PTEUDO-1606 test roleclaim CR

    Add a helmtest that verifies a roleclaim CR can be created
    and deleted. Ensure the database has the new role as well.

    - Add ready condition to databaseclaim CR
    - ignore db connection issues on roleclaim deletion
    - helm based roleclaim test
    - service selector was matching test db

Makefile.infoblox

@@ -112,7 +112,7 @@ undeploy:
 	helm -n `cat .id` uninstall `cat .id`
 
 helm-test:
-	helm -n `cat .id` test `cat .id`
+	helm -n `cat .id` test `cat .id` --debug
 
 manifests: test/crd
 

api/v1/databaseclaim_types.go

@@ -227,6 +227,12 @@ type DatabaseClaimStatus struct {
 	MigrationState string `json:"migrationState,omitempty"`
 	// tracks the DB which is migrated and not more operational
 	OldDB StatusForOldDB `json:"oldDB,omitempty"`
+
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
 }
 
 type StatusForOldDB struct {
@@ -314,7 +320,8 @@ type DatabaseClaimConnectionInfo struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:printcolumn:name="Type",type=string,JSONPath=`.spec.type`
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".status.activeDB.dbversion"
-// +kubebuilder:printcolumn:name="State",type=string,JSONPath=`.status.activeDB.DbState`
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status"
+// +kubebuilder:printcolumn:name="Status",type="string",priority=1,JSONPath=".status.conditions[?(@.type==\"Ready\")].message"
 // +kubebuilder:printcolumn:name="Age",type="date",priority=1,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:printcolumn:name="MigrationState",type="string",priority=1,JSONPath=".status.migrationState"
 // +kubebuilder:resource:shortName=dbc

cmd/main.go

@@ -231,17 +231,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	// +kubebuilder:scaffold:builder
-
-	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up health check")
-		os.Exit(1)
-	}
-	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
-		setupLog.Error(err, "unable to set up ready check")
-		os.Exit(1)
-	}
-
 	if enableDBProxyWebhook {
 
 		if err := mutating.SetupWebhookWithManager(mgr, mutating.SetupConfig{
@@ -255,6 +244,17 @@ func main() {
 		}
 	}
 
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")

config/crd/bases/persistance.atlas.infoblox.com_databaseclaims.yaml

@@ -23,8 +23,12 @@ spec:
     - jsonPath: .status.activeDB.dbversion
       name: Version
       type: string
-    - jsonPath: .status.activeDB.DbState
-      name: State
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      priority: 1
       type: string
     - jsonPath: .metadata.creationTimestamp
       name: Age
@@ -326,6 +330,78 @@ spec:
                     format: date-time
                     type: string
                 type: object
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
               error:
                 description: Any errors related to provisioning this claim.
                 type: string

helm/db-controller/templates/_helpers.tpl

@@ -48,6 +48,7 @@ Selector labels
 {{- define "db-controller.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "db-controller.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: manager
 {{- end }}
 
 {{/*

helm/db-controller/templates/deployment.yaml

@@ -13,7 +13,6 @@ spec:
   selector:
     matchLabels:
       {{- include "db-controller.selectorLabels" . | nindent 6 }}
-      app.kubernetes.io/component: manager
   template:
     metadata:
       {{- with .Values.podAnnotations }}
@@ -22,7 +21,6 @@ spec:
       {{- end }}
       labels:
         {{- include "db-controller.selectorLabels" . | nindent 8 }}
-        app.kubernetes.io/component: manager
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:

helm/db-controller/templates/tests/dbproxy.yaml

@@ -75,6 +75,7 @@ metadata:
     # ensure this runs on the new db-controller, not the existing one
     "helm.sh/hook": "test"
     "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
 spec:
   class: {{ .Values.dbController.class }}
   databaseName: mydb

helm/db-controller/templates/tests/dsnexec.yaml

@@ -13,7 +13,7 @@ metadata:
     persistance.atlas.infoblox.com/dsnexec-config: {{ .Release.Name }}-dsnexec-config
   annotations:
     helm.sh/hook: test
-    # helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
 spec:
   serviceAccountName: {{ .Release.Name }}-dbproxy-test
   initContainers:
@@ -71,14 +71,15 @@ spec:
               # Fallback to grep when pidof fails
               if check_table_exists; then
                   echo "Table $TABLE_NAME exists!"
+                  # Try this multiple times
                   PID=$(pidof dsnexec)
                   if [ -n "$PID" ]; then
                     echo "Killing dsnexec..."
                     kill -s INT $PID
+                    exit 0
                   else
                     echo "dsnexec not running..."
                   fi
-                  exit 0
               else
                   echo "Table $TABLE_NAME does not exist. Checking again in 2 seconds..."
                   sleep 1

helm/db-controller/templates/tests/roleclaim.yaml

@@ -0,0 +1,99 @@
+apiVersion: persistance.atlas.infoblox.com/v1
+kind: DbRoleClaim
+metadata:
+  name: {{ .Release.Name }}-roleclaim-test
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "db-controller.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  class: {{ .Values.dbController.class }}
+  sourceDatabaseClaim:
+    namespace: {{ .Release.Namespace }}
+    name: {{ .Release.Name }}-dbproxy-test
+  secretName: {{ .Release.Name }}-roleclaim-test
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ .Release.Name }}-roleclaim-test
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "db-controller.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: test
+    helm.sh/hook-delete-policy: "before-hook-creation,hook-succeeded"
+spec:
+  serviceAccountName: {{ .Release.Name }}-dbproxy-test
+  containers:
+    - name: psql
+      image: postgres:15
+      env:
+        - name: PGCONNECT_TIMEOUT
+          value: "2"
+      command:
+        - /bin/sh
+        - -c
+        - |
+          uri_dsn=$(cat /etc/secrets/uri_dsn.txt)
+          role_to_check="{{ .Release.Name }}-roleclaim-test"
+          max_attempts=10
+
+          # Function to attempt PostgreSQL connection
+          attempt_connection() {
+              for i in $(seq 1 $max_attempts); do
+                  echo "Connection attempt $i of $max_attempts..."
+                  if psql "$uri_dsn" -c 'SELECT 1' &>/dev/null; then
+                      echo "Connection successful!"
+                      return 0
+                  fi
+                  echo "Failed to connect. Retrying in 1 second..."
+                  sleep 1
+              done
+              echo "Failed to connect after $max_attempts attempts."
+              return 1
+          }
+
+          check_role_exists() {
+              for i in $(seq 1 $max_attempts); do
+                  echo "Checking role existence attempt $i of $max_attempts..."
+                  role_exists=$(psql "$uri_dsn" -tAc "SELECT EXISTS(SELECT 1 FROM pg_roles WHERE rolname = '$role_to_check');" 2>/dev/null)
+                  if [ $? -eq 0 ]; then
+                      if [ "$role_exists" = "t" ]; then
+                          echo "The role '$role_to_check' exists."
+                      else
+                          echo "The role '$role_to_check' does not exist."
+                      fi
+                      return 0
+                  fi
+                  echo "Failed to check role. Retrying in 1 second..."
+                  sleep 1
+              done
+              echo "Failed to check role after $max_attempts attempts."
+              return 1
+          }
+
+          if ! attempt_connection; then
+              echo "Unable to establish connection. Exiting."
+              exit 1
+          fi
+          if ! check_role_exists; then
+              echo "Unable to verify role existence. Exiting."
+              exit 1
+          fi
+          echo "Successfully verified role exists"
+          exit 0
+      volumeMounts:
+        - name: dsn-volume
+          mountPath: /etc/secrets
+          readOnly: true
+  shareProcessNamespace: true
+  restartPolicy: OnFailure
+  volumes:
+    - name: dsn-volume
+      secret:
+        secretName: {{ .Release.Name }}-roleclaim-test
+---

pkg/databaseclaim/claimstatus.go

@@ -86,13 +86,42 @@ func manageError(ctx context.Context, cli client.Client, claim *v1.DatabaseClaim
 	return ctrl.Result{}, wrappedErr
 }
 
+func SetDBClaimCondition(ctx context.Context, dbClaim *v1.DatabaseClaim, condition metav1.Condition) {
+	logf := log.FromContext(ctx)
+
+	condition.LastTransitionTime = metav1.Now()
+	condition.ObservedGeneration = dbClaim.Generation
+
+	for idx, cond := range dbClaim.Status.Conditions {
+		if cond.Type == condition.Type {
+			// No status change, so do not update LastTransitionTime
+			if condition.Status == cond.Status && !condition.LastTransitionTime.IsZero() {
+				condition.LastTransitionTime = cond.LastTransitionTime
+			} else {
+				logf.V(1).Info("Condition status changed %s -> %s", cond.Status, condition.Status)
+			}
+			dbClaim.Status.Conditions[idx] = condition
+			return
+		}
+	}
+	// We didn't find a matching condition, so add it
+	condition.ObservedGeneration = dbClaim.Generation
+	dbClaim.Status.Conditions = append(dbClaim.Status.Conditions, condition)
+}
+
 func (r *DatabaseClaimReconciler) manageSuccess(ctx context.Context, dbClaim *v1.DatabaseClaim) (ctrl.Result, error) {
 
 	dbClaim.Status.Error = ""
+	SetDBClaimCondition(ctx, dbClaim, metav1.Condition{
+		Type:    "Ready",
+		Status:  metav1.ConditionTrue,
+		Reason:  "Ready",
+		Message: "databaseclaim up to date and is ready",
+	})
 
 	if err := r.Client.Status().Update(ctx, dbClaim); err != nil {
 		logr := log.FromContext(ctx).WithValues("databaseclaim", dbClaim.Name)
-		logr.Error(err, "manage_success_update_claim")
+		logr.Error(err, "manage_success_update_claim", "conditions", dbClaim)
 		return ctrl.Result{}, err
 	}
 	//if object is getting deleted then call requeue immediately