052 server side apply

.azure/templates/jobs/system-tests/feature_gates_regression_jobs.yaml

@@ -5,7 +5,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle I. - kafka + oauth'
       profile: 'azp_kafka_oauth'
       cluster_operator_install_type: 'bundle'
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
@@ -17,7 +17,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle II. - security'
       profile: 'azp_security'
       cluster_operator_install_type: 'bundle'
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
@@ -29,7 +29,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle III. - dynconfig + tracing + watcher'
       profile: 'azp_dynconfig_listeners_tracing_watcher'
       cluster_operator_install_type: 'bundle'
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
@@ -41,7 +41,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle IV. - operators'
       profile: 'azp_operators'
       cluster_operator_install_type: 'bundle'
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
@@ -53,7 +53,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle V. - rollingupdate'
       profile: 'azp_rolling_update_bridge'
       cluster_operator_install_type: 'bundle'
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
@@ -65,7 +65,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle VI. - connect + mirrormaker'
       profile: 'azp_connect_mirrormaker'
       cluster_operator_install_type: 'bundle'
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'
@@ -77,7 +77,7 @@ jobs:
       display_name: 'feature-gates-regression-bundle VII. - remaining system tests'
       profile: 'azp_remaining'
       cluster_operator_install_type: 'bundle'
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       timeout: 360
       releaseVersion: '${{ parameters.releaseVersion }}'

.azure/templates/jobs/system-tests/feature_gates_regression_namespace_rbac_jobs.yaml

@@ -8,7 +8,7 @@ jobs:
       cluster_operator_install_type: 'bundle'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -22,7 +22,7 @@ jobs:
       cluster_operator_install_type: 'bundle'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -36,7 +36,7 @@ jobs:
       cluster_operator_install_type: 'bundle'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -50,7 +50,7 @@ jobs:
       cluster_operator_install_type: 'bundle'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -64,7 +64,7 @@ jobs:
       cluster_operator_install_type: 'bundle'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -78,7 +78,7 @@ jobs:
       cluster_operator_install_type: 'bundle'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'
@@ -92,7 +92,7 @@ jobs:
       cluster_operator_install_type: 'bundle'
       timeout: 360
       strimzi_rbac_scope: NAMESPACE
-      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft'
+      strimzi_feature_gates: '-UnidirectionalTopicOperator,-UseKRaft,+UseServerSideApply'
       strimzi_use_node_pools_in_tests: "false"
       releaseVersion: '${{ parameters.releaseVersion }}'
       kafkaVersion: '${{ parameters.kafkaVersion }}'

CHANGELOG.md

@@ -6,6 +6,8 @@
 * The `KafkaNodePools` feature gate moves to GA stage and is permanently enabled without the possibility to disable it.
   To use the Kafka Node Pool resources, you still need to use the `strimzi.io/node-pools: enabled` annotation on the `Kafka` custom resources.
 * Added support for configuring the `externalIPs` field in node port type services.
+* Added support for [Server-Side Apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/) via `UseServerSideApply` feature gate. The feature is disabled by default.
+  If needed, `UseServerSideApply` can be enabled in the feature gates configuration in the Cluster Operator.
 
 ## 0.40.0
 

cluster-operator/src/main/java/io/strimzi/operator/cluster/FeatureGates.java

@@ -4,11 +4,12 @@
  */
 package io.strimzi.operator.cluster;
 
-import io.strimzi.operator.common.InvalidConfigurationException;
+import io.strimzi.operator.common.config.FeatureGate;
+import io.strimzi.operator.common.config.FeatureGatesParser;
 
 import java.util.List;
-
-import static java.util.Arrays.asList;
+import java.util.Map;
+import java.util.stream.Collectors;
 
 /**
  * Class for handling the configuration of feature gates
@@ -18,82 +19,42 @@ public class FeatureGates {
 
     private static final String USE_KRAFT = "UseKRaft";
     private static final String UNIDIRECTIONAL_TOPIC_OPERATOR = "UnidirectionalTopicOperator";
+    private static final String USE_SERVER_SIDE_APPLY = "UseServerSideApply";
 
-    // When adding new feature gates, do not forget to add them to allFeatureGates() and toString() methods
-    private final FeatureGate useKRaft = new FeatureGate(USE_KRAFT, true);
-    private final FeatureGate unidirectionalTopicOperator = new FeatureGate(UNIDIRECTIONAL_TOPIC_OPERATOR, true);
+    private final Map<String, FeatureGate> featureGates = Map.ofEntries(
+            Map.entry(USE_KRAFT, new FeatureGate(USE_KRAFT, true)),
+            Map.entry(UNIDIRECTIONAL_TOPIC_OPERATOR, new FeatureGate(UNIDIRECTIONAL_TOPIC_OPERATOR, true)),
+            Map.entry(USE_SERVER_SIDE_APPLY, new FeatureGate(USE_SERVER_SIDE_APPLY, false))
+    );
 
     /**
      * Constructs the feature gates configuration.
      *
      * @param featureGateConfig String with comma separated list of enabled or disabled feature gates
      */
     public FeatureGates(String featureGateConfig) {
-        if (featureGateConfig != null && !featureGateConfig.trim().isEmpty()) {
-            List<String> featureGates;
-
-            if (featureGateConfig.matches("(\\s*[+-][a-zA-Z0-9]+\\s*,)*\\s*[+-][a-zA-Z0-9]+\\s*")) {
-                featureGates = asList(featureGateConfig.trim().split("\\s*,+\\s*"));
-            } else {
-                throw new InvalidConfigurationException(featureGateConfig + " is not a valid feature gate configuration");
-            }
-
-            for (String featureGate : featureGates) {
-                boolean value = '+' == featureGate.charAt(0);
-                featureGate = featureGate.substring(1);
-
-                switch (featureGate) {
-                    case USE_KRAFT:
-                        setValueOnlyOnce(useKRaft, value);
-                        break;
-                    case UNIDIRECTIONAL_TOPIC_OPERATOR:
-                        setValueOnlyOnce(unidirectionalTopicOperator, value);
-                        break;
-                    default:
-                        throw new InvalidConfigurationException("Unknown feature gate " + featureGate + " found in the configuration");
-                }
-            }
-
-            validateInterDependencies();
-        }
-    }
-
-    /**
-     * Validates any dependencies between various feature gates. When the dependencies are not satisfied,
-     * InvalidConfigurationException is thrown.
-     */
-    private void validateInterDependencies()    {
-        // There are currently no interdependencies between different feature gates.
-        // But we keep this method as these might happen again in the future.
-    }
-
-    /**
-     * Sets the feature gate value if it was not set yet. But if it is already set, then it throws an exception. This
-     * helps to ensure that each feature gate is configured always only once.
-     *
-     * @param gate  Feature gate which is being configured
-     * @param value Value which should be set
-     */
-    private void setValueOnlyOnce(FeatureGate gate, boolean value) {
-        if (gate.isSet()) {
-            throw new InvalidConfigurationException("Feature gate " + gate.getName() + " is configured multiple times");
-        }
-
-        gate.setValue(value);
+        new FeatureGatesParser(featureGateConfig).applyFor(featureGates);
     }
 
     /**
      * @return  Returns true when the UseKRaft feature gate is enabled
      */
     public boolean useKRaftEnabled() {
-        return useKRaft.isEnabled();
+        return featureGates.get(USE_KRAFT).isEnabled();
     }
 
     /**
      * @return  Returns true when the UnidirectionalTopicOperator feature gate is enabled
      */
     public boolean unidirectionalTopicOperatorEnabled() {
-        return unidirectionalTopicOperator.isEnabled();
+        return featureGates.get(UNIDIRECTIONAL_TOPIC_OPERATOR).isEnabled();
+    }
+
+    /**
+     * @return  Returns true when the UseServerSideApply feature gate is enabled
+     */
+    public boolean useServerSideApply() {
+        return featureGates.get(USE_SERVER_SIDE_APPLY).isEnabled();
     }
 
     /**
@@ -102,74 +63,15 @@ public boolean unidirectionalTopicOperatorEnabled() {
      * @return  List of all Feature Gates
      */
     /*test*/ List<FeatureGate> allFeatureGates()  {
-        return List.of(
-                useKRaft,
-                unidirectionalTopicOperator
-        );
+        return featureGates.values().stream().toList();
     }
 
     @Override
     public String toString() {
-        return "FeatureGates(" +
-                "UseKRaft=" + useKRaft.isEnabled() + "," +
-                "UnidirectionalTopicOperator=" + unidirectionalTopicOperator.isEnabled() +
-                ")";
-    }
-
-    /**
-     * Feature gate class represents individual feature fate
-     */
-    static class FeatureGate {
-        private final String name;
-        private final boolean defaultValue;
-        private Boolean value = null;
-
-        /**
-         * Feature fate constructor
-         *
-         * @param name          Name of the feature gate
-         * @param defaultValue  Default value of the feature gate
-         */
-        FeatureGate(String name, boolean defaultValue) {
-            this.name = name;
-            this.defaultValue = defaultValue;
-        }
-
-        /**
-         * @return  The name of the feature gate
-         */
-        public String getName() {
-            return name;
-        }
-
-        /**
-         * @return  Returns true if the value for this feature gate is already set or false if it is still null
-         */
-        public boolean isSet() {
-            return value != null;
-        }
-
-        /**
-         * Sets the value of the feature gate
-         *
-         * @param value Value of the feature gate
-         */
-        public void setValue(boolean value) {
-            this.value = value;
-        }
-
-        /**
-         * @return  True if the feature gate is enabled. False otherwise.
-         */
-        public boolean isEnabled() {
-            return value == null ? defaultValue : value;
-        }
-
-        /**
-         * @return  Returns True if this feature gate is enabled by default. False otherwise.
-         */
-        public boolean isEnabledByDefault() {
-            return defaultValue;
-        }
+        String featureGatesValues = featureGates.entrySet()
+                .stream()
+                .map(featureGate -> featureGate.getKey() + "=" + featureGate.getValue().isEnabled())
+                .collect(Collectors.joining(","));
+        return "FeatureGates(%s)".formatted(featureGatesValues);
     }
 }

cluster-operator/src/main/java/io/strimzi/operator/cluster/Main.java

@@ -152,7 +152,8 @@ static CompositeFuture deployClusterOperatorVerticles(Vertx vertx, KubernetesCli
                 metricsProvider,
                 pfa,
                 config.getOperationTimeoutMs(),
-                config.getOperatorName()
+                config.getOperatorName(),
+                config.featureGates().useServerSideApply()
         );
 
         // Initialize the PodSecurityProvider factory to provide the user configured provider

cluster-operator/src/main/java/io/strimzi/operator/cluster/model/CertUtils.java

@@ -176,13 +176,19 @@ public static CertAndKey keyStoreCertAndKey(Secret secret, String keyCertName) {
      * changed. This method is used to evaluate whether rolling update of existing brokers is needed when secrets with
      * certificates change. It separates changes for existing certificates with other changes to the Secret such as
      * added or removed certificates (scale-up or scale-down).
+     * <p>
+     * Note: this method checks if secrets differ, not whether secret is being created for first time.
      *
      * @param current   Existing secret
      * @param desired   Desired secret
      *
      * @return  True if there is a key which exists in the data sections of both secrets and which changed.
      */
     public static boolean doExistingCertificatesDiffer(Secret current, Secret desired) {
+        if (current == null || desired == null) {
+            return false;
+        }
+
         Map<String, String> currentData = current.getData();
         Map<String, String> desiredData = desired.getData();
 

cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java

@@ -1088,6 +1088,10 @@ private Map<String, String> preparePodSetAnnotations(Storage storage)   {
         controllerAnnotations.put(ANNO_STRIMZI_IO_KAFKA_VERSION, kafkaVersion.version());
         controllerAnnotations.put(Annotations.ANNO_STRIMZI_IO_STORAGE, ModelUtils.encodeStorageToJson(storage));
 
+        //Take ownership of the rolling update annotation (for SSA) and reset it
+        //as (potential) one-time roll was already ran by reconcile loop run if it was needed.
+        controllerAnnotations.put(Annotations.ANNO_STRIMZI_IO_MANUAL_ROLLING_UPDATE, "false");
+
         return controllerAnnotations;
     }
 

cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ZookeeperCluster.java

@@ -409,7 +409,12 @@ public StrimziPodSet generatePodSet(int replicas,
                 ownerReference,
                 templatePodSet,
                 replicas,
-                Map.of(Annotations.ANNO_STRIMZI_IO_STORAGE, ModelUtils.encodeStorageToJson(storage)),
+                Map.of(
+                        Annotations.ANNO_STRIMZI_IO_STORAGE, ModelUtils.encodeStorageToJson(storage),
+                        //Take ownership of the rolling update annotation (for SSA) and reset it
+                        //as (potential) one-time roll was already ran by reconcile loop run if it was needed.
+                        Annotations.ANNO_STRIMZI_IO_MANUAL_ROLLING_UPDATE, "false"
+                ),
                 labels.strimziSelectorLabels(),
                 podNum -> WorkloadUtils.createStatefulPod(
                         reconciliation,