fix: Instability of cleanup process of old configmaps and secrets

CTlog, Rekor and Fulcio has broblem when newly created object has
been deleted during clean up process of old objects.

Author: osmman

internal/controller/ctlog/actions/server_config.go

@@ -2,7 +2,9 @@ package actions
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"strconv"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
@@ -131,10 +133,15 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 		},
 	}
 
+	annotations := map[string]string{
+		"rhtas.redhat.com/generation": strconv.FormatInt(instance.Generation, 10),
+	}
+
 	if _, err = utils.CreateOrUpdate(ctx, i.Client,
 		newConfig,
 		ensure.ControllerReference[*corev1.Secret](instance, i.Client),
 		ensure.Labels[*corev1.Secret](maps.Keys(configLabels), configLabels),
+		ensure.Annotations[*corev1.Secret](maps.Keys(annotations), annotations),
 		utils.EnsureSecretData(true, cfg),
 	); err != nil {
 		return i.Error(ctx, fmt.Errorf("could not create Server config: %w", err), instance,
@@ -147,13 +154,35 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 			})
 	}
 
-	// try to discover existing config and clear them out
+	defer i.cleanup(ctx, instance, newConfig.Name, configLabels)
+
+	instance.Status.ServerConfigRef = &rhtasv1alpha1.LocalObjectReference{Name: newConfig.Name}
+
+	i.Recorder.Eventf(instance, corev1.EventTypeNormal, "CTLogConfigCreated", "Secret with ctlog configuration created: %s", newConfig.Name)
+	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+		Type:               ConfigCondition,
+		Status:             metav1.ConditionTrue,
+		Reason:             constants.Ready,
+		Message:            "Server config created",
+		ObservedGeneration: instance.Generation,
+	})
+	return i.StatusUpdate(ctx, instance)
+}
+
+func (i serverConfig) cleanup(ctx context.Context, instance *rhtasv1alpha1.CTlog, newSecretName string, configLabels map[string]string) {
+	if newSecretName == "" {
+		i.Logger.Error(errors.New("new Secret name is empty"), "unable to clean old objects", "namespace", instance.Namespace)
+		return
+	}
+
+	// try to discover existing secrets and clear them out
 	partialConfigs, err := utils.ListSecrets(ctx, i.Client, instance.Namespace, labels2.SelectorFromSet(configLabels).String())
 	if err != nil {
 		i.Logger.Error(err, "problem with listing configmaps", "namespace", instance.Namespace)
+		return
 	}
 	for _, partialConfig := range partialConfigs.Items {
-		if partialConfig.Name == newConfig.Name {
+		if partialConfig.Name == newSecretName {
 			continue
 		}
 
@@ -166,18 +195,6 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 		i.Logger.Info("Remove invalid Secret with ctlog configuration", "Name", partialConfig.Name)
 		i.Recorder.Eventf(instance, corev1.EventTypeNormal, "CTLogConfigDeleted", "Secret with ctlog configuration deleted: %s", partialConfig.Name)
 	}
-
-	instance.Status.ServerConfigRef = &rhtasv1alpha1.LocalObjectReference{Name: newConfig.Name}
-
-	i.Recorder.Eventf(instance, corev1.EventTypeNormal, "CTLogConfigCreated", "Secret with ctlog configuration created: %s", newConfig.Name)
-	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-		Type:               ConfigCondition,
-		Status:             metav1.ConditionTrue,
-		Reason:             constants.Ready,
-		Message:            "Server config created",
-		ObservedGeneration: instance.Generation,
-	})
-	return i.StatusUpdate(ctx, instance)
 }
 
 func (i serverConfig) handlePrivateKey(instance *rhtasv1alpha1.CTlog) (*ctlogUtils.KeyConfig, error) {

internal/controller/fulcio/actions/server_config.go

@@ -2,8 +2,10 @@ package actions
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"reflect"
+	"strconv"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
@@ -115,10 +117,16 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 			Namespace:    instance.Namespace,
 		},
 	}
+
+	annotations := map[string]string{
+		"rhtas.redhat.com/generation": strconv.FormatInt(instance.Generation, 10),
+	}
+
 	if _, err = kubernetes.CreateOrUpdate(ctx, i.Client,
 		newConfig,
 		ensure.ControllerReference[*v1.ConfigMap](instance, i.Client),
 		ensure.Labels[*v1.ConfigMap](maps.Keys(configLabel), configLabel),
+		ensure.Annotations[*v1.ConfigMap](maps.Keys(annotations), annotations),
 		kubernetes.EnsureConfigMapData(
 			true,
 			map[string]string{
@@ -129,13 +137,35 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 		return i.Error(ctx, fmt.Errorf("could not create Server config: %w", err), instance)
 	}
 
+	defer i.cleanup(ctx, instance, newConfig.Name, configLabel)
+
+	i.Recorder.Eventf(instance, v1.EventTypeNormal, "FulcioConfigUpdated", "Fulcio config updated: %s", newConfig.Name)
+	instance.Status.ServerConfigRef = &rhtasv1alpha1.LocalObjectReference{Name: newConfig.Name}
+
+	meta.SetStatusCondition(&instance.Status.Conditions,
+		metav1.Condition{
+			Type:    constants.Ready,
+			Status:  metav1.ConditionFalse,
+			Reason:  constants.Creating,
+			Message: "Server config created"},
+	)
+	return i.StatusUpdate(ctx, instance)
+}
+
+func (i serverConfig) cleanup(ctx context.Context, instance *rhtasv1alpha1.Fulcio, newConfigName string, configLabels map[string]string) {
+	if newConfigName == "" {
+		i.Logger.Error(errors.New("new ConfigMap name is empty"), "unable to clean old objects", "namespace", instance.Namespace)
+		return
+	}
+
 	// remove old server configmaps
-	partialConfigs, err := kubernetes.ListConfigMaps(ctx, i.Client, instance.Namespace, labels2.SelectorFromSet(configLabel).String())
+	partialConfigs, err := kubernetes.ListConfigMaps(ctx, i.Client, instance.Namespace, labels2.SelectorFromSet(configLabels).String())
 	if err != nil {
 		i.Logger.Error(err, "problem with finding configmap")
+		return
 	}
 	for _, partialConfig := range partialConfigs.Items {
-		if partialConfig.Name == newConfig.Name {
+		if partialConfig.Name == newConfigName {
 			continue
 		}
 
@@ -147,21 +177,10 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 		})
 		if err != nil {
 			i.Logger.Error(err, "problem with deleting configmap", "name", partialConfig.Name)
-		} else {
-			i.Logger.Info("Remove invalid ConfigMap with rekor-server configuration", "name", partialConfig.Name)
-			i.Recorder.Eventf(instance, v1.EventTypeNormal, "FulcioConfigDeleted", "Fulcio config deleted: %s", partialConfig.Name)
+			i.Recorder.Eventf(instance, v1.EventTypeWarning, "FulcioConfigDeleted", "Unable to delete secret: %s", partialConfig.Name)
+			continue
 		}
+		i.Logger.Info("Remove invalid ConfigMap with Fulcio configuration", "name", partialConfig.Name)
+		i.Recorder.Eventf(instance, v1.EventTypeNormal, "FulcioConfigDeleted", "Fulcio config deleted: %s", partialConfig.Name)
 	}
-
-	i.Recorder.Eventf(instance, v1.EventTypeNormal, "FulcioConfigUpdated", "Fulcio config updated: %s", newConfig.Name)
-	instance.Status.ServerConfigRef = &rhtasv1alpha1.LocalObjectReference{Name: newConfig.Name}
-
-	meta.SetStatusCondition(&instance.Status.Conditions,
-		metav1.Condition{
-			Type:    constants.Ready,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Creating,
-			Message: "Server config created"},
-	)
-	return i.StatusUpdate(ctx, instance)
 }

internal/controller/rekor/actions/server/sharding_config.go

@@ -2,8 +2,10 @@ package server
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"reflect"
+	"strconv"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
@@ -88,22 +90,49 @@ func (i shardingConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.Reko
 			Namespace:    instance.Namespace,
 		},
 	}
+
+	annotations := map[string]string{
+		"rhtas.redhat.com/generation": strconv.FormatInt(instance.Generation, 10),
+	}
+
 	if _, err = kubernetes.CreateOrUpdate(ctx, i.Client,
 		newConfig,
 		ensure.ControllerReference[*v1.ConfigMap](instance, i.Client),
 		ensure.Labels[*v1.ConfigMap](maps.Keys(labels), labels),
+		ensure.Annotations[*v1.ConfigMap](maps.Keys(annotations), annotations),
 		kubernetes.EnsureConfigMapData(true, content),
 	); err != nil {
 		return i.Error(ctx, fmt.Errorf("could not create sharding config: %w", err), instance)
 	}
 
+	defer i.cleanup(ctx, instance, newConfig.Name, labels)
+
+	i.Recorder.Eventf(instance, v1.EventTypeNormal, "ShardingConfigCreated", "ConfigMap with sharding configuration created: %s", newConfig.Name)
+	instance.Status.ServerConfigRef = &rhtasv1alpha1.LocalObjectReference{Name: newConfig.Name}
+
+	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+		Type:    actions.ServerCondition,
+		Status:  metav1.ConditionFalse,
+		Reason:  constants.Creating,
+		Message: "Sharding config created",
+	})
+	return i.StatusUpdate(ctx, instance)
+}
+
+func (i shardingConfig) cleanup(ctx context.Context, instance *rhtasv1alpha1.Rekor, newConfigName string, configLabels map[string]string) {
+	if newConfigName == "" {
+		i.Logger.Error(errors.New("new ConfigMap name is empty"), "unable to clean old objects", "namespace", instance.Namespace)
+		return
+	}
+
 	// remove old server configmaps
-	partialConfigs, err := kubernetes.ListConfigMaps(ctx, i.Client, instance.Namespace, labels2.SelectorFromSet(labels).String())
+	partialConfigs, err := kubernetes.ListConfigMaps(ctx, i.Client, instance.Namespace, labels2.SelectorFromSet(configLabels).String())
 	if err != nil {
 		i.Logger.Error(err, "problem with finding configmap")
+		return
 	}
 	for _, partialConfig := range partialConfigs.Items {
-		if partialConfig.Name == newConfig.Name {
+		if partialConfig.Name == newConfigName {
 			continue
 		}
 
@@ -115,22 +144,12 @@ func (i shardingConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.Reko
 		})
 		if err != nil {
 			i.Logger.Error(err, "problem with deleting configmap", "name", partialConfig.Name)
-		} else {
-			i.Logger.Info("Remove invalid ConfigMap with rekor-sharding configuration", "name", partialConfig.Name)
-			i.Recorder.Eventf(instance, v1.EventTypeNormal, "ShardingConfigDeleted", "ConfigMap with sharding configuration deleted: %s", partialConfig.Name)
+			i.Recorder.Eventf(instance, v1.EventTypeWarning, "ShardingConfigDeleted", "Unable to delete secret: %s", partialConfig.Name)
+			continue
 		}
+		i.Logger.Info("Remove invalid ConfigMap with rekor-sharding configuration", "name", partialConfig.Name)
+		i.Recorder.Eventf(instance, v1.EventTypeNormal, "ShardingConfigDeleted", "ConfigMap with sharding configuration deleted: %s", partialConfig.Name)
 	}
-
-	i.Recorder.Eventf(instance, v1.EventTypeNormal, "ShardingConfigCreated", "ConfigMap with sharding configuration created: %s", newConfig.Name)
-	instance.Status.ServerConfigRef = &rhtasv1alpha1.LocalObjectReference{Name: newConfig.Name}
-
-	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-		Type:    actions.ServerCondition,
-		Status:  metav1.ConditionFalse,
-		Reason:  constants.Creating,
-		Message: "Sharding config created",
-	})
-	return i.StatusUpdate(ctx, instance)
 }
 
 func createShardingConfigData(sharding []rhtasv1alpha1.RekorLogRange) (map[string]string, error) {

test/e2e/support/common.go

@@ -16,6 +16,7 @@ import (
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	v12 "k8s.io/api/apps/v1"
 	v13 "k8s.io/api/batch/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -124,6 +125,10 @@ func DumpNamespace(ctx context.Context, cli client.Client, ns string) {
 	// Example usage with mock data
 	k8s := map[string]logTarget{}
 
+	secretList := &metav1.PartialObjectMetadataList{}
+	gvk := schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Secret"}
+	secretList.SetGroupVersionKind(gvk)
+
 	toDump := map[string]client.ObjectList{
 		"securesign.yaml": &v1alpha1.SecuresignList{},
 		"fulcio.yaml":     &v1alpha1.FulcioList{},
@@ -138,6 +143,7 @@ func DumpNamespace(ctx context.Context, cli client.Client, ns string) {
 		"job.yaml":        &v13.JobList{},
 		"cronjob.yaml":    &v13.CronJobList{},
 		"event.yaml":      &v1.EventList{},
+		"secret.yaml":     secretList,
 	}
 
 	core.GinkgoWriter.Println("----------------------- Dumping namespace " + ns + " -----------------------")