fix: remediator missing custom resource events

Prior to this change, the remediator watches were only being started
for new custom resources after the apply attempt had fully completed.
This left some time after the object was applied that the remediator
could miss events made by third-parties. Normally, this would be fine,
because the remediator would revert any change after the watch was
started. But if a DELETE event was missed, the object wouldn't be
recreated until the next apply attempt.

This change adds a CRD Controller to the remediator that watches CRDs
and executes any registered handlers when the CRD is established,
unestablished, or deleted. The remediator now registers CRD handlers
for each resource type it watches, starting and stopping watchers
as soon as possible, without waiting for a new apply attempt or
watch update retry.

Author: karlkfi

cmd/reconciler-manager/main.go

@@ -95,7 +95,7 @@ func main() {
 	}
 	watchFleetMembership := fleetMembershipCRDExists(dynamicClient, mgr.GetRESTMapper(), &setupLog)
 
-	crdController := controllers.NewCRDReconciler(
+	crdController := controllers.NewCRDController(mgr.GetCache(),
 		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName("CRD"))
 	if err := crdController.Register(mgr); err != nil {
 		setupLog.Error(err, "failed to register controller", "controller", "CRD")
@@ -108,11 +108,14 @@ func main() {
 		mgr.GetClient(), watcher, dynamicClient,
 		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName(configsync.RepoSyncKind),
 		mgr.GetScheme())
-	crdController.SetCRDHandler(configsync.RepoSyncCRDName, func() error {
-		if err := repoSyncController.Register(mgr, watchFleetMembership); err != nil {
-			return fmt.Errorf("registering %s controller: %w", configsync.RepoSyncKind, err)
+	crdController.SetCRDHandler(configsync.RepoSyncCRDName, func(_ context.Context, established bool) error {
+		if established {
+			if err := repoSyncController.Register(mgr, watchFleetMembership); err != nil {
+				return fmt.Errorf("registering %s controller: %w", configsync.RepoSyncKind, err)
+			}
+			setupLog.Info("RepoSync controller registration successful")
 		}
-		setupLog.Info("RepoSync controller registration successful")
+		// TODO: unregister RepoSync controller if CRD is deleted?
 		return nil
 	})
 	setupLog.Info("RepoSync controller registration scheduled")
@@ -122,11 +125,14 @@ func main() {
 		mgr.GetClient(), watcher, dynamicClient,
 		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName(configsync.RootSyncKind),
 		mgr.GetScheme())
-	crdController.SetCRDHandler(configsync.RootSyncCRDName, func() error {
-		if err := rootSyncController.Register(mgr, watchFleetMembership); err != nil {
-			return fmt.Errorf("registering %s controller: %w", configsync.RootSyncKind, err)
+	crdController.SetCRDHandler(configsync.RootSyncCRDName, func(_ context.Context, established bool) error {
+		if established {
+			if err := rootSyncController.Register(mgr, watchFleetMembership); err != nil {
+				return fmt.Errorf("registering %s controller: %w", configsync.RootSyncKind, err)
+			}
+			setupLog.Info("RootSync controller registration successful")
 		}
-		setupLog.Info("RootSync controller registration successful")
+		// TODO: unregister RootSync controller if CRD is deleted?
 		return nil
 	})
 	setupLog.Info("RootSync controller registration scheduled")

manifests/ns-reconciler-base-cluster-role.yaml

@@ -32,3 +32,6 @@ rules:
 - apiGroups: ["kpt.dev"]
   resources: ["resourcegroups/status"]
   verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get","list","watch"]

manifests/root-reconciler-base-cluster-role.yaml

@@ -32,3 +32,6 @@ rules:
 - apiGroups: ["kpt.dev"]
   resources: ["resourcegroups/status"]
   verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get","list","watch"]

pkg/reconciler/reconciler.go

@@ -37,6 +37,7 @@ import (
 	"kpt.dev/configsync/pkg/parse/events"
 	"kpt.dev/configsync/pkg/reconciler/finalizer"
 	"kpt.dev/configsync/pkg/reconciler/namespacecontroller"
+	"kpt.dev/configsync/pkg/reconcilermanager/controllers"
 	"kpt.dev/configsync/pkg/remediator"
 	"kpt.dev/configsync/pkg/remediator/conflict"
 	"kpt.dev/configsync/pkg/remediator/watch"
@@ -219,10 +220,44 @@ func Run(opts Options) {
 		klog.Fatalf("Error creating rest config for the remediator: %v", err)
 	}
 
+	// Start listening to signals
+	signalCtx := signals.SetupSignalHandler()
+
+	// Create the ControllerManager
+	ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
+	mgrOptions := ctrl.Options{
+		Scheme: core.Scheme,
+		MapperProvider: func(_ *rest.Config, _ *http.Client) (meta.RESTMapper, error) {
+			return mapper, nil
+		},
+		BaseContext: func() context.Context {
+			return signalCtx
+		},
+	}
+	// For Namespaced Reconcilers, set the default namespace to watch.
+	// Otherwise, all namespaced informers will watch at the cluster-scope.
+	// This prevents Namespaced Reconcilers from needing cluster-scoped read
+	// permissions.
+	if opts.ReconcilerScope != declared.RootScope {
+		mgrOptions.Cache.DefaultNamespaces = map[string]cache.Config{
+			string(opts.ReconcilerScope): {},
+		}
+	}
+	mgr, err := ctrl.NewManager(cfgForWatch, mgrOptions)
+	if err != nil {
+		klog.Fatalf("Instantiating Controller Manager: %v", err)
+	}
+
+	crdController := controllers.NewCRDController(mgr.GetCache(),
+		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName("CRD"))
+	if err := crdController.Register(mgr); err != nil {
+		klog.Fatalf("Instantiating CRD Controller: %v", err)
+	}
+
 	conflictHandler := conflict.NewHandler()
 	fightHandler := fight.NewHandler()
 
-	rem, err := remediator.New(opts.ReconcilerScope, opts.SyncName, cfgForWatch, baseApplier, conflictHandler, fightHandler, decls, opts.NumWorkers)
+	rem, err := remediator.New(opts.ReconcilerScope, opts.SyncName, cfgForWatch, baseApplier, conflictHandler, fightHandler, crdController, decls, opts.NumWorkers)
 	if err != nil {
 		klog.Fatalf("Instantiating Remediator: %v", err)
 	}
@@ -303,34 +338,6 @@ func Run(opts Options) {
 		parser = parse.NewNamespaceRunner(parseOpts)
 	}
 
-	// Start listening to signals
-	signalCtx := signals.SetupSignalHandler()
-
-	// Create the ControllerManager
-	ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
-	mgrOptions := ctrl.Options{
-		Scheme: core.Scheme,
-		MapperProvider: func(_ *rest.Config, _ *http.Client) (meta.RESTMapper, error) {
-			return mapper, nil
-		},
-		BaseContext: func() context.Context {
-			return signalCtx
-		},
-	}
-	// For Namespaced Reconcilers, set the default namespace to watch.
-	// Otherwise, all namespaced informers will watch at the cluster-scope.
-	// This prevents Namespaced Reconcilers from needing cluster-scoped read
-	// permissions.
-	if opts.ReconcilerScope != declared.RootScope {
-		mgrOptions.Cache.DefaultNamespaces = map[string]cache.Config{
-			string(opts.ReconcilerScope): {},
-		}
-	}
-	mgr, err := ctrl.NewManager(cfgForWatch, mgrOptions)
-	if err != nil {
-		klog.Fatalf("Instantiating Controller Manager: %v", err)
-	}
-
 	// This cancelFunc will be used by the Finalizer to stop all the other
 	// controllers (Parser & Remediator).
 	ctx, stopControllers := context.WithCancel(signalCtx)

pkg/reconcilermanager/controllers/crd_controller.go

@@ -22,57 +22,90 @@ import (
 	"github.com/go-logr/logr"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	controllerruntime "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 // CRDHandler is called by the CRDReconciler to handle establishment of a CRD.
-type CRDHandler func() error
+type CRDHandler func(ctx context.Context, established bool) error
 
-var _ reconcile.Reconciler = &CRDReconciler{}
+// CRDWatcher allows callers to add CRDHandlers for specific CRDs by name.
+type CRDWatcher interface {
+	SetCRDHandler(crdName string, handler CRDHandler)
+	RemoveCRDHandler(crdName string)
+}
+
+var _ reconcile.Reconciler = &CRDController{}
+var _ CRDWatcher = &CRDController{}
 
-// CRDReconciler watches CRDs and calls handlers once they are established.
-type CRDReconciler struct {
+// CRDController watches CRDs and calls handlers once they are established.
+type CRDController struct {
 	loggingController
+	cache cache.Cache
 
-	registerLock sync.Mutex
-	handlers     map[string]CRDHandler
-	handledCRDs  map[string]struct{}
+	registerLock    sync.Mutex
+	handlers        map[string]CRDHandler
+	handledCRDState map[string]bool
 }
 
-// NewCRDReconciler constructs a new CRDReconciler.
-func NewCRDReconciler(log logr.Logger) *CRDReconciler {
-	return &CRDReconciler{
+// NewCRDController constructs a new CRDReconciler.
+func NewCRDController(cache cache.Cache, log logr.Logger) *CRDController {
+	return &CRDController{
 		loggingController: loggingController{
 			log: log,
 		},
-		handlers:    make(map[string]CRDHandler),
-		handledCRDs: make(map[string]struct{}),
+		cache:           cache,
+		handlers:        make(map[string]CRDHandler),
+		handledCRDState: make(map[string]bool),
 	}
 }
 
 // SetCRDHandler adds an handler for the specified CRD.
 // The handler will be called when the CRD becomes established.
 // If the handler errors, it will be retried with backoff until success.
-// One the handler succeeds, it will not be called again, unless SetCRDHandler
-// is called again.
-func (r *CRDReconciler) SetCRDHandler(crdName string, crdHandler CRDHandler) {
+// One the handler succeeds as established, it will not be called again, unless
+// SetCRDHandler is called again or the CRD becomes unestablished or is deleted.
+func (r *CRDController) SetCRDHandler(crdName string, crdHandler CRDHandler) {
 	r.registerLock.Lock()
 	defer r.registerLock.Unlock()
 
 	r.handlers[crdName] = crdHandler
-	delete(r.handledCRDs, crdName)
+	delete(r.handledCRDState, crdName)
+}
+
+// RemoveCRDHandler removes the handler for the specified CRD.
+func (r *CRDController) RemoveCRDHandler(crdName string) {
+	r.registerLock.Lock()
+	defer r.registerLock.Unlock()
+
+	delete(r.handlers, crdName)
+	delete(r.handledCRDState, crdName)
 }
 
 // Reconcile the otel ConfigMap and update the Deployment annotation.
-func (r *CRDReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
+func (r *CRDController) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
 	crdName := req.Name
 	ctx = r.setLoggerValues(ctx, "crd", crdName)
 
+	// Established if CRD exists and .status.conditions[type="Established"].status = "True"
+	var established bool
+	crdObj := &apiextensionsv1.CustomResourceDefinition{}
+	if err := r.cache.Get(ctx, req.NamespacedName, crdObj); err != nil {
+		switch {
+		// Should never run into NoMatchFound, since CRD is a built-in resource.
+		case apierrors.IsNotFound(err):
+			established = false
+		default:
+			// Retry with backoff
+			return reconcile.Result{},
+				fmt.Errorf("getting CRD from cache: %s: %w", crdName, err)
+		}
+	} else {
+		established = crdIsEstablished(crdObj)
+	}
+
 	r.registerLock.Lock()
 	defer r.registerLock.Unlock()
 
@@ -81,57 +114,35 @@ func (r *CRDReconciler) Reconcile(ctx context.Context, req reconcile.Request) (r
 		// No handler for this CRD
 		return reconcile.Result{}, nil
 	}
-	if _, handled := r.handledCRDs[crdName]; handled {
-		// Already handled
-		return reconcile.Result{}, nil
+	if lastHandledState, found := r.handledCRDState[crdName]; found {
+		if lastHandledState == established {
+			// Already handled latest state
+			return reconcile.Result{}, nil
+		}
 	}
 
-	r.logger(ctx).V(3).Info("reconciling CRD", "crd", crdName)
+	r.logger(ctx).V(3).Info("reconciling CRD", "crd", crdName, "established", established)
 
-	if err := handler(); err != nil {
+	if err := handler(ctx, established); err != nil {
 		// Retry with backoff
 		return reconcile.Result{},
 			fmt.Errorf("reconciling CRD %s: %w", crdName, err)
 	}
-	// Mark CRD as handled
-	r.handledCRDs[crdName] = struct{}{}
+	// Record latest handled CRD state
+	r.handledCRDState[crdName] = established
 
-	r.logger(ctx).V(3).Info("reconciling CRD successful", "crd", crdName)
+	r.logger(ctx).V(3).Info("reconciling CRD successful", "crd", crdName, "established", established)
 
 	return controllerruntime.Result{}, nil
 }
 
 // Register the CRD controller with reconciler-manager.
-func (r *CRDReconciler) Register(mgr controllerruntime.Manager) error {
+func (r *CRDController) Register(mgr controllerruntime.Manager) error {
 	return controllerruntime.NewControllerManagedBy(mgr).
-		For(&apiextensionsv1.CustomResourceDefinition{},
-			builder.WithPredicates(
-				ignoreDeletesPredicate(),
-				crdIsEstablishedPredicate())).
+		For(&apiextensionsv1.CustomResourceDefinition{}).
 		Complete(r)
 }
 
-// ignoreDeletesPredicate returns a predicate that handles CREATE, UPDATE, and
-// GENERIC events, but not DELETE events.
-func ignoreDeletesPredicate() predicate.Predicate {
-	return predicate.Funcs{
-		DeleteFunc: func(_ event.DeleteEvent) bool {
-			return false
-		},
-	}
-}
-
-// crdIsEstablishedPredicate returns a predicate that only processes events for
-// established CRDs.
-func crdIsEstablishedPredicate() predicate.Predicate {
-	return predicate.NewPredicateFuncs(func(obj client.Object) bool {
-		if crd, ok := obj.(*apiextensionsv1.CustomResourceDefinition); ok {
-			return crdIsEstablished(crd)
-		}
-		return false
-	})
-}
-
 // crdIsEstablished returns true if the given CRD is established on the cluster,
 // which indicates if discovery knows about it yet. For more info see
 // https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#create-a-customresourcedefinition

pkg/reconcilermanager/controllers/reposync_controller.go

@@ -74,7 +74,7 @@ type RepoSyncReconciler struct {
 	// configMapWatches stores which namespaces where we are currently watching ConfigMaps
 	configMapWatches map[string]bool
 
-	controller *controller.Controller
+	controller controller.Controller
 
 	cache cache.Cache
 }
@@ -472,6 +472,14 @@ func (r *RepoSyncReconciler) deleteManagedObjects(ctx context.Context, reconcile
 
 // Register RepoSync controller with reconciler-manager.
 func (r *RepoSyncReconciler) Register(mgr controllerruntime.Manager, watchFleetMembership bool) error {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+
+	if r.controller != nil {
+		// Already registered
+		return nil
+	}
+
 	controllerBuilder := controllerruntime.NewControllerManagedBy(mgr).
 		WithOptions(controller.Options{
 			MaxConcurrentReconciles: 1,
@@ -504,7 +512,7 @@ func (r *RepoSyncReconciler) Register(mgr controllerruntime.Manager, watchFleetM
 	}
 
 	ctrlr, err := controllerBuilder.Build(r)
-	r.controller = &ctrlr
+	r.controller = ctrlr
 	r.cache = mgr.GetCache()
 	return err
 }
@@ -524,7 +532,7 @@ func (r *RepoSyncReconciler) watchConfigMaps(rs *v1beta1.RepoSync) error {
 
 	if _, ok := r.configMapWatches[rs.Namespace]; !ok {
 		klog.Infoln("Adding watch for ConfigMaps in namespace ", rs.Namespace)
-		ctrlr := *r.controller
+		ctrlr := r.controller
 
 		if err := ctrlr.Watch(source.Kind(r.cache, withNamespace(&corev1.ConfigMap{}, rs.Namespace),
 			handler.EnqueueRequestsFromMapFunc(r.mapConfigMapToRepoSyncs),