Check ownership of pgAdmin services

Before this change PGO would force ownership on any service provided
through PGAdmin.Spec.ServiceName, assuming the Service existed in the
environment.

With this change, we will check ownership and only reconcile a service
if it is either not owned or owned by the associated PGAdmin object.

Author: jmckulk

internal/controller/standalone_pgadmin/service.go

@@ -19,14 +19,16 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/pkg/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 
 	"github.com/crunchydata/postgres-operator/internal/logging"
 	"github.com/crunchydata/postgres-operator/internal/naming"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
+	"github.com/pkg/errors"
 )
 
 // +kubebuilder:rbac:groups="",resources="services",verbs={get}
@@ -45,10 +47,12 @@ func (r *PGAdminReconciler) reconcilePGAdminService(
 	// need to delete any existing service(s). At the start of every reconcile
 	// get all services that match the current pgAdmin labels.
 	services := corev1.ServiceList{}
-	if err := r.Client.List(ctx, &services, client.MatchingLabels{
-		naming.LabelStandalonePGAdmin: pgadmin.Name,
-		naming.LabelRole:              naming.RolePGAdmin,
-	}); err != nil {
+	if err := r.Client.List(ctx, &services,
+		client.InNamespace(pgadmin.Namespace),
+		client.MatchingLabels{
+			naming.LabelStandalonePGAdmin: pgadmin.Name,
+			naming.LabelRole:              naming.RolePGAdmin,
+		}); err != nil {
 		return err
 	}
 
@@ -64,16 +68,49 @@ func (r *PGAdminReconciler) reconcilePGAdminService(
 		}
 	}
 
-	// TODO (jmckulk): check if the requested services exists without our pgAdmin
-	// as the owner. If this happens, don't take over ownership of the existing svc.
-
 	// At this point only a service defined by spec.ServiceName should exist.
-	// Update the service or create it if it does not exist
+	// Check if the user has requested a service through ServiceName
 	if pgadmin.Spec.ServiceName != "" {
+		// Look for an existing service with name ServiceName in the namespace
+		existingService := &corev1.Service{}
+		err := r.Client.Get(ctx, types.NamespacedName{
+			Name:      pgadmin.Spec.ServiceName,
+			Namespace: pgadmin.GetNamespace(),
+		}, existingService)
+		if client.IgnoreNotFound(err) != nil {
+			return err
+		}
+
+		// If we found an existing service in our namespace with ServiceName
+		if !apierrors.IsNotFound(err) {
+
+			// Check if the existing service has ownerReferences.
+			// If it doesn't we can go ahead and reconcile the service.
+			// If it does then we need to check if we are the controller.
+			if len(existingService.OwnerReferences) != 0 {
+
+				// If the service is not controlled by this pgAdmin then we shouldn't reconcile
+				if !metav1.IsControlledBy(existingService, pgadmin) {
+					err := errors.New("Service is controlled by another object")
+					log.V(1).Error(err, "PGO does not force ownership on existing services",
+						"ServiceName", pgadmin.Spec.ServiceName)
+					r.Recorder.Event(pgadmin,
+						corev1.EventTypeWarning, "InvalidServiceWarning",
+						"Failed to reconcile Service ServiceName: "+pgadmin.Spec.ServiceName)
+
+					return err
+				}
+			}
+		}
+
+		// A service has been requested and we are allowed to create or reconcile
 		service := service(pgadmin)
+
+		// Set the controller reference on the service
 		if err := errors.WithStack(r.setControllerReference(pgadmin, service)); err != nil {
 			return err
 		}
+
 		return errors.WithStack(r.apply(ctx, service))
 	}
 

testing/kuttl/e2e/standalone-pgadmin-service/00-assert.yaml

@@ -5,6 +5,11 @@ metadata:
   labels:
     postgres-operator.crunchydata.com/role: pgadmin
     postgres-operator.crunchydata.com/pgadmin: pgadmin
+  ownerReferences:
+  - apiVersion: postgres-operator.crunchydata.com/v1beta1
+    controller: true
+    kind: PGAdmin
+    name: pgadmin
 spec:
   selector:
     postgres-operator.crunchydata.com/pgadmin: pgadmin

testing/kuttl/e2e/standalone-pgadmin-service/10--manual-service.yaml

@@ -0,0 +1,30 @@
+# Manually create a service that should be taken over by pgAdmin
+# The manual service is of type LoadBalancer
+# Cnce taken over, the type should change to ClusterIP
+apiVersion: v1
+kind: Service
+metadata:
+  name: manual-pgadmin-service
+spec:
+  ports:
+  - name: pgadmin-port
+    port: 5050
+    protocol: TCP
+  selector:
+    postgres-operator.crunchydata.com/pgadmin: rhino
+  type: LoadBalancer
+---
+# Create a pgAdmin that points to an existing un-owned service
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PGAdmin
+metadata:
+  name: manual-svc-pgadmin
+spec:
+  serviceName: manual-pgadmin-service
+  dataVolumeClaimSpec:
+    accessModes:
+    - "ReadWriteOnce"
+    resources:
+      requests:
+        storage: 1Gi
+  serverGroups: []

testing/kuttl/e2e/standalone-pgadmin-service/10-assert.yaml

@@ -0,0 +1,22 @@
+# Check that the manually created service has the correct ownerReference
+apiVersion: v1
+kind: Service
+metadata:
+  name: manual-pgadmin-service
+  labels:
+    postgres-operator.crunchydata.com/role: pgadmin
+    postgres-operator.crunchydata.com/pgadmin: manual-svc-pgadmin
+  ownerReferences:
+  - apiVersion: postgres-operator.crunchydata.com/v1beta1
+    controller: true
+    kind: PGAdmin
+    name: manual-svc-pgadmin
+spec:
+  selector:
+    postgres-operator.crunchydata.com/pgadmin: manual-svc-pgadmin
+  ports:
+  - port: 5050
+    targetPort: 5050
+    protocol: TCP
+    name: pgadmin-port
+  type: ClusterIP

testing/kuttl/e2e/standalone-pgadmin-service/20--owned-service.yaml

@@ -0,0 +1,14 @@
+# Create a pgAdmin that will create and own a service
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PGAdmin
+metadata:
+  name: pgadmin-service-owner
+spec:
+  serviceName: pgadmin-owned-service
+  dataVolumeClaimSpec:
+    accessModes:
+    - "ReadWriteOnce"
+    resources:
+      requests:
+        storage: 1Gi
+  serverGroups: []

testing/kuttl/e2e/standalone-pgadmin-service/20-assert.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pgadmin-owned-service
+  labels:
+    postgres-operator.crunchydata.com/role: pgadmin
+    postgres-operator.crunchydata.com/pgadmin: pgadmin-service-owner
+  ownerReferences:
+  - apiVersion: postgres-operator.crunchydata.com/v1beta1
+    controller: true
+    kind: PGAdmin
+    name: pgadmin-service-owner
+spec:
+  selector:
+    postgres-operator.crunchydata.com/pgadmin: pgadmin-service-owner
+  ports:
+  - port: 5050
+    targetPort: 5050
+    protocol: TCP
+    name: pgadmin-port
+  type: ClusterIP

testing/kuttl/e2e/standalone-pgadmin-service/21-assert.yaml

@@ -0,0 +1,34 @@
+# Original service should still have owner reference
+apiVersion: v1
+kind: Service
+metadata:
+  name: pgadmin-owned-service
+  labels:
+    postgres-operator.crunchydata.com/role: pgadmin
+    postgres-operator.crunchydata.com/pgadmin: pgadmin-service-owner
+  ownerReferences:
+  - apiVersion: postgres-operator.crunchydata.com/v1beta1
+    controller: true
+    kind: PGAdmin
+    name: pgadmin-service-owner
+spec:
+  selector:
+    postgres-operator.crunchydata.com/pgadmin: pgadmin-service-owner
+  ports:
+  - port: 5050
+    targetPort: 5050
+    protocol: TCP
+    name: pgadmin-port
+  type: ClusterIP
+---
+apiVersion: v1
+involvedObject:
+  apiVersion: postgres-operator.crunchydata.com/v1beta1
+  kind: PGAdmin
+  name: pgadmin-service-thief
+kind: Event
+message: 'Failed to reconcile Service ServiceName: pgadmin-owned-service'
+reason: InvalidServiceWarning
+source:
+  component: pgadmin-controller
+type: Warning

testing/kuttl/e2e/standalone-pgadmin-service/21-steal-service.yaml

@@ -0,0 +1,14 @@
+# Create a second pgAdmin that attempts to steal the service
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PGAdmin
+metadata:
+  name: pgadmin-service-thief
+spec:
+  serviceName: pgadmin-owned-service
+  dataVolumeClaimSpec:
+    accessModes:
+    - "ReadWriteOnce"
+    resources:
+      requests:
+        storage: 1Gi
+  serverGroups: []