Merge pull request #69 from datum-cloud/test/e2e

fix: resolve stale document bug on policy update and add comprehensive e2e coverage

Author: JoseSzycho

.github/workflows/test-environment-validation.yaml

@@ -1,6 +1,9 @@
 name: Test Environment Setup and Validation
 
 on:
+  push:
+    branches:
+      - main
   workflow_dispatch:
     inputs:
       test_suite:

config/overlays/ci/kustomization.yaml

@@ -29,6 +29,30 @@ images:
 
 patches:
   - path: patches/vector-sidecar-patch.yaml
+  # In kind, images are loaded directly via `kind load` — there is no registry
+  # to pull from. Setting imagePullPolicy: Never ensures the kubelet always uses
+  # the image that was loaded, and never falls back to a stale cached layer.
+  - target:
+      kind: Deployment
+      name: search-apiserver
+    patch: |-
+      - op: replace
+        path: /spec/template/spec/containers/0/imagePullPolicy
+        value: Never
+  - target:
+      kind: Deployment
+      name: search-controller-manager
+    patch: |-
+      - op: replace
+        path: /spec/template/spec/containers/0/imagePullPolicy
+        value: Never
+  - target:
+      kind: Deployment
+      name: resource-indexer
+    patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/imagePullPolicy
+        value: Never
   - target:
       kind: APIService
       name: v1alpha1.search.miloapis.com

config/overlays/dev/kustomization.yaml

@@ -28,6 +28,30 @@ images:
 
 patches:
   - path: patches/vector-sidecar-patch.yaml
+  # In kind, images are loaded directly via `kind load` — there is no registry
+  # to pull from. Setting imagePullPolicy: Never ensures the kubelet always uses
+  # the image that was loaded, and never falls back to a stale cached layer.
+  - target:
+      kind: Deployment
+      name: search-apiserver
+    patch: |-
+      - op: replace
+        path: /spec/template/spec/containers/0/imagePullPolicy
+        value: Never
+  - target:
+      kind: Deployment
+      name: search-controller-manager
+    patch: |-
+      - op: replace
+        path: /spec/template/spec/containers/0/imagePullPolicy
+        value: Never
+  - target:
+      kind: Deployment
+      name: resource-indexer
+    patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/imagePullPolicy
+        value: Never
   - target:
       kind: APIService
       name: v1alpha1.search.miloapis.com

internal/controllers/policy/policy_controller.go

@@ -2,9 +2,6 @@ package policy
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
 	"fmt"
 	"sort"
 	"strings"
@@ -35,7 +32,9 @@ import (
 // single Kubernetes resource for background re-indexing (e.g. the NATS-backed
 type ResourceReindexPublisher interface {
 	// PublishResource publishes a single resource object for re-indexing.
-	PublishResource(ctx context.Context, resource map[string]any, resourceID string) error
+	// policyName, indexName, and specHash identify the policy version that triggered the re-index
+	// so the consumer can evaluate against the correct policy conditions.
+	PublishResource(ctx context.Context, resource map[string]any, resourceID, policyName, indexName, specHash string) error
 }
 
 // ResourceIndexPolicyReconciler reconciles a ResourceIndexPolicy object
@@ -437,17 +436,9 @@ func (r *ResourceIndexPolicyReconciler) Reconcile(ctx context.Context, req ctrl.
 
 }
 
-// computeSpecHash returns a short SHA-256 hex digest of the policy spec.
-// It is stored in an annotation to detect spec changes on aggregated API
-// servers that do not manage metadata.generation automatically.
+// computeSpecHash delegates to the shared utility for computing a policy spec hash.
 func computeSpecHash(spec *searchv1alpha1.ResourceIndexPolicySpec) string {
-	b, err := json.Marshal(spec)
-	if err != nil {
-		// Extremely unlikely; fall back to a zero string so we always re-index.
-		return ""
-	}
-	sum := sha256.Sum256(b)
-	return hex.EncodeToString(sum[:])
+	return utils.ComputeSpecHash(spec)
 }
 
 // publishReindexMessages lists all resources matching the policy's TargetResource
@@ -498,13 +489,16 @@ func (r *ResourceIndexPolicyReconciler) publishReindexMessages(
 			return fmt.Errorf("failed to list %v resources: %w", gvk, err)
 		}
 
+		indexName := policy.Status.IndexName
+		specHash := computeSpecHash(&policy.Spec)
+
 		for i := range list.Items {
 			obj := &list.Items[i]
 			logger.Info("Publishing re-index message", "resource", obj.GetName(), "namespace", obj.GetNamespace())
 			// Use "reindex/<policyName>/<uid>" as the resourceID so that duplicate
 			// messages from rapid policy updates are deduplicated by NATS.
 			resourceID := fmt.Sprintf("reindex/%s/%s", policy.Name, obj.GetUID())
-			if err := r.ReindexPublisher.PublishResource(ctx, obj.Object, resourceID); err != nil {
+			if err := r.ReindexPublisher.PublishResource(ctx, obj.Object, resourceID, policy.Name, indexName, specHash); err != nil {
 				logger.Error(err, "Failed to publish re-index message",
 					"resource", obj.GetName(), "namespace", obj.GetNamespace())
 				continue

internal/indexer/policy_cache.go

@@ -175,6 +175,13 @@ func (c *PolicyCache) WaitForCacheSync(ctx context.Context) bool {
 	return c.cache.WaitForCacheSync(ctx)
 }
 
+// GetPolicy returns a single cached policy by name, or nil if not found.
+func (c *PolicyCache) GetPolicy(name string) *policyevaluation.CachedPolicy {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.policies[name]
+}
+
 // GetPolicies returns a snapshot of all cached policies.
 func (c *PolicyCache) GetPolicies() []*policyevaluation.CachedPolicy {
 	c.mu.RLock()

internal/indexer/reindex_consumer.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 
 	"github.com/nats-io/nats.go/jetstream"
+	"go.miloapis.net/search/internal/utils"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/klog/v2"
 )
@@ -58,49 +59,7 @@ func (r *ReindexConsumer) Start(ctx context.Context) error {
 			return
 		}
 
-		queued := false
-		policies := r.policyCache.GetPolicies()
-
-		for _, cp := range policies {
-			// Skip if index name is not set yet
-			if cp.Policy.Status.IndexName == "" {
-				klog.V(2).Infof("ReindexConsumer: policy %s has no IndexName in status, skipping", cp.Policy.Name)
-				continue
-			}
-
-			evalResult, err := cp.Evaluate(obj)
-			if err != nil {
-				klog.Errorf("ReindexConsumer: policy %s evaluation error: %v", cp.Policy.Name, err)
-				continue
-			}
-
-			if evalResult.Matched {
-				klog.V(4).Infof("ReindexConsumer: match policy=%s resource=%s/%s (id=%s)",
-					cp.Policy.Name, obj.GetNamespace(), obj.GetName(), event.ID)
-
-				// Transform into indexable document
-				doc := evalResult.Transform()
-
-				// Ensure UID is set as primary key
-				ensureUID(doc, resourceUID)
-
-				r.batcher.QueueUpsert(cp.Policy.Status.IndexName, doc, &msg)
-				queued = true
-			} else {
-				klog.V(4).Infof("ReindexConsumer: policy %s did not match resource %s/%s (id=%s), ensuring deletion", cp.Policy.Name, obj.GetNamespace(), obj.GetName(), event.ID)
-
-				// If it doesn't match this policy, we should ensure it's removed from the index
-				// in case it was previously indexed there.
-				r.batcher.QueueDelete(cp.Policy.Status.IndexName, resourceUID, &msg)
-				queued = true
-			}
-		}
-
-		// If the message wasn't queued for any operation (e.g. no policies), acknowledge it
-		if !queued {
-			klog.Warningf("ReindexConsumer: event (id=%s) matched no active policies in cache, skipping", event.ID)
-			msg.Ack()
-		}
+		r.processTargetedEvent(msg, event, obj, resourceUID)
 	})
 
 	if err != nil {
@@ -113,3 +72,58 @@ func (r *ReindexConsumer) Start(ctx context.Context) error {
 	klog.Info("Shutting down ReindexConsumer...")
 	return nil
 }
+
+// processTargetedEvent evaluates a resource against the specific policy identified
+// in the event. It verifies the cached policy's spec hash matches the event's
+// spec hash to ensure evaluation uses the correct (updated) conditions.
+func (r *ReindexConsumer) processTargetedEvent(msg jetstream.Msg, event ReindexEvent, obj *unstructured.Unstructured, resourceUID string) {
+	if event.PolicyName == "" || event.IndexName == "" {
+		klog.Warningf("ReindexConsumer: event (id=%s) missing policyName or indexName, dropping", event.ID)
+		msg.Ack()
+		return
+	}
+
+	cp := r.policyCache.GetPolicy(event.PolicyName)
+	if cp == nil {
+		// Policy not in cache yet — NAK so the message is redelivered
+		// after the informer propagates the policy to the cache.
+		klog.V(2).Infof("ReindexConsumer: policy %s not in cache yet, NAK for redelivery (id=%s)",
+			event.PolicyName, event.ID)
+		msg.Nak()
+		return
+	}
+
+	// Verify the cached policy spec matches the version that triggered re-indexing.
+	if event.SpecHash != "" {
+		cachedHash := utils.ComputeSpecHash(&cp.Policy.Spec)
+		if cachedHash != event.SpecHash {
+			// Cache is stale — NAK so the message is redelivered after
+			// the informer propagates the updated policy spec.
+			klog.V(2).Infof("ReindexConsumer: policy %s cache stale (cached=%s, event=%s), NAK for redelivery (id=%s)",
+				event.PolicyName, cachedHash[:8], event.SpecHash[:8], event.ID)
+			msg.Nak()
+			return
+		}
+	}
+
+	evalResult, err := cp.Evaluate(obj)
+	if err != nil {
+		klog.Errorf("ReindexConsumer: policy %s evaluation error: %v", event.PolicyName, err)
+		msg.Ack()
+		return
+	}
+
+	if evalResult.Matched {
+		klog.V(4).Infof("ReindexConsumer: match policy=%s resource=%s/%s (id=%s)",
+			event.PolicyName, obj.GetNamespace(), obj.GetName(), event.ID)
+
+		doc := evalResult.Transform()
+		ensureUID(doc, resourceUID)
+		r.batcher.QueueUpsert(event.IndexName, doc, &msg)
+	} else {
+		klog.V(4).Infof("ReindexConsumer: policy %s did not match resource %s/%s (id=%s), deleting from index",
+			event.PolicyName, obj.GetNamespace(), obj.GetName(), event.ID)
+
+		r.batcher.QueueDelete(event.IndexName, resourceUID, &msg)
+	}
+}

internal/indexer/reindex_publisher.go

@@ -15,6 +15,13 @@ type ReindexEvent struct {
 	ID string `json:"id"`
 	// Resource is the full Kubernetes resource object to be re-indexed.
 	Resource map[string]any `json:"resource"`
+	// PolicyName identifies the policy that triggered this re-index.
+	PolicyName string `json:"policyName"`
+	// IndexName is the Meilisearch index name from the policy status.
+	IndexName string `json:"indexName"`
+	// SpecHash is the SHA-256 hash of the policy spec at the time of publishing.
+	// The consumer uses this to ensure it evaluates against the correct policy version.
+	SpecHash string `json:"specHash"`
 }
 
 // ReindexPublisher publishes ReindexEvents to the REINDEX_EVENTS JetStream stream.
@@ -29,10 +36,13 @@ func NewReindexPublisher(js jetstream.JetStream, subject string) *ReindexPublish
 }
 
 // PublishResource publishes a single Kubernetes resource for re-indexing.
-func (p *ReindexPublisher) PublishResource(ctx context.Context, resource map[string]any, id string) error {
+func (p *ReindexPublisher) PublishResource(ctx context.Context, resource map[string]any, id, policyName, indexName, specHash string) error {
 	evt := ReindexEvent{
-		ID:       id,
-		Resource: resource,
+		ID:         id,
+		Resource:   resource,
+		PolicyName: policyName,
+		IndexName:  indexName,
+		SpecHash:   specHash,
 	}
 
 	data, err := json.Marshal(evt)

internal/utils/search.go

@@ -1,6 +1,9 @@
 package utils
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
 	"strings"
 
 	searchv1alpha1 "go.miloapis.net/search/pkg/apis/search/v1alpha1"
@@ -10,3 +13,15 @@ func GetSearchIndex(tg searchv1alpha1.TargetResource) string {
 	res := tg.Group + "_" + tg.Version + "_" + tg.Kind
 	return strings.ReplaceAll(res, ".", "-")
 }
+
+// ComputeSpecHash returns a SHA-256 hex digest of the policy spec.
+// Used by both the controller (to detect spec changes) and the re-index
+// consumer (to verify cache freshness before evaluating).
+func ComputeSpecHash(spec *searchv1alpha1.ResourceIndexPolicySpec) string {
+	b, err := json.Marshal(spec)
+	if err != nil {
+		return ""
+	}
+	sum := sha256.Sum256(b)
+	return hex.EncodeToString(sum[:])
+}