THREESCALE-14652 Prevent perpetual reconcile by hardcoding K8s-defaulted fields in component specs

controllers/apps/apimanager_controller.go

@@ -160,7 +160,7 @@ func (r *APIManagerReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return res, nil
 	}
 
-	specResult, specErr := r.reconcileAPIManagerLogic(instance)
+	specResult, specErr := r.reconcileAPIManagerLogic(r.BaseReconciler, instance)
 	statusResult, statusErr := r.reconcileAPIManagerStatus(instance, preflightChecksError)
 	if statusErr != nil {
 		return ctrl.Result{}, statusErr
@@ -402,8 +402,8 @@ func (r *APIManagerReconciler) setAPIManagerDefaults(cr *appsv1alpha1.APIManager
 	return ctrl.Result{Requeue: updated}, err
 }
 
-func (r *APIManagerReconciler) reconcileAPIManagerLogic(cr *appsv1alpha1.APIManager) (reconcile.Result, error) {
-	baseAPIManagerLogicReconciler := operator.NewBaseAPIManagerLogicReconciler(r.BaseReconciler, cr)
+func (r *APIManagerReconciler) reconcileAPIManagerLogic(b *reconcilers.BaseReconciler, cr *appsv1alpha1.APIManager) (reconcile.Result, error) {
+	baseAPIManagerLogicReconciler := operator.NewBaseAPIManagerLogicReconciler(b, cr)
 	imageReconciler := operator.NewAMPImagesReconciler(baseAPIManagerLogicReconciler)
 	result, err := imageReconciler.Reconcile()
 	if err != nil || result.Requeue {

go.mod

@@ -28,6 +28,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.7.0
 	github.com/stretchr/testify v1.11.1
+	go.uber.org/zap v1.26.0
 	golang.org/x/mod v0.27.0
 	k8s.io/api v0.29.0
 	k8s.io/apimachinery v0.29.0
@@ -101,7 +102,6 @@ require (
 	github.com/subosito/gotenv v1.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.16.0 // indirect

pkg/3scale/amp/component/backend.go

@@ -15,6 +15,7 @@ import (
 	policyv1 "k8s.io/api/policy/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -256,6 +257,9 @@ func (backend *Backend) CronDeployment(ctx context.Context, k8sclient client.Cli
 								},
 								InitialDelaySeconds: 30,
 								PeriodSeconds:       5,
+								TimeoutSeconds:      1,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 						},
 					},
@@ -330,10 +334,10 @@ func (backend *Backend) ListenerDeployment(ctx context.Context, k8sclient client
 									},
 								},
 								InitialDelaySeconds: 30,
-								TimeoutSeconds:      0,
+								TimeoutSeconds:      1,
 								PeriodSeconds:       10,
-								SuccessThreshold:    0,
-								FailureThreshold:    0,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 							ReadinessProbe: &v1.Probe{
 								ProbeHandler: v1.ProbeHandler{
@@ -343,13 +347,14 @@ func (backend *Backend) ListenerDeployment(ctx context.Context, k8sclient client
 											Type:   intstr.Int,
 											IntVal: 3000,
 										},
+										Scheme: v1.URISchemeHTTP,
 									},
 								},
 								InitialDelaySeconds: 30,
 								TimeoutSeconds:      5,
-								PeriodSeconds:       0,
-								SuccessThreshold:    0,
-								FailureThreshold:    0,
+								PeriodSeconds:       10,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 							ImagePullPolicy: v1.PullIfNotPresent,
 						},
@@ -668,7 +673,7 @@ func (backend *Backend) QueuesRedisTLSEnvVars() []v1.EnvVar {
 }
 
 func (backend *Backend) backendVolumes() []v1.Volume {
-	res := []v1.Volume{}
+	var res []v1.Volume
 	if backend.Options.BackendRedisTLS.Enabled {
 		items := []v1.KeyToPath{}
 		if backend.Options.BackendRedisTLS.HasCA() {
@@ -682,8 +687,9 @@ func (backend *Backend) backendVolumes() []v1.Volume {
 			Name: "backend-redis-tls",
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: BackendSecretBackendRedisSecretName,
-					Items:      items,
+					SecretName:  BackendSecretBackendRedisSecretName,
+					Items:       items,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		}
@@ -703,8 +709,9 @@ func (backend *Backend) backendVolumes() []v1.Volume {
 			Name: "queues-redis-tls",
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: BackendSecretBackendRedisSecretName,
-					Items:      items,
+					SecretName:  BackendSecretBackendRedisSecretName,
+					Items:       items,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		}
@@ -725,7 +732,7 @@ func (backend *Backend) backendListenerRunArgs() []string {
 }
 
 func (backend *Backend) backendContainerVolumeMounts() []v1.VolumeMount {
-	res := []v1.VolumeMount{}
+	var res []v1.VolumeMount
 	if backend.Options.BackendRedisTLS.Enabled {
 		res = append(res, backend.backendRedisContainerVolumeMounts())
 	}

pkg/3scale/amp/component/backend_redis_tls_test.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
 
 	"github.com/3scale/3scale-operator/pkg/helper"
 )
@@ -163,7 +164,7 @@ func TestBackendComponentRedisTLSVolumes(t *testing.T) {
 				BackendRedisTLS:       TLSConfig{Enabled: false},
 				BackendRedisQueuesTLS: TLSConfig{Enabled: false},
 			},
-			[]v1.Volume{},
+			nil,
 		},
 		{
 			"StorageOnly_OneWayTLS",
@@ -183,6 +184,7 @@ func TestBackendComponentRedisTLSVolumes(t *testing.T) {
 							Items: []v1.KeyToPath{
 								{Key: "REDIS_SSL_CA", Path: "backend-redis-ca.crt"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -206,6 +208,7 @@ func TestBackendComponentRedisTLSVolumes(t *testing.T) {
 							Items: []v1.KeyToPath{
 								{Key: "REDIS_SSL_QUEUES_CA", Path: "backend-redis-queues-ca.crt"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -238,6 +241,7 @@ func TestBackendComponentRedisTLSVolumes(t *testing.T) {
 								{Key: "REDIS_SSL_CERT", Path: "backend-redis-client.crt"},
 								{Key: "REDIS_SSL_KEY", Path: "backend-redis-private.key"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -251,6 +255,7 @@ func TestBackendComponentRedisTLSVolumes(t *testing.T) {
 								{Key: "REDIS_SSL_QUEUES_CERT", Path: "backend-redis-queues-client.crt"},
 								{Key: "REDIS_SSL_QUEUES_KEY", Path: "backend-redis-queues-private.key"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -281,6 +286,7 @@ func TestBackendComponentRedisTLSVolumes(t *testing.T) {
 								{Key: "REDIS_SSL_CERT", Path: "backend-redis-client.crt"},
 								{Key: "REDIS_SSL_KEY", Path: "backend-redis-private.key"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -292,6 +298,7 @@ func TestBackendComponentRedisTLSVolumes(t *testing.T) {
 							Items: []v1.KeyToPath{
 								{Key: "REDIS_SSL_QUEUES_CA", Path: "backend-redis-queues-ca.crt"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -322,7 +329,7 @@ func TestBackendComponentRedisTLSVolumeMounts(t *testing.T) {
 				BackendRedisTLS:       TLSConfig{Enabled: false},
 				BackendRedisQueuesTLS: TLSConfig{Enabled: false},
 			},
-			[]v1.VolumeMount{},
+			nil,
 		},
 		{
 			"StorageOnly",

pkg/3scale/amp/component/system.go

@@ -14,6 +14,7 @@ import (
 	policyv1 "k8s.io/api/policy/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 
 	"github.com/3scale/3scale-operator/apis/apps"
 	"github.com/3scale/3scale-operator/pkg/helper"
@@ -594,6 +595,7 @@ func (system *System) appPodVolumes() []v1.Volume {
 							Path: "tls.key", // Map the secret key to the tls.key file in the container
 						},
 					},
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		}
@@ -624,6 +626,7 @@ func (system *System) appPodVolumes() []v1.Volume {
 							},
 						},
 					},
+					DefaultMode: ptr.To(v1.ProjectedVolumeSourceDefaultMode),
 				},
 			},
 		}
@@ -988,6 +991,7 @@ func (system *System) SidekiqPodVolumes() []v1.Volume {
 							Path: "tls.key", // Map the secret key to the tls.key file in the container
 						},
 					},
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		}
@@ -1015,6 +1019,7 @@ func (system *System) SidekiqPodVolumes() []v1.Volume {
 							},
 						},
 					},
+					DefaultMode: ptr.To(v1.ProjectedVolumeSourceDefaultMode),
 				},
 			},
 		}
@@ -1505,6 +1510,9 @@ func (system *System) systemInit(containerImage string) []v1.Container {
 					"-c",
 					"cp /tls/* /writable-tls/ && chmod 0600 /writable-tls/*",
 				},
+				ImagePullPolicy:          v1.PullIfNotPresent,
+				TerminationMessagePath:   v1.TerminationMessagePathDefault,
+				TerminationMessagePolicy: v1.TerminationMessageReadFile,
 				VolumeMounts: []v1.VolumeMount{
 					{
 						Name:      "tls-secret",
@@ -1535,7 +1543,10 @@ func (system *System) sidekiqInit(containerImage string) []v1.Container {
 			"-c",
 			"bundle exec sh -c \"until rake boot:redis && curl --output /dev/null --silent --fail --head http://system-master:3000/status; do sleep $SLEEP_SECONDS; done\"",
 		},
-		Env: append(system.SystemRedisEnvVars(), helper.EnvVarFromValue("SLEEP_SECONDS", "1")),
+		Env:                      append(system.SystemRedisEnvVars(), helper.EnvVarFromValue("SLEEP_SECONDS", "1")),
+		ImagePullPolicy:          v1.PullIfNotPresent,
+		TerminationMessagePath:   v1.TerminationMessagePathDefault,
+		TerminationMessagePolicy: v1.TerminationMessageReadFile,
 	}
 
 	// Append Redis TLS volume mounts if Redis TLS is enabled
@@ -1552,6 +1563,9 @@ func (system *System) sidekiqInit(containerImage string) []v1.Container {
 				"-c",
 				"cp /tls/* /writable-tls/ && chmod 0600 /writable-tls/*",
 			},
+			ImagePullPolicy:          v1.PullIfNotPresent,
+			TerminationMessagePath:   v1.TerminationMessagePathDefault,
+			TerminationMessagePolicy: v1.TerminationMessageReadFile,
 			VolumeMounts: []v1.VolumeMount{
 				{
 					Name:      "tls-secret",
@@ -1683,8 +1697,9 @@ func (system *System) redisTLSVolumes() []v1.Volume {
 			Name: "system-redis-tls",
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: SystemSecretSystemRedisSecretName,
-					Items:      items,
+					SecretName:  SystemSecretSystemRedisSecretName,
+					Items:       items,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		}
@@ -1704,8 +1719,9 @@ func (system *System) redisTLSVolumes() []v1.Volume {
 			Name: "backend-redis-tls",
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: BackendSecretBackendRedisSecretName,
-					Items:      items,
+					SecretName:  BackendSecretBackendRedisSecretName,
+					Items:       items,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		}

pkg/3scale/amp/component/system_redis_tls_test.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
 
 	"github.com/3scale/3scale-operator/pkg/helper"
 )
@@ -187,6 +188,7 @@ func TestRedisTLSVolumes(t *testing.T) {
 							Items: []v1.KeyToPath{
 								{Key: "REDIS_SSL_CA", Path: "system-redis-ca.crt"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -210,6 +212,7 @@ func TestRedisTLSVolumes(t *testing.T) {
 							Items: []v1.KeyToPath{
 								{Key: "REDIS_SSL_CA", Path: "backend-redis-ca.crt"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -242,6 +245,7 @@ func TestRedisTLSVolumes(t *testing.T) {
 								{Key: "REDIS_SSL_CERT", Path: "system-redis-client.crt"},
 								{Key: "REDIS_SSL_KEY", Path: "system-redis-private.key"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -255,6 +259,7 @@ func TestRedisTLSVolumes(t *testing.T) {
 								{Key: "REDIS_SSL_CERT", Path: "backend-redis-client.crt"},
 								{Key: "REDIS_SSL_KEY", Path: "backend-redis-private.key"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -285,6 +290,7 @@ func TestRedisTLSVolumes(t *testing.T) {
 								{Key: "REDIS_SSL_CERT", Path: "system-redis-client.crt"},
 								{Key: "REDIS_SSL_KEY", Path: "system-redis-private.key"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},
@@ -296,6 +302,7 @@ func TestRedisTLSVolumes(t *testing.T) {
 							Items: []v1.KeyToPath{
 								{Key: "REDIS_SSL_CA", Path: "backend-redis-ca.crt"},
 							},
+							DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 						},
 					},
 				},

pkg/3scale/amp/component/system_searchd.go

@@ -101,7 +101,10 @@ func (s *SystemSearchd) Deployment(ctx context.Context, k8sclient client.Client,
 									},
 								},
 								InitialDelaySeconds: 60,
+								TimeoutSeconds:      1,
 								PeriodSeconds:       10,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 							ReadinessProbe: &v1.Probe{
 								ProbeHandler: v1.ProbeHandler{