Server Side Apply phase 1 - ConfigMap, Ingress, Service, ServiceAccount, PVC (strimzi#11693)

Signed-off-by: Lukas Kral <lukywill16@gmail.com>
Signed-off-by: Lukáš Král <53821852+im-konge@users.noreply.github.com>
Co-authored-by: PaulRMellor <47596553+PaulRMellor@users.noreply.github.com>

Author: 2 people

.azure/templates/jobs/system-tests/feature_gates_regression_jobs.yaml

@@ -5,7 +5,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle I. - kafka + oauth'
       profile: 'azp_kafka_oauth'
       cluster_operator_install_type: 'yaml'
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -16,7 +16,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle II. - security'
       profile: 'azp_security'
       cluster_operator_install_type: 'yaml'
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -27,7 +27,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle III. - dynconfig + tracing + watcher'
       profile: 'azp_dynconfig_listeners_tracing_watcher'
       cluster_operator_install_type: 'yaml'
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -38,7 +38,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle IV. - operators'
       profile: 'azp_operators'
       cluster_operator_install_type: 'yaml'
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -49,7 +49,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle V. - rollingupdate'
       profile: 'azp_rolling_update_bridge'
       cluster_operator_install_type: 'yaml'
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -60,7 +60,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle VI. - connect + mirrormaker'
       profile: 'azp_connect_mirrormaker'
       cluster_operator_install_type: 'yaml'
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -71,7 +71,7 @@ jobs:
         display_name: 'feature-gates-regression-bundle VII. - logging + specific'
         profile: 'azp_logging_specific'
         cluster_operator_install_type: 'yaml'
-        strimzi_feature_gates: '+DummyFeatureGate'
+        strimzi_feature_gates: '+ServerSideApplyPhase1'
         timeout: 360
         releaseVersion: '${{ parameters.releaseVersion }}'
         kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -82,7 +82,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle VIII. - remaining system tests'
       profile: 'azp_remaining'
       cluster_operator_install_type: 'yaml'
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'

.azure/templates/jobs/system-tests/feature_gates_regression_namespace_rbac_jobs.yaml

@@ -8,7 +8,7 @@ jobs:
       cluster_operator_install_type: 'yaml'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
 
@@ -21,7 +21,7 @@ jobs:
       cluster_operator_install_type: 'yaml'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
 
@@ -34,7 +34,7 @@ jobs:
       cluster_operator_install_type: 'yaml'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
 
@@ -47,7 +47,7 @@ jobs:
       cluster_operator_install_type: 'yaml'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
 
@@ -60,7 +60,7 @@ jobs:
       cluster_operator_install_type: 'yaml'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
 
@@ -73,7 +73,7 @@ jobs:
       cluster_operator_install_type: 'yaml'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
 
@@ -86,6 +86,6 @@ jobs:
       cluster_operator_install_type: 'yaml'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '+DummyFeatureGate'
+      strimzi_feature_gates: '+ServerSideApplyPhase1'
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'

CHANGELOG.md

@@ -8,6 +8,7 @@
 * Add monitoring of custom resources using [kubernetes-state-metrics (KSM)](https://github.com/kubernetes/kube-state-metrics) (see [Strimzi proposal 087](https://github.com/strimzi/proposals/blob/main/087-monitoring-of-custom-resources.md))
 * Ignore users (their ACLs, Quotas and SCRAM-SHA-512 credentials) managed by some other tools based on a configurable pattern in User Operator
 * Added support for Strimzi Metrics Reporter to Kafka Connect, Mirror Maker 2 and Kafka Bridge.
+* Add new feature gate `ServerSideApplyPhase1` (disabled by default) that adds support for Server Side Apply for `ConfigMap`, `Ingress`, `PVC`, `Service`, and `ServiceAccount` according to [Strimzi Proposal #105](https://github.com/strimzi/proposals/blob/main/105-server-side-apply-implementation-fg-timelines.md).
 
 ### Major changes, deprecations and removals
 

cluster-operator/src/main/java/io/strimzi/operator/cluster/Main.java

@@ -136,13 +136,15 @@ private static Future<PlatformFeaturesAvailability> createPlatformFeaturesAvaila
      *
      * @return  Future which completes when all Cluster Operator verticles are started and running
      */
-    static CompositeFuture deployClusterOperatorVerticles(Vertx vertx, KubernetesClient client, MetricsProvider metricsProvider, PlatformFeaturesAvailability pfa, ClusterOperatorConfig config, ShutdownHook shutdownHook) {
+    static CompositeFuture deployClusterOperatorVerticles(Vertx vertx, KubernetesClient client, MetricsProvider metricsProvider,
+                                                          PlatformFeaturesAvailability pfa, ClusterOperatorConfig config, ShutdownHook shutdownHook) {
         ResourceOperatorSupplier resourceOperatorSupplier = new ResourceOperatorSupplier(
                 vertx,
                 client,
                 metricsProvider,
                 pfa,
-                config.getOperatorName()
+                config.getOperatorName(),
+                config.featureGates()
         );
 
         // Initialize the PodSecurityProvider factory to provide the user configured provider

cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/resource/ResourceOperatorSupplier.java

@@ -49,6 +49,7 @@
 import io.strimzi.operator.common.AdminClientProvider;
 import io.strimzi.operator.common.DefaultAdminClientProvider;
 import io.strimzi.operator.common.MetricsProvider;
+import io.strimzi.operator.common.featuregates.FeatureGates;
 import io.vertx.core.Vertx;
 
 /**
@@ -230,15 +231,17 @@ public class ResourceOperatorSupplier {
      * @param metricsProvider       Metrics provider
      * @param pfa                   Platform Availability Features
      * @param operatorName          Name of this operator instance
+     * @param featureGates          Feature Gates configuration of operator
      */
-    public ResourceOperatorSupplier(Vertx vertx, KubernetesClient client, MetricsProvider metricsProvider, PlatformFeaturesAvailability pfa, String operatorName) {
+    public ResourceOperatorSupplier(Vertx vertx, KubernetesClient client, MetricsProvider metricsProvider, PlatformFeaturesAvailability pfa, String operatorName, FeatureGates featureGates) {
         this(vertx,
-                client,
-                new DefaultAdminClientProvider(),
-                new DefaultKafkaAgentClientProvider(),
-                metricsProvider,
-                pfa,
-                new KubernetesRestartEventPublisher(client, operatorName)
+            client,
+            new DefaultAdminClientProvider(),
+            new DefaultKafkaAgentClientProvider(),
+            metricsProvider,
+            pfa,
+            new KubernetesRestartEventPublisher(client, operatorName),
+            featureGates
         );
     }
 
@@ -275,21 +278,40 @@ private ResourceOperatorSupplier(Vertx vertx,
                                      MetricsProvider metricsProvider,
                                      PlatformFeaturesAvailability pfa,
                                      KubernetesRestartEventPublisher restartEventPublisher) {
-        this(new ServiceOperator(vertx, client),
+        this(vertx,
+            client,
+            adminClientProvider,
+            kafkaAgentClientProvider,
+            metricsProvider,
+            pfa,
+            restartEventPublisher,
+            new FeatureGates("")
+        );
+    }
+
+    private ResourceOperatorSupplier(Vertx vertx,
+                                     KubernetesClient client,
+                                     AdminClientProvider adminClientProvider,
+                                     KafkaAgentClientProvider kafkaAgentClientProvider,
+                                     MetricsProvider metricsProvider,
+                                     PlatformFeaturesAvailability pfa,
+                                     KubernetesRestartEventPublisher restartEventPublisher,
+                                     FeatureGates featureGates) {
+        this(new ServiceOperator(vertx, client, featureGates.serverSideApplyPhase1Enabled()),
                 pfa.hasRoutes() ? new RouteOperator(vertx, client.adapt(OpenShiftClient.class)) : null,
                 pfa.hasImages() ? new ImageStreamOperator(vertx, client.adapt(OpenShiftClient.class)) : null,
-                new ConfigMapOperator(vertx, client),
+                new ConfigMapOperator(vertx, client, featureGates.serverSideApplyPhase1Enabled()),
                 new SecretOperator(vertx, client),
-                new PvcOperator(vertx, client),
+                new PvcOperator(vertx, client, featureGates.serverSideApplyPhase1Enabled()),
                 new DeploymentOperator(vertx, client),
-                new ServiceAccountOperator(vertx, client),
+                new ServiceAccountOperator(vertx, client, featureGates.serverSideApplyPhase1Enabled()),
                 new RoleBindingOperator(vertx, client),
                 new RoleOperator(vertx, client),
                 new ClusterRoleBindingOperator(vertx, client),
                 new NetworkPolicyOperator(vertx, client),
                 new PodDisruptionBudgetOperator(vertx, client),
                 new PodOperator(vertx, client),
-                new IngressOperator(vertx, client),
+                new IngressOperator(vertx, client, featureGates.serverSideApplyPhase1Enabled()),
                 pfa.hasBuilds() ? new BuildConfigOperator(vertx, client.adapt(OpenShiftClient.class)) : null,
                 pfa.hasBuilds() ? new BuildOperator(vertx, client.adapt(OpenShiftClient.class)) : null,
                 new CrdOperator<>(vertx, client, Kafka.class, KafkaList.class, Kafka.RESOURCE_KIND),

cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/resource/kubernetes/AbstractNamespacedResourceOperator.java

@@ -9,6 +9,7 @@
 import io.fabric8.kubernetes.api.model.KubernetesResourceList;
 import io.fabric8.kubernetes.api.model.LabelSelector;
 import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientException;
 import io.fabric8.kubernetes.client.Watcher;
 import io.fabric8.kubernetes.client.dsl.FilterWatchListDeletable;
 import io.fabric8.kubernetes.client.dsl.Informable;
@@ -49,15 +50,29 @@ public abstract class AbstractNamespacedResourceOperator<C extends KubernetesCli
             R extends Resource<T>>
         extends AbstractResourceOperator<C, T, L, R> {
     private static final ReconciliationLogger LOGGER = ReconciliationLogger.create(AbstractNamespacedResourceOperator.class);
+    private final boolean useServerSideApply;
 
     /**
      * Constructor.
      * @param vertx The vertx instance.
      * @param client The kubernetes client.
-     * @param resourceKind The mind of Kubernetes resource (used for logging).
+     * @param resourceKind The kind of Kubernetes resource (used for logging).
      */
     public AbstractNamespacedResourceOperator(Vertx vertx, C client, String resourceKind) {
         super(vertx, client, resourceKind);
+        this.useServerSideApply = false;
+    }
+
+    /**
+     * Constructor.
+     * @param vertx                 The vertx instance.
+     * @param client                The kubernetes client.
+     * @param resourceKind          The kind of Kubernetes resource (used for logging).
+     * @param useServerSideApply    Determines if Server Side Apply should be used.
+     */
+    public AbstractNamespacedResourceOperator(Vertx vertx, C client, String resourceKind, boolean useServerSideApply) {
+        super(vertx, client, resourceKind);
+        this.useServerSideApply = useServerSideApply;
     }
 
     protected abstract MixedOperation<T, L, R> operation();
@@ -96,22 +111,25 @@ public Future<ReconcileResult<T>> reconcile(Reconciliation reconciliation, Strin
 
         return getAsync(namespace, name)
                 .compose(current -> {
-                    if (desired != null) {
+                    if (desired == null) {
                         if (current == null) {
-                            LOGGER.debugCr(reconciliation, "{} {}/{} does not exist, creating it", resourceKind, namespace, name);
-                            return internalCreate(reconciliation, namespace, name, desired);
+                            LOGGER.debugCr(reconciliation, "{} {}/{} does not exist, noop", resourceKind, namespace, name);
+                            return Future.succeededFuture(ReconcileResult.noop(null));
                         } else {
-                            LOGGER.debugCr(reconciliation, "{} {}/{} already exists, updating it", resourceKind, namespace, name);
-                            return internalUpdate(reconciliation, namespace, name, current, desired);
-                        }
-                    } else {
-                        if (current != null) {
                             // Deletion is desired
                             LOGGER.debugCr(reconciliation, "{} {}/{} exist, deleting it", resourceKind, namespace, name);
                             return internalDelete(reconciliation, namespace, name);
+                        }
+                    } else {
+                        if (useServerSideApply) {
+                            LOGGER.debugCr(reconciliation, "{} {}/{} is desired, patching it", resourceKind, namespace, name);
+                            return internalServerSideApply(reconciliation, namespace, name, desired);
+                        } else if (current == null) {
+                            LOGGER.debugCr(reconciliation, "{} {}/{} does not exist, creating it", resourceKind, namespace, name);
+                            return internalCreate(reconciliation, namespace, name, desired);
                         } else {
-                            LOGGER.debugCr(reconciliation, "{} {}/{} does not exist, noop", resourceKind, namespace, name);
-                            return Future.succeededFuture(ReconcileResult.noop(null));
+                            LOGGER.debugCr(reconciliation, "{} {}/{} already exists, updating it", resourceKind, namespace, name);
+                            return internalUpdate(reconciliation, namespace, name, current, desired);
                         }
                     }
                 });
@@ -245,6 +263,56 @@ protected Future<ReconcileResult<T>> internalUpdate(Reconciliation reconciliatio
         }
     }
 
+    /**
+     * Patches the resource with the given namespace and name to match the given desired resource
+     * and completes the given future accordingly.
+     * The patch is done using Server-Side Apply, which means that the server will handle the changes
+     * to the resource.
+     * First patch attempt is done without force, however if there is a conflict, operator will try again using force.
+     */
+    protected Future<ReconcileResult<T>> internalServerSideApply(Reconciliation reconciliation, String namespace, String name, T desired) {
+        R resourceOp = operation().inNamespace(namespace).withName(name);
+
+        try {
+            T result;
+
+            try {
+                LOGGER.debugCr(reconciliation, "{} {}/{} is being patched using Server Side Apply", resourceKind, namespace, name);
+                result = resourceOp.patch(serverSideApplyPatchContext(false), desired);
+            } catch (KubernetesClientException e) {
+                // in case that error code is 409, we have conflict with other operator when using SSA
+                // so we will use force
+                if (e.getCode() == 409) {
+                    LOGGER.warnCr(reconciliation, "{} {}/{} failed to patch because of conflict: {}, applying force", resourceKind, namespace, name, e.getMessage());
+                    result = resourceOp.patch(serverSideApplyPatchContext(true), desired);
+                } else {
+                    // otherwise throw the exception
+                    throw e;
+                }
+            }
+
+            LOGGER.debugCr(reconciliation, "{} {}/{} has been patched", resourceKind, namespace, name);
+            return Future.succeededFuture(ReconcileResult.patchedWithServerSideApply(result));
+        } catch (Exception e) {
+            LOGGER.debugCr(reconciliation, "Caught exception while patching {} {} in namespace {}", resourceKind, name, namespace, e);
+            return Future.failedFuture(e);
+        }
+    }
+
+    /**
+     * Creates {@link PatchContext} with SSA type for the Cluster Operator.
+     *
+     * @param useForce  boolean parameter determining if the force should be used or not.
+     * @return  {@link PatchContext} with SSA type for the Cluster Operator.
+     */
+    private static PatchContext serverSideApplyPatchContext(boolean useForce) {
+        return new PatchContext.Builder()
+            .withFieldManager("strimzi-kafka-operator")
+            .withForce(useForce)
+            .withPatchType(PatchType.SERVER_SIDE_APPLY)
+            .build();
+    }
+
     /**
      * Method for patching or replacing a resource. By default, is using JSON-type patch. Overriding this method can be
      * used to use replace instead of patch or different patch strategies.

cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/resource/kubernetes/ConfigMapOperator.java

@@ -28,11 +28,12 @@ public class ConfigMapOperator extends AbstractNamespacedResourceOperator<Kubern
     /**
      * Constructor
      *
-     * @param vertx The Vertx instance
-     * @param client The Kubernetes client
+     * @param vertx                 The Vertx instance
+     * @param client                The Kubernetes client
+     * @param useServerSideApply    Determines if Server Side Apply should be used
      */
-    public ConfigMapOperator(Vertx vertx, KubernetesClient client) {
-        super(vertx, client, "ConfigMap");
+    public ConfigMapOperator(Vertx vertx, KubernetesClient client, boolean useServerSideApply) {
+        super(vertx, client, "ConfigMap", useServerSideApply);
     }
 
     @Override