feat: support configurable PodDisruptionBudget

[davidxia]

Summary

Resolves #414.

Adds a new pdb config object on SpiceDBCluster to give users control over the PodDisruptionBudget:

• pdb.disabled (bool, default false): when true, the operator deletes any existing PDB owned by the cluster and stops creating one
• pdb.maxUnavailable (integer or percentage string, e.g. "2" or "50%"): sets the PDB's maxUnavailable field; defaults to 1 when neither field is set (preserving existing behavior)
• pdb.minAvailable (integer or percentage string): sets the PDB's minAvailable field; mutually exclusive with pdb.maxUnavailable

Example usage

# Disable PDB
spec:
  config:
    pdb:
      disabled: true

# Allow 50% of pods to be unavailable during disruptions
spec:
  config:
    pdb:
      maxUnavailable: "50%"

# Require at least 3 pods to always be available
spec:
  config:
    pdb:
      minAvailable: "3"

Test plan

• All existing unit tests pass
• New unit tests added for: disabled PDB, custom maxUnavailable (integer and percentage), custom minAvailable, and validation error when both are set
• go test ./pkg/... passes

🤖 Generated with Claude Code

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[davidxia]

I have read the CLA Document and I hereby sign the CLA

[davidxia]

recheck

[ecordell]

One small change, otherwise this looks good! Thanks for the contribution!

FYI full customization of the PDB is possible with the patches feature, but I can see why we'd want these to have shortcuts.

[ecordell]

Can we also verify a match on the component labels too? metadata.LabelsForComponent(clusterName, metadata.ComponentPDBLabel). This way we can be sure to only delete a PDB that was operator created, and not one that happened to have a name that matches

[davidxia]

yup, updated below

[miparnisari]

could a test be written that covers this? i see in https://app.codecov.io/github/authzed/spicedb-operator/blob/main/pkg%2Fcontroller%2Fcontroller.go#L531 that ensurePdb has almost zero coverage

[davidxia]

I see ensurePdb() on main doesn't have any test coverage right now. So I tried to add coverage for at least my changes here.

I added TestEnsurePDB() in controller_test.go. The test logic isn't as nice as TestCredentialSecretsForCluster because ensurePDB()'s function signature isn't as testable as credentialSecretsForCluster()'s. But I don't want to increase the scope of this PR by changing ensurePDB()'s function signature.

How does it look? How can I get an updated coverage report?

[davidxia]

Thanks, I didn't see the patches functionality.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 83.33333% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.92%. Comparing base (cdb0fa2) to head (e24bc7e).

Files with missing lines	Patch %	Lines
pkg/controller/controller.go	61.11%	4 Missing and 3 partials ⚠️
pkg/config/config.go	94.44%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #422      +/-   ##
==========================================
+ Coverage   66.29%   67.92%   +1.63%     
==========================================
  Files          30       30              
  Lines        2572     2619      +47     
==========================================
+ Hits         1705     1779      +74     
+ Misses        753      725      -28     
- Partials      114      115       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[davidxia]

Anything I can do to help move this along?

[davidxia]

@miparnisari thanks, fixed a blocking golint violation

[ecordell]

LGTM, thanks for the contribution!