cass-operator's `spec.podTemplateSpec.spec.tolerations` is overwritten by `spec.tolerations` without error message

[hoyhbx]

What happened?

We were specify the tolerations for the podTemplateSpec through the field spec.podTemplateSpec.spec.tolerations but our configuration was overwritten by another field in the CR spec.tolerations without notice or warning.

Did you expect to see something different?

We expect our input to be rejected with clear error message up front, if the desired behavior of the handling of spec.podTemplateSpec.spec.tolerations is to be overwritten by spec.tolerations.

How to reproduce it (as minimally and precisely as possible):

1. Deploy the cass-operator
2. Deploy CassandraDB with the following CR yaml

   apiVersion: cassandra.datastax.com/v1beta1
   kind: CassandraDatacenter
   metadata:
   name: test-cluster
   spec:
   clusterName: cluster1
   podTemplateSpec:
   spec:
     containers: []
     tolerations:
     - effect: NoSchedule
       key: node-role.kubernetes.io/control-plane
       operator: Exists

Environment

• Cass Operator version:

  v1.10.3

• Kubernetes version information:

  Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:41:01Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-19T15:39:43Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}

• Kubernetes cluster kind:

  kind

• Manifests:

Shown above in the reproduce section

• Cass Operator Logs:

insert Cass Operator logs relevant to the issue here

Anything else we need to know?: The root cause is at https://github.com/k8ssandra/cass-operator/blob/a6054d271b7034ab06fd97be9472b693ed523e49/pkg/reconciliation/construct_podtemplatespec.go#L635

One possible fix is to add a check in the admission webhook which rejects the CR if the field spec.podTemplateSpec.spec.tolerations is not empty. An alternative is to add a error level log message near https://github.com/k8ssandra/cass-operator/blob/a6054d271b7034ab06fd97be9472b693ed523e49/pkg/reconciliation/construct_podtemplatespec.go#L635 to print error in log to indicate that the toleration is overwritten by another field.

┆Issue is synchronized with this Jira Story by Unito

[burmanm]

The usage of PodTemplateSpec in cass-operator is generally undocumented and not recommended, there are multiple fields which are overwritten or modified without passing them directly to the pods and that's by design. For normal use cases, there should be no need to use PodTemplateSpec.

The controller-runtime does not allow warning validations in webhooks as of yet without a significant rewrite, until https://github.com/kubernetes-sigs/controller-runtime/issues/1896 is implemented.

We would probably add a warning for all PodTemplateSpec usages. As of now, we do not intend to support it or ensure backwards compatibility when using PodTemplateSpec. If you have a real reason to use it which isn't supported otherwise in the CRD, please create a feature request.