operator: fix endless reconciliation loops

some objects stay on a endless reconciliation loops because we
don't configure all the fields and they will differ later when
k8s updates them to defaults.

this commit fixes such problem.

Author: mangelajo

Makefile

@@ -174,9 +174,14 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 deploy: docker-build cluster grpcurl
 	./hack/deploy_with_helm.sh
 
+.PHONY: deploy-with-operator
 deploy-with-operator: docker-build build-operator cluster grpcurl
 	./hack/deploy_with_operator.sh
 
+.PHONY: operator-logs
+operator-logs:
+	kubectl logs -n jumpstarter-operator-system -l app.kubernetes.io/name=jumpstarter-operator -f
+
 deploy-with-operator-parallel:
 	make deploy-with-operator -j5 --output-sync=target
 

deploy/operator/go.mod

@@ -3,9 +3,11 @@ module github.com/jumpstarter-dev/jumpstarter-controller/deploy/operator
 go 1.24.0
 
 require (
+	github.com/go-logr/logr v1.4.2
 	github.com/jumpstarter-dev/jumpstarter-controller v0.7.1
 	github.com/onsi/ginkgo/v2 v2.22.2
 	github.com/onsi/gomega v1.36.2
+	github.com/pmezard/go-difflib v1.0.0
 	k8s.io/api v0.33.0
 	k8s.io/apimachinery v0.33.0
 	k8s.io/apiserver v0.33.0
@@ -42,7 +44,6 @@ require (
 	github.com/gin-gonic/gin v1.10.0 // indirect
 	github.com/go-chi/chi/v5 v5.2.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect

deploy/operator/internal/controller/jumpstarter/compare.go

@@ -0,0 +1,158 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package jumpstarter
+
+import (
+	"fmt"
+
+	"github.com/go-logr/logr"
+	"github.com/pmezard/go-difflib/difflib"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	"sigs.k8s.io/yaml"
+)
+
+// deploymentNeedsUpdate checks if a deployment needs to be updated using K8s semantic equality.
+func deploymentNeedsUpdate(existing, desired *appsv1.Deployment) bool {
+	// Compare labels (only if desired.Labels is non-nil)
+	if desired.Labels != nil && !equality.Semantic.DeepEqual(existing.Labels, desired.Labels) {
+		return true
+	}
+
+	// Compare annotations (only if desired.Annotations is non-nil)
+	if desired.Annotations != nil && !equality.Semantic.DeepEqual(existing.Annotations, desired.Annotations) {
+		return true
+	}
+
+	// Compare the entire Spec using K8s semantic equality (handles nil vs empty automatically)
+	return !equality.Semantic.DeepEqual(existing.Spec, desired.Spec)
+}
+
+// configMapNeedsUpdate checks if a configmap needs to be updated using K8s semantic equality.
+func configMapNeedsUpdate(existing, desired *corev1.ConfigMap, log logr.Logger) bool {
+	// Compare labels (only if desired.Labels is non-nil)
+	if desired.Labels != nil && !equality.Semantic.DeepEqual(existing.Labels, desired.Labels) {
+		return true
+	}
+
+	// Compare annotations (only if desired.Annotations is non-nil)
+	if desired.Annotations != nil && !equality.Semantic.DeepEqual(existing.Annotations, desired.Annotations) {
+		return true
+	}
+
+	// Compare data (only if desired.Data is non-nil)
+	if desired.Data != nil && !equality.Semantic.DeepEqual(existing.Data, desired.Data) {
+		return true
+	}
+
+	// Compare binary data (only if desired.BinaryData is non-nil)
+	if desired.BinaryData != nil && !equality.Semantic.DeepEqual(existing.BinaryData, desired.BinaryData) {
+		return true
+	}
+
+	return false
+}
+
+// serviceAccountNeedsUpdate checks if a service account needs to be updated using K8s semantic equality.
+func serviceAccountNeedsUpdate(existing, desired *corev1.ServiceAccount) bool {
+	// Compare labels (only if desired.Labels is non-nil)
+	if desired.Labels != nil && !equality.Semantic.DeepEqual(existing.Labels, desired.Labels) {
+		return true
+	}
+
+	// Compare annotations (only if desired.Annotations is non-nil)
+	if desired.Annotations != nil && !equality.Semantic.DeepEqual(existing.Annotations, desired.Annotations) {
+		return true
+	}
+
+	return false
+}
+
+// roleNeedsUpdate checks if a role needs to be updated using K8s semantic equality.
+func roleNeedsUpdate(existing, desired *rbacv1.Role) bool {
+	// Compare labels (only if desired.Labels is non-nil)
+	if desired.Labels != nil && !equality.Semantic.DeepEqual(existing.Labels, desired.Labels) {
+		return true
+	}
+
+	// Compare annotations (only if desired.Annotations is non-nil)
+	if desired.Annotations != nil && !equality.Semantic.DeepEqual(existing.Annotations, desired.Annotations) {
+		return true
+	}
+
+	// Compare rules (only if non-nil in desired)
+	if desired.Rules != nil && !equality.Semantic.DeepEqual(existing.Rules, desired.Rules) {
+		return true
+	}
+
+	return false
+}
+
+// roleBindingNeedsUpdate checks if a role binding needs to be updated using K8s semantic equality.
+func roleBindingNeedsUpdate(existing, desired *rbacv1.RoleBinding) bool {
+	// Compare labels (only if desired.Labels is non-nil)
+	if desired.Labels != nil && !equality.Semantic.DeepEqual(existing.Labels, desired.Labels) {
+		return true
+	}
+
+	// Compare annotations (only if desired.Annotations is non-nil)
+	if desired.Annotations != nil && !equality.Semantic.DeepEqual(existing.Annotations, desired.Annotations) {
+		return true
+	}
+
+	// Compare subjects (only if non-nil in desired)
+	if desired.Subjects != nil && !equality.Semantic.DeepEqual(existing.Subjects, desired.Subjects) {
+		return true
+	}
+
+	// Compare role ref (only if non-zero in desired)
+	if desired.RoleRef.Name != "" && !equality.Semantic.DeepEqual(existing.RoleRef, desired.RoleRef) {
+		return true
+	}
+
+	return false
+}
+
+// generateDiff creates a unified diff between existing and desired resources.
+// It works with any Kubernetes resource type.
+// Returns the diff string and any error encountered during serialization.
+func generateDiff[T any](existing, desired *T) (string, error) {
+	// Serialize existing resource to YAML
+	existingYAML, err := yaml.Marshal(existing)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal existing resource: %w", err)
+	}
+
+	// Serialize desired resource to YAML
+	desiredYAML, err := yaml.Marshal(desired)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal desired resource: %w", err)
+	}
+
+	// Generate unified diff
+	diff := difflib.UnifiedDiff{
+		A:        difflib.SplitLines(string(existingYAML)),
+		B:        difflib.SplitLines(string(desiredYAML)),
+		FromFile: "Existing",
+		ToFile:   "Desired",
+		Context:  3,
+	}
+
+	return difflib.GetUnifiedDiffString(diff)
+}

deploy/operator/internal/controller/jumpstarter/endpoints/endpoints.go

@@ -49,30 +49,26 @@ func NewReconciler(client client.Client, scheme *runtime.Scheme) *Reconciler {
 func (r *Reconciler) createOrUpdateService(ctx context.Context, service *corev1.Service, owner metav1.Object) error {
 	log := logf.FromContext(ctx)
 
-	if owner != nil {
-		if err := controllerutil.SetControllerReference(owner, service, r.Scheme); err != nil {
-			return err
-		}
-	}
-
 	existingService := &corev1.Service{}
 	existingService.Name = service.Name
 	existingService.Namespace = service.Namespace
 
+	if err := controllerutil.SetControllerReference(owner, service, r.Scheme); err != nil {
+		return err
+	}
+
 	op, err := controllerutil.CreateOrUpdate(ctx, r.Client, existingService, func() error {
 		// Preserve immutable fields if service already exists
 		if existingService.CreationTimestamp.IsZero() {
 			// Service is being created, copy all fields from desired service
 			existingService.Spec = service.Spec
 			existingService.Labels = service.Labels
 			existingService.Annotations = service.Annotations
-		} else {
-			// Service exists, preserve immutable fields
-			preservedClusterIP := existingService.Spec.ClusterIP
-			preservedClusterIPs := existingService.Spec.ClusterIPs
-			preservedIPFamilies := existingService.Spec.IPFamilies
-			preservedIPFamilyPolicy := existingService.Spec.IPFamilyPolicy
+			if err := controllerutil.SetControllerReference(owner, service, r.Scheme); err != nil {
+				return err
+			}
 
+		} else {
 			// Preserve existing NodePorts to prevent "port already allocated" errors
 			if service.Spec.Type == corev1.ServiceTypeNodePort || service.Spec.Type == corev1.ServiceTypeLoadBalancer {
 				for i := range existingService.Spec.Ports {
@@ -83,15 +79,18 @@ func (r *Reconciler) createOrUpdateService(ctx context.Context, service *corev1.
 			}
 
 			// Update all mutable fields
-			existingService.Spec = service.Spec
+			if service.Spec.LoadBalancerClass != nil && *service.Spec.LoadBalancerClass != "" {
+				existingService.Spec.LoadBalancerClass = service.Spec.LoadBalancerClass
+			}
+			if service.Spec.ExternalTrafficPolicy != "" {
+				existingService.Spec.ExternalTrafficPolicy = service.Spec.ExternalTrafficPolicy
+			}
+
+			existingService.Spec.Ports = service.Spec.Ports
+			existingService.Spec.Selector = service.Spec.Selector
+			existingService.Spec.Type = service.Spec.Type
 			existingService.Labels = service.Labels
 			existingService.Annotations = service.Annotations
-
-			// Restore immutable fields
-			existingService.Spec.ClusterIP = preservedClusterIP
-			existingService.Spec.ClusterIPs = preservedClusterIPs
-			existingService.Spec.IPFamilies = preservedIPFamilies
-			existingService.Spec.IPFamilyPolicy = preservedIPFamilyPolicy
 		}
 
 		return nil
@@ -105,25 +104,12 @@ func (r *Reconciler) createOrUpdateService(ctx context.Context, service *corev1.
 		return err
 	}
 
-	// Log the operation result
-	switch op {
-	case controllerutil.OperationResultCreated:
-		log.Info("Created service",
-			"name", service.Name,
-			"namespace", service.Namespace,
-			"type", service.Spec.Type,
-			"selector", service.Spec.Selector)
-	case controllerutil.OperationResultUpdated:
-		log.Info("Updated service",
-			"name", service.Name,
-			"namespace", service.Namespace,
-			"type", service.Spec.Type,
-			"selector", service.Spec.Selector)
-	case controllerutil.OperationResultNone:
-		log.V(1).Info("Service already up to date",
-			"name", service.Name,
-			"namespace", service.Namespace)
-	}
+	log.Info("Service reconciled",
+		"name", service.Name,
+		"namespace", service.Namespace,
+		"type", service.Spec.Type,
+		"selector", service.Spec.Selector,
+		"operation", op)
 
 	return nil
 }