fix(runtime): preserve stable workload selectors

Author: onutc

operator/controllers/acp_probe_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -26,6 +27,9 @@ func newControllerTestScheme(t *testing.T) *runtime.Scheme {
 	if err := appsv1.AddToScheme(scheme); err != nil {
 		t.Fatalf("failed to register apps scheme: %v", err)
 	}
+	if err := corev1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to register core scheme: %v", err)
+	}
 	return scheme
 }
 

operator/controllers/service_account_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -99,3 +100,116 @@ func TestReconcileDeploymentKeepsRuntimePolicyLabelsOutOfSelector(t *testing.T)
 		t.Fatalf("expected runtime policy label on pod template, got %#v", deployment.Spec.Template.Labels)
 	}
 }
+
+func TestReconcileDeploymentPreservesExistingSelectorOnUpgrade(t *testing.T) {
+	scheme := newControllerTestScheme(t)
+	oldSelector := map[string]string{
+		"spritz.sh/name": "tidy-otter",
+		ownerLabelKey:    ownerLabelValue("user-1"),
+	}
+	spritz := &spritzv1.Spritz{
+		ObjectMeta: metav1.ObjectMeta{Name: "tidy-otter", Namespace: "spritz-test"},
+		Spec: spritzv1.SpritzSpec{
+			Image: "example.com/openclaw:latest",
+			Owner: spritzv1.SpritzOwner{ID: "user-1"},
+			RuntimePolicy: &spritzv1.SpritzRuntimePolicy{
+				NetworkProfile:  "dev-cluster-only",
+				MountProfile:    "dev-default",
+				ExposureProfile: "internal-acp",
+				Revision:        "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+			},
+		},
+	}
+	existingDeployment := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{Name: spritz.Name, Namespace: spritz.Namespace},
+		Spec: appsv1.DeploymentSpec{
+			Selector: &metav1.LabelSelector{MatchLabels: oldSelector},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{Labels: oldSelector},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{Name: spritzContainerName, Image: spritz.Spec.Image},
+					},
+				},
+			},
+		},
+	}
+	k8sClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(spritz, existingDeployment).
+		Build()
+	reconciler := &SpritzReconciler{
+		Client: k8sClient,
+		Scheme: scheme,
+	}
+
+	if err := reconciler.reconcileDeployment(context.Background(), spritz); err != nil {
+		t.Fatalf("reconcileDeployment returned error: %v", err)
+	}
+
+	deployment := &appsv1.Deployment{}
+	if err := k8sClient.Get(
+		context.Background(),
+		client.ObjectKey{Name: spritz.Name, Namespace: spritz.Namespace},
+		deployment,
+	); err != nil {
+		t.Fatalf("failed to load deployment: %v", err)
+	}
+	if deployment.Spec.Selector == nil {
+		t.Fatal("expected deployment selector")
+	}
+	if deployment.Spec.Selector.MatchLabels["spritz.sh/name"] != spritz.Name {
+		t.Fatalf("expected existing deployment selector to keep spritz name, got %#v", deployment.Spec.Selector.MatchLabels)
+	}
+	if deployment.Spec.Selector.MatchLabels[ownerLabelKey] != ownerLabelValue("user-1") {
+		t.Fatalf("expected existing deployment selector to keep owner label, got %#v", deployment.Spec.Selector.MatchLabels)
+	}
+	if deployment.Spec.Template.Labels[runtimeNetworkProfileLabelKey] != "dev-cluster-only" {
+		t.Fatalf("expected runtime policy label on pod template, got %#v", deployment.Spec.Template.Labels)
+	}
+}
+
+func TestReconcileServiceKeepsRuntimePolicyLabelsOutOfSelector(t *testing.T) {
+	scheme := newControllerTestScheme(t)
+	spritz := &spritzv1.Spritz{
+		ObjectMeta: metav1.ObjectMeta{Name: "tidy-otter", Namespace: "spritz-test"},
+		Spec: spritzv1.SpritzSpec{
+			Image: "example.com/openclaw:latest",
+			Owner: spritzv1.SpritzOwner{ID: "user-1"},
+			RuntimePolicy: &spritzv1.SpritzRuntimePolicy{
+				NetworkProfile:  "dev-cluster-only",
+				MountProfile:    "dev-default",
+				ExposureProfile: "internal-acp",
+				Revision:        "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+			},
+		},
+	}
+	k8sClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(spritz).
+		Build()
+	reconciler := &SpritzReconciler{
+		Client: k8sClient,
+		Scheme: scheme,
+	}
+
+	if err := reconciler.reconcileService(context.Background(), spritz); err != nil {
+		t.Fatalf("reconcileService returned error: %v", err)
+	}
+
+	service := &corev1.Service{}
+	if err := k8sClient.Get(
+		context.Background(),
+		client.ObjectKey{Name: spritz.Name, Namespace: spritz.Namespace},
+		service,
+	); err != nil {
+		t.Fatalf("failed to load service: %v", err)
+	}
+	if len(service.Spec.Selector) != 1 ||
+		service.Spec.Selector["spritz.sh/name"] != spritz.Name {
+		t.Fatalf("expected stable service selector, got %#v", service.Spec.Selector)
+	}
+	if _, ok := service.Spec.Selector[runtimeNetworkProfileLabelKey]; ok {
+		t.Fatalf("service selector must not depend on runtime policy labels: %#v", service.Spec.Selector)
+	}
+}

operator/controllers/spritz_controller.go

@@ -289,7 +289,6 @@ func (r *SpritzReconciler) acpHealthProbePath() string {
 
 func (r *SpritzReconciler) reconcileDeployment(ctx context.Context, spritz *spritzv1.Spritz) error {
 	labels := baseLabels(spritz)
-	selectorLabels := deploymentSelectorLabels(spritz)
 	annotations := baseAnnotations(spritz)
 	workspaceSizeLimit := emptyDirSizeLimit("SPRITZ_WORKSPACE_SIZE_LIMIT", defaultWorkspaceSizeLimit)
 	homeSizeLimit := emptyDirSizeLimit("SPRITZ_HOME_SIZE_LIMIT", defaultHomeSizeLimit)
@@ -301,11 +300,12 @@ func (r *SpritzReconciler) reconcileDeployment(ctx context.Context, spritz *spri
 			return err
 		}
 
+		selectorLabels := stableWorkloadSelectorLabels(deploy.Spec.Selector, spritz)
 		deploy.Labels = mergeMaps(labels, spritz.Spec.Labels)
 		deploy.Annotations = mergeMaps(deploy.Annotations, spritz.Spec.Annotations)
 		deploy.Annotations = mergeMaps(deploy.Annotations, annotations)
 		deploy.Spec.Selector = &metav1.LabelSelector{MatchLabels: selectorLabels}
-		deploy.Spec.Template.Labels = labels
+		deploy.Spec.Template.Labels = mergeMaps(selectorLabels, labels)
 		deploy.Spec.Template.Annotations = mergeMaps(deploy.Spec.Template.Annotations, spritz.Spec.Annotations)
 		deploy.Spec.Template.Annotations = mergeMaps(deploy.Spec.Template.Annotations, annotations)
 
@@ -481,7 +481,7 @@ func (r *SpritzReconciler) reconcileService(ctx context.Context, spritz *spritzv
 		labels := baseLabels(spritz)
 		annotations := baseAnnotations(spritz)
 		svc.Labels = mergeMaps(labels, spritz.Spec.Labels)
-		svc.Spec.Selector = labels
+		svc.Spec.Selector = deploymentSelectorLabels(spritz)
 		svc.Annotations = mergeMaps(svc.Annotations, spritz.Spec.Annotations)
 		svc.Annotations = mergeMaps(svc.Annotations, annotations)
 
@@ -924,6 +924,20 @@ func deploymentSelectorLabels(spritz *spritzv1.Spritz) map[string]string {
 	}
 }
 
+func stableWorkloadSelectorLabels(
+	selector *metav1.LabelSelector,
+	spritz *spritzv1.Spritz,
+) map[string]string {
+	if selector != nil && len(selector.MatchLabels) > 0 {
+		preserved := map[string]string{}
+		for key, value := range selector.MatchLabels {
+			preserved[key] = value
+		}
+		return preserved
+	}
+	return deploymentSelectorLabels(spritz)
+}
+
 func baseAnnotations(spritz *spritzv1.Spritz) map[string]string {
 	annotations := map[string]string{}
 	if spritz.Spec.RuntimePolicy != nil {