diff --git a/api/v1/aerospikecluster_types.go b/api/v1/aerospikecluster_types.go
index fd01c5703..5e42a1c79 100644
--- a/api/v1/aerospikecluster_types.go
+++ b/api/v1/aerospikecluster_types.go
@@ -872,8 +872,8 @@ type AerospikePodStatus struct { //nolint:govet // for readability
 // PodSpecHash is ripemd160 hash of PodSpec used by this pod
 PodSpecHash string `json:"podSpecHash"`
- // SecurityEnabled is true if security is enabled in the pod
- SecurityEnabled bool `json:"securityEnabled"`
+ // IsSecurityEnabled is true if security is enabled in the pod
+ IsSecurityEnabled bool `json:"isSecurityEnabled"`
 }
 // +kubebuilder:object:root=true
diff --git a/config/crd/bases/asdb.aerospike.com_aerospikeclusters.yaml b/config/crd/bases/asdb.aerospike.com_aerospikeclusters.yaml index 757c0d37a..648fde7c5 100644 --- a/config/crd/bases/asdb.aerospike.com_aerospikeclusters.yaml +++ b/config/crd/bases/asdb.aerospike.com_aerospikeclusters.yaml @@ -14255,6 +14255,10 @@ spec: items: type: string type: array + isSecurityEnabled: + description: IsSecurityEnabled is true if security is enabled + in the pod + type: boolean networkPolicyHash: description: NetworkPolicyHash is ripemd160 hash of NetworkPolicy used by this pod @@ -14270,10 +14274,6 @@ spec: description: PodSpecHash is ripemd160 hash of PodSpec used by this pod type: string - securityEnabled: - description: SecurityEnabled is true if security is enabled - in the pod - type: boolean servicePort: description: ServicePort is the port Aerospike clients outside K8s can connect to. @@ -14282,11 +14282,11 @@ spec: required: - aerospikeConfigHash - image + - isSecurityEnabled - networkPolicyHash - podIP - podPort - podSpecHash - - securityEnabled type: object description: Pods has Aerospike specific status of the pods. This is map instead of the conventional map as list convention to allow
diff --git a/controllers/reconciler.go b/controllers/reconciler.go
index 8ca37bec9..18496827d 100644
--- a/controllers/reconciler.go
+++ b/controllers/reconciler.go
@@ -1004,7 +1004,7 @@ func (r *SingleClusterReconciler) getSecurityEnabledPods() ([]corev1.Pod, error)
 securityEnabledPods := make([]corev1.Pod, 0, len(r.aeroCluster.Status.Pods))
 for podName := range r.aeroCluster.Status.Pods {
- if r.aeroCluster.Status.Pods[podName].SecurityEnabled {
+ if r.aeroCluster.Status.Pods[podName].IsSecurityEnabled {
 pod := &corev1.Pod{}
 podName := types.NamespacedName{Name: podName, Namespace: r.aeroCluster.Namespace}
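Review bot: The read of `.IsSecurityEnabled` in this loop depends on the serialized key, which the hunk in api/v1/aerospikecluster_types.go changes from `securityEnabled` to `isSecurityEnabled`, while cluster statuses written before this change carry only the old key. Decoding such a status would leave the field false for every pod until the operator rewrites it, so getSecurityEnabledPods would presumably return an empty list and handleEnableSecurity would skip access-control reconciliation without any signal. The field is part of the v1 API and is listed under `required` in both CRD files, so the rename is also a breaking schema change for anything that reads the old key. Consider keeping the tag `json:"securityEnabled"` on the renamed Go field, or describing the migration path in the field's doc comment. The body of getSecurityEnabledPods continues outside the hunk.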
@@ -1024,32 +1024,36 @@ func (r *SingleClusterReconciler) enablingSecurity() bool {
 }
 func (r *SingleClusterReconciler) handleEnableSecurity() error {
- if r.aeroCluster.Status.Pods != nil && r.enablingSecurity() {
- securityEnabledPods, err := r.getSecurityEnabledPods()
- if err != nil {
- return err
- }
+ if !r.enablingSecurity() {
+ return nil // No need to proceed if security is not to be enabling
+ }
- if len(securityEnabledPods) > 0 {
- ignorablePodNames, err := r.getIgnorablePods(nil, getConfiguredRackStateList(r.aeroCluster))
- if err != nil {
- r.Log.Error(err, "Failed to determine pods to be ignored")
+ securityEnabledPods, err := r.getSecurityEnabledPods()
+ if err != nil {
+ return err
+ }
- return err
- }
+ if len(securityEnabledPods) == 0 {
+ return nil // No security-enabled pods found
+ }
- // Setup access control.
- if err := r.validateAndReconcileAccessControl(securityEnabledPods, ignorablePodNames); err != nil {
- r.Log.Error(err, "Failed to Reconcile access control")
- r.Recorder.Eventf(
- r.aeroCluster, corev1.EventTypeWarning, "ACLUpdateFailed",
- "Failed to setup Access Control %s/%s", r.aeroCluster.Namespace,
- r.aeroCluster.Name,
- )
+ ignorablePodNames, err := r.getIgnorablePods(nil, getConfiguredRackStateList(r.aeroCluster))
+ if err != nil {
+ r.Log.Error(err, "Failed to determine pods to be ignored")
- return err
- }
- }
+ return err
+ }
+
+ // Setup access control.
+ if err := r.validateAndReconcileAccessControl(securityEnabledPods, ignorablePodNames); err != nil {
+ r.Log.Error(err, "Failed to Reconcile access control")
+ r.Recorder.Eventf(
+ r.aeroCluster, corev1.EventTypeWarning, "ACLUpdateFailed",
+ "Failed to setup Access Control %s/%s", r.aeroCluster.Namespace,
+ r.aeroCluster.Name,
+ )
+
+ return err
 }
 return nil
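Review bot: The new early return at `if len(securityEnabledPods) == 0` leaves no trace when security is being enabled but no pod status is flagged yet, so a skipped access-control reconcile is indistinguishable in logs and events from a completed one. An info-level line there would make the deferral visible, for example `r.Log.Info("Security is being enabled but no pod reports it yet, skipping access control setup")` (assuming r.Log is a logr-style logger, as the `Error(err, msg)` calls suggest). The refactor also drops the `r.aeroCluster.Status.Pods != nil` guard; that looks safe given the range over the map in getSecurityEnabledPods, but it is worth stating in a comment. The first comment would read better as `// Nothing to do unless security is being enabled`. The closing brace of handleEnableSecurity lies outside the hunk.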
diff --git a/helm-charts/aerospike-kubernetes-operator/crds/customresourcedefinition_aerospikeclusters.asdb.aerospike.com.yaml b/helm-charts/aerospike-kubernetes-operator/crds/customresourcedefinition_aerospikeclusters.asdb.aerospike.com.yaml index 757c0d37a..648fde7c5 100644 --- a/helm-charts/aerospike-kubernetes-operator/crds/customresourcedefinition_aerospikeclusters.asdb.aerospike.com.yaml +++ b/helm-charts/aerospike-kubernetes-operator/crds/customresourcedefinition_aerospikeclusters.asdb.aerospike.com.yaml @@ -14255,6 +14255,10 @@ spec: items: type: string type: array + isSecurityEnabled: + description: IsSecurityEnabled is true if security is enabled + in the pod + type: boolean networkPolicyHash: description: NetworkPolicyHash is ripemd160 hash of NetworkPolicy used by this pod @@ -14270,10 +14274,6 @@ spec: description: PodSpecHash is ripemd160 hash of PodSpec used by this pod type: string - securityEnabled: - description: SecurityEnabled is true if security is enabled - in the pod - type: boolean servicePort: description: ServicePort is the port Aerospike clients outside K8s can connect to. @@ -14282,11 +14282,11 @@ spec: required: - aerospikeConfigHash - image + - isSecurityEnabled - networkPolicyHash - podIP - podPort - podSpecHash - - securityEnabled type: object description: Pods has Aerospike specific status of the pods. This is map instead of the conventional map as list convention to allow