noobaa · liranmauda · Aug 12, 2024 · Jul 30, 2024 · Aug 1, 2024 · Jul 29, 2024
diff --git a/deploy/internal/deployment-endpoint.yaml b/deploy/internal/deployment-endpoint.yaml
@@ -77,6 +77,10 @@ spec:
             - containerPort: 6443
             - containerPort: 7443
           env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
             - name: NOOBAA_DISABLE_COMPRESSION
               valueFrom:
                 configMapKeyRef:

diff --git a/deploy/internal/pod-agent.yaml b/deploy/internal/pod-agent.yaml
@@ -22,6 +22,7 @@ spec:
         - name: CONTAINER_PLATFORM
           value: KUBERNETES
         - name: AGENT_CONFIG
+        - name: NOOBAA_LOG_LEVEL
       command: ["/noobaa_init_files/noobaa_init.sh", "agent"]
       # Insert the relevant image for the agent
       ports:
@@ -35,6 +36,7 @@ spec:
       securityContext:
         runAsNonRoot: true
         allowPrivilegeEscalation: false
+  automountServiceAccountToken: false
   securityContext:
     runAsUser: 10001
     runAsGroup: 0

diff --git a/pkg/backingstore/reconciler.go b/pkg/backingstore/reconciler.go
@@ -81,6 +81,7 @@ type Reconciler struct {
 	PodAgentTemplate *corev1.Pod
 	PvcAgentTemplate *corev1.PersistentVolumeClaim
 	ServiceAccount   *corev1.ServiceAccount
+	CoreAppConfig    *corev1.ConfigMap
 
 	SystemInfo             *nb.SystemInfo
 	ExternalConnectionInfo *nb.ExternalConnectionInfo
@@ -118,6 +119,7 @@ func NewReconciler(
 		NooBaa:           util.KubeObject(bundle.File_deploy_crds_noobaa_io_v1alpha1_noobaa_cr_yaml).(*nbv1.NooBaa),
 		Secret:           util.KubeObject(bundle.File_deploy_internal_secret_empty_yaml).(*corev1.Secret),
 		ServiceAccount:   util.KubeObject(bundle.File_deploy_service_account_yaml).(*corev1.ServiceAccount),
+		CoreAppConfig:    util.KubeObject(bundle.File_deploy_internal_configmap_empty_yaml).(*corev1.ConfigMap),
 		PodAgentTemplate: util.KubeObject(bundle.File_deploy_internal_pod_agent_yaml).(*corev1.Pod),
 		PvcAgentTemplate: util.KubeObject(bundle.File_deploy_internal_pvc_agent_yaml).(*corev1.PersistentVolumeClaim),
 	}
@@ -126,11 +128,13 @@ func NewReconciler(
 	r.BackingStore.Namespace = r.Request.Namespace
 	r.NooBaa.Namespace = r.Request.Namespace
 	r.ServiceAccount.Namespace = r.Request.Namespace
+	r.CoreAppConfig.Namespace = r.Request.Namespace
 
 	// Set Names
 	r.BackingStore.Name = r.Request.Name
 	r.NooBaa.Name = options.SystemName
 	r.ServiceAccount.Name = options.SystemName
+	r.CoreAppConfig.Name = "noobaa-config"
 
 	// Set secret names to empty
 	r.Secret.Namespace = ""
@@ -928,7 +932,7 @@ func (r *Reconciler) CheckExternalConnection(connInfo *nb.CheckExternalConnectio
 	case nb.ExternalConnectionInvalidCredentials:
 		if time.Since(r.BackingStore.CreationTimestamp.Time) < 5*time.Minute {
 			r.Logger.Infof("got invalid credentials. sometimes access keys take time to propagate inside AWS. requeuing for 5 minutes")
-			return fmt.Errorf("Got InvalidCredentials. requeue again")
+			return fmt.Errorf("got InvalidCredentials. requeue again")
 		}
 		fallthrough
 	case nb.ExternalConnectionInvalidEndpoint:
@@ -957,6 +961,10 @@ func (r *Reconciler) CheckExternalConnection(connInfo *nb.CheckExternalConnectio
 // ReconcilePool handles the pool using noobaa api
 func (r *Reconciler) ReconcilePool() error {
 
+	if !util.KubeCheck(r.CoreAppConfig) {
+		r.Logger.Warnf("Could not find NooBaa config map")
+	}
+
 	// TODO we only support creation here, but not updates - just for pvpool
 	if r.PoolInfo != nil {
 		if r.BackingStore.Spec.Type == nbv1.StoreTypePVPool {
@@ -1160,6 +1168,16 @@ func (r *Reconciler) needUpdate(pod *corev1.Pod) bool {
 			return true
 		}
 	}
+
+	var noobaaLogEnv = "NOOBAA_LOG_LEVEL"
+	var configMapLogLevel = r.CoreAppConfig.Data[noobaaLogEnv]
+	noobaaLogEnvVar := util.GetEnvVariable(&c.Env, noobaaLogEnv)
+
+	if (configMapLogLevel != noobaaLogEnvVar.Value) {
+		r.Logger.Warnf("NOOBAA_LOG_LEVEL Env variable change detected: (%v) on the config map (%v)", noobaaLogEnvVar.Value, configMapLogLevel)
+			return true
+	}
+
 	if c.Image != r.NooBaa.Status.ActualImage {
 		r.Logger.Warnf("Change in Image detected: current image(%v) noobaa image(%v)", c.Image, r.NooBaa.Status.ActualImage)
 		return true
@@ -1170,6 +1188,11 @@ func (r *Reconciler) needUpdate(pod *corev1.Pod) bool {
 		return true
 	}
 
+	// if automountServiceAccountToken setting is different than the podAgentTemplate, return true
+	if pod.Spec.AutomountServiceAccountToken == nil || *pod.Spec.AutomountServiceAccountToken != *r.PodAgentTemplate.Spec.AutomountServiceAccountToken {
+		return true
+	}
+
 	podSecrets := pod.Spec.ImagePullSecrets
 	noobaaSecret := r.NooBaa.Spec.ImagePullSecret
 	if noobaaSecret == nil {
@@ -1250,6 +1273,7 @@ func (r *Reconciler) isPodinNoobaa(pod *corev1.Pod) bool {
 }
 
 func (r *Reconciler) updatePodTemplate() error {
+	log := r.Logger.WithField("func", "updatePodTemplate")
 	c := &r.PodAgentTemplate.Spec.Containers[0]
 	for j := range c.Env {
 		switch c.Env[j].Name {
@@ -1262,6 +1286,8 @@ func (r *Reconciler) updatePodTemplate() error {
 					Key: "AGENT_CONFIG",
 				},
 			}
+		case "NOOBAA_LOG_LEVEL":
+			c.Env[j].Value = r.CoreAppConfig.Data["NOOBAA_LOG_LEVEL"]
 		}
 	}
 	util.ReflectEnvVariable(&c.Env, "HTTP_PROXY")
@@ -1277,8 +1303,9 @@ func (r *Reconciler) updatePodTemplate() error {
 			[]corev1.LocalObjectReference{*r.NooBaa.Spec.ImagePullSecret}
 	}
 	r.PodAgentTemplate.Labels = map[string]string{
-		"app":  "noobaa",
-		"pool": r.BackingStore.Name,
+		"app":          "noobaa",
+		"pool":         r.BackingStore.Name,
+		"backingstore": "noobaa",
 	}
 	if r.NooBaa.Spec.Tolerations != nil {
 		r.PodAgentTemplate.Spec.Tolerations = r.NooBaa.Spec.Tolerations
@@ -1287,6 +1314,25 @@ func (r *Reconciler) updatePodTemplate() error {
 		r.PodAgentTemplate.Spec.Affinity = r.NooBaa.Spec.Affinity
 	}
 
+	if !util.HasNodeInclusionPolicyInPodTopologySpread() {
+		log.Info("TopologySpreadConstraints cannot be set because feature gate NodeInclusionPolicyInPodTopologySpread is not supported on this cluster version")
+	} else {
+		log.Info("Adding default TopologySpreadConstraints to backingstore pod")
+		honor := corev1.NodeInclusionPolicyHonor
+		topologySpreadConstraint := corev1.TopologySpreadConstraint{
+			MaxSkew:           1,
+			TopologyKey:       "kubernetes.io/hostname",
+			WhenUnsatisfiable: corev1.ScheduleAnyway,
+			NodeTaintsPolicy:  &honor,
+			LabelSelector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"backingstore": "noobaa",
+				},
+			},
+		}
+		r.PodAgentTemplate.Spec.TopologySpreadConstraints = []corev1.TopologySpreadConstraint{topologySpreadConstraint}
+	}
+
 	return r.updatePodResourcesTemplate(c)
 }
 

diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
@@ -3852,7 +3852,7 @@ data:
     shared_preload_libraries = 'pg_stat_statements'
 `
 
-const Sha256_deploy_internal_deployment_endpoint_yaml = "846a11f2ff8035ee4beb2dff72339f4cd946b05827c76489a44e921be2c34f48"
+const Sha256_deploy_internal_deployment_endpoint_yaml = "a3825f23a13320c35024a33662e714010814b78dc774712a54ac503db8ea5dde"
 
 const File_deploy_internal_deployment_endpoint_yaml = `apiVersion: apps/v1
 kind: Deployment
@@ -3933,6 +3933,10 @@ spec:
             - containerPort: 6443
             - containerPort: 7443
           env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
             - name: NOOBAA_DISABLE_COMPRESSION
               valueFrom:
                 configMapKeyRef:
@@ -4326,7 +4330,7 @@ spec:
       storage: 30Gi
 `
 
-const Sha256_deploy_internal_pod_agent_yaml = "a02ebca336c7db9e4b84a13459e30664fd8fd2a8ea238e188685caea52a281fd"
+const Sha256_deploy_internal_pod_agent_yaml = "7e3cfc034b4fc19567cdc429abaeb7726f69c728f5be360c15cb1a1951443d5d"
 
 const File_deploy_internal_pod_agent_yaml = `apiVersion: v1
 kind: Pod
@@ -4352,6 +4356,7 @@ spec:
         - name: CONTAINER_PLATFORM
           value: KUBERNETES
         - name: AGENT_CONFIG
+        - name: NOOBAA_LOG_LEVEL
       command: ["/noobaa_init_files/noobaa_init.sh", "agent"]
       # Insert the relevant image for the agent
       ports:
@@ -4365,6 +4370,7 @@ spec:
       securityContext:
         runAsNonRoot: true
         allowPrivilegeEscalation: false
+  automountServiceAccountToken: false
   securityContext:
     runAsUser: 10001
     runAsGroup: 0

diff --git a/pkg/controller/backingstore/backingstore_controller.go b/pkg/controller/backingstore/backingstore_controller.go
@@ -50,6 +50,12 @@ func Add(mgr manager.Manager) error {
 		Scheme:    mgr.GetScheme(),
 	}
 
+	// Predicate that filter events that noobaa is not their owner
+	filterForNoobaaOwnerPredicate := util.FilterForOwner{
+		OwnerType: &nbv1.NooBaa{},
+		Scheme:    mgr.GetScheme(),
+	}
+
 	// Predicate that allows events that only change spec, labels or finalizers and will log any allowed events
 	// This will stop infinite reconciles that triggered by status or irrelevant metadata changes
 	backingStorePredicate := util.ComposePredicates(
@@ -79,6 +85,10 @@ func Add(mgr manager.Manager) error {
 	if err != nil {
 		return err
 	}
+	err = c.Watch(source.Kind(mgr.GetCache(), &corev1.ConfigMap{}), ownerHandler, &filterForNoobaaOwnerPredicate, &logEventsPredicate)
+	if err != nil {
+		return err
+	}
 
 	// setting another handler to watch events on secrets that not necessarily owned by the Backingstore.
 	// only one OwnerReference can be a controller see:

diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go
@@ -459,17 +459,24 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 	podSpec.ServiceAccountName = "noobaa"
 	coreImageChanged := false
 
+	// adding the missing Volumes from default podSpec
+	podSpec.Volumes = r.DefaultCoreApp.Volumes
+
 	for i := range podSpec.Containers {
 		c := &podSpec.Containers[i]
+
+		// adding the missing VolumeMounts from default container
+		c.VolumeMounts = r.DefaultCoreApp.Containers[i].VolumeMounts
+		// adding the missing Env variable from default container
+		util.MergeEnvArrays(&c.Env, &r.DefaultCoreApp.Containers[i].Env)
+		r.setDesiredCoreEnv(c)
+
 		switch c.Name {
 		case "core":
 			if c.Image != r.NooBaa.Status.ActualImage {
 				coreImageChanged = true
 				c.Image = r.NooBaa.Status.ActualImage
 			}
-			// adding the missing Env variable from default container
-			util.MergeEnvArrays(&c.Env, &r.DefaultCoreApp.Env)
-			r.setDesiredCoreEnv(c)
 			r.setDesiredRootMasterKeyMounts(podSpec, c)
 
 			util.ReflectEnvVariable(&c.Env, "HTTP_PROXY")
@@ -507,9 +514,6 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 				coreImageChanged = true
 				c.Image = r.NooBaa.Status.ActualImage
 			}
-			// adding the missing Env variable from default container
-			util.MergeEnvArrays(&c.Env, &r.DefaultCoreApp.Env)
-			r.setDesiredCoreEnv(c)
 
 			if r.NooBaa.Spec.LogResources != nil {
 				c.Resources = *r.NooBaa.Spec.LogResources

diff --git a/pkg/system/phase4_configuring.go b/pkg/system/phase4_configuring.go
@@ -15,7 +15,6 @@ import (
 	"encoding/json"
 
 	"cloud.google.com/go/storage"
-	semver "github.com/coreos/go-semver/semver"
 	"github.com/marstr/randname"
 	nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
 	"github.com/noobaa/noobaa-operator/v5/pkg/bundle"
@@ -42,12 +41,11 @@ import (
 )
 
 const (
-	ibmEndpoint                           = "https://s3.direct.%s.cloud-object-storage.appdomain.cloud"
-	ibmLocation                           = "%s-standard"
-	ibmCosBucketCred                      = "ibm-cloud-cos-creds"
-	topologyConstraintsEnabledKubeVersion = "1.26.0"
-	minutesToWaitForDefaultBSCreation     = 10
-	credentialsKey                        = "credentials"
+	ibmEndpoint                       = "https://s3.direct.%s.cloud-object-storage.appdomain.cloud"
+	ibmLocation                       = "%s-standard"
+	ibmCosBucketCred                  = "ibm-cloud-cos-creds"
+	minutesToWaitForDefaultBSCreation = 10
+	credentialsKey                    = "credentials"
 )
 
 type gcpAuthJSON struct {
@@ -285,7 +283,7 @@ func (r *Reconciler) SetDesiredDeploymentEndpoint() error {
 	disableDefaultTopologyConstraints, found := r.NooBaa.ObjectMeta.Annotations[nbv1.SkipTopologyConstraints]
 	if podSpec.TopologySpreadConstraints != nil {
 		r.Logger.Debugf("deployment %s TopologySpreadConstraints already exists, leaving as is", r.DeploymentEndpoint.Name)
-	} else if !r.hasNodeInclusionPolicyInPodTopologySpread() {
+	} else if !util.HasNodeInclusionPolicyInPodTopologySpread() {
 		r.Logger.Debugf("deployment %s TopologySpreadConstraints cannot be set because feature gate NodeInclusionPolicyInPodTopologySpread is not supported on this cluster version",
 			r.DeploymentEndpoint.Name)
 	} else if found && disableDefaultTopologyConstraints == "true" {
@@ -436,23 +434,6 @@ func (r *Reconciler) SetDesiredDeploymentEndpoint() error {
 	return nil
 }
 
-func (r *Reconciler) hasNodeInclusionPolicyInPodTopologySpread() bool {
-	kubeVersion, err := util.GetKubeVersion()
-	if err != nil {
-		r.Logger.Printf("❌ Failed to get kube version %s", err)
-		return false
-	}
-	enabledKubeVersion, err := semver.NewVersion(topologyConstraintsEnabledKubeVersion)
-	if err != nil {
-		util.Panic(err)
-		return false
-	}
-	if kubeVersion.LessThan(*enabledKubeVersion) {
-		return false
-	}
-	return true
-}
-
 func (r *Reconciler) setDesiredRootMasterKeyMounts(podSpec *corev1.PodSpec, container *corev1.Container) {
 	// Don't map secret map volume if the string secret is used
 	if len(r.SecretRootMasterKey) > 0 {

diff --git a/pkg/system/reconciler.go b/pkg/system/reconciler.go
@@ -72,7 +72,7 @@ type Reconciler struct {
 	ServiceAccount            *corev1.ServiceAccount
 	CoreApp                   *appsv1.StatefulSet
 	CoreAppConfig             *corev1.ConfigMap
-	DefaultCoreApp            *corev1.Container
+	DefaultCoreApp            *corev1.PodSpec
 	PostgresDBConf            *corev1.ConfigMap
 	NooBaaPostgresDB          *appsv1.StatefulSet
 	ServiceMgmt               *corev1.Service
@@ -301,7 +301,7 @@ func NewReconciler(
 	r.BucketLoggingVolume = r.Request.Name + "-bucket-logging-volume"
 	r.BucketLoggingVolumeMount = "/var/logs/bucket-logs"
 
-	r.DefaultCoreApp = r.CoreApp.Spec.Template.Spec.Containers[0].DeepCopy()
+	r.DefaultCoreApp = r.CoreApp.Spec.Template.Spec.DeepCopy()
 	r.DefaultDeploymentEndpoint = r.DeploymentEndpoint.Spec.Template.Spec.DeepCopy()
 
 	return r

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -77,6 +77,8 @@ const (
 	gigabyte             = 1024 * 1024 * 1024
 	petabyte             = gigabyte * 1024 * 1024
 	obcMaxSizeUpperLimit = petabyte * 1023
+
+	topologyConstraintsEnabledKubeVersion = "1.26.0"
 )
 
 // OAuth2Endpoints holds OAuth2 endpoints information.
@@ -2199,3 +2201,21 @@ func IsDevEnv() bool {
 	}
 	return false
 }
+
+// HasNodeInclusionPolicyInPodTopologySpread checks if the cluster supports the spread topology policy
+func HasNodeInclusionPolicyInPodTopologySpread() bool {
+	kubeVersion, err := GetKubeVersion()
+	if err != nil {
+		fmt.Printf("❌ Failed to get kube version %s", err)
+		return false
+	}
+	enabledKubeVersion, err := semver.NewVersion(topologyConstraintsEnabledKubeVersion)
+	if err != nil {
+		Panic(err)
+		return false
+	}
+	if kubeVersion.LessThan(*enabledKubeVersion) {
+		return false
+	}
+	return true
+}