diff --git a/config/manifests/bases/aerospike-kubernetes-operator.clusterserviceversion.yaml b/config/manifests/bases/aerospike-kubernetes-operator.clusterserviceversion.yaml
index e9cec80a0..64dcdffae 100644
--- a/config/manifests/bases/aerospike-kubernetes-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/aerospike-kubernetes-operator.clusterserviceversion.yaml
@@ -51,12 +51,15 @@ spec:
 displayName: Server Image
 path: image
 - description: K8sNodeBlockList is a list of Kubernetes nodes which are not
- used for Aerospike pods.
+ used for Aerospike pods. Pods are not scheduled on these nodes. Pods are
+ migrated from these nodes if already present. This is useful for the maintenance
+ of Kubernetes nodes.
 displayName: Kubernetes Node BlockList
 path: k8sNodeBlockList
 - description: MaxUnavailable is the percentage/number of pods that can be allowed
 to go down or unavailable before application disruption. This value is used
- to create PodDisruptionBudget. Defaults to 1.
+ to create PodDisruptionBudget. Defaults to 1. Refer Aerospike documentation
+ for more details.
 displayName: Max Unavailable
 path: maxUnavailable
 - description: Certificates to connect to Aerospike.
diff --git a/controllers/reconciler.go b/controllers/reconciler.go
index 8a0fa6184..8ca37bec9 100644
--- a/controllers/reconciler.go
+++ b/controllers/reconciler.go
@@ -119,32 +119,8 @@ func (r *SingleClusterReconciler) Reconcile() (result ctrl.Result, recErr error)
 return reconcile.Result{}, recErr
 }

- if r.aeroCluster.Status.Pods != nil && r.enablingSecurity() {
- securityEnabledPods, err := r.getSecurityEnabledPods()
- if err != nil {
- return reconcile.Result{}, err
- }
-
- if len(securityEnabledPods) > 0 {
- ignorablePodNames, err := r.getIgnorablePods(nil, getConfiguredRackStateList(r.aeroCluster))
- if err != nil {
- r.Log.Error(err, "Failed to determine pods to be ignored")
-
- return reconcile.Result{}, err
- }
-
- // Setup access control.
- if err := r.validateAndReconcileAccessControl(securityEnabledPods, ignorablePodNames); err != nil {
- r.Log.Error(err, "Failed to Reconcile access control")
- r.Recorder.Eventf(
- r.aeroCluster, corev1.EventTypeWarning, "ACLUpdateFailed",
- "Failed to setup Access Control %s/%s", r.aeroCluster.Namespace,
- r.aeroCluster.Name,
- )
-
- return reconcile.Result{}, err
- }
- }
+ if err := r.handleEnableSecurity(); err != nil {
+ return reconcile.Result{}, err
 }

 // Reconcile all racks
@@ -1046,3 +1022,35 @@ func (r *SingleClusterReconciler) getSecurityEnabledPods() ([]corev1.Pod, error)
 func (r *SingleClusterReconciler) enablingSecurity() bool {
 return r.aeroCluster.Spec.AerospikeAccessControl != nil && r.aeroCluster.Status.AerospikeAccessControl == nil
 }
+
+func (r *SingleClusterReconciler) handleEnableSecurity() error {
+ if r.aeroCluster.Status.Pods != nil && r.enablingSecurity() {
+ securityEnabledPods, err := r.getSecurityEnabledPods()
+ if err != nil {
+ return err
+ }
+
+ if len(securityEnabledPods) > 0 {
+ ignorablePodNames, err := r.getIgnorablePods(nil, getConfiguredRackStateList(r.aeroCluster))
+ if err != nil {
+ r.Log.Error(err, "Failed to determine pods to be ignored")
+
+ return err
+ }
+
+ // Setup access control.
+ if err := r.validateAndReconcileAccessControl(securityEnabledPods, ignorablePodNames); err != nil {
+ r.Log.Error(err, "Failed to Reconcile access control")
+ r.Recorder.Eventf(
+ r.aeroCluster, corev1.EventTypeWarning, "ACLUpdateFailed",
+ "Failed to setup Access Control %s/%s", r.aeroCluster.Namespace,
+ r.aeroCluster.Name,
+ )
+
+ return err
+ }
+ }
+ }
+
+ return nil
+}
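Review bot: handleEnableSecurity has no doc comment, and it returns nil in three cases where no access control was applied: Status.Pods is nil, the cluster is not in the enabling-security transition, or no pod reports security enabled yet. The caller in Reconcile appears to proceed to rack reconciliation on any nil, so a comment such as `// handleEnableSecurity sets up access control while security is being enabled (ACL present in spec, absent in status); it is a no-op until at least one pod has security enabled.` would record that this is intended. The nesting can be flattened with a guard, `if r.aeroCluster.Status.Pods == nil || !r.enablingSecurity() { return nil }`, which also stops the inner `err` declarations from shadowing the outer one. The error from getSecurityEnabledPods is returned without a log line, unlike the other two failure paths, and only the last path emits the ACLUpdateFailed event.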