Prevent perpetual reconcile by hardcoding K8s-defaulted fields in component specs

The K8s API server fills zero-value fields with defaults when a resource is
written. Mutators using reflect.DeepEqual then see a mismatch between the
desired spec (Go zero values) and the live spec (K8s-filled defaults),
triggering an update on every reconcile cycle.

Explicitly set all K8s-defaulted fields in every component Deployment spec:

- Probe fields: Scheme, TimeoutSeconds, PeriodSeconds, SuccessThreshold,
  FailureThreshold
- Container / init-container fields: TerminationMessagePath,
  TerminationMessagePolicy, ImagePullPolicy (init containers are most
  sensitive — DeploymentPodInitContainerMutator does a full struct DeepEqual)
- Pod spec fields: RestartPolicy, DNSPolicy, SecurityContext,
  TerminationGracePeriodSeconds, SchedulerName
- Volume source fields: DefaultMode on Secret, ConfigMap, and Projected
  volume sources
- Use nil (not []T{}) for optional volume/volumemount slices so
  reflect.DeepEqual treats K8s-normalised absent and locally-absent the same

Extend UpdateResource to log the object's namespace and APIManager owner
name as structured fields, enabling the integration test's ReconcileCounter
to attribute each Deployment update to the correct CR instance.

Add ReconcileCounter and verifyNoDeploymentUpdates to the integration test
suite to assert ≤50 total Deployment update calls per APIManager install,
providing a regression test for this class of bug.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: borisurbanik

controllers/apps/apimanager_controller.go

@@ -160,7 +160,7 @@ func (r *APIManagerReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return res, nil
 	}
 
-	specResult, specErr := r.reconcileAPIManagerLogic(instance)
+	specResult, specErr := r.reconcileAPIManagerLogic(r.WithRequest(req), instance)
 	statusResult, statusErr := r.reconcileAPIManagerStatus(instance, preflightChecksError)
 	if statusErr != nil {
 		return ctrl.Result{}, statusErr
@@ -402,8 +402,8 @@ func (r *APIManagerReconciler) setAPIManagerDefaults(cr *appsv1alpha1.APIManager
 	return ctrl.Result{Requeue: updated}, err
 }
 
-func (r *APIManagerReconciler) reconcileAPIManagerLogic(cr *appsv1alpha1.APIManager) (reconcile.Result, error) {
-	baseAPIManagerLogicReconciler := operator.NewBaseAPIManagerLogicReconciler(r.BaseReconciler, cr)
+func (r *APIManagerReconciler) reconcileAPIManagerLogic(b *reconcilers.BaseReconciler, cr *appsv1alpha1.APIManager) (reconcile.Result, error) {
+	baseAPIManagerLogicReconciler := operator.NewBaseAPIManagerLogicReconciler(b, cr)
 	imageReconciler := operator.NewAMPImagesReconciler(baseAPIManagerLogicReconciler)
 	result, err := imageReconciler.Reconcile()
 	if err != nil || result.Requeue {

go.mod

@@ -28,6 +28,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.7.0
 	github.com/stretchr/testify v1.9.0
+	go.uber.org/zap v1.26.0
 	golang.org/x/mod v0.19.0
 	k8s.io/api v0.29.0
 	k8s.io/apimachinery v0.29.0
@@ -101,7 +102,6 @@ require (
 	github.com/subosito/gotenv v1.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.33.0 // indirect

pkg/3scale/amp/component/apicast.go

@@ -17,6 +17,7 @@ import (
 	policyv1 "k8s.io/api/policy/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -139,36 +140,49 @@ func (apicast *Apicast) StagingDeployment(ctx context.Context, k8sclient client.
 					Annotations: apicast.stagingPodAnnotations(watchedSecretAnnotations),
 				},
 				Spec: v1.PodSpec{
-					Affinity:           apicast.Options.StagingAffinity,
-					Tolerations:        apicast.Options.StagingTolerations,
-					ServiceAccountName: "amp",
-					Volumes:            apicast.stagingVolumes(),
+					Affinity:                      apicast.Options.StagingAffinity,
+					Tolerations:                   apicast.Options.StagingTolerations,
+					ServiceAccountName:            "amp",
+					RestartPolicy:                 v1.RestartPolicyAlways,
+					DNSPolicy:                     v1.DNSClusterFirst,
+					SecurityContext:               &v1.PodSecurityContext{},
+					TerminationGracePeriodSeconds: ptr.To(int64(v1.DefaultTerminationGracePeriodSeconds)),
+					SchedulerName:                 v1.DefaultSchedulerName,
+					Volumes:                       apicast.stagingVolumes(),
 					Containers: []v1.Container{
 						{
-							Ports:           apicast.stagingContainerPorts(),
-							Env:             apicast.buildApicastStagingEnv(),
-							Image:           containerImage,
-							ImagePullPolicy: v1.PullIfNotPresent,
-							Name:            ApicastStagingName,
-							Resources:       apicast.Options.StagingResourceRequirements,
-							VolumeMounts:    apicast.stagingVolumeMounts(),
+							Ports:                    apicast.stagingContainerPorts(),
+							Env:                      apicast.buildApicastStagingEnv(),
+							Image:                    containerImage,
+							ImagePullPolicy:          v1.PullIfNotPresent,
+							Name:                     ApicastStagingName,
+							Resources:                apicast.Options.StagingResourceRequirements,
+							VolumeMounts:             apicast.stagingVolumeMounts(),
+							TerminationMessagePath:   v1.TerminationMessagePathDefault,
+							TerminationMessagePolicy: v1.TerminationMessageReadFile,
 							LivenessProbe: &v1.Probe{
 								ProbeHandler: v1.ProbeHandler{HTTPGet: &v1.HTTPGetAction{
-									Path: "/status/live",
-									Port: intstr.FromInt32(8090),
+									Path:   "/status/live",
+									Port:   intstr.FromInt32(8090),
+									Scheme: v1.URISchemeHTTP,
 								}},
 								InitialDelaySeconds: 10,
 								TimeoutSeconds:      5,
 								PeriodSeconds:       10,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 							ReadinessProbe: &v1.Probe{
 								ProbeHandler: v1.ProbeHandler{HTTPGet: &v1.HTTPGetAction{
-									Path: "/status/ready",
-									Port: intstr.FromInt32(8090),
+									Path:   "/status/ready",
+									Port:   intstr.FromInt32(8090),
+									Scheme: v1.URISchemeHTTP,
 								}},
 								InitialDelaySeconds: 15,
 								TimeoutSeconds:      5,
 								PeriodSeconds:       30,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 						},
 					},
@@ -219,15 +233,23 @@ func (apicast *Apicast) ProductionDeployment(ctx context.Context, k8sclient clie
 					Annotations: apicast.productionPodAnnotations(watchedSecretAnnotations),
 				},
 				Spec: v1.PodSpec{
-					Affinity:           apicast.Options.ProductionAffinity,
-					Tolerations:        apicast.Options.ProductionTolerations,
-					ServiceAccountName: "amp",
-					Volumes:            apicast.productionVolumes(),
+					Affinity:                      apicast.Options.ProductionAffinity,
+					Tolerations:                   apicast.Options.ProductionTolerations,
+					ServiceAccountName:            "amp",
+					RestartPolicy:                 v1.RestartPolicyAlways,
+					DNSPolicy:                     v1.DNSClusterFirst,
+					SecurityContext:               &v1.PodSecurityContext{},
+					TerminationGracePeriodSeconds: ptr.To(int64(v1.DefaultTerminationGracePeriodSeconds)),
+					SchedulerName:                 v1.DefaultSchedulerName,
+					Volumes:                       apicast.productionVolumes(),
 					InitContainers: []v1.Container{
 						{
-							Name:    ApicastProductionInitContainerName,
-							Image:   containerImage,
-							Command: []string{"sh", "-c", "until $(curl --output /dev/null --silent --fail --head http://system-master:3000/status); do sleep $SLEEP_SECONDS; done"},
+							Name:                     ApicastProductionInitContainerName,
+							Image:                    containerImage,
+							ImagePullPolicy:          v1.PullIfNotPresent,
+							Command:                  []string{"sh", "-c", "until $(curl --output /dev/null --silent --fail --head http://system-master:3000/status); do sleep $SLEEP_SECONDS; done"},
+							TerminationMessagePath:   v1.TerminationMessagePathDefault,
+							TerminationMessagePolicy: v1.TerminationMessageReadFile,
 							Env: []v1.EnvVar{
 								{
 									Name:  "SLEEP_SECONDS",
@@ -238,30 +260,38 @@ func (apicast *Apicast) ProductionDeployment(ctx context.Context, k8sclient clie
 					},
 					Containers: []v1.Container{
 						{
-							Ports:           apicast.productionContainerPorts(),
-							Env:             apicast.buildApicastProductionEnv(),
-							Image:           containerImage,
-							ImagePullPolicy: v1.PullIfNotPresent,
-							Name:            ApicastProductionName,
-							Resources:       apicast.Options.ProductionResourceRequirements,
-							VolumeMounts:    apicast.productionVolumeMounts(),
+							Ports:                    apicast.productionContainerPorts(),
+							Env:                      apicast.buildApicastProductionEnv(),
+							Image:                    containerImage,
+							ImagePullPolicy:          v1.PullIfNotPresent,
+							Name:                     ApicastProductionName,
+							Resources:                apicast.Options.ProductionResourceRequirements,
+							VolumeMounts:             apicast.productionVolumeMounts(),
+							TerminationMessagePath:   v1.TerminationMessagePathDefault,
+							TerminationMessagePolicy: v1.TerminationMessageReadFile,
 							LivenessProbe: &v1.Probe{
 								ProbeHandler: v1.ProbeHandler{HTTPGet: &v1.HTTPGetAction{
-									Path: "/status/live",
-									Port: intstr.FromInt32(8090),
+									Path:   "/status/live",
+									Port:   intstr.FromInt32(8090),
+									Scheme: v1.URISchemeHTTP,
 								}},
 								InitialDelaySeconds: 10,
 								TimeoutSeconds:      5,
 								PeriodSeconds:       10,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 							ReadinessProbe: &v1.Probe{
 								ProbeHandler: v1.ProbeHandler{HTTPGet: &v1.HTTPGetAction{
-									Path: "/status/ready",
-									Port: intstr.FromInt32(8090),
+									Path:   "/status/ready",
+									Port:   intstr.FromInt32(8090),
+									Scheme: v1.URISchemeHTTP,
 								}},
 								InitialDelaySeconds: 15,
 								TimeoutSeconds:      5,
 								PeriodSeconds:       30,
+								SuccessThreshold:    1,
+								FailureThreshold:    3,
 							},
 						},
 					},
@@ -618,7 +648,8 @@ func (apicast *Apicast) productionVolumes() []v1.Volume {
 			Name: customPolicy.VolumeName(),
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: customPolicy.Secret.Name,
+					SecretName:  customPolicy.Secret.Name,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -636,6 +667,7 @@ func (apicast *Apicast) productionVolumes() []v1.Volume {
 							Path: apicast.Options.ProductionTracingConfig.VolumeName(),
 						},
 					},
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -646,8 +678,9 @@ func (apicast *Apicast) productionVolumes() []v1.Volume {
 			Name: OpentelemetryConfigurationVolumeName,
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: apicast.Options.ProductionOpentelemetry.Secret.Name,
-					Optional:   &[]bool{false}[0],
+					SecretName:  apicast.Options.ProductionOpentelemetry.Secret.Name,
+					Optional:    &[]bool{false}[0],
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -658,7 +691,8 @@ func (apicast *Apicast) productionVolumes() []v1.Volume {
 			Name: customEnvVolumeName(customEnvSecret),
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: customEnvSecret.GetName(),
+					SecretName:  customEnvSecret.GetName(),
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -669,7 +703,8 @@ func (apicast *Apicast) productionVolumes() []v1.Volume {
 			Name: HTTPSCertificatesVolumeName,
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: *apicast.Options.ProductionHTTPSCertificateSecretName,
+					SecretName:  *apicast.Options.ProductionHTTPSCertificateSecretName,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -686,7 +721,8 @@ func (apicast *Apicast) stagingVolumes() []v1.Volume {
 			Name: customPolicy.VolumeName(),
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: customPolicy.Secret.Name,
+					SecretName:  customPolicy.Secret.Name,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -704,6 +740,7 @@ func (apicast *Apicast) stagingVolumes() []v1.Volume {
 							Path: apicast.Options.StagingTracingConfig.VolumeName(),
 						},
 					},
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -714,8 +751,9 @@ func (apicast *Apicast) stagingVolumes() []v1.Volume {
 			Name: OpentelemetryConfigurationVolumeName,
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: apicast.Options.StagingOpentelemetry.Secret.Name,
-					Optional:   &[]bool{false}[0],
+					SecretName:  apicast.Options.StagingOpentelemetry.Secret.Name,
+					Optional:    &[]bool{false}[0],
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -726,7 +764,8 @@ func (apicast *Apicast) stagingVolumes() []v1.Volume {
 			Name: customEnvVolumeName(customEnvSecret),
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: customEnvSecret.GetName(),
+					SecretName:  customEnvSecret.GetName(),
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})
@@ -737,7 +776,8 @@ func (apicast *Apicast) stagingVolumes() []v1.Volume {
 			Name: HTTPSCertificatesVolumeName,
 			VolumeSource: v1.VolumeSource{
 				Secret: &v1.SecretVolumeSource{
-					SecretName: *apicast.Options.StagingHTTPSCertificateSecretName,
+					SecretName:  *apicast.Options.StagingHTTPSCertificateSecretName,
+					DefaultMode: ptr.To(v1.SecretVolumeSourceDefaultMode),
 				},
 			},
 		})