From be7b493d6b6f9301525a329133117f101ffc3eeb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ra=C3=BAl=20Sevilla?= Date: Thu, 25 May 2023 11:03:29 +0200 Subject: [PATCH] Fix churning patch (#320) The previous patching implementation was causing warnings b/c it was removing all the previous labels from the namespace. i.e: ```console $airflow@414awsovnsmallcpclusterdensity-97775a0f892d4636a9fe8f5a2c677f0c:~/auth kubectl get namespace/cluster-density-288 --show-labels NAME STATUS AGE LABELS cluster-density-288 Active 58s churndelete=delete,kube-burner-job=cluster-density,kube-burner-uuid=b509253e-cluster-density-20230524,kubernetes.io/metadata.name=cluster-density-288,pod-security.kubernetes.io/audit=privileged,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/warn=privileged,security.openshift.io/scc.podSecurityLabelSync=false $ kubectl patch ns cluster-density-288 --type=json -p '[{"op":"add","path":"/metadata/labels","value":{"churndelete":"delete"}}]' Warning: existing pods in namespace "cluster-density-288" violate the new PodSecurity enforce level "restricted:latest" Warning: cluster-density-1-build: privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, runAsUser=0, seccompProfile namespace/cluster-density-288 patched $ kubectl get namespace/cluster-density-288 --show-labels # Note that some of the labels were removed NAME STATUS AGE LABELS cluster-density-288 Active 96s churndelete=delete,kubernetes.io/metadata.name=cluster-density-288,pod-security.kubernetes.io/enforce-version=v1.24,pod-security.kubernetes.io/enforce=restricted ``` --- Updating the patch expression to `[{"op":"add","path":"/metadata/labels/churndelete","value": "delete"}]` as per [RFC6902](https://datatracker.ietf.org/doc/html/rfc6902#appendix-A.1) states does not cause this issue: ```console $ kubectl patch ns cluster-density-300 --type=json -p '[{"op":"add","path":"/metadata/labels/churndelete","value": "delete"}]' namespace/cluster-density-300 patched $ kubectl get ns 
cluster-density-300 --show-labels NAME STATUS AGE LABELS cluster-density-300 Active 6m12s churndelete=delete,kube-burner-job=cluster-density,kube-burner-uuid=b509253e-cluster-density-20230524,kubernetes.io/metadata.name=cluster-density-300,pod-security.kubernetes.io/audit=privileged,pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/warn=privileged,security.openshift.io/scc.podSecurityLabelSync=false ``` Signed-off-by: Raul Sevilla --- pkg/burner/create.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/burner/create.go b/pkg/burner/create.go
index 042b460a1..2066473ef 100644
--- a/pkg/burner/create.go
+++ b/pkg/burner/create.go
@@ -279,7 +279,7 @@ func (ex *Executor) RunCreateJobWithChurn() {
 // Create timer for the churn duration
 timer := time.After(ex.Config.ChurnDuration)
 // Patch to label namespaces for deletion
- delPatch := []byte(`[{"op":"add","path":"/metadata/labels","value":{"churndelete":"delete"}}]`)
+ delPatch := []byte(`[{"op":"add","path":"/metadata/labels/churndelete","value": "delete"}]`)
 for {
 select {
 case <-timer:
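Review bot: The comment above `delPatch` still reads only "Patch to label namespaces for deletion" and does not record why the path must address the single `churndelete` key, so a later edit could reintroduce the whole-map form. Per the commit message, the whole-map `add` dropped the `pod-security.kubernetes.io/*` labels and the namespace came back with `enforce=restricted`, which is a change of Pod Security level and not just a warning. I would extend the comment to `// Add only the churndelete key: an "add" on /metadata/labels replaces the whole map and drops the pod-security labels`. Separately, an RFC 6902 `add` to a member requires the parent object to exist, so this patch would presumably be rejected for a namespace with no labels at all; the namespaces in the commit message all carry `kubernetes.io/metadata.name`, but that is worth confirming for every cluster version the tool targets. The body of `RunCreateJobWithChurn` starts and ends outside the hunk, so the patch type passed to the client is not visible here.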