Label referenced objects for backup even if the cluster is installed

Previously if/when IBIO was upgraded to include changes to add backup
labels the labels would not be added for resources referenced by already
installed clusters. To allow for this, the controller now needs to get
the ClusterDeployment earlier (to find the referenced resources). To
allow the conditions to still be set as before in cases where the
ClusterDeployment is missing or the reference is not set, Reconcile
specifically does not return when ClusterDeployment can't be found in this
new, earlier, getCD call error case.

This also handles labeling created resources immediately by adding the
backup label to them when they are created in the credentials package.

Author: carbonin

controllers/imageclusterinstall_controller.go

@@ -147,6 +147,17 @@ func (r *ImageClusterInstallReconciler) Reconcile(ctx context.Context, req ctrl.
 		return res, err
 	}
 
+	var cd *hivev1.ClusterDeployment
+	if ici.Spec.ClusterDeploymentRef != nil && ici.Spec.ClusterDeploymentRef.Name != "" {
+		var err error
+		cd, err = r.getCD(ctx, ici)
+		if err != nil {
+			log.Error(err)
+		}
+	}
+
+	r.labelReferencedObjectsForBackup(ctx, log, ici, cd)
+
 	// Nothing to do if the installation is complete
 	if InstallationCompleted(ici) {
 		return ctrl.Result{}, nil
@@ -199,7 +210,7 @@ func (r *ImageClusterInstallReconciler) Reconcile(ctx context.Context, req ctrl.
 	//   when the problem is resolved.
 	// - ConfigurationFailed: sets this reason when AutomatedCleaningMode cannot be modified in BMH.
 	cond.Reason = v1alpha1.ConfigurationPendingReason
-	cd, bmh, err := r.validateConfiguration(ctx, ici, &cond, log)
+	bmh, err := r.validateConfiguration(ctx, ici, cd, &cond, log)
 	if cd == nil || bmh == nil || err != nil {
 		return ctrl.Result{}, err
 	}
@@ -231,8 +242,6 @@ func (r *ImageClusterInstallReconciler) Reconcile(ctx context.Context, req ctrl.
 		return res, err
 	}
 
-	r.labelReferencedObjectsForBackup(ctx, log, ici, cd)
-
 	// 4. Host configuration phase
 	// Possible reasons for not meeting requirements and exiting reconcile:
 	// - HostConfigurationPending: sets this reason in following scenarios:
@@ -261,34 +270,33 @@ func GetClusterConfigDir(namespacesDir, namespace, uid string) string {
 func (r *ImageClusterInstallReconciler) validateConfiguration(
 	ctx context.Context,
 	ici *v1alpha1.ImageClusterInstall,
+	cd *hivev1.ClusterDeployment,
 	cond *hivev1.ClusterInstallCondition,
 	log logrus.FieldLogger,
-) (*hivev1.ClusterDeployment, *bmh_v1alpha1.BareMetalHost, error) {
-
-	if ici.Spec.ClusterDeploymentRef == nil || ici.Spec.ClusterDeploymentRef.Name == "" {
-		cond.Message = "ClusterDeploymentRef is unset"
-		log.Error(errors.New(cond.Message))
-		return nil, nil, nil
-	}
+) (*bmh_v1alpha1.BareMetalHost, error) {
+	if cd == nil {
+		if ici.Spec.ClusterDeploymentRef == nil || ici.Spec.ClusterDeploymentRef.Name == "" {
+			cond.Message = "ClusterDeploymentRef is unset"
+			log.Error(errors.New(cond.Message))
+			return nil, nil
+		}
 
-	cd, err := r.getCD(ctx, ici)
-	if err != nil {
+		// in this case error would have been logged when cd couldn't be queried earlier in Reconcile so just set the Message here
 		cond.Message = fmt.Sprintf("failed to get ClusterDeployment %s/%s", ici.Namespace, ici.Spec.ClusterDeploymentRef.Name)
-		log.Error(err)
-		return nil, nil, nil
+		return nil, nil
 	}
 
 	if ici.Spec.BareMetalHostRef == nil || ici.Spec.BareMetalHostRef.Name == "" {
 		cond.Message = "BareMetalHostRef is unset"
 		log.Error(errors.New(cond.Message))
-		return nil, nil, nil
+		return nil, nil
 	}
 
 	bmh, err := r.getBMH(ctx, ici.Spec.BareMetalHostRef)
 	if err != nil {
 		cond.Message = fmt.Sprintf("failed to get BareMetalHost %s/%s", ici.Spec.BareMetalHostRef.Namespace, ici.Spec.BareMetalHostRef.Name)
 		log.Error(err)
-		return nil, nil, nil
+		return nil, nil
 	}
 
 	// AutomatedCleaningMode is set at the beginning of this flow because we don't want ironic to format the disk
@@ -300,11 +308,11 @@ func (r *ImageClusterInstallReconciler) validateConfiguration(
 			cond.Reason = v1alpha1.ConfigurationFailedReason
 			cond.Message = fmt.Sprintf("failed to disable automated cleaning mode for BareMetalHost %s/%s", bmh.Namespace, bmh.Name)
 			log.WithError(err).Error(cond.Message)
-			return nil, nil, err
+			return nil, err
 		}
 	}
 
-	return cd, bmh, nil
+	return bmh, nil
 }
 
 func (r *ImageClusterInstallReconciler) validateHost(
@@ -933,19 +941,6 @@ func (r *ImageClusterInstallReconciler) labelDataImageForBackup(ctx context.Cont
 }
 
 func (r *ImageClusterInstallReconciler) labelReferencedObjectsForBackup(ctx context.Context, log logrus.FieldLogger, ici *v1alpha1.ImageClusterInstall, cd *hivev1.ClusterDeployment) {
-	if ici.Spec.ClusterMetadata != nil {
-		kubeconfigKey := types.NamespacedName{Name: ici.Spec.ClusterMetadata.AdminKubeconfigSecretRef.Name, Namespace: ici.Namespace}
-		if err := r.labelSecretForBackup(ctx, kubeconfigKey); err != nil {
-			log.WithError(err).Errorf("failed to label Secret %s for backup", kubeconfigKey)
-		}
-		if ici.Spec.ClusterMetadata.AdminPasswordSecretRef != nil {
-			passwordKey := types.NamespacedName{Name: ici.Spec.ClusterMetadata.AdminPasswordSecretRef.Name, Namespace: ici.Namespace}
-			if err := r.labelSecretForBackup(ctx, passwordKey); err != nil {
-				log.WithError(err).Errorf("failed to label Secret %s for backup", passwordKey)
-			}
-		}
-	}
-
 	if ici.Spec.CABundleRef != nil {
 		caBundleKey := types.NamespacedName{Name: ici.Spec.CABundleRef.Name, Namespace: ici.Namespace}
 		if err := r.labelConfigMapForBackup(ctx, caBundleKey); err != nil {
@@ -960,10 +955,17 @@ func (r *ImageClusterInstallReconciler) labelReferencedObjectsForBackup(ctx cont
 		}
 	}
 
-	if cd.Spec.PullSecretRef != nil {
-		psKey := types.NamespacedName{Name: cd.Spec.PullSecretRef.Name, Namespace: cd.Namespace}
-		if err := r.labelSecretForBackup(ctx, psKey); err != nil {
-			log.WithError(err).Errorf("failed to label Secret %s for backup", psKey)
+	if cd != nil {
+		reconfigKey := types.NamespacedName{Name: credentials.SeedReconfigurationSecretName(cd.Name), Namespace: cd.Namespace}
+		if err := r.labelSecretForBackup(ctx, reconfigKey); err != nil {
+			log.WithError(err).Errorf("failed to label Secret %s for backup", reconfigKey)
+		}
+
+		if cd.Spec.PullSecretRef != nil {
+			psKey := types.NamespacedName{Name: cd.Spec.PullSecretRef.Name, Namespace: cd.Namespace}
+			if err := r.labelSecretForBackup(ctx, psKey); err != nil {
+				log.WithError(err).Errorf("failed to label Secret %s for backup", psKey)
+			}
 		}
 	}
 
@@ -976,6 +978,19 @@ func (r *ImageClusterInstallReconciler) labelReferencedObjectsForBackup(ctx cont
 			log.WithError(err).Errorf("failed to label DataImage %s/%s for backup", ici.Spec.BareMetalHostRef.Namespace, ici.Spec.BareMetalHostRef.Name)
 		}
 	}
+
+	if ici.Spec.ClusterMetadata != nil {
+		kubeconfigKey := types.NamespacedName{Name: ici.Spec.ClusterMetadata.AdminKubeconfigSecretRef.Name, Namespace: ici.Namespace}
+		if err := r.labelSecretForBackup(ctx, kubeconfigKey); err != nil {
+			log.WithError(err).Errorf("failed to label Secret %s for backup", kubeconfigKey)
+		}
+		if ici.Spec.ClusterMetadata.AdminPasswordSecretRef != nil {
+			passwordKey := types.NamespacedName{Name: ici.Spec.ClusterMetadata.AdminPasswordSecretRef.Name, Namespace: ici.Namespace}
+			if err := r.labelSecretForBackup(ctx, passwordKey); err != nil {
+				log.WithError(err).Errorf("failed to label Secret %s for backup", passwordKey)
+			}
+		}
+	}
 }
 
 func (r *ImageClusterInstallReconciler) configDirs(ici *v1alpha1.ImageClusterInstall) (string, string, error) {

controllers/imageclusterinstall_controller_test.go

@@ -2207,6 +2207,124 @@ var _ = Describe("Reconcile", func() {
 		Expect(testDataImage.GetLabels()).To(HaveKeyWithValue(backupLabel, backupLabelValue), "DataImage %s/%s missing backup label", testDataImage.Namespace, testDataImage.Name)
 	})
 
+	It("labels referenced resources for backup when cluster is already marked as installed", func() {
+		// Create BMH
+		bmh := bmhInState(bmh_v1alpha1.StateAvailable)
+		bmh.Spec.Online = true
+		bmh.Spec.ExternallyProvisioned = false
+		Expect(c.Create(ctx, bmh)).To(Succeed())
+
+		// Create DataImage
+		dataImage := &bmh_v1alpha1.DataImage{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      bmh.Name,
+				Namespace: bmh.Namespace,
+			},
+			Spec: bmh_v1alpha1.DataImageSpec{
+				URL: imageURL(),
+			},
+		}
+		Expect(c.Create(ctx, dataImage)).To(Succeed())
+
+		// Create CA bundle ConfigMap
+		caBundleCM := &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "ca-bundle",
+				Namespace: clusterInstallNamespace,
+			},
+			Data: map[string]string{caBundleFileName: "mycabundle"},
+		}
+		Expect(c.Create(ctx, caBundleCM)).To(Succeed())
+
+		// Create extra manifests ConfigMap
+		extraManifestCM := &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "extra-manifest",
+				Namespace: clusterInstallNamespace,
+			},
+			Data: map[string]string{
+				"manifest.yaml": "thing: stuff",
+			},
+		}
+		Expect(c.Create(ctx, extraManifestCM)).To(Succeed())
+
+		// Set up ImageClusterInstall with InstallationCompleted condition set to True
+		clusterInstall.Spec.BareMetalHostRef = &v1alpha1.BareMetalHostReference{
+			Name:      bmh.Name,
+			Namespace: bmh.Namespace,
+		}
+		clusterInstall.Spec.CABundleRef = &corev1.LocalObjectReference{
+			Name: "ca-bundle",
+		}
+		clusterInstall.Spec.ExtraManifestsRefs = []corev1.LocalObjectReference{
+			{Name: "extra-manifest"},
+		}
+		clusterInstall.Status.Conditions = []hivev1.ClusterInstallCondition{
+			{
+				Type:    hivev1.ClusterInstallCompleted,
+				Status:  corev1.ConditionTrue,
+				Reason:  v1alpha1.InstallSucceededReason,
+				Message: v1alpha1.InstallSucceededMessage,
+			},
+		}
+		Expect(c.Create(ctx, clusterInstall)).To(Succeed())
+
+		// Set up ClusterDeployment with pull secret reference
+		clusterDeployment.Spec.ClusterName = "test"
+		clusterDeployment.Spec.BaseDomain = "example.com"
+		Expect(c.Create(ctx, clusterDeployment)).To(Succeed())
+
+		// Reconcile - should label resources even though InstallationCompleted is True
+		key := types.NamespacedName{
+			Namespace: clusterInstallNamespace,
+			Name:      clusterInstallName,
+		}
+		res, err := r.Reconcile(ctx, ctrl.Request{NamespacedName: key})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(res).To(Equal(ctrl.Result{}))
+
+		// Verify BMH has backup label
+		bmhKey := types.NamespacedName{
+			Namespace: bmh.Namespace,
+			Name:      bmh.Name,
+		}
+		testBMH := &bmh_v1alpha1.BareMetalHost{}
+		Expect(c.Get(ctx, bmhKey, testBMH)).To(Succeed())
+		Expect(testBMH.GetLabels()).To(HaveKeyWithValue(backupLabel, backupLabelValue), "BMH %s/%s missing backup label", testBMH.Namespace, testBMH.Name)
+
+		// Verify DataImage has backup label
+		testDataImage := &bmh_v1alpha1.DataImage{}
+		Expect(c.Get(ctx, bmhKey, testDataImage)).To(Succeed())
+		Expect(testDataImage.GetLabels()).To(HaveKeyWithValue(backupLabel, backupLabelValue), "DataImage %s/%s missing backup label", testDataImage.Namespace, testDataImage.Name)
+
+		// Verify CA bundle ConfigMap has backup label
+		caBundleKey := types.NamespacedName{
+			Name:      caBundleCM.Name,
+			Namespace: caBundleCM.Namespace,
+		}
+		testCABundleCM := &corev1.ConfigMap{}
+		Expect(c.Get(ctx, caBundleKey, testCABundleCM)).To(Succeed())
+		Expect(testCABundleCM.GetLabels()).To(HaveKeyWithValue(backupLabel, backupLabelValue), "ConfigMap %s/%s missing backup label", testCABundleCM.Namespace, testCABundleCM.Name)
+
+		// Verify extra manifest ConfigMap has backup label
+		extraManifestKey := types.NamespacedName{
+			Name:      extraManifestCM.Name,
+			Namespace: extraManifestCM.Namespace,
+		}
+		testExtraManifestCM := &corev1.ConfigMap{}
+		Expect(c.Get(ctx, extraManifestKey, testExtraManifestCM)).To(Succeed())
+		Expect(testExtraManifestCM.GetLabels()).To(HaveKeyWithValue(backupLabel, backupLabelValue), "ConfigMap %s/%s missing backup label", testExtraManifestCM.Namespace, testExtraManifestCM.Name)
+
+		// Verify pull secret has backup label
+		pullSecretKey := types.NamespacedName{
+			Name:      pullSecret.Name,
+			Namespace: pullSecret.Namespace,
+		}
+		testPullSecret := &corev1.Secret{}
+		Expect(c.Get(ctx, pullSecretKey, testPullSecret)).To(Succeed())
+		Expect(testPullSecret.GetLabels()).To(HaveKeyWithValue(backupLabel, backupLabelValue), "Secret %s/%s missing backup label", testPullSecret.Namespace, testPullSecret.Name)
+	})
+
 	Context("when the cluster identity secrets exist", func() {
 		createSecret := func(name string, data map[string][]byte) {
 			s := corev1.Secret{

internal/credentials/credentials.go

@@ -197,6 +197,7 @@ func (r *Credentials) createOrUpdateClusterCredentialSecret(ctx context.Context,
 		metav1.SetMetaDataLabel(&secret.ObjectMeta, "hive.openshift.io/secret-type", secretType)
 		metav1.SetMetaDataLabel(&secret.ObjectMeta, SecretResourceLabel, SecretResourceValue)
 		metav1.SetMetaDataLabel(&secret.ObjectMeta, secretPreservationLabel, secretPreservationValue)
+		metav1.SetMetaDataLabel(&secret.ObjectMeta, "cluster.open-cluster-management.io/backup", "true")
 
 		// Update the Secret object with the desired data
 		secret.Data = data

internal/credentials/credentials_test.go

@@ -269,6 +269,17 @@ var _ = Describe("Credentials", func() {
 			Expect(len(secret.OwnerReferences)).To(Equal(1))
 			Expect(secret.OwnerReferences[0].Name).To(Equal(clusterDeployment.Name))
 		})
+
+		It("sets the backup label", func() {
+			name := "test-secret"
+			data := map[string][]byte{"thing": []byte("stuff")}
+			Expect(cm.createOrUpdateClusterCredentialSecret(ctx, log, clusterDeployment, name, data, "thing")).To(Succeed())
+
+			secret := corev1.Secret{}
+			key := types.NamespacedName{Name: name, Namespace: clusterDeployment.Namespace}
+			Expect(c.Get(ctx, key, &secret)).To(Succeed())
+			Expect(secret.Labels).To(HaveKeyWithValue("cluster.open-cluster-management.io/backup", "true"))
+		})
 	})
 
 	createSecret := func(name string, data map[string][]byte) {