Merge pull request #195 from mintel/master

Add Label Whitelisting functionality

README.md

@@ -117,6 +117,28 @@ By default, no pod annotations will be applied to Redis nor Sentinel pods.
 
 In order to apply custom pod Annotations, you can provide the `podAnnotations` option inside redis/sentinel spec. An example can be found in the [custom annotations example file](example/redisfailover/custom-annotations.yaml).
 
+### Control of label propagation.
+By default the operator will propagate all labels on the CRD down to the resources that it creates.  This can be problematic if the
+labels on the CRD are not fully under your own control (for example: being deployed by a gitops operator)
+as a change to a labels value can fail on immutable resources such as PodDisruptionBudgets.  To control what labels the operator propagates
+to resource is creates you can modify the labelWhitelist option in the spec.
+
+By default specifying no whitelist or an empty whitelist will cause all labels to still be copied as not to break backwards compatibility.
+
+Items in the array should be regular expressions, see [here](example/redisfailover/control-label-propagation.yaml) as an example of how they can be used and
+[here](https://github.com/google/re2/wiki/Syntax) for a syntax reference.
+
+The whitelist can also be used as a form of blacklist by specifying a regular expression that will not match any label.
+
+NOTE: The operator will always add the labels it requires for operation to resources.  These are the following:
+```
+app.kubernetes.io/component
+app.kubernetes.io/managed-by
+app.kubernetes.io/name
+app.kubernetes.io/part-of
+redisfailovers.databases.spotahome.com/name
+```
+
 ## Connection to the created Redis Failovers
 
 In order to connect to the redis-failover and use it, a [Sentinel-ready](https://redis.io/topics/sentinel-clients) library has to be used. This will connect through the Sentinel service to the Redis node working as a master.

api/redisfailover/v1/types.go

@@ -20,6 +20,7 @@ type RedisFailoverSpec struct {
 	Redis    RedisSettings    `json:"redis,omitempty"`
 	Sentinel SentinelSettings `json:"sentinel,omitempty"`
 	Auth     AuthSettings     `json:"auth,omitempty"`
+	LabelWhitelist []string   `json:"labelWhitelist,omitempty"`
 }
 
 // RedisSettings defines the specification of the redis cluster

example/redisfailover/control-label-propagation.yaml

@@ -0,0 +1,29 @@
+apiVersion: databases.spotahome.com/v1
+kind: RedisFailover
+metadata:
+  name: redisfailover2
+  labels:
+    # These two labels will be propagated.
+    app.example.com/label1: value
+    app.example.com/label2: value
+    # This one wont be, as there is a non-empty whitelist and the regexp doesnt match it.
+    anotherlabel: value
+spec:
+  sentinel:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 100m
+      limits:
+        memory: 100Mi
+  redis:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+      limits:
+        cpu: 400m
+        memory: 500Mi
+  labelWhitelist:
+  - ^app.example.com.*

operator/redisfailover/handler.go

@@ -3,6 +3,7 @@ package redisfailover
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -102,7 +103,27 @@ func (r *RedisFailoverHandler) getLabels(rf *redisfailoverv1.RedisFailover) map[
 	dynLabels := map[string]string{
 		rfLabelNameKey: rf.Name,
 	}
-	return util.MergeLabels(defaultLabels, dynLabels, rf.Labels)
+
+	// Filter the labels based on the whitelist
+	filteredCustomLabels := make(map[string]string)
+	if rf.Spec.LabelWhitelist != nil && len(rf.Spec.LabelWhitelist) != 0 {
+		for _, regex := range rf.Spec.LabelWhitelist {
+			compiledRegexp, err := regexp.Compile(regex)
+			if err != nil {
+				r.logger.Errorf("Unable to compile label whitelist regex '%s', ignoring it.", regex)
+				continue
+			}
+			for labelKey, labelValue := range rf.Labels {
+				if match := compiledRegexp.MatchString(labelKey); match {
+					filteredCustomLabels[labelKey] = labelValue
+				}
+			}
+		}
+	} else {
+		// If no whitelist is specified then don't filter the labels.
+		filteredCustomLabels = rf.Labels
+	}
+	return util.MergeLabels(defaultLabels, dynLabels, filteredCustomLabels)
 }
 
 func (w *RedisFailoverHandler) createOwnerReferences(rf *redisfailoverv1.RedisFailover) []metav1.OwnerReference {