Properly set Available and Progressing conditions

dlom · dlom · commit 7c3a20b52612 · 2026-03-09T11:46:33.000-07:00
The Pod Identity Webhook controller will now report Available: False
when there are no pods available on the deployment, and Progressing:
True when not all pods match the latest deployment spec (motivating
factor: when the image on the deployment spec has been updated)
diff --git a/pkg/operator/cleanup/status.go b/pkg/operator/cleanup/status.go
@@ -1,6 +1,8 @@
 package cleanup
 
 import (
+	"context"
+
 	log "github.com/sirupsen/logrus"
 
 	configv1 "github.com/openshift/api/config/v1"
@@ -9,7 +11,7 @@ import (
 
 var _ status.Handler = &ReconcileStaleCredentialsRequest{}
 
-func (r *ReconcileStaleCredentialsRequest) GetConditions(logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
+func (r *ReconcileStaleCredentialsRequest) GetConditions(ctx context.Context, logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
 	return []configv1.ClusterOperatorStatusCondition{}, nil
 }
 
diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller.go b/pkg/operator/credentialsrequest/credentialsrequest_controller.go
@@ -493,9 +493,9 @@ type ReconcileSecretMissingLabel struct {
 	mutatingClient corev1client.SecretsGetter
 }
 
-func (r *ReconcileSecretMissingLabel) GetConditions(logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
+func (r *ReconcileSecretMissingLabel) GetConditions(ctx context.Context, logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
 	var secrets corev1.SecretList
-	if err := r.cachedClient.List(context.TODO(), &secrets); err != nil {
+	if err := r.cachedClient.List(ctx, &secrets); err != nil {
 		return nil, err
 	}
 	var missing int
diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller_azure_test.go b/pkg/operator/credentialsrequest/credentialsrequest_controller_azure_test.go
@@ -253,7 +253,7 @@ func TestCredentialsRequestAzureReconcile(t *testing.T) {
 
 			if test.expectedCOConditions != nil {
 				logger := log.WithFields(log.Fields{"controller": controllerName})
-				currentConditions, err := rcr.GetConditions(logger)
+				currentConditions, err := rcr.GetConditions(context.TODO(), logger)
 				require.NoError(t, err, "failed getting conditions")
 
 				for _, expectedCondition := range test.expectedCOConditions {
diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller_gcp_test.go b/pkg/operator/credentialsrequest/credentialsrequest_controller_gcp_test.go
@@ -974,7 +974,7 @@ func TestCredentialsRequestGCPReconcile(t *testing.T) {
 
 			if test.expectedCOConditions != nil {
 				logger := log.WithFields(log.Fields{"controller": controllerName})
-				currentConditions, err := rcr.GetConditions(logger)
+				currentConditions, err := rcr.GetConditions(context.TODO(), logger)
 				require.NoError(t, err, "failed getting conditions")
 
 				for _, expectedCondition := range test.expectedCOConditions {
diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller_label_test.go b/pkg/operator/credentialsrequest/credentialsrequest_controller_label_test.go
@@ -251,7 +251,7 @@ func TestReconcileSecretMissingLabel_GetConditions(t *testing.T) {
 				mutatingClient: nil,
 			}
 
-			conditions, err := rcr.GetConditions(logrus.StandardLogger())
+			conditions, err := rcr.GetConditions(context.TODO(), logrus.StandardLogger())
 
 			if err != nil && !test.expectErr {
 				require.NoError(t, err, "Unexpected error: %v", err)
diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller_test.go b/pkg/operator/credentialsrequest/credentialsrequest_controller_test.go
@@ -1535,7 +1535,7 @@ func TestCredentialsRequestReconcile(t *testing.T) {
 
 			if test.expectedCOConditions != nil {
 				logger := log.WithFields(log.Fields{"controller": controllerName})
-				currentConditions, err := rcr.GetConditions(logger)
+				currentConditions, err := rcr.GetConditions(context.TODO(), logger)
 				require.NoError(t, err, "failed getting conditions")
 
 				for _, expectedCondition := range test.expectedCOConditions {
diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller_vsphere_test.go b/pkg/operator/credentialsrequest/credentialsrequest_controller_vsphere_test.go
@@ -226,7 +226,7 @@ func TestCredentialsRequestVSphereReconcile(t *testing.T) {
 
 			if test.expectedCOConditions != nil {
 				logger := log.WithFields(log.Fields{"controller": controllerName})
-				currentConditions, err := rcr.GetConditions(logger)
+				currentConditions, err := rcr.GetConditions(context.TODO(), logger)
 				require.NoError(t, err, "failed getting conditions")
 
 				for _, expectedCondition := range test.expectedCOConditions {
diff --git a/pkg/operator/credentialsrequest/status.go b/pkg/operator/credentialsrequest/status.go
@@ -29,8 +29,8 @@ const (
 
 var _ status.Handler = &ReconcileCredentialsRequest{}
 
-func (r *ReconcileCredentialsRequest) GetConditions(logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
-	_, credRequests, mode, err := r.getOperatorState(logger)
+func (r *ReconcileCredentialsRequest) GetConditions(ctx context.Context, logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
+	_, credRequests, mode, err := r.getOperatorState(ctx, logger)
 	if err != nil {
 		return []configv1.ClusterOperatorStatusCondition{}, fmt.Errorf("failed to get operator state: %v", err)
 	}
@@ -43,7 +43,7 @@ func (r *ReconcileCredentialsRequest) GetConditions(logger log.FieldLogger) ([]c
 }
 
 func (r *ReconcileCredentialsRequest) GetRelatedObjects(logger log.FieldLogger) ([]configv1.ObjectReference, error) {
-	_, credRequests, _, err := r.getOperatorState(logger)
+	_, credRequests, _, err := r.getOperatorState(context.TODO(), logger)
 	if err != nil {
 		return []configv1.ObjectReference{}, fmt.Errorf("failed to get operator state: %v", err)
 	}
@@ -56,10 +56,10 @@ func (r *ReconcileCredentialsRequest) Name() string {
 
 // getOperatorState gets and returns the resources necessary to compute the
 // operator's current state.
-func (r *ReconcileCredentialsRequest) getOperatorState(logger log.FieldLogger) (*corev1.Namespace, []minterv1.CredentialsRequest, operatorv1.CloudCredentialsMode, error) {
+func (r *ReconcileCredentialsRequest) getOperatorState(ctx context.Context, logger log.FieldLogger) (*corev1.Namespace, []minterv1.CredentialsRequest, operatorv1.CloudCredentialsMode, error) {
 
 	ns := &corev1.Namespace{}
-	if err := r.Client.Get(context.TODO(), types.NamespacedName{Name: minterv1.CloudCredOperatorNamespace}, ns); err != nil {
+	if err := r.Client.Get(ctx, types.NamespacedName{Name: minterv1.CloudCredOperatorNamespace}, ns); err != nil {
 		if apierrors.IsNotFound(err) {
 			return nil, nil, operatorv1.CloudCredentialsModeDefault, nil
 		}
@@ -72,7 +72,7 @@ func (r *ReconcileCredentialsRequest) getOperatorState(logger log.FieldLogger) (
 	// central list to live. Other credentials requests in other namespaces will not affect status,
 	// but they will still work fine.
 	credRequestList := &minterv1.CredentialsRequestList{}
-	err := r.Client.List(context.TODO(), credRequestList, client.InNamespace(minterv1.CloudCredOperatorNamespace))
+	err := r.Client.List(ctx, credRequestList, client.InNamespace(minterv1.CloudCredOperatorNamespace))
 	if err != nil {
 		return nil, nil, operatorv1.CloudCredentialsModeDefault, fmt.Errorf(
 			"failed to list CredentialsRequests: %v", err)
diff --git a/pkg/operator/loglevel/status.go b/pkg/operator/loglevel/status.go
@@ -1,6 +1,8 @@
 package loglevel
 
 import (
+	"context"
+
 	log "github.com/sirupsen/logrus"
 
 	configv1 "github.com/openshift/api/config/v1"
@@ -9,7 +11,7 @@ import (
 
 var _ status.Handler = &ReconcileCloudCredentialConfig{}
 
-func (r *ReconcileCloudCredentialConfig) GetConditions(logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
+func (r *ReconcileCloudCredentialConfig) GetConditions(ctx context.Context, logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
 	return []configv1.ClusterOperatorStatusCondition{}, nil
 }
 
diff --git a/pkg/operator/podidentity/podidentitywebhook_controller.go b/pkg/operator/podidentity/podidentitywebhook_controller.go
@@ -37,12 +37,14 @@ import (
 )
 
 const (
-	controllerName                      = "pod-identity"
-	deploymentName                      = "cloud-credential-operator"
-	operatorNamespace                   = "openshift-cloud-credential-operator"
-	retryInterval                       = 10 * time.Second
-	reasonStaticResourceReconcileFailed = "StaticResourceReconcileFailed"
-	pdb                                 = "v4.1.0/common/poddisruptionbudget.yaml"
+	controllerName                            = "pod-identity"
+	deploymentName                            = "cloud-credential-operator"
+	operatorNamespace                         = "openshift-cloud-credential-operator"
+	retryInterval                             = 10 * time.Second
+	reasonStaticResourceReconcileFailed       = "StaticResourceReconcileFailed"
+	reasonPodIdentityWebhookPodsStillUpdating = "PodIdentityWebhookPodsStillUpdating"
+	reasonPodIdentityWebhookPodsNotAvailable  = "PodIdentityWebhookPodsNotAvailable"
+	pdb                                       = "v4.1.0/common/poddisruptionbudget.yaml"
 )
 
 var (
@@ -384,10 +386,77 @@ func (r *staticResourceReconciler) ReconcileResources(ctx context.Context) error
 	return nil
 }
 
+type webhookPodStatus struct {
+	desiredReplicas   int32
+	availableReplicas int32
+	updatedReplicas   int32
+}
+
+func (wps *webhookPodStatus) Available() bool {
+	return wps.availableReplicas > 0
+}
+
+func (wps *webhookPodStatus) Progressing() bool {
+	return wps.updatedReplicas != wps.desiredReplicas
+}
+
+func (r *staticResourceReconciler) CheckPodStatus(ctx context.Context) (*webhookPodStatus, error) {
+	deployment := &appsv1.Deployment{}
+	err := r.client.Get(ctx, client.ObjectKey{
+		Name:      "pod-identity-webhook",
+		Namespace: operatorNamespace,
+	}, deployment)
+	if err != nil {
+		return nil, err
+	}
+
+	desiredReplicas := int32(1) // kubernetes defaults to 1 if not specified
+	if deployment.Spec.Replicas != nil {
+		desiredReplicas = *deployment.Spec.Replicas
+	}
+
+	deploymentStatus := &webhookPodStatus{
+		desiredReplicas:   desiredReplicas,
+		availableReplicas: deployment.Status.AvailableReplicas,
+		updatedReplicas:   deployment.Status.UpdatedReplicas,
+	}
+
+	return deploymentStatus, nil
+}
+
 var _ status.Handler = &staticResourceReconciler{}
 
-func (r *staticResourceReconciler) GetConditions(logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
-	return r.conditions, nil
+func (r *staticResourceReconciler) GetConditions(ctx context.Context, logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {
+	podStatus, err := r.CheckPodStatus(ctx)
+	if err != nil {
+		logger.WithError(err).Errorf("checking pod identity webhook status failed")
+		return nil, err
+	}
+
+	conditions := make([]configv1.ClusterOperatorStatusCondition, len(r.conditions))
+	copy(conditions, r.conditions)
+	if !podStatus.Available() {
+		conditions = append(conditions, configv1.ClusterOperatorStatusCondition{
+			Type:    configv1.OperatorAvailable,
+			Status:  configv1.ConditionFalse,
+			Reason:  reasonPodIdentityWebhookPodsNotAvailable,
+			Message: "No pod identity webhook pods are available",
+		})
+	}
+	if podStatus.Progressing() {
+		conditions = append(conditions, configv1.ClusterOperatorStatusCondition{
+			Type:   configv1.OperatorProgressing,
+			Status: configv1.ConditionTrue,
+			Reason: reasonPodIdentityWebhookPodsStillUpdating,
+			Message: fmt.Sprintf(
+				"Waiting for pod identity webhook deployment rollout to finish: %d out of %d new replica(s) have been updated...",
+				podStatus.updatedReplicas,
+				podStatus.desiredReplicas,
+			),
+		})
+	}
+
+	return conditions, nil
 }
 
 func (r *staticResourceReconciler) GetRelatedObjects(logger log.FieldLogger) ([]configv1.ObjectReference, error) {
diff --git a/pkg/operator/podidentity/podidentitywebhook_controller_test.go b/pkg/operator/podidentity/podidentitywebhook_controller_test.go
diff --git a/pkg/operator/secretannotator/status/status.go b/pkg/operator/secretannotator/status/status.go
diff --git a/pkg/operator/status/status_controller.go b/pkg/operator/status/status_controller.go
diff --git a/pkg/operator/status/status_controller_test.go b/pkg/operator/status/status_controller_test.go

Original file line number	Diff line number	Diff line change
`@@ -493,9 +493,9 @@ type ReconcileSecretMissingLabel struct {`
`493`	`493`	`mutatingClient corev1client.SecretsGetter`
`494`	`494`	`}`
`495`	`495`
`496`		`-func (r *ReconcileSecretMissingLabel) GetConditions(logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {`
	`496`	`+func (r *ReconcileSecretMissingLabel) GetConditions(ctx context.Context, logger log.FieldLogger) ([]configv1.ClusterOperatorStatusCondition, error) {`
`497`	`497`	`var secrets corev1.SecretList`
`498`		`- if err := r.cachedClient.List(context.TODO(), &secrets); err != nil {`
	`498`	`+ if err := r.cachedClient.List(ctx, &secrets); err != nil {`
`499`	`499`	`return nil, err`
`500`	`500`	`}`
`501`	`501`	`var missing int`
Original file line number	Diff line number	Diff line change
`@@ -251,7 +251,7 @@ func TestReconcileSecretMissingLabel_GetConditions(t *testing.T) {`
`251`	`251`	`mutatingClient: nil,`
`252`	`252`	`}`
`253`	`253`
`254`		`- conditions, err := rcr.GetConditions(logrus.StandardLogger())`
	`254`	`+ conditions, err := rcr.GetConditions(context.TODO(), logrus.StandardLogger())`
`255`	`255`
`256`	`256`	`if err != nil && !test.expectErr {`
`257`	`257`	`require.NoError(t, err, "Unexpected error: %v", err)`