27755794823

Committed 18 Jun 2026 11:18AM UTC coverage: 75.292% (-1.7%) from 77.003%

Build # 27755794823

Build Type

Pull #621

github

Committed by

web-flow

Commit Message

Merge 3e94622f3 into 69595b7d1

Pull Request Pull Request #621: feat(controller): implement deletion protection via controller-managed finalizers

Coverage Stats

397 of 636 new or added lines in 7 files covered. (62.42%)

15 existing lines in 3 files now uncovered.

4001 of 5314 relevant lines covered (75.29%)

33.24 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

71.7

/pkg/controller/profile_controller.go

// Copyright 2026 BWI GmbH and Solution Arsenal contributors
// SPDX-License-Identifier: Apache-2.0

package controller

import (
        "context"
        "fmt"
        "slices"

        corev1 "k8s.io/api/core/v1"
        apierrors "k8s.io/apimachinery/pkg/api/errors"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/apimachinery/pkg/labels"
        "k8s.io/apimachinery/pkg/runtime"
        "k8s.io/apimachinery/pkg/types"
        "k8s.io/client-go/tools/events"
        ctrl "sigs.k8s.io/controller-runtime"
        "sigs.k8s.io/controller-runtime/pkg/client"
        "sigs.k8s.io/controller-runtime/pkg/handler"
        "sigs.k8s.io/controller-runtime/pkg/reconcile"

        solarv1alpha1 "go.opendefense.cloud/solar/api/solar/v1alpha1"
)

// bindingTargetKey returns a stable namespace/name key for a ReleaseBinding's target reference.
func bindingTargetKey(rb *solarv1alpha1.ReleaseBinding) string {
        ns := rb.Spec.TargetNamespace
        if ns == "" {
                ns = rb.Namespace
        }

        return ns + "/" + rb.Spec.TargetRef.Name
}

// targetKey returns the namespace/name key for a Target.
func targetKey(t *solarv1alpha1.Target) string {
        return t.Namespace + "/" + t.Name
}

// solarGroup is the API group for all solar resources.
const solarGroup = "solar.opendefense.cloud"

// grantPermits returns true if the ReferenceGrant allows a resource identified by
// (fromGroup, fromKind, fromNamespace) to reference a resource of (toGroup, toKind)
// in the grant's own namespace.
func grantPermits(grant *solarv1alpha1.ReferenceGrant, fromGroup, fromKind, fromNamespace, toGroup, toKind string) bool {
        hasFrom := false
        for _, f := range grant.Spec.From {
                if f.Namespace == fromNamespace && f.Kind == fromKind && f.Group == fromGroup {
                        hasFrom = true
                        break
                }
        }
        if !hasFrom {
                return false
        }
        for _, t := range grant.Spec.To {
                if t.Kind == toKind && t.Group == toGroup {
                        return true
                }
        }

        return false
}

// grantPermitsTargetAccess returns true if the ReferenceGrant allows a Profile in
// fromNamespace to reference Target resources in the grant's namespace.
func grantPermitsTargetAccess(grant *solarv1alpha1.ReferenceGrant, fromNamespace string) bool {
        return grantPermits(grant, solarGroup, "Profile", fromNamespace, solarGroup, "Target")
}

// grantsTargetResource returns true if the ReferenceGrant includes Target in its To list.
func grantsTargetResource(grant *solarv1alpha1.ReferenceGrant) bool {
        for _, t := range grant.Spec.To {
                if t.Kind == "Target" && t.Group == solarGroup {
                        return true
                }
        }

        return false
}

// grantPermitsComponentVersionAccess returns true if the ReferenceGrant allows a Release
// in fromNamespace to reference ComponentVersion resources in the grant's namespace.
func grantPermitsComponentVersionAccess(grant *solarv1alpha1.ReferenceGrant, fromNamespace string) bool {
        return grantPermits(grant, solarGroup, "Release", fromNamespace, solarGroup, "ComponentVersion")
}

// grantsComponentVersionResource returns true if the ReferenceGrant includes ComponentVersion in its To list.
func grantsComponentVersionResource(grant *solarv1alpha1.ReferenceGrant) bool {
        for _, t := range grant.Spec.To {
                if t.Kind == "ComponentVersion" && t.Group == solarGroup {
                        return true
                }
        }

        return false
}

// ProfileReconciler reconciles a Profile object.
// It evaluates the Profile's TargetSelector against all Targets in the namespace
// and creates/deletes ReleaseBindings accordingly.
// Cross-namespace Targets are included when a ReferenceGrant in the target's namespace
// grants the Profile's namespace access to "targets".
type ProfileReconciler struct {
        client.Client
        Scheme   *runtime.Scheme
        Recorder events.EventRecorder
        // WatchNamespace restricts reconciliation to this namespace.
        WatchNamespace string
}

//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=profiles,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=profiles/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=profiles/finalizers,verbs=update
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=releasebindings,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=releases,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=releases/finalizers,verbs=update
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=targets,verbs=get;list;watch
//+kubebuilder:rbac:groups=solar.opendefense.cloud,resources=referencegrants,verbs=get;list;watch
//+kubebuilder:rbac:groups=events.k8s.io,resources=events,verbs=create;patch

// Reconcile evaluates the Profile's TargetSelector and ensures matching ReleaseBindings exist.
// It also manages a deletion-protection finalizer on the referenced Release.
func (r *ProfileReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
        log := ctrl.LoggerFrom(ctx)

        log.V(1).Info("Profile is being reconciled", "req", req)

        if r.WatchNamespace != "" && req.Namespace != r.WatchNamespace {
                return ctrl.Result{}, nil
        }

        // Fetch Profile
        profile := &solarv1alpha1.Profile{}
        if err := r.Get(ctx, req.NamespacedName, profile); err != nil {
                if apierrors.IsNotFound(err) {
                        return ctrl.Result{}, nil
                }

                return ctrl.Result{}, errLogAndWrap(log, err, "failed to get Profile")
        }

        // Handle deletion.
        if !profile.DeletionTimestamp.IsZero() {
                // Block until all owned ReleaseBindings are fully gone from the API before unprotecting
                // the Release. This ensures the Release is never deletable while bindings still reference it.
                // The Owns() watch in SetupWithManager re-triggers this reconcile when each binding is removed.
                allBindings := &solarv1alpha1.ReleaseBindingList{}
                if err := r.List(ctx, allBindings, client.InNamespace(profile.Namespace)); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to list owned ReleaseBindings for deletion")
                }
                ownedBindings := &solarv1alpha1.ReleaseBindingList{}
                for i := range allBindings.Items {
                        if metav1.IsControlledBy(&allBindings.Items[i], profile) {
                                ownedBindings.Items = append(ownedBindings.Items, allBindings.Items[i])
                        }
                }

                var ownedExist bool
                for i := range ownedBindings.Items {
                        rb := &ownedBindings.Items[i]
                        ownedExist = true
                        if rb.DeletionTimestamp.IsZero() {
                                if err := r.Delete(ctx, rb); err != nil && !apierrors.IsNotFound(err) {
                                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to delete owned ReleaseBinding during Profile deletion")
                                }
                        }
                }
                if ownedExist {
                        // Re-triggered by Owns() watch when the last binding is fully removed.
                        return ctrl.Result{}, nil
                }

                if profile.Spec.ReleaseRef.Name != "" {
                        release := &solarv1alpha1.Release{}
                        if err := r.Get(ctx, types.NamespacedName{Name: profile.Spec.ReleaseRef.Name, Namespace: profile.Namespace}, release); err != nil {
                                if !apierrors.IsNotFound(err) {
                                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to get Release for finalizer cleanup")
                                }
                        } else if err := r.removeReleaseRefFinalizerIfUnreferenced(ctx, profile, release); err != nil {
                                return ctrl.Result{}, err
                        }
                }

                if slices.Contains(profile.Finalizers, profileFinalizer) {
                        latest := &solarv1alpha1.Profile{}
                        if err := r.Get(ctx, req.NamespacedName, latest); err != nil {
                                return ctrl.Result{}, errLogAndWrap(log, err, "failed to get latest Profile for finalizer removal")
                        }
                        original := latest.DeepCopy()
                        latest.Finalizers = slices.DeleteFunc(latest.Finalizers, func(s string) bool { return s == profileFinalizer })
                        if err := r.Patch(ctx, latest, client.MergeFrom(original)); err != nil {
                                return ctrl.Result{}, errLogAndWrap(log, err, "failed to remove finalizer from Profile")
                        }
                }

                return ctrl.Result{}, nil
        }

        // Ensure self-finalizer exists.
        if !slices.Contains(profile.Finalizers, profileFinalizer) {
                latest := &solarv1alpha1.Profile{}
                if err := r.Get(ctx, req.NamespacedName, latest); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to get latest Profile for finalizer addition")
                }
                original := latest.DeepCopy()
                latest.Finalizers = append(latest.Finalizers, profileFinalizer)
                if err := r.Patch(ctx, latest, client.MergeFrom(original)); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to add finalizer to Profile")
                }
        }

        // Protect the referenced Release from deletion.
        if profile.Spec.ReleaseRef.Name != "" {
                release := &solarv1alpha1.Release{}
                if err := r.Get(ctx, types.NamespacedName{Name: profile.Spec.ReleaseRef.Name, Namespace: profile.Namespace}, release); err != nil {
                        if !apierrors.IsNotFound(err) {
                                return ctrl.Result{}, errLogAndWrap(log, err, "failed to get Release for protection finalizer")
                        }
                } else if !slices.Contains(release.Finalizers, releaseRefFinalizer) {
                        latest := release.DeepCopy()
                        latest.Finalizers = append(latest.Finalizers, releaseRefFinalizer)
                        if err := r.Patch(ctx, latest, client.MergeFrom(release)); err != nil {
                                return ctrl.Result{}, errLogAndWrap(log, err, "failed to add protection finalizer to Release")
                        }
                }
        }

        // Evaluate TargetSelector against all Targets
        selector, err := metav1.LabelSelectorAsSelector(&profile.Spec.TargetSelector)
        if err != nil {
                log.Error(err, "invalid targetSelector in Profile")

                return ctrl.Result{}, nil
        }

        // Collect matching targets from the profile's own namespace
        sameNsTargets := &solarv1alpha1.TargetList{}
        if err := r.List(ctx, sameNsTargets,
                client.InNamespace(profile.Namespace),
                client.MatchingLabelsSelector{Selector: selector},
        ); err != nil {
                return ctrl.Result{}, errLogAndWrap(log, err, "failed to list Targets")
        }

        allTargets := make([]solarv1alpha1.Target, 0, len(sameNsTargets.Items))
        allTargets = append(allTargets, sameNsTargets.Items...)

        // Collect cross-namespace targets via ReferenceGrants.
        // A ReferenceGrant in namespace B listing the profile's namespace in From and
        // "targets" in To allows this Profile to select Targets from namespace B.
        //
        // FIXME: listing all ReferenceGrants cluster-wide on every reconcile is a cache
        // scan only (no etcd round-trip, no host-cluster impact), but may become a
        // bottleneck at scale. Consider adding a field index on ReferenceGrants keyed by
        // the namespaces they grant access to so we can filter server-side.
        grantList := &solarv1alpha1.ReferenceGrantList{}
        if err := r.List(ctx, grantList); err != nil {
                return ctrl.Result{}, errLogAndWrap(log, err, "failed to list ReferenceGrants")
        }

        for i := range grantList.Items {
                grant := &grantList.Items[i]
                if grant.Namespace == profile.Namespace {
                        // same-namespace targets already covered above
                        continue
                }
                if !grantPermitsTargetAccess(grant, profile.Namespace) {
                        continue
                }
                crossNsTargets := &solarv1alpha1.TargetList{}
                if err := r.List(ctx, crossNsTargets,
                        client.InNamespace(grant.Namespace),
                        client.MatchingLabelsSelector{Selector: selector},
                ); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to list cross-namespace Targets in "+grant.Namespace)
                }
                allTargets = append(allTargets, crossNsTargets.Items...)
        }

        // Build set of desired ReleaseBindings (one per matching target, keyed by namespace/name)
        desiredTargets := map[string]solarv1alpha1.Target{}
        for _, t := range allTargets {
                desiredTargets[targetKey(&t)] = t
        }

        // List existing ReleaseBindings owned by this Profile
        allBindings := &solarv1alpha1.ReleaseBindingList{}
        if err := r.List(ctx, allBindings, client.InNamespace(profile.Namespace)); err != nil {
                return ctrl.Result{}, errLogAndWrap(log, err, "failed to list ReleaseBindings")
        }
        existingBindings := &solarv1alpha1.ReleaseBindingList{}
        for i := range allBindings.Items {
                if metav1.IsControlledBy(&allBindings.Items[i], profile) {
                        existingBindings.Items = append(existingBindings.Items, allBindings.Items[i])
                }
        }

        // Delete ReleaseBindings for targets that no longer match
        existingByKey := map[string]*solarv1alpha1.ReleaseBinding{}
        for i := range existingBindings.Items {
                rb := &existingBindings.Items[i]
                key := bindingTargetKey(rb)
                existingByKey[key] = rb

                if _, desired := desiredTargets[key]; !desired {
                        log.V(1).Info("Deleting ReleaseBinding for unmatched target", "key", key)
                        if err := r.Delete(ctx, rb); err != nil && !apierrors.IsNotFound(err) {
                                return ctrl.Result{}, errLogAndWrap(log, err, "failed to delete ReleaseBinding")
                        }

                        r.Recorder.Eventf(profile, nil, corev1.EventTypeNormal, "Deleted", "Delete",
                                "Deleted ReleaseBinding for target %s", key)
                }
        }

        // Create ReleaseBindings for new matching targets
        for key, target := range desiredTargets {
                if _, exists := existingByKey[key]; exists {
                        continue
                }

                crossNs := ""
                if target.Namespace != profile.Namespace {
                        crossNs = target.Namespace
                }

                rb := &solarv1alpha1.ReleaseBinding{
                        ObjectMeta: metav1.ObjectMeta{
                                // We need to truncated the name: 57 (input) + 1 (-) + 5 (appended by generated) = 63 (max chars allowed)
                                GenerateName: truncateName(fmt.Sprintf("%s-%s", profile.Name, target.Name), 57) + "-",
                                Namespace:    profile.Namespace,
                        },
                        Spec: solarv1alpha1.ReleaseBindingSpec{
                                TargetRef:       corev1.LocalObjectReference{Name: target.Name},
                                TargetNamespace: crossNs,
                                ReleaseRef:      profile.Spec.ReleaseRef,
                        },
                }
                if err := ctrl.SetControllerReference(profile, rb, r.Scheme); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to set controller reference on ReleaseBinding")
                }

                if err := r.Create(ctx, rb); err != nil {
                        if apierrors.IsAlreadyExists(err) {
                                continue
                        }

                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to create ReleaseBinding")
                }

                log.V(1).Info("Created ReleaseBinding for target", "key", key)
                r.Recorder.Eventf(profile, nil, corev1.EventTypeNormal, "Created", "Create",
                        "Created ReleaseBinding for target %s", key)
        }

        // Update status
        original := profile.DeepCopy()
        profile.Status.MatchedTargets = len(desiredTargets)
        if profile.Status.MatchedTargets != original.Status.MatchedTargets {
                if err := r.Status().Update(ctx, profile); err != nil {
                        return ctrl.Result{}, errLogAndWrap(log, err, "failed to update Profile status")
                }
        }

        return ctrl.Result{}, nil
}

// SetupWithManager sets up the controller with the Manager.
func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error {
        return ctrl.NewControllerManagedBy(mgr).
                For(&solarv1alpha1.Profile{}).
                Owns(&solarv1alpha1.ReleaseBinding{}).
                Watches(
                        &solarv1alpha1.Target{},
                        handler.EnqueueRequestsFromMapFunc(r.mapTargetToProfiles),
                ).
                Watches(
                        &solarv1alpha1.ReferenceGrant{},
                        handler.EnqueueRequestsFromMapFunc(r.mapReferenceGrantToProfiles),
                ).
                Complete(r)
}

// mapTargetToProfiles maps a Target to all Profiles that might match it,
// including Profiles in namespaces that have been granted access via ReferenceGrant.
func (r *ProfileReconciler) mapTargetToProfiles(ctx context.Context, obj client.Object) []reconcile.Request {
        log := ctrl.LoggerFrom(ctx)

        target, ok := obj.(*solarv1alpha1.Target)
        if !ok {
                return nil
        }

        targetLabels := labels.Set(target.Labels)
        var requests []reconcile.Request

        // Enqueue profiles in the target's own namespace
        profileList := &solarv1alpha1.ProfileList{}
        if err := r.List(ctx, profileList, client.InNamespace(target.Namespace)); err != nil {
                log.Error(err, "failed to list Profiles for Target mapping")

                return nil
        }

        for _, profile := range profileList.Items {
                selector, err := metav1.LabelSelectorAsSelector(&profile.Spec.TargetSelector)
                if err != nil {
                        continue
                }

                if selector.Matches(targetLabels) {
                        requests = append(requests, reconcile.Request{
                                NamespacedName: client.ObjectKeyFromObject(&profile),
                        })
                }
        }

        // Enqueue profiles in namespaces that have been granted access to targets in
        // this target's namespace via a ReferenceGrant.
        grantList := &solarv1alpha1.ReferenceGrantList{}
        if err := r.List(ctx, grantList, client.InNamespace(target.Namespace)); err != nil {
                log.Error(err, "failed to list ReferenceGrants for cross-namespace Target mapping")

                return requests
        }

        for i := range grantList.Items {
                grant := &grantList.Items[i]
                if !grantsTargetResource(grant) {
                        continue
                }
                for _, from := range grant.Spec.From {
                        if from.Namespace == target.Namespace || from.Kind != "Profile" {
                                continue
                        }
                        fromProfiles := &solarv1alpha1.ProfileList{}
                        if err := r.List(ctx, fromProfiles, client.InNamespace(from.Namespace)); err != nil {
                                log.Error(err, "failed to list Profiles in granted namespace", "namespace", from.Namespace)
                                continue
                        }
                        for _, p := range fromProfiles.Items {
                                selector, err := metav1.LabelSelectorAsSelector(&p.Spec.TargetSelector)
                                if err != nil {
                                        continue
                                }
                                if selector.Matches(targetLabels) {
                                        requests = append(requests, reconcile.Request{
                                                NamespacedName: client.ObjectKeyFromObject(&p),
                                        })
                                }
                        }
                }
        }

        return requests
}

// mapReferenceGrantToProfiles enqueues all Profiles in the namespaces listed in
// a ReferenceGrant's From field, allowing them to re-evaluate cross-namespace matches.
func (r *ProfileReconciler) mapReferenceGrantToProfiles(ctx context.Context, obj client.Object) []reconcile.Request {
        log := ctrl.LoggerFrom(ctx)

        grant, ok := obj.(*solarv1alpha1.ReferenceGrant)
        if !ok {
                return nil
        }

        if !grantsTargetResource(grant) {
                return nil
        }

        var requests []reconcile.Request
        for _, from := range grant.Spec.From {
                if from.Kind != "Profile" || from.Group != solarGroup {
                        continue
                }
                profiles := &solarv1alpha1.ProfileList{}
                if err := r.List(ctx, profiles, client.InNamespace(from.Namespace)); err != nil {
                        log.Error(err, "failed to list Profiles for ReferenceGrant mapping", "namespace", from.Namespace)
                        continue
                }
                for _, p := range profiles.Items {
                        requests = append(requests, reconcile.Request{
                                NamespacedName: client.ObjectKeyFromObject(&p),
                        })
                }
        }

        return requests
}

// removeReleaseRefFinalizerIfUnreferenced removes releaseRefFinalizer from release when no active
// Profile or ReleaseBinding (excluding the deleting Profile and its owned ReleaseBindings) still
// references it.
func (r *ProfileReconciler) removeReleaseRefFinalizerIfUnreferenced(ctx context.Context, deletingProfile *solarv1alpha1.Profile, release *solarv1alpha1.Release) error {
        if !slices.Contains(release.Finalizers, releaseRefFinalizer) {
                return nil
        }

        // Count Profiles (excluding self) referencing this Release.
        profileList := &solarv1alpha1.ProfileList{}
        if err := r.List(ctx, profileList,
                client.InNamespace(release.Namespace),
                client.MatchingFields{indexProfileByReleaseName: release.Name},
        ); err != nil {
                return errLogAndWrap(ctrl.LoggerFrom(ctx), err, "failed to list Profiles for Release finalizer check")
        }

        for _, p := range profileList.Items {
                if p.Name == deletingProfile.Name {
                        continue
                }
                if !p.DeletionTimestamp.IsZero() {
                        continue
                }

                return nil
        }

        // Count ReleaseBindings (excluding those owned by the deleting Profile) referencing this Release.
        bindingList := &solarv1alpha1.ReleaseBindingList{}
        if err := r.List(ctx, bindingList,
                client.InNamespace(release.Namespace),
                client.MatchingFields{indexReleaseBindingReleaseName: release.Name},
        ); err != nil {
                return errLogAndWrap(ctrl.LoggerFrom(ctx), err, "failed to list ReleaseBindings for Release finalizer check")
        }

        for _, rb := range bindingList.Items {
                if metav1.IsControlledBy(&rb, deletingProfile) {
                        continue // owned by the Profile being deleted; K8s GC will remove these
                }
                if !rb.DeletionTimestamp.IsZero() {
                        continue
                }

                // Check if this binding's owner Profile is also being deleted (concurrent deletion).
                ownerRef := metav1.GetControllerOf(&rb)
                if ownerRef != nil && ownerRef.Kind == "Profile" && ownerRef.APIVersion == solarv1alpha1.SchemeGroupVersion.String() {
                        ownerProfile := &solarv1alpha1.Profile{}
                        err := r.Get(ctx, types.NamespacedName{Name: ownerRef.Name, Namespace: rb.Namespace}, ownerProfile)
                        if apierrors.IsNotFound(err) || (err == nil && !ownerProfile.DeletionTimestamp.IsZero()) {
                                continue // owner Profile is gone or being deleted, this binding will be GC'd
                        }
                        if err != nil {
                                return errLogAndWrap(ctrl.LoggerFrom(ctx), err, "failed to check owner Profile for concurrent deletion")
                        }
                }

                return nil
        }

        freshRelease := &solarv1alpha1.Release{}
        if err := r.Get(ctx, client.ObjectKeyFromObject(release), freshRelease); err != nil {
                if apierrors.IsNotFound(err) {
                        return nil
                }

                return errLogAndWrap(ctrl.LoggerFrom(ctx), err, "failed to get latest Release for finalizer removal")
        }
        original := freshRelease.DeepCopy()
        freshRelease.Finalizers = slices.DeleteFunc(freshRelease.Finalizers, func(s string) bool { return s == releaseRefFinalizer })
        if err := r.Patch(ctx, freshRelease, client.MergeFrom(original)); err != nil {
                return errLogAndWrap(ctrl.LoggerFrom(ctx), err, "failed to remove protection finalizer from Release")
        }

        ctrl.LoggerFrom(ctx).V(1).Info("Removed protection finalizer from Release", "release", release.Name)

        return nil
}

opendefensecloud / solution-arsenal / 27755794823

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous