Expand ownership check for profile bundle controller

The controller previously only watched ProfileBundle objects. When the
profileparser Deployment's pods changed state, the controller was never
notified.

Adding Owns means any change to the owned Deployment triggers a
reconciliation of the parent ProfileBundle, so the controller is
responsive to pod lifecycle events.

Also, once the controller found an existing pod with no startup error,
it exited the controller reconcilation loop without requeue — regardless
of whether the ProfileBundle was still in PENDING state. If the
profileparser hadn't finished (or never ran due to a rollout delay), the
controller would never check again.

This commit also updates the profile bundle controller to requeues every
10 seconds while the status is still DataStreamPending, ensuring the
controller keeps monitoring until the profileparser either succeeds
(sets VALID) or fails (sets INVALID / pod startup error detected). In
particular, if the controller detects that the init containers for the
profileparser have completed and the bundle is still in a PENDING state,
we're deadlocked, and it should annotate the profileparser pod to rerun.

This should improve the resilience of profile bundle parsing, especially
in testing, where we delete deployments after modifying the profile
bundle image to simulate operator updates.

Assisted-By: Opus 4.6

Author: rhmdnd

pkg/controller/profilebundle/profilebundle_controller.go

@@ -42,6 +42,7 @@ var oneReplica int32 = 1
 func (r *ReconcileProfileBundle) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&compliancev1alpha1.ProfileBundle{}).
+		Owns(&appsv1.Deployment{}).
 		Complete(r)
 }
 
@@ -67,6 +68,7 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		Named("profilebundle-controller").
 		For(&compliancev1alpha1.ProfileBundle{}).
+		Owns(&appsv1.Deployment{}).
 		Complete(r)
 }
 
@@ -252,6 +254,38 @@ func (r *ReconcileProfileBundle) Reconcile(ctx context.Context, request reconcil
 	// Pod already exists and its init container at least ran - don't requeue
 	reqLogger.Info("Skip reconcile: Workload already up-to-date", "Deployment.Namespace", found.Namespace, "Deployment.Name", found.Name)
 
+	// If the ProfileBundle is still pending, the profileparser hasn't
+	// finished updating the status yet.
+	if instance.Status.DataStreamStatus == compliancev1alpha1.DataStreamPending {
+		// Check if the profileparser init container already completed.
+		// If the pod is Running and the profileparser finished, it means
+		// the profileparser ran for a previous content configuration and
+		// won't run again. This can happen when the operator restarts
+		// after updating the Deployment but before the rollout completes,
+		// leaving the old pod as the only one. Force a new rollout so
+		// the profileparser re-runs with the current content.
+		if profileparserCompleted(relevantPod) {
+			reqLogger.Info("ProfileBundle pending but profileparser already completed, forcing rollout",
+				"Pod.Name", relevantPod.Name, "Pod.Phase", relevantPod.Status.Phase)
+			updatedDepl := found.DeepCopy()
+			if updatedDepl.Spec.Template.Annotations == nil {
+				updatedDepl.Spec.Template.Annotations = make(map[string]string)
+			}
+			updatedDepl.Spec.Template.Annotations["compliance.openshift.io/restart"] = time.Now().Format(time.RFC3339)
+			err = r.Client.Update(context.TODO(), updatedDepl)
+			if err != nil {
+				reqLogger.Error(err, "Couldn't force profileparser rollout")
+				return reconcile.Result{}, err
+			}
+			return reconcile.Result{Requeue: true, RequeueAfter: 10 * time.Second}, nil
+		}
+
+		// The profileparser is still running. Requeue to check again.
+		reqLogger.Info("ProfileBundle still pending, requeueing to check status",
+			"Pod.Name", relevantPod.Name, "Pod.Phase", relevantPod.Status.Phase)
+		return reconcile.Result{Requeue: true, RequeueAfter: 10 * time.Second}, nil
+	}
+
 	// Handle upgrades
 	if instance.Status.DataStreamStatus == compliancev1alpha1.DataStreamValid &&
 		instance.Status.Conditions.GetCondition("Ready") == nil {
@@ -577,6 +611,17 @@ func podStartupError(pod *corev1.Pod) bool {
 	return false
 }
 
+// profileparserCompleted returns true if the profileparser init container
+// has already terminated successfully.
+func profileparserCompleted(pod *corev1.Pod) bool {
+	for _, initStatus := range pod.Status.InitContainerStatuses {
+		if initStatus.Name == "profileparser" {
+			return initStatus.State.Terminated != nil && initStatus.State.Terminated.ExitCode == 0
+		}
+	}
+	return false
+}
+
 func workloadNeedsUpdate(image string, depl *appsv1.Deployment) bool {
 	initContainers := depl.Spec.Template.Spec.InitContainers
 	if len(initContainers) != 2 {