
Expand ownership check for profile bundle controller #1098

Closed
rhmdnd wants to merge 1 commit into master from fix-profile-bundle-ownership

rhmdnd commented Feb 27, 2026

The controller previously only watched ProfileBundle objects. When the
profileparser Deployment's pods changed state, the controller was never
notified.

Adding Owns means any change to the owned Deployment triggers a
reconciliation of the parent ProfileBundle, so the controller is
responsive to pod lifecycle events.

Also, once the controller found an existing pod with no startup error,
it exited the controller reconciliation loop without requeue — regardless
of whether the ProfileBundle was still in PENDING state. If the
profileparser hadn't finished (or never ran due to a rollout delay), the
controller would never check again.

This commit also updates the profile bundle controller to requeue every
10 seconds while the status is still DataStreamPending, ensuring the
controller keeps monitoring until the profileparser either succeeds
(sets VALID) or fails (sets INVALID / pod startup error detected).

This should improve the resilience of profile bundle parsing, especially
in testing, where we delete deployments after modifying the profile
bundle image to simulate operator updates.

Assisted-By: Opus 4.6

@openshift-ci openshift-ci bot requested review from jhrozek and yuumasato February 27, 2026 18:26

openshift-ci bot commented Feb 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd

rhmdnd commented Feb 27, 2026

Note for reviewers - we should recheck the serial tests several times to ensure they come back green consistently before we merge this.

@github-actions

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1098-0989b32dbda372d19dc7f34b10a4c0dcfe5b4291


openshift-ci bot commented Feb 27, 2026

@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-rosa | 0989b32 | link | true | /test e2e-rosa |
| ci/prow/e2e-aws-parallel-arm | 0989b32 | link | true | /test e2e-aws-parallel-arm |
| ci/prow/e2e-aws-parallel | 0989b32 | link | true | /test e2e-aws-parallel |


rhmdnd commented Feb 27, 2026

Serial tests passed on the first run, so that's a good sign. Parallel tests are failing and it looks like that failure is related to github.com//pull/1093

/test e2e-aws-serial-arm
/test e2e-aws-serial

xiaojiey commented Feb 28, 2026

I tested with a special scenario, when setting profilebundle to a nonexistent image. I can see the requeue working as expected. The only concern is the unconditional requeueing every 10 seconds while PENDING, for example this CrashLoopBackOff scenario when the profileparser container crashes repeatedly.

$ kubectl patch profilebundle ocp4 -n openshift-compliance --type=merge \
    -p '{"spec":{"contentImage":"quay.io/nonexistent/invalid:latest"}}'
profilebundle.compliance.openshift.io/ocp4 patched
$ oc get pb -w
NAME     CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4     quay.io/nonexistent/invalid:latest           ssg-rhcos4-ds.xml   PENDING
rhcos4   ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
$ oc get pod -w
NAME                                             READY   STATUS              RESTARTS      AGE
compliance-operator-69ccf667d-kknvb              1/1     Running             2 (22m ago)   22m
ocp4-openshift-compliance-pp-5489bf48bd-rrmnj    0/1     Init:ErrImagePull   0             29s
ocp4-openshift-compliance-pp-7489f9c4f8-pjtfg    1/1     Running             0             3m42s
rhcos4-openshift-compliance-pp-9d8c7f955-jtc64   1/1     Running             0             21m
ocp4-openshift-compliance-pp-5489bf48bd-rrmnj    0/1     Init:ImagePullBackOff   0             44s
ocp4-openshift-compliance-pp-5489bf48bd-rrmnj    0/1     Init:ErrImagePull       0             59s
ocp4-openshift-compliance-pp-5489bf48bd-rrmnj    0/1     Init:ImagePullBackOff   0             71s
ocp4-openshift-compliance-pp-5489bf48bd-rrmnj    0/1     Init:ErrImagePull       0             109s
ocp4-openshift-compliance-pp-5489bf48bd-rrmnj    0/1     Init:ImagePullBackOff   0             2m1s
ocp4-openshift-compliance-pp-5489bf48bd-rrmnj    0/1     Init:ErrImagePull       0             3m20s
$ oc logs pod/compliance-operator-69ccf667d-kknvb | grep requeueing | tail -n 10
{"level":"info","ts":"2026-02-28T12:02:56.892Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:03:06.893Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:03:16.894Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:03:26.895Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:03:36.896Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:03:46.898Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:03:56.899Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:04:06.900Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:04:16.902Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:05:39.379Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
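
The requeue cadence in the log excerpt above can be measured rather than read off by eye. The following is an added example, not part of this PR or of the compliance-operator code base; `RequeueGaps`, `entry` and `sampleLogs` are hypothetical names, and the field layout is assumed from the log lines shown in the comment.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Sample: the last four requeue lines from the excerpt above plus two constructed lines.
const sampleLogs = `{"level":"info","ts":"2026-02-28T12:03:56.899Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:04:06.900Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:04:10.000Z","logger":"profilebundlectrl","msg":"constructed unrelated message","Request.Namespace":"openshift-compliance","Request.Name":"rhcos4"}
constructed plain-text line
{"level":"info","ts":"2026-02-28T12:04:16.902Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}
{"level":"info","ts":"2026-02-28T12:05:39.379Z","logger":"profilebundlectrl","msg":"ProfileBundle still pending, requeueing to check status","Request.Namespace":"openshift-compliance","Request.Name":"ocp4"}`

type entry struct {
	TS          time.Time `json:"ts"`
	Logger, Msg string
	NS          string `json:"Request.Namespace"`
	Name        string `json:"Request.Name"`
}

// RequeueGaps returns, per namespace/name, the time between consecutive
// "still pending, requeueing" entries logged by profilebundlectrl.
func RequeueGaps(logs string) map[string][]time.Duration {
	gaps, last := map[string][]time.Duration{}, map[string]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var e entry
		if json.Unmarshal(sc.Bytes(), &e) != nil || e.Logger != "profilebundlectrl" ||
			!strings.Contains(e.Msg, "still pending, requeueing") {
			continue // not JSON, or not a pending-requeue entry
		}
		key := e.NS + "/" + e.Name
		if prev, ok := last[key]; ok {
			gaps[key] = append(gaps[key], e.TS.Sub(prev))
		}
		last[key] = e.TS
	}
	return gaps
}

func main() {
	fmt.Println(RequeueGaps(sampleLogs))
}
```

Run against the full operator log instead of `sampleLogs`, the per-bundle gap list shows how long a ProfileBundle has been requeued at the fixed interval and where the cadence broke.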


rhmdnd commented Feb 28, 2026

I opened this using the wrong branch. Closing and submitting as a PR from my fork.


rhmdnd commented Feb 28, 2026

Picking up the review as #1100 instead (I opened this using the wrong branch initially), otherwise 1100 is the exact same patch.
