                      all voluntary evictions by specifying 0. This is a mutually
+                      exclusive setting with "minAvailable".
+                    x-kubernetes-int-or-string: true
+                  minAvailable:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: An eviction is allowed if at least "minAvailable"
+                      limitador pods will still be available after the eviction, i.e.
+                      even in the absence of the evicted pod.  So for example you
+                      can prevent all voluntary evictions by specifying "100%".
+                    x-kubernetes-int-or-string: true
+                type: object
               rateLimitHeaders:
                 description: RateLimitHeadersType defines the valid options for the
                   --rate-limit-headers arg

bundle/manifests/limitador.kuadrant.io_limitadors.yaml

@@ -76,6 +76,28 @@ spec:
                         type: integer
                     type: object
                 type: object
+              pdb:
+                properties:
+                  maxUnavailable:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: An eviction is allowed if at most "maxUnavailable"
+                      limitador pods are unavailable after the eviction, i.e. even
+                      in absence of the evicted pod. For example, one can prevent
+                      all voluntary evictions by specifying 0. This is a mutually
+                      exclusive setting with "minAvailable".
+                    x-kubernetes-int-or-string: true
+                  minAvailable:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: An eviction is allowed if at least "minAvailable"
+                      limitador pods will still be available after the eviction, i.e.
+                      even in the absence of the evicted pod.  So for example you
+                      can prevent all voluntary evictions by specifying "100%".
+                    x-kubernetes-int-or-string: true
+                type: object
               rateLimitHeaders:
                 description: RateLimitHeadersType defines the valid options for the
                   --rate-limit-headers arg

config/crd/bases/limitador.kuadrant.io_limitadors.yaml

@@ -25,35 +25,35 @@ spec:
       securityContext:
         runAsNonRoot: true
       containers:
-      - command:
-        - /manager
-        args:
-        - --leader-elect
-        env:
-        - name: RELATED_IMAGE_LIMITADOR
-          value: "quay.io/kuadrant/limitador:latest"
-        image: controller:latest
-        name: manager
-        securityContext:
-          allowPrivilegeEscalation: false
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 8081
-          initialDelaySeconds: 15
-          periodSeconds: 20
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: 8081
-          initialDelaySeconds: 5
-          periodSeconds: 10
-        resources:
-          limits:
-            cpu: 200m
-            memory: 300Mi
-          requests:
-            cpu: 200m
-            memory: 200Mi
+        - command:
+            - /manager
+          args:
+            - --leader-elect
+          env:
+            - name: RELATED_IMAGE_LIMITADOR
+              value: "quay.io/kuadrant/limitador:latest"
+          image: controller:latest
+          name: manager
+          securityContext:
+            allowPrivilegeEscalation: false
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 200m
+              memory: 300Mi
+            requests:
+              cpu: 200m
+              memory: 200Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

config/manager/manager.yaml

@@ -65,3 +65,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch

config/rbac/role.yaml

@@ -25,6 +25,7 @@ import (
 	"github.com/go-logr/logr"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
+	policyv1 "k8s.io/api/policy/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -45,6 +46,7 @@ type LimitadorReconciler struct {
 //+kubebuilder:rbac:groups=limitador.kuadrant.io,resources=limitadors/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=limitador.kuadrant.io,resources=limitadors/finalizers,verbs=update
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;delete
+//+kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="",resources=configmaps;secrets,verbs=get;list;watch;create;update;delete
 
@@ -116,9 +118,55 @@ func (r *LimitadorReconciler) reconcileSpec(ctx context.Context, limitadorObj *l
 		return ctrl.Result{}, err
 	}
 
+	if err := r.reconcilePdb(ctx, limitadorObj); err != nil {
+		return ctrl.Result{}, err
+	}
+
 	return ctrl.Result{}, nil
 }
 
+func (r *LimitadorReconciler) reconcilePdb(ctx context.Context, limitadorObj *limitadorv1alpha1.Limitador) error {
+	logger, err := logr.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+	if limitadorObj.Spec.PodDisruptionBudget == nil {
+		pdb := &policyv1.PodDisruptionBudget{}
+		if err := r.GetResource(ctx,
+			types.NamespacedName{
+				Namespace: limitadorObj.Namespace,
+				Name:      limitador.PodDisruptionBudgetName(limitadorObj),
+			}, pdb); err != nil {
+			if errors.IsNotFound(err) {
+				return nil
+			}
+			return err
+		}
+		if pdb.ObjectMeta.DeletionTimestamp == nil {
+			if err = r.DeleteResource(ctx, pdb); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	pdb := limitador.PodDisruptionBudget(limitadorObj)
+	if err := limitador.ValidatePDB(pdb); err != nil {
+		return err
+	}
+
+	// controller reference
+	if err := r.SetOwnerReference(limitadorObj, pdb); err != nil {
+		return err
+	}
+	err = r.ReconcilePodDisruptionBudget(ctx, pdb, reconcilers.PodDisruptionBudgetMutator)
+	logger.V(1).Info("reconcile pdb", "error", err)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (r *LimitadorReconciler) reconcileDeployment(ctx context.Context, limitadorObj *limitadorv1alpha1.Limitador) error {
 	logger, err := logr.FromContext(ctx)
 	if err != nil {
@@ -213,6 +261,7 @@ func (r *LimitadorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		For(&limitadorv1alpha1.Limitador{}).
 		Owns(&appsv1.Deployment{}).
 		Owns(&v1.ConfigMap{}).
+		Owns(&policyv1.PodDisruptionBudget{}).
 		Complete(r)
 }