MonitoringCRD
@@ -1373,6 +1379,189 @@ be derived automatically.
If no URL is provided, Alertmanager will point to the Google Cloud Metric Explorer page.
+
+
+storage
+
+
+AlertmanagerStorageSpec
+
+
+ |
+
+ Storage opts the managed Alertmanager into a PersistentVolumeClaim-backed
+data directory. When unset, Alertmanager uses an ephemeral emptyDir volume
+and all silences, notification log entries, and inhibitions are lost on
+pod restart. When set, the operator creates a PVC in the operator
+namespace and mounts it at the Alertmanager data path so this state
+survives pod churn.
+See issue #685.
+ |
+
+
+
+
+AlertmanagerStorageSpec
+
+
+
+(Appears in: ManagedAlertmanagerSpec)
+
+
+
AlertmanagerStorageSpec configures persistent storage for the managed
+Alertmanager. The operator provisions a single PersistentVolumeClaim named
+"alertmanager-data" in the operator namespace using the supplied spec and
+mounts it at the Alertmanager data path. The managed Alertmanager runs with
+a single replica, so a ReadWriteOnce access mode is sufficient; multi-replica
+support would require migrating to volumeClaimTemplates and is out of scope
+here.
+
Changing this spec after creation triggers a rolling restart of the
+Alertmanager StatefulSet. Most PersistentVolumeClaim fields are immutable
+once the claim is bound — only resources.requests.storage can be
+expanded (and only if the StorageClass allows volume expansion). The
+operator logs and ignores shrink requests and other mutations to
+immutable fields; the existing PVC must be deleted manually to fully
+reset (silences will be lost).
+
+
+
+| Field |
+Description |
+
+
+
+
+
+volumeClaim
+
+
+EmbeddedPersistentVolumeClaim
+
+
+ |
+
+ VolumeClaim describes the desired PersistentVolumeClaim. The embedded
+structure exposes both metadata (so callers can attach labels and
+annotations, e.g. for volume-snapshot tooling) and spec (so every
+Kubernetes PVC field — accessModes, storageClassName, resources, selector,
+volumeMode, dataSource, dataSourceRef — is configurable). The operator
+overwrites the claim's name and namespace; everything else is taken from
+the caller-provided spec modulo Kubernetes-enforced immutability.
+ |
+
+
+
+
+EmbeddedPersistentVolumeClaim
+
+
+
+(Appears in: AlertmanagerStorageSpec)
+
+
+
EmbeddedPersistentVolumeClaim is a PersistentVolumeClaim definition
+embedded directly in a parent resource's spec. It mirrors prometheus-
+operator's type of the same name so user-facing YAML feels familiar.
+
+
+
+| Field |
+Description |
+
+
+
+
+
+metadata
+
+
+EmbeddedObjectMetadata
+
+
+ |
+
+ EmbeddedObjectMetadata contains labels, annotations and finalizers
+applied to the generated PersistentVolumeClaim. Other ObjectMeta
+fields are ignored.
+ |
+
+
+
+spec
+
+
+Kubernetes core/v1.PersistentVolumeClaimSpec
+
+
+ |
+
+ Spec defines the desired characteristics of the volume. At minimum,
+resources.requests.storage must be set.
+ |
+
+
+
+
+
+(Appears in: EmbeddedPersistentVolumeClaim)
+
+
+
EmbeddedObjectMetadata is a subset of metav1.ObjectMeta containing only
+the fields that make sense to set on an operator-managed child resource.
+Setting name or namespace here has no effect — the operator owns
+those.
+
+
+
+| Field |
+Description |
+
+
+
+
+
+labels
+
+map[string]string
+
+ |
+
+ Labels applied to the generated resource. Merged with the operator's
+default labels; on conflict the operator's value wins.
+ |
+
+
+
+annotations
+
+map[string]string
+
+ |
+
+ Annotations applied to the generated resource. Useful for integrations
+such as VolumeSnapshot controllers or storage-class provisioners that
+read annotations from the claim.
+ |
+
+
+
+finalizers
+
+[]string
+
+ |
+
+ Finalizers applied to the generated resource on creation. The operator
+does not strip user-managed finalizers it did not add, so removing
+entries from this list does not remove them from the live object.
+ |
+
diff --git a/pkg/operator/apis/monitoring/v1/operator_types.go b/pkg/operator/apis/monitoring/v1/operator_types.go
index a3fb792188..4fbc7009c0 100644
--- a/pkg/operator/apis/monitoring/v1/operator_types.go
+++ b/pkg/operator/apis/monitoring/v1/operator_types.go
@@ -289,6 +289,87 @@ type ManagedAlertmanagerSpec struct {
//
// If no URL is provided, Alertmanager will point to the Google Cloud Metric Explorer page.
ExternalURL string `json:"externalURL,omitempty"`
+ // Storage opts the managed Alertmanager into a PersistentVolumeClaim-backed
+ // data directory. When unset, Alertmanager uses an ephemeral emptyDir volume
+ // and all silences, notification log entries, and inhibitions are lost on
+ // pod restart. When set, the operator creates a PVC in the operator
+ // namespace and mounts it at the Alertmanager data path so this state
+ // survives pod churn.
+ //
+ // See https://github.com/GoogleCloudPlatform/prometheus-engine/issues/685.
+ Storage *AlertmanagerStorageSpec `json:"storage,omitempty"`
+}
+
+// AlertmanagerStorageSpec configures persistent storage for the managed
+// Alertmanager. The operator provisions a single PersistentVolumeClaim named
+// "alertmanager-data" in the operator namespace using the supplied spec and
+// mounts it at the Alertmanager data path. The managed Alertmanager runs with
+// a single replica, so a ReadWriteOnce access mode is sufficient; multi-replica
+// support would require migrating to volumeClaimTemplates and is out of scope
+// here.
+//
+// Changing this spec after creation triggers a rolling restart of the
+// Alertmanager StatefulSet. Most PersistentVolumeClaim fields are immutable
+// once the claim is bound — only `resources.requests.storage` can be
+// expanded (and only if the StorageClass allows volume expansion). The
+// operator logs and ignores shrink requests and other mutations to
+// immutable fields; the existing PVC must be deleted manually to fully
+// reset (silences will be lost).
+type AlertmanagerStorageSpec struct {
+ // VolumeClaim describes the desired PersistentVolumeClaim. The
+ // embedded structure exposes both `metadata` (so callers can attach
+ // labels and annotations, e.g. for volume-snapshot tooling) and `spec`
+ // (so every Kubernetes PVC field — accessModes, storageClassName,
+ // resources, selector, volumeMode, dataSource, dataSourceRef — is
+ // configurable). The operator overwrites the claim's name and
+ // namespace; everything else is taken from the caller-provided spec
+ // modulo Kubernetes-enforced immutability.
+ VolumeClaim EmbeddedPersistentVolumeClaim `json:"volumeClaim"`
+}
+
+// EmbeddedPersistentVolumeClaim is a PersistentVolumeClaim definition
+// embedded directly in a parent resource's spec. It mirrors prometheus-
+// operator's type of the same name so user-facing YAML feels familiar.
+//
+// Only ObjectMeta fields that customise the claim itself (labels,
+// annotations, finalizers) are honoured; name and namespace are owned by
+// the operator.
+type EmbeddedPersistentVolumeClaim struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // EmbeddedObjectMetadata contains labels, annotations and finalizers
+ // applied to the generated PersistentVolumeClaim. Other ObjectMeta
+ // fields are ignored.
+ // +optional
+ EmbeddedObjectMetadata `json:"metadata,omitempty"`
+
+ // Spec defines the desired characteristics of the volume. At minimum,
+ // `resources.requests.storage` must be set. See the Kubernetes
+ // PersistentVolumeClaim documentation for the full field reference:
+ // https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#persistentvolumeclaimspec-v1-core
+ Spec corev1.PersistentVolumeClaimSpec `json:"spec,omitempty"`
+}
+
+// EmbeddedObjectMetadata is a subset of metav1.ObjectMeta containing only
+// the fields that make sense to set on an operator-managed child resource.
+// Setting `name` or `namespace` here has no effect — the operator owns
+// those.
+type EmbeddedObjectMetadata struct {
+ // Labels applied to the generated resource. Merged with the
+ // operator's default labels; on conflict the operator's value wins.
+ // +optional
+ Labels map[string]string `json:"labels,omitempty"`
+ // Annotations applied to the generated resource. Useful for
+ // integrations such as VolumeSnapshot controllers or storage-class
+ // provisioners that read annotations from the claim.
+ // +optional
+ Annotations map[string]string `json:"annotations,omitempty"`
+ // Finalizers applied to the generated resource on creation. The
+ // operator does not strip user-managed finalizers it did not add, so
+ // removing entries from this list does not remove them from the live
+ // object.
+ // +optional
+ Finalizers []string `json:"finalizers,omitempty"`
}
// AlertmanagerEndpoints defines a selection of a single Endpoints object
diff --git a/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go b/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go
index c6a5d372f2..d722b44836 100644
--- a/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go
+++ b/pkg/operator/apis/monitoring/v1/zz_generated.deepcopy.go
@@ -661,6 +661,11 @@ func (in *ManagedAlertmanagerSpec) DeepCopyInto(out *ManagedAlertmanagerSpec) {
*out = new(corev1.SecretKeySelector)
(*in).DeepCopyInto(*out)
}
+ if in.Storage != nil {
+ in, out := &in.Storage, &out.Storage
+ *out = new(AlertmanagerStorageSpec)
+ (*in).DeepCopyInto(*out)
+ }
return
}
@@ -674,6 +679,77 @@ func (in *ManagedAlertmanagerSpec) DeepCopy() *ManagedAlertmanagerSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlertmanagerStorageSpec) DeepCopyInto(out *AlertmanagerStorageSpec) {
+ *out = *in
+ in.VolumeClaim.DeepCopyInto(&out.VolumeClaim)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlertmanagerStorageSpec.
+func (in *AlertmanagerStorageSpec) DeepCopy() *AlertmanagerStorageSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(AlertmanagerStorageSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EmbeddedPersistentVolumeClaim) DeepCopyInto(out *EmbeddedPersistentVolumeClaim) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.EmbeddedObjectMetadata.DeepCopyInto(&out.EmbeddedObjectMetadata)
+ in.Spec.DeepCopyInto(&out.Spec)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedPersistentVolumeClaim.
+func (in *EmbeddedPersistentVolumeClaim) DeepCopy() *EmbeddedPersistentVolumeClaim {
+ if in == nil {
+ return nil
+ }
+ out := new(EmbeddedPersistentVolumeClaim)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EmbeddedObjectMetadata) DeepCopyInto(out *EmbeddedObjectMetadata) {
+ *out = *in
+ if in.Labels != nil {
+ in, out := &in.Labels, &out.Labels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+ if in.Annotations != nil {
+ in, out := &in.Annotations, &out.Annotations
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+ if in.Finalizers != nil {
+ in, out := &in.Finalizers, &out.Finalizers
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedObjectMetadata.
+func (in *EmbeddedObjectMetadata) DeepCopy() *EmbeddedObjectMetadata {
+ if in == nil {
+ return nil
+ }
+ out := new(EmbeddedObjectMetadata)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *MonitoringCondition) DeepCopyInto(out *MonitoringCondition) {
*out = *in
diff --git a/pkg/operator/operator_config.go b/pkg/operator/operator_config.go
index 61417e62d8..f7a32994cf 100644
--- a/pkg/operator/operator_config.go
+++ b/pkg/operator/operator_config.go
@@ -38,6 +38,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
@@ -512,7 +513,235 @@ func (r *operatorConfigReconciler) ensureAlertmanagerStatefulSet(ctx context.Con
logger.Error(err, "Alertmanager StatefulSet does not exist")
return nil
}
- return err
+ if err != nil {
+ return err
+ }
+
+ return r.reconcileAlertmanagerStorage(ctx, &sset, spec.Storage)
+}
+
+// alertmanagerDataVolumeName is the name of the volume backing Alertmanager's
+// --storage.path. Matches manifests/operator.yaml. Used as both the volume
+// name on the StatefulSet pod template and the PVC name in the operator
+// namespace when persistent storage is configured.
+const alertmanagerDataVolumeName = "alertmanager-data"
+
+// reconcileAlertmanagerStorage swaps the Alertmanager data volume between an
+// ephemeral emptyDir and a PVC-backed claim depending on whether the user
+// configured persistent storage.
+//
+// When spec is non-nil, the operator owns a PVC named "alertmanager-data" in
+// the operator namespace and the StatefulSet's pod template references it via
+// `volumes[name=alertmanager-data].persistentVolumeClaim`. The PVC spec is
+// kept in sync with the user-provided spec, modulo Kubernetes' restriction
+// that most PVC fields are immutable after creation — for those the operator
+// logs a warning and leaves the existing PVC alone.
+//
+// When spec is nil, the StatefulSet falls back to the manifest default
+// (emptyDir) and any operator-owned PVC is left in place to avoid surprising
+// data loss; users wanting to reclaim storage should delete the PVC manually.
+func (r *operatorConfigReconciler) reconcileAlertmanagerStorage(ctx context.Context, sset *appsv1.StatefulSet, spec *monitoringv1.AlertmanagerStorageSpec) error {
+ logger, _ := logr.FromContext(ctx)
+
+ if spec == nil {
+ // Restore the manifest default emptyDir if a previous spec swapped
+ // it for a PVC reference. Doing this lets users disable persistence
+ // without manually editing the StatefulSet, at the cost of leaving
+ // the PVC behind (intentional — see godoc above).
+ return r.setAlertmanagerDataVolume(ctx, sset, corev1.Volume{
+ Name: alertmanagerDataVolumeName,
+ VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+ })
+ }
+
+ if err := r.ensureAlertmanagerPVC(ctx, spec); err != nil {
+ return fmt.Errorf("ensure alertmanager PVC: %w", err)
+ }
+
+ logger.Info("alertmanager storage reconciled", "claim", alertmanagerDataVolumeName, "namespace", r.opts.OperatorNamespace)
+
+ return r.setAlertmanagerDataVolume(ctx, sset, corev1.Volume{
+ Name: alertmanagerDataVolumeName,
+ VolumeSource: corev1.VolumeSource{
+ PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+ ClaimName: alertmanagerDataVolumeName,
+ },
+ },
+ })
+}
+
+// ensureAlertmanagerPVC creates or updates the PVC backing Alertmanager's
+// data directory. Most PVC fields are immutable post-creation (access modes,
+// storage class, volume name); only the storage request is patchable via
+// Kubernetes' PVC resize support. We update only that field on existing
+// claims to avoid validation errors. Caller-supplied labels and annotations
+// are merged on every reconciliation so they can be added or updated after
+// the PVC is bound.
+func (r *operatorConfigReconciler) ensureAlertmanagerPVC(ctx context.Context, spec *monitoringv1.AlertmanagerStorageSpec) error {
+ logger, _ := logr.FromContext(ctx)
+
+ desiredSpec := spec.VolumeClaim.Spec.DeepCopy()
+ if len(desiredSpec.AccessModes) == 0 {
+ desiredSpec.AccessModes = []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce}
+ }
+
+ pvcKey := client.ObjectKey{Namespace: r.opts.OperatorNamespace, Name: alertmanagerDataVolumeName}
+ var existing corev1.PersistentVolumeClaim
+ err := r.client.Get(ctx, pvcKey, &existing)
+ if apierrors.IsNotFound(err) {
+ pvc := corev1.PersistentVolumeClaim{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: pvcKey.Namespace,
+ Name: pvcKey.Name,
+ Labels: mergeLabels(componentLabels(NameAlertmanager), spec.VolumeClaim.Labels),
+ Annotations: copyMap(spec.VolumeClaim.Annotations),
+ Finalizers: append([]string(nil), spec.VolumeClaim.Finalizers...),
+ },
+ Spec: *desiredSpec,
+ }
+ return r.client.Create(ctx, &pvc)
+ }
+ if err != nil {
+ return err
+ }
+
+ patch := existing.DeepCopy()
+ mutated := false
+
+ // Reconcile mutable metadata. Operator-owned label keys always win;
+ // every other user-supplied label/annotation is propagated. We do not
+ // remove keys the user previously set and has now removed — to do so
+ // safely we'd need to track owned keys explicitly, which is more
+ // surface than needed for the v1 of this feature.
+ if labels := mergeLabels(existing.Labels, spec.VolumeClaim.Labels, componentLabels(NameAlertmanager)); !mapsEqual(labels, existing.Labels) {
+ patch.Labels = labels
+ mutated = true
+ }
+ if anns := mergeLabels(existing.Annotations, spec.VolumeClaim.Annotations); !mapsEqual(anns, existing.Annotations) {
+ patch.Annotations = anns
+ mutated = true
+ }
+
+ // Only the storage request is mutable on a bound PVC. Anything else
+ // (access modes, storage class, selector) silently won't apply and the
+ // API server rejects the update — so log and skip.
+ wantStorage := desiredSpec.Resources.Requests[corev1.ResourceStorage]
+ gotStorage := existing.Spec.Resources.Requests[corev1.ResourceStorage]
+ switch wantStorage.Cmp(gotStorage) {
+ case 1:
+ if patch.Spec.Resources.Requests == nil {
+ patch.Spec.Resources.Requests = corev1.ResourceList{}
+ }
+ patch.Spec.Resources.Requests[corev1.ResourceStorage] = wantStorage
+ mutated = true
+ case -1:
+ logger.Info("ignoring requested PVC shrink; Kubernetes does not support PVC shrinking",
+ "have", gotStorage.String(), "want", wantStorage.String())
+ }
+
+ if !mutated {
+ return nil
+ }
+ return r.client.Patch(ctx, patch, client.MergeFrom(&existing))
+}
+
+// componentLabels returns the standard label set used by gmp-operator-managed
+// resources for a given component name. Kept local to operator_config.go to
+// avoid leaking into the broader API surface.
+func componentLabels(component string) map[string]string {
+ return map[string]string{
+ LabelAppName: component,
+ }
+}
+
+// mergeLabels merges any number of string maps. Later maps take precedence
+// over earlier ones, so operator-owned labels should be passed last to
+// override any user-supplied conflicting values.
+func mergeLabels(in ...map[string]string) map[string]string {
+ out := map[string]string{}
+ for _, m := range in {
+ maps.Copy(out, m)
+ }
+ if len(out) == 0 {
+ return nil
+ }
+ return out
+}
+
+func copyMap(m map[string]string) map[string]string {
+ if m == nil {
+ return nil
+ }
+ out := make(map[string]string, len(m))
+ maps.Copy(out, m)
+ return out
+}
+
+func mapsEqual(a, b map[string]string) bool {
+ if len(a) != len(b) {
+ return false
+ }
+ for k, v := range a {
+ if b[k] != v {
+ return false
+ }
+ }
+ return true
+}
+
+// setAlertmanagerDataVolume replaces the named volume on the Alertmanager
+// pod template. It is a no-op when the existing volume already matches the
+// desired source, so steady-state reconciliations don't churn the
+// StatefulSet. The mutation is sent as a strategic-merge patch off a
+// snapshot of the original object so the operator doesn't blast over
+// fields owned by another controller (e.g. addon-manager-set annotations)
+// and never races with concurrent writers via optimistic-concurrency
+// conflicts.
+func (r *operatorConfigReconciler) setAlertmanagerDataVolume(ctx context.Context, sset *appsv1.StatefulSet, desired corev1.Volume) error {
+ original := sset.DeepCopy()
+ for i, v := range sset.Spec.Template.Spec.Volumes {
+ if v.Name != desired.Name {
+ continue
+ }
+ if volumeSourcesEqual(v.VolumeSource, desired.VolumeSource) {
+ return nil
+ }
+ sset.Spec.Template.Spec.Volumes[i] = desired
+ return r.client.Patch(ctx, sset, client.MergeFrom(original))
+ }
+ // Volume not present — append. Should not happen with the shipped
+ // manifest, but keeps the operator self-healing if someone strips it.
+ sset.Spec.Template.Spec.Volumes = append(sset.Spec.Template.Spec.Volumes, desired)
+ return r.client.Patch(ctx, sset, client.MergeFrom(original))
+}
+
+// volumeSourcesEqual checks whether two VolumeSource values describe the
+// same underlying storage. It compares the kind of source plus every field
+// the operator manages (and might therefore need to correct on drift), so a
+// manually-edited `medium`, `sizeLimit`, or `readOnly` reconciles back to
+// the operator-desired shape rather than being silently preserved.
+func volumeSourcesEqual(a, b corev1.VolumeSource) bool {
+ switch {
+ case a.EmptyDir != nil && b.EmptyDir != nil:
+ if a.EmptyDir.Medium != b.EmptyDir.Medium {
+ return false
+ }
+ return resourceQuantityPtrEqual(a.EmptyDir.SizeLimit, b.EmptyDir.SizeLimit)
+ case a.PersistentVolumeClaim != nil && b.PersistentVolumeClaim != nil:
+ return a.PersistentVolumeClaim.ClaimName == b.PersistentVolumeClaim.ClaimName &&
+ a.PersistentVolumeClaim.ReadOnly == b.PersistentVolumeClaim.ReadOnly
+ }
+ return false
+}
+
+// resourceQuantityPtrEqual returns true when two *resource.Quantity pointers
+// describe the same quantity (or are both nil). Defined locally because
+// k8s.io/apimachinery does not expose a pointer-aware equality helper.
+func resourceQuantityPtrEqual(a, b *resource.Quantity) bool {
+ if a == nil || b == nil {
+ return a == b
+ }
+ return a.Cmp(*b) == 0
}
// ensureRuleEvaluatorDeployment reconciles the Deployment for rule-evaluator.
diff --git a/pkg/operator/operator_config_test.go b/pkg/operator/operator_config_test.go
index 7627e251ac..0f69bedfb7 100644
--- a/pkg/operator/operator_config_test.go
+++ b/pkg/operator/operator_config_test.go
@@ -15,6 +15,7 @@
package operator
import (
+ "fmt"
"testing"
monitoringv1 "github.com/GoogleCloudPlatform/prometheus-engine/pkg/operator/apis/monitoring/v1"
@@ -25,7 +26,10 @@ import (
"github.com/prometheus/prometheus/google/export"
"github.com/stretchr/testify/require"
"gopkg.in/yaml.v3"
+ appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/api/resource"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
@@ -433,3 +437,179 @@ route:
})
}
}
+
+func TestEnsureAlertmanagerStatefulSet_Storage(t *testing.T) {
+ operatorOpts := Options{
+ ProjectID: "test-project",
+ Location: "us-central1-c",
+ Cluster: "test-cluster",
+ PublicNamespace: DefaultPublicNamespace,
+ OperatorNamespace: DefaultOperatorNamespace,
+ }
+
+ newSset := func() *appsv1.StatefulSet {
+ return &appsv1.StatefulSet{
+ ObjectMeta: v1.ObjectMeta{
+ Namespace: DefaultOperatorNamespace,
+ Name: NameAlertmanager,
+ },
+ Spec: appsv1.StatefulSetSpec{
+ Template: corev1.PodTemplateSpec{
+ Spec: corev1.PodSpec{
+ Volumes: []corev1.Volume{
+ {
+ Name: alertmanagerDataVolumeName,
+ VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+ },
+ },
+ },
+ },
+ },
+ }
+ }
+
+ storageGB := func(gb int) corev1.PersistentVolumeClaimSpec {
+ return corev1.PersistentVolumeClaimSpec{
+ Resources: corev1.VolumeResourceRequirements{
+ Requests: corev1.ResourceList{
+ corev1.ResourceStorage: resource.MustParse(fmt.Sprintf("%dGi", gb)),
+ },
+ },
+ }
+ }
+
+ t.Run("nil storage leaves emptyDir intact", func(t *testing.T) {
+ ctx := t.Context()
+ sset := newSset()
+ kubeClient := newFakeClientBuilder().WithObjects(sset).Build()
+ reconciler := newOperatorConfigReconciler(kubeClient, operatorOpts)
+
+ require.NoError(t, reconciler.ensureAlertmanagerStatefulSet(ctx, &monitoringv1.ManagedAlertmanagerSpec{}))
+
+ var got appsv1.StatefulSet
+ require.NoError(t, kubeClient.Get(ctx, client.ObjectKeyFromObject(sset), &got))
+ require.NotNil(t, got.Spec.Template.Spec.Volumes[0].EmptyDir, "emptyDir volume must be preserved when no storage spec is set")
+ require.Nil(t, got.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim)
+
+ // No PVC should have been created.
+ var pvc corev1.PersistentVolumeClaim
+ err := kubeClient.Get(ctx, client.ObjectKey{Namespace: DefaultOperatorNamespace, Name: alertmanagerDataVolumeName}, &pvc)
+ require.True(t, apierrors.IsNotFound(err), "PVC must not exist when storage is unset; got err=%v", err)
+ })
+
+ t.Run("storage set provisions PVC and swaps volume to PVC reference", func(t *testing.T) {
+ ctx := t.Context()
+ sset := newSset()
+ kubeClient := newFakeClientBuilder().WithObjects(sset).Build()
+ reconciler := newOperatorConfigReconciler(kubeClient, operatorOpts)
+
+ spec := &monitoringv1.ManagedAlertmanagerSpec{
+ Storage: &monitoringv1.AlertmanagerStorageSpec{
+ VolumeClaim: monitoringv1.EmbeddedPersistentVolumeClaim{
+ EmbeddedObjectMetadata: monitoringv1.EmbeddedObjectMetadata{
+ Labels: map[string]string{"team": "platform"},
+ Annotations: map[string]string{"backup.example.com/enabled": "true"},
+ },
+ Spec: storageGB(5),
+ },
+ },
+ }
+ require.NoError(t, reconciler.ensureAlertmanagerStatefulSet(ctx, spec))
+
+ var pvc corev1.PersistentVolumeClaim
+ require.NoError(t, kubeClient.Get(ctx, client.ObjectKey{Namespace: DefaultOperatorNamespace, Name: alertmanagerDataVolumeName}, &pvc))
+ require.Equal(t, []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce}, pvc.Spec.AccessModes, "access mode must default to ReadWriteOnce when caller omits it")
+ require.Equal(t, "5Gi", pvc.Spec.Resources.Requests.Storage().String())
+ require.Equal(t, "platform", pvc.Labels["team"])
+ require.Equal(t, NameAlertmanager, pvc.Labels[LabelAppName], "operator-owned label must be set")
+ require.Equal(t, "true", pvc.Annotations["backup.example.com/enabled"])
+
+ var got appsv1.StatefulSet
+ require.NoError(t, kubeClient.Get(ctx, client.ObjectKeyFromObject(sset), &got))
+ require.NotNil(t, got.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim, "data volume must now reference the PVC")
+ require.Equal(t, alertmanagerDataVolumeName, got.Spec.Template.Spec.Volumes[0].PersistentVolumeClaim.ClaimName)
+ require.Nil(t, got.Spec.Template.Spec.Volumes[0].EmptyDir)
+ })
+
+ t.Run("expanding storage request patches the PVC", func(t *testing.T) {
+ ctx := t.Context()
+ sset := newSset()
+ // Pre-bind PVC at 5Gi to simulate a steady-state cluster.
+ existingPVC := &corev1.PersistentVolumeClaim{
+ ObjectMeta: v1.ObjectMeta{
+ Namespace: DefaultOperatorNamespace,
+ Name: alertmanagerDataVolumeName,
+ },
+ Spec: storageGB(5),
+ }
+ existingPVC.Spec.AccessModes = []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce}
+ kubeClient := newFakeClientBuilder().WithObjects(sset, existingPVC).Build()
+ reconciler := newOperatorConfigReconciler(kubeClient, operatorOpts)
+
+ spec := &monitoringv1.ManagedAlertmanagerSpec{
+ Storage: &monitoringv1.AlertmanagerStorageSpec{
+ VolumeClaim: monitoringv1.EmbeddedPersistentVolumeClaim{Spec: storageGB(10)},
+ },
+ }
+ require.NoError(t, reconciler.ensureAlertmanagerStatefulSet(ctx, spec))
+
+ var pvc corev1.PersistentVolumeClaim
+ require.NoError(t, kubeClient.Get(ctx, client.ObjectKey{Namespace: DefaultOperatorNamespace, Name: alertmanagerDataVolumeName}, &pvc))
+ require.Equal(t, "10Gi", pvc.Spec.Resources.Requests.Storage().String(), "PVC must be expanded to match requested size")
+ })
+
+ t.Run("shrink request is ignored", func(t *testing.T) {
+ ctx := t.Context()
+ sset := newSset()
+ existingPVC := &corev1.PersistentVolumeClaim{
+ ObjectMeta: v1.ObjectMeta{
+ Namespace: DefaultOperatorNamespace,
+ Name: alertmanagerDataVolumeName,
+ },
+ Spec: storageGB(10),
+ }
+ existingPVC.Spec.AccessModes = []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce}
+ kubeClient := newFakeClientBuilder().WithObjects(sset, existingPVC).Build()
+ reconciler := newOperatorConfigReconciler(kubeClient, operatorOpts)
+
+ spec := &monitoringv1.ManagedAlertmanagerSpec{
+ Storage: &monitoringv1.AlertmanagerStorageSpec{
+ VolumeClaim: monitoringv1.EmbeddedPersistentVolumeClaim{Spec: storageGB(2)},
+ },
+ }
+ require.NoError(t, reconciler.ensureAlertmanagerStatefulSet(ctx, spec))
+
+ var pvc corev1.PersistentVolumeClaim
+ require.NoError(t, kubeClient.Get(ctx, client.ObjectKey{Namespace: DefaultOperatorNamespace, Name: alertmanagerDataVolumeName}, &pvc))
+ require.Equal(t, "10Gi", pvc.Spec.Resources.Requests.Storage().String(), "PVC must not shrink; Kubernetes does not allow this")
+ })
+
+ t.Run("removing storage spec falls back to emptyDir and leaves PVC in place", func(t *testing.T) {
+ ctx := t.Context()
+ sset := newSset()
+ sset.Spec.Template.Spec.Volumes[0] = corev1.Volume{
+ Name: alertmanagerDataVolumeName,
+ VolumeSource: corev1.VolumeSource{
+ PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ClaimName: alertmanagerDataVolumeName},
+ },
+ }
+ existingPVC := &corev1.PersistentVolumeClaim{
+ ObjectMeta: v1.ObjectMeta{
+ Namespace: DefaultOperatorNamespace,
+ Name: alertmanagerDataVolumeName,
+ },
+ Spec: storageGB(5),
+ }
+ kubeClient := newFakeClientBuilder().WithObjects(sset, existingPVC).Build()
+ reconciler := newOperatorConfigReconciler(kubeClient, operatorOpts)
+
+ require.NoError(t, reconciler.ensureAlertmanagerStatefulSet(ctx, &monitoringv1.ManagedAlertmanagerSpec{}))
+
+ var got appsv1.StatefulSet
+ require.NoError(t, kubeClient.Get(ctx, client.ObjectKeyFromObject(sset), &got))
+ require.NotNil(t, got.Spec.Template.Spec.Volumes[0].EmptyDir, "removing storage spec must restore emptyDir")
+
+ var pvc corev1.PersistentVolumeClaim
+ require.NoError(t, kubeClient.Get(ctx, client.ObjectKey{Namespace: DefaultOperatorNamespace, Name: alertmanagerDataVolumeName}, &pvc), "PVC must remain so silences survive accidental config removal")
+ })
+}