feat: add support for deleting Tekton-managed pods and enhance Istio … (#2287)

CasLubbers · otomi-admin · svcAPLBot · web-flow · commit 41560c113fc7 · 2025-06-27T12:53:00.000+02:00
Co-authored-by: otomi-admin &lt;pipeline@cluster.local&gt;
Co-authored-by: svcAPLBot &lt;174728082+svcAPLBot@users.noreply.github.com&gt;
diff --git a/src/common/runtime-upgrades/restart-istio-sidecars.test.ts b/src/common/runtime-upgrades/restart-istio-sidecars.test.ts
@@ -1,8 +1,10 @@
 import { CoreV1Api, V1OwnerReference } from '@kubernetes/client-node'
 import {
+  deletePod,
   detectAndRestartOutdatedIstioSidecars,
   getDeploymentNameFromReplicaSet,
   getIstioVersionFromDeployment,
+  isPodManagedByTekton,
   restartCluster,
   restartDeployment,
   restartPodOwner,
@@ -474,6 +476,164 @@ describe('restartDeployment', () => {
   })
 })
 
+describe('isPodManagedByTekton', () => {
+  it('should return true for pods managed by EventListener', () => {
+    const pod = {
+      metadata: {
+        labels: {
+          'app.kubernetes.io/managed-by': 'EventListener',
+        },
+      },
+    }
+
+    expect(isPodManagedByTekton(pod)).toBe(true)
+  })
+
+  it('should return true for pods with eventlistener label', () => {
+    const pod = {
+      metadata: {
+        labels: {
+          eventlistener: 'gitea-webhook-main',
+        },
+      },
+    }
+
+    expect(isPodManagedByTekton(pod)).toBe(true)
+  })
+
+  it('should return true for pods part of Triggers', () => {
+    const pod = {
+      metadata: {
+        labels: {
+          'app.kubernetes.io/part-of': 'Triggers',
+        },
+      },
+    }
+
+    expect(isPodManagedByTekton(pod)).toBe(true)
+  })
+
+  it('should return false for pods not managed by Tekton', () => {
+    const pod = {
+      metadata: {
+        labels: {
+          'app.kubernetes.io/managed-by': 'Deployment',
+          'app.kubernetes.io/part-of': 'SomeOtherApp',
+        },
+      },
+    }
+
+    expect(isPodManagedByTekton(pod)).toBe(false)
+  })
+
+  it('should return false for pods without labels', () => {
+    const pod = {
+      metadata: {},
+    }
+
+    expect(isPodManagedByTekton(pod)).toBe(false)
+  })
+
+  it('should return false for pods without metadata', () => {
+    const pod = {}
+
+    expect(isPodManagedByTekton(pod)).toBe(false)
+  })
+})
+
+describe('deletePod', () => {
+  let mockD: any
+  let mockCoreApi: any
+
+  beforeEach(() => {
+    mockD = {
+      info: jest.fn(),
+    }
+    mockCoreApi = {
+      deleteNamespacedPod: jest.fn().mockResolvedValue({}),
+    }
+    ;(k8s.core as jest.Mock).mockReturnValue(mockCoreApi)
+    jest.clearAllMocks()
+  })
+
+  it('should delete pod when not in dry run mode', async () => {
+    const mockParsedArgs = { dryRun: false, local: false }
+    const pod = {
+      metadata: {
+        name: 'test-pod',
+        namespace: 'test-namespace',
+      },
+    }
+
+    await deletePod(pod, mockD, mockParsedArgs)
+
+    expect(mockD.info).toHaveBeenCalledWith('Deleting pod test-namespace/test-pod to refresh Istio sidecar')
+    expect(mockD.info).toHaveBeenCalledWith('Successfully deleted pod test-pod')
+    expect(mockCoreApi.deleteNamespacedPod).toHaveBeenCalledWith({
+      name: 'test-pod',
+      namespace: 'test-namespace',
+    })
+  })
+
+  it('should not delete pod in dry run mode', async () => {
+    const mockParsedArgs = { dryRun: true, local: false }
+    const pod = {
+      metadata: {
+        name: 'test-pod',
+        namespace: 'test-namespace',
+      },
+    }
+
+    await deletePod(pod, mockD, mockParsedArgs)
+
+    expect(mockD.info).toHaveBeenCalledWith('Dry run mode - would delete pod test-namespace/test-pod')
+    expect(mockCoreApi.deleteNamespacedPod).not.toHaveBeenCalled()
+  })
+
+  it('should not delete pod in local mode', async () => {
+    const mockParsedArgs = { dryRun: false, local: true }
+    const pod = {
+      metadata: {
+        name: 'test-pod',
+        namespace: 'test-namespace',
+      },
+    }
+
+    await deletePod(pod, mockD, mockParsedArgs)
+
+    expect(mockD.info).toHaveBeenCalledWith('Dry run mode - would delete pod test-namespace/test-pod')
+    expect(mockCoreApi.deleteNamespacedPod).not.toHaveBeenCalled()
+  })
+
+  it('should handle pods without name gracefully', async () => {
+    const mockParsedArgs = { dryRun: false, local: false }
+    const pod = {
+      metadata: {
+        namespace: 'test-namespace',
+      },
+    }
+
+    await deletePod(pod, mockD, mockParsedArgs)
+
+    expect(mockD.info).not.toHaveBeenCalled()
+    expect(mockCoreApi.deleteNamespacedPod).not.toHaveBeenCalled()
+  })
+
+  it('should handle pods without namespace gracefully', async () => {
+    const mockParsedArgs = { dryRun: false, local: false }
+    const pod = {
+      metadata: {
+        name: 'test-pod',
+      },
+    }
+
+    await deletePod(pod, mockD, mockParsedArgs)
+
+    expect(mockD.info).not.toHaveBeenCalled()
+    expect(mockCoreApi.deleteNamespacedPod).not.toHaveBeenCalled()
+  })
+})
+
 describe('restartPodOwner', () => {
   let mockRestartedDeployments: Set<string>
   let mockD: any
@@ -567,21 +727,80 @@ describe('restartPodOwner', () => {
     expect(mockD.info).toHaveBeenCalledWith('Restarting deployment test-deployment in namespace test-namespace')
   })
 
-  it('should handle pods with no owner references', async () => {
+  it('should warn about standalone pods with no owner references', async () => {
     const mockParsedArgs = { dryRun: false, local: false }
 
     mockPod = {
       metadata: {
         namespace: 'test-namespace',
+        name: 'standalone-pod',
       },
     }
 
     await restartPodOwner(mockPod, mockD, mockParsedArgs)
 
-    // No restart attempted since deployment name extraction failed
+    expect(mockD.warn).toHaveBeenCalledWith(
+      'Pod test-namespace/standalone-pod has no owner references (standalone pod). Cannot automatically restart - manual intervention required to update Istio sidecar.',
+    )
     expect(mockD.info).not.toHaveBeenCalled()
   })
 
+  it('should warn about standalone pods with empty owner references', async () => {
+    const mockParsedArgs = { dryRun: false, local: false }
+
+    mockPod = {
+      metadata: {
+        namespace: 'test-namespace',
+        name: 'standalone-pod',
+        ownerReferences: [],
+      },
+    }
+
+    await restartPodOwner(mockPod, mockD, mockParsedArgs)
+
+    expect(mockD.warn).toHaveBeenCalledWith(
+      'Pod test-namespace/standalone-pod has no owner references (standalone pod). Cannot automatically restart - manual intervention required to update Istio sidecar.',
+    )
+    expect(mockD.info).not.toHaveBeenCalled()
+  })
+
+  it('should delete Tekton-managed pods instead of restarting deployment', async () => {
+    const mockParsedArgs = { dryRun: false, local: false }
+    const mockCoreApi = {
+      deleteNamespacedPod: jest.fn().mockResolvedValue({}),
+    }
+    ;(k8s.core as jest.Mock).mockReturnValue(mockCoreApi)
+
+    mockPod = {
+      metadata: {
+        namespace: 'team-labs',
+        name: 'el-gitea-webhook-main-abc123',
+        labels: {
+          'app.kubernetes.io/managed-by': 'EventListener',
+          eventlistener: 'gitea-webhook-main',
+        },
+        ownerReferences: [
+          {
+            kind: 'ReplicaSet',
+            name: 'el-gitea-webhook-main-abc123',
+            apiVersion: 'apps/v1',
+            uid: 'test-uid',
+          },
+        ],
+      },
+    }
+
+    await restartPodOwner(mockPod, mockD, mockParsedArgs)
+
+    expect(mockD.info).toHaveBeenCalledWith(
+      'Deleting pod team-labs/el-gitea-webhook-main-abc123 to refresh Istio sidecar',
+    )
+    expect(mockCoreApi.deleteNamespacedPod).toHaveBeenCalledWith({
+      name: 'el-gitea-webhook-main-abc123',
+      namespace: 'team-labs',
+    })
+  })
+
   it('should handle pods with no metadata', async () => {
     const mockParsedArgs = { dryRun: false, local: false }
 
diff --git a/src/common/runtime-upgrades/restart-istio-sidecars.ts b/src/common/runtime-upgrades/restart-istio-sidecars.ts
@@ -235,8 +235,46 @@ export async function restartDeployment(
   return deploymentName
 }
 
+export function isPodManagedByTekton(pod: V1Pod): boolean {
+  return (
+    pod.metadata?.labels?.['app.kubernetes.io/managed-by'] === 'EventListener' ||
+    pod.metadata?.labels?.['eventlistener'] !== undefined ||
+    pod.metadata?.labels?.['app.kubernetes.io/part-of'] === 'Triggers'
+  )
+}
+
+export async function deletePod(pod: V1Pod, d: OtomiDebugger, parsedArgs: any): Promise<void> {
+  if (!pod.metadata?.name || !pod.metadata?.namespace) return
+
+  if (!parsedArgs?.dryRun && !parsedArgs?.local) {
+    d.info(`Deleting pod ${pod.metadata.namespace}/${pod.metadata.name} to refresh Istio sidecar`)
+    const coreApi = k8s.core()
+    await coreApi.deleteNamespacedPod({
+      name: pod.metadata.name,
+      namespace: pod.metadata.namespace,
+    })
+    d.info(`Successfully deleted pod ${pod.metadata.name}`)
+  } else {
+    d.info(`Dry run mode - would delete pod ${pod.metadata.namespace}/${pod.metadata.name}`)
+  }
+}
+
 export async function restartPodOwner(pod: V1Pod, d: OtomiDebugger, parsedArgs: any): Promise<void> {
-  if (!pod.metadata?.ownerReferences || !pod.metadata?.namespace) return
+  if (!pod.metadata?.namespace) return
+
+  // Handle pods without owner references (standalone pods)
+  if (!pod.metadata?.ownerReferences || pod.metadata.ownerReferences.length === 0) {
+    d.warn(
+      `Pod ${pod.metadata.namespace}/${pod.metadata.name} has no owner references (standalone pod). Cannot automatically restart - manual intervention required to update Istio sidecar.`,
+    )
+    return
+  }
+
+  // For Tekton-managed pods, delete the pod instead of restarting the deployment
+  if (isPodManagedByTekton(pod)) {
+    await deletePod(pod, d, parsedArgs)
+    return
+  }
 
   for (const ownerRef of pod.metadata.ownerReferences) {
     if (!ownerRef.name) continue
