HYPERFLEET-1122 - feat: add PodDisruptionBudgets for maestro deployments

[ldornele]

Summary

Adds PodDisruptionBudgets (PDBs) for all four Maestro deployments to protect against voluntary disruptions during cluster operations (node drains, upgrades, kubectl drain).

Changes

• New file: helm/maestro/templates/pdb.yaml
  • 4 PDBs created (maestro-pdb, maestro-db-pdb, maestro-mqtt-pdb, maestro-agent-pdb)
  • Each PDB configured with minAvailable: 1
  • Selectors match actual pod labels from deployment templates

Validation

✅ Acceptance Criteria

1. Four PDBs created with correct configuration:

$ kubectl get pdb -n maestro
NAME                MIN AVAILABLE   MAX UNAVAILABLE   ALLOWED DISRUPTIONS   AGE
maestro-agent-pdb   1               N/A               0                     2m39s
maestro-db-pdb      1               N/A               0                     2m39s
maestro-mqtt-pdb    1               N/A               0                     2m39s
maestro-pdb         1               N/A               0                     2m39s

2. PDBs protect pods from voluntary eviction:

$ kubectl drain $NODE --ignore-daemonsets --delete-emptydir-data
error when evicting pods/"maestro-6cbf645685-bdx56" -n "maestro" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"maestro-agent-6876cb6c7d-d2hbk" -n "maestro" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"maestro-mqtt-568559b686-5frxs" -n "maestro" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
error when evicting pods/"maestro-db-996ddd9cc-tkgtm" -n "maestro" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.

All four deployments are protected — eviction blocked until replicas scale up or PDB conditions are met.

Technical Notes

• Uses policy/v1 API (GA since Kubernetes 1.21, stable across all supported OpenShift versions)
• PDB selectors match deployment pod labels:
  • maestro-pdb: app: maestro, app.kubernetes.io/name: server
  • maestro-agent-pdb: app: maestro-agent, app.kubernetes.io/name: agent
  • maestro-db-pdb: name: maestro-db
  • maestro-mqtt-pdb: name: maestro-mqtt

Testing

• helm template renders 4 valid PDBs with correct selectors
• Deployed to test cluster, verified kubectl get pdb shows all 4
• kubectl drain correctly blocks pod eviction

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6b4d01c1-3862-4265-857f-9b8c6e616250

📥 Commits

Reviewing files that changed from the base of the PR and between e96b63d and 6dfbf04.

📒 Files selected for processing (1)

• helm/maestro/templates/pdb.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

---

📝 Walkthrough

Summary by CodeRabbit

• New Features
  • Added disruption protection for core application components using Kubernetes PodDisruptionBudgets.
  • Protection is configured separately for the main service, agent, database, and messaging components, and is enabled based on the corresponding Helm settings.

Walkthrough

Adds conditional PodDisruptionBudget manifests for the Maestro server, PostgreSQL, Mosquitto, and agent. Each resource sets minAvailable: 1 and uses component-specific selectors and Helm metadata.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly names the main change: adding PodDisruptionBudgets for Maestro deployments.
Description check	✅ Passed	The description matches the change set and accurately describes the new PDB resources and validation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No non-test/example log/echo statements interpolate or field token/password/credential/secret; PR only adds Helm PDB YAML. CWE-532 not triggered.
No Hardcoded Secrets	✅ Passed	No CWE-798/CWE-321 indicators: the new PDB template has only labels/selectors and no secret-like literals, base64 blobs, or embedded credentials.
No Weak Cryptography	✅ Passed	PASS: helm/maestro/templates/pdb.yaml only defines Kubernetes PDBs; no md5/des/rc4/SHA1-for-security, ECB, custom crypto, or secret comparisons (CWE-327/328/916).
No Injection Vectors	✅ Passed	PASS: The new Helm template is static PodDisruptionBudget YAML; no SQL string concat, exec.Command, template.HTML, or yaml.Unmarshal paths appear in the change.
No Privileged Containers	✅ Passed	No privileged-container flags found in helm/maestro/templates/pdb.yaml or the Helm tree; the new manifest only defines policy/v1 PodDisruptionBudgets (CWE-250/CWE-732 not triggered).
No Pii Or Sensitive Data In Logs	✅ Passed	PASS: The only changed file is a Helm PDB template; no slog/logr/zap/fmt.Print* calls or raw data logging were added, so no CWE-532 exposure.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

_{Comment @coderabbitai help to get the list of available commands.}

[rh-amarin]

Bug: | default true makes this guard always true — server PDB can't be disabled

{{- if .Values.server.enabled | default true }}

In Helm, default replaces any falsy value, including explicit false. So server.enabled: false in values evaluates to false | default true → true. The block always renders.

The other three guards do not have this issue. Either drop the | default true:

Suggested change

	{{- if .Values.server.enabled | default true }}
	{{- if .Values.server.enabled }}

Or, since values.yaml does not define server.enabled and the server is always-on, remove the guard entirely and make the server PDB unconditional (matching how postgresql/mosquitto behave when enabled).

[ldornele]

Fixed by removing | default true to match the other three guards. TY

[rh-amarin]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rh-amarin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rh-amarin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment