opendefensecloud / solution-arsenal / 27812533209
75%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 65
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 75.441% (-1.2%) from 76.621%
27812533209

push

github

web-flow 
feat(controller): implement deletion protection via controller-managed finalizers (#621)

## What
Implements deletion protection for `ComponentVersion`, `Release`,
`Registry`, and `ReleaseBinding` resources using controller-managed
finalizers, preventing cascade-deletion accidents when upstream
resources are deleted while still referenced.

Closes #308 

## Why
Before this change, deleting a `Component` while `ComponentVersions`
still pointed to it, or a `Release` while active deployments existed,
would cause dangling references and silent failures downstream. This
adds a guard at the API level: referenced resources cannot be deleted
until all their referencers are gone.

## Testing
All 17 envtest/Ginkgo suites pass. Each new controller is covered by
dedicated tests:
- Add-finalizer-on-create (both self-finalizer and protection finalizer)
- Block-deletion-while-referenced (Consistently assert DeletionTimestamp
present, resource not gone)
- Remove-protection-finalizer-when-last-reference-deleted
- Retain-protection-finalizer-when-a-second-referencer-still-exists
(multi-referencer scenario)
- Profile-owned-binding guard: `removeReleaseRefFinalizer` deferred to
Profile controller while `profileFinalizer` is present, verified with a
test-only blocker finalizer

`make test-e2e` timeout bumped from the implicit 10 m Go default to 15
m; new controllers add reconcile cycles to namespace teardown
(previously resources were GC'd immediately).

## Notes for reviewers

**New controllers** — `ComponentVersionReconciler`,
`ReleaseBindingReconciler`, and `RegistryBindingReconciler` are
registered in `solar-controller-manager`. During a rolling upgrade, the
brief window between old pod termination and new pod startup leaves
existing resources unprotected; this is unavoidable with a rolling
deploy and the window is short.

**RBAC changes** — `patch`/`update` verbs added to `components`,
`componentversions`, `profiles`, `registries`, and `registrybindings`;
new `/final... (continued)

414 of 657 new or added lines in 7 files covered. (63.01%)

4 existing lines in 1 file now uncovered.

4021 of 5330 relevant lines covered (75.44%)

34.46 hits per line

Uncovered Changes

Lines Coverage File
65
59.12
 pkg/controller/releasebinding_controller.go
52
71.77
 -4.97% pkg/controller/profile_controller.go
40
71.43
 -5.16% pkg/controller/helpers.go
29
78.47
 -2.22% pkg/controller/release_controller.go
28
70.53
 pkg/controller/componentversion_controller.go
18
73.13
 pkg/controller/registrybinding_controller.go
11
73.01
 0.41% pkg/controller/target_controller.go

Coverage Regressions

Lines Coverage File
4
73.01
 0.41% pkg/controller/target_controller.go
Jobs
ID Job ID Ran Files Coverage
1 27812533209.1 65
75.44
 GitHub Action Run
Source Files on build 27812533209