Gate compute-service deletion on agent pods being evicted

A running nova-compute pod would re-register the service immediately
after deletion, undoing the offboarding. Introduce AgentPodsEvicted
condition computed by HypervisorController and block service deletion
in the offboarding controller until it is True.

The condition is only evaluated once VM eviction has finished
(Evicting=False) and the offboarding taint is present on the node.
Pods are listed per-namespace via --agent-namespaces (chart default:
monsoon3; the operator refuses to start without it) in pages of 100,
with the pod cache disabled so the operator does not start a
cluster-wide pod informer. RequeueAfter is used to poll since pods
are not watched.

Author: fwiesel

api/v1/hypervisor_types.go

@@ -71,6 +71,11 @@ const (
 
 	// ConditionTypeAggregatesUpdated is the type of condition for aggregates updated status of a hypervisor
 	ConditionTypeAggregatesUpdated = "AggregatesUpdated"
+
+	// ConditionTypeAgentPodsEvicted gates compute-service deletion during
+	// offboarding: a running nova-compute pod would otherwise re-register
+	// the service we are about to delete.
+	ConditionTypeAgentPodsEvicted = "AgentPodsEvicted"
 )
 
 // Condition Reasons

charts/openstack-hypervisor-operator/templates/deployment.yaml

@@ -45,6 +45,8 @@ spec:
           value: {{ quote .Values.controllerManager.manager.env.certificateIssuerName }}
         - name: LABEL_SELECTOR
           value: {{ quote .Values.controllerManager.manager.env.labelSelector }}
+        - name: AGENT_NAMESPACES
+          value: {{ quote .Values.controllerManager.manager.env.agentNamespaces }}
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
         image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Chart.AppVersion }}

charts/openstack-hypervisor-operator/templates/role.yaml

@@ -20,6 +20,12 @@ rules:
   - nodes/status
   verbs:
   - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
 - apiGroups:
   - apps
   resources:

charts/openstack-hypervisor-operator/values.yaml

@@ -7,6 +7,7 @@ controllerManager:
     - --certificate-namespace=$(CERTIFICATE_NAMESPACE)
     - --certificate-issuer-name=$(CERTIFICATE_ISSUER_NAME)
     - --label-selector=$(LABEL_SELECTOR)
+    - --agent-namespaces=$(AGENT_NAMESPACES)
     containerSecurityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -16,6 +17,7 @@ controllerManager:
       certificateIssuerName: nova-hypervisor-agents-ca-issuer
       certificateNamespace: monsoon3
       labelSelector: ""
+      agentNamespaces: "monsoon3"
       osAuthUrl: ""
       osProjectDomainName: ""
       osProjectName: ""

cmd/main.go

@@ -25,6 +25,7 @@ import (
 	"fmt"
 	"os"
 	gruntime "runtime"
+	"strings"
 
 	"github.com/sapcc/go-api-declarations/bininfo"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -97,6 +98,10 @@ func main() {
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	flag.StringVar(&global.LabelSelector, "label-selector", "", "Label selector to filter watched resources (namely nodes).")
 
+	var agentNamespacesFlag string
+	flag.StringVar(&agentNamespacesFlag, "agent-namespaces", "",
+		"Comma-separated list of namespaces to search for agent pods (nova-compute, neutron) during offboarding.")
+
 	flag.StringVar(&certificateNamespace, "certificate-namespace", "monsoon3", "The namespace for the certificates. ")
 	flag.StringVar(&certificateIssuerName, "certificate-issuer-name", "nova-hypervisor-agents-ca-issuer",
 		"Name of the certificate issuer.")
@@ -111,13 +116,38 @@ func main() {
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 
+	// Handle --version before validating required runtime flags so that
+	// `./manager --version` works without providing --agent-namespaces.
 	if version {
 		fmt.Printf("%s %s (%s/%s) %s\n",
 			bininfo.Component(), bininfo.VersionOr("devel"), gruntime.GOOS, gruntime.GOARCH,
 			bininfo.CommitOr("edge"))
 		os.Exit(0)
 	}
 
+	if agentNamespacesFlag != "" {
+		// Deduplicate. Without this, repeated entries (e.g. from templated
+		// values) would cause redundant pod-list calls and inflate the
+		// AgentPodsEvicted condition message with duplicate pod names.
+		seen := map[string]struct{}{}
+		for ns := range strings.SplitSeq(agentNamespacesFlag, ",") {
+			ns = strings.TrimSpace(ns)
+			if ns == "" {
+				continue
+			}
+			if _, ok := seen[ns]; ok {
+				continue
+			}
+			seen[ns] = struct{}{}
+			global.AgentNamespaces = append(global.AgentNamespaces, ns)
+		}
+	}
+
+	if len(global.AgentNamespaces) == 0 {
+		setupLog.Error(errors.New("--agent-namespaces is required"), "invalid configuration")
+		os.Exit(1)
+	}
+
 	if certificateIssuerName == "" {
 		setupLog.Error(errors.New("certificate-issuer-name cannot be empty"), "invalid certificate issuer name")
 		os.Exit(1)
@@ -226,6 +256,13 @@ func main() {
 
 		// Optionally configure the cache to listen/watch for specific labeled resources only
 		Cache: cacheOptions,
+		// Pods are listed directly (not cached) to avoid a cluster-wide pod
+		// informer — a single large namespace would cause an OOM on startup.
+		Client: client.Options{
+			Cache: &client.CacheOptions{
+				DisableFor: []client.Object{&corev1.Pod{}},
+			},
+		},
 	})
 
 	if err != nil {

go.mod

@@ -43,7 +43,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/logr v1.4.3
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect

internal/controller/hypervisor_controller.go

@@ -21,13 +21,17 @@ import (
 	"context"
 	"fmt"
 	"slices"
+	"sort"
 	"strings"
+	"time"
 
+	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -69,6 +73,7 @@ type HypervisorController struct {
 
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=nodes/status,verbs=get
+// +kubebuilder:rbac:groups="",resources=pods,verbs=list
 // +kubebuilder:rbac:groups=kvm.cloud.sap,resources=hypervisors,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=kvm.cloud.sap,resources=hypervisors/status,verbs=get;update;patch
 
@@ -100,8 +105,22 @@ func (hv *HypervisorController) Reconcile(ctx context.Context, req ctrl.Request)
 		}
 		// continue with creation
 	} else {
-		// update Status if needed
-		base := hypervisor.DeepCopy()
+		// First, propagate spec/metadata derived from the Node (labels,
+		// annotations -> aggregates/traits, lifecycle). This must run on
+		// every reconcile, including those where status will also change
+		// (e.g. AgentPodsEvicted=False during termination); otherwise the
+		// Hypervisor spec/labels go stale.
+		specBase := hypervisor.DeepCopy()
+		syncLabelsAndAnnotations(nodeLabels, hypervisor, node)
+		if !equality.Semantic.DeepEqual(hypervisor, specBase) {
+			if err := hv.Patch(ctx, hypervisor, k8sclient.MergeFromWithOptions(specBase,
+				k8sclient.MergeFromWithOptimisticLock{}), k8sclient.FieldOwner(HypervisorControllerName)); err != nil {
+				return ctrl.Result{}, err
+			}
+		}
+
+		// Then, compute and persist any status changes derived from the Node.
+		statusBase := hypervisor.DeepCopy()
 
 		// transfer internal IP
 		for _, address := range node.Status.Addresses {
@@ -123,26 +142,43 @@ func (hv *HypervisorController) Reconcile(ctx context.Context, req ctrl.Request)
 			})
 		}
 
-		if !equality.Semantic.DeepEqual(hypervisor, base) {
+		// Only evaluate after VM eviction; a spurious True on a fresh node
+		// (agents not yet scheduled) would be misleading.
+		var statusRequeueAfter time.Duration
+		if hypervisor.Spec.Maintenance == kvmv1.MaintenanceTermination &&
+			meta.IsStatusConditionFalse(hypervisor.Status.Conditions, kvmv1.ConditionTypeEvicting) &&
+			nodeHasOffboardingTaint(node) {
+			cond, err := hv.computeAgentPodsEvictedCondition(ctx, log, node.Name)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to compute %s condition: %w", kvmv1.ConditionTypeAgentPodsEvicted, err)
+			}
+			meta.SetStatusCondition(&hypervisor.Status.Conditions, cond)
+			if cond.Status == metav1.ConditionFalse {
+				// No pod watch — rely on periodic requeue.
+				statusRequeueAfter = defaultPollTime
+			}
+		}
+
+		if !equality.Semantic.DeepEqual(hypervisor, statusBase) {
 			// Capture values to apply - only mutate fields this controller owns
 			newInternalIP := hypervisor.Status.InternalIP
 			terminatingCondition := meta.FindStatusCondition(hypervisor.Status.Conditions, kvmv1.ConditionTypeTerminating)
+			agentPodsCondition := meta.FindStatusCondition(hypervisor.Status.Conditions, kvmv1.ConditionTypeAgentPodsEvicted)
 
-			return ctrl.Result{}, utils.PatchHypervisorStatusWithRetry(ctx, hv.Client, hypervisor.Name, HypervisorControllerName, func(h *kvmv1.Hypervisor) {
+			if err := utils.PatchHypervisorStatusWithRetry(ctx, hv.Client, hypervisor.Name, HypervisorControllerName, func(h *kvmv1.Hypervisor) {
 				h.Status.InternalIP = newInternalIP
 				if terminatingCondition != nil {
 					meta.SetStatusCondition(&h.Status.Conditions, *terminatingCondition)
 				}
-			})
-		}
-
-		syncLabelsAndAnnotations(nodeLabels, hypervisor, node)
-		if equality.Semantic.DeepEqual(hypervisor, base) {
-			return ctrl.Result{}, nil
+				if agentPodsCondition != nil {
+					meta.SetStatusCondition(&h.Status.Conditions, *agentPodsCondition)
+				}
+			}); err != nil {
+				return ctrl.Result{}, err
+			}
 		}
 
-		return ctrl.Result{}, hv.Patch(ctx, hypervisor, k8sclient.MergeFromWithOptions(base,
-			k8sclient.MergeFromWithOptimisticLock{}), k8sclient.FieldOwner(HypervisorControllerName))
+		return ctrl.Result{RequeueAfter: statusRequeueAfter}, nil
 	}
 
 	syncLabelsAndAnnotations(nodeLabels, hypervisor, node)
@@ -262,3 +298,89 @@ func transportLabels(source, destination *metav1.ObjectMeta) {
 		}
 	}
 }
+
+// nodeHasOffboardingTaint reports whether the offboarding NoExecute taint has
+// been applied to the node. The pod list is only meaningful after that point —
+// before it, no agents have been evicted yet.
+func nodeHasOffboardingTaint(node *corev1.Node) bool {
+	for _, t := range node.Spec.Taints {
+		if t.Key == taintKeyOffboarding && t.Effect == corev1.TaintEffectNoExecute {
+			return true
+		}
+	}
+	return false
+}
+
+// computeAgentPodsEvictedCondition checks whether pods that would be evicted
+// by the offboarding taint are still running. Only call once Evicting=False.
+func (hv *HypervisorController) computeAgentPodsEvictedCondition(ctx context.Context, log logr.Logger, nodeName string) (metav1.Condition, error) {
+	offboardingTaint := corev1.Taint{
+		Key:    taintKeyOffboarding,
+		Effect: corev1.TaintEffectNoExecute,
+	}
+
+	var agentPods []string
+	for _, ns := range global.AgentNamespaces {
+		var continueToken string
+		for {
+			pods := &corev1.PodList{}
+			if err := hv.List(ctx, pods,
+				k8sclient.InNamespace(ns),
+				k8sclient.MatchingFieldsSelector{
+					Selector: fields.OneTermEqualSelector("spec.nodeName", nodeName),
+				},
+				&k8sclient.ListOptions{Limit: 100, Continue: continueToken},
+			); err != nil {
+				return metav1.Condition{}, fmt.Errorf("failed to list pods on node %s in namespace %q: %w", nodeName, ns, err)
+			}
+
+			for _, pod := range pods.Items {
+				if pod.Status.Phase == corev1.PodSucceeded || pod.Status.Phase == corev1.PodFailed {
+					continue
+				}
+				if podToleratesTaint(log, &pod, &offboardingTaint) {
+					continue
+				}
+				agentPods = append(agentPods, pod.Namespace+"/"+pod.Name)
+			}
+
+			if pods.Continue == "" {
+				break
+			}
+			continueToken = pods.Continue
+		}
+	}
+
+	if len(agentPods) == 0 {
+		return metav1.Condition{
+			Type:    kvmv1.ConditionTypeAgentPodsEvicted,
+			Status:  metav1.ConditionTrue,
+			Reason:  "NoAgentPods",
+			Message: "No agent pods are running on this node",
+		}, nil
+	}
+
+	sort.Strings(agentPods)
+	return metav1.Condition{
+		Type:    kvmv1.ConditionTypeAgentPodsEvicted,
+		Status:  metav1.ConditionFalse,
+		Reason:  "AgentPodsRunning",
+		Message: fmt.Sprintf("%d agent pod(s) still running on node: %s", len(agentPods), strings.Join(agentPods, ", ")),
+	}, nil
+}
+
+// podToleratesTaint reports whether the pod tolerates the taint indefinitely.
+// Tolerations with a finite TolerationSeconds are excluded: the pod will
+// eventually be evicted and must not be treated as safe to ignore.
+func podToleratesTaint(log logr.Logger, pod *corev1.Pod, taint *corev1.Taint) bool {
+	for i := range pod.Spec.Tolerations {
+		t := &pod.Spec.Tolerations[i]
+		if t.TolerationSeconds != nil {
+			continue
+		}
+		if t.ToleratesTaint(log, taint, false) {
+			return true
+		}
+	}
+	return false
+}