CLOUDP-125096: Unset conditions for unused resources (#566)

* Unset conditions if resource is no longer in use
* Move condition setting inside for each project service type
* Refactor IP Access List and Private Endpoints ensure functions

Author: fabritsius

pkg/api/v1/status/condition.go

@@ -111,6 +111,16 @@ func EnsureConditionExists(condition Condition, source []Condition) []Condition
 	return target
 }
 
+func RemoveConditionIfExists(conditionType ConditionType, source []Condition) []Condition {
+	updatedConditions := []Condition{}
+	for _, cond := range source {
+		if cond.Type != conditionType {
+			updatedConditions = append(updatedConditions, cond)
+		}
+	}
+	return updatedConditions
+}
+
 func (c Condition) WithReason(reason string) Condition {
 	c.Reason = reason
 	return c

pkg/controller/atlasproject/atlasproject_controller.go

@@ -34,7 +34,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	mdbv1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
@@ -182,67 +181,34 @@ func (r *AtlasProjectReconciler) Reconcile(context context.Context, req ctrl.Req
 	ctx.SetConditionTrue(status.ProjectReadyType)
 	r.EventRecorder.Event(project, "Normal", string(status.ProjectReadyType), "")
 
-	if result = ensureIPAccessList(ctx, projectID, project); !result.IsOk() {
-		setCondition(ctx, status.IPAccessListReadyType, result)
+	if result := ensureIPAccessList(ctx, projectID, project); !result.IsOk() {
+		logIfWarning(ctx, result)
 		return result.ReconcileResult(), nil
 	}
+	r.EventRecorder.Event(project, "Normal", string(status.IPAccessListReadyType), "")
 
-	allReady, result := r.allIPAccessListsAreReady(context, ctx, projectID)
-	if !result.IsOk() {
-		ctx.SetConditionFalse(status.IPAccessListReadyType)
+	if result = ensurePrivateEndpoint(ctx, projectID, project); !result.IsOk() {
+		logIfWarning(ctx, result)
 		return result.ReconcileResult(), nil
 	}
+	r.EventRecorder.Event(project, "Normal", string(status.PrivateEndpointReadyType), "")
 
-	if allReady {
-		ctx.SetConditionTrue(status.IPAccessListReadyType)
-		r.EventRecorder.Event(project, "Normal", string(status.IPAccessListReadyType), "")
-	} else {
-		ctx.SetConditionFalse(status.IPAccessListReadyType)
-		return reconcile.Result{Requeue: true}, nil
+	if result = r.ensureIntegration(ctx, projectID, project); !result.IsOk() {
+		logIfWarning(ctx, result)
+		return result.ReconcileResult(), nil
 	}
+	r.EventRecorder.Event(project, "Normal", string(status.IntegrationReadyType), "")
 
 	if result = ensureMaintenanceWindow(ctx, projectID, project); !result.IsOk() {
-		setCondition(ctx, status.MaintenanceWindowReadyType, result)
-		r.Log.Warnf("Maintenance window reconciliation failed with error : %s", result.GetMessage())
+		logIfWarning(ctx, result)
 		return result.ReconcileResult(), nil
 	}
 	r.EventRecorder.Event(project, "Normal", string(status.MaintenanceWindowReadyType), "")
-	ctx.SetConditionTrue(status.MaintenanceWindowReadyType)
-
-	if result = r.ensurePrivateEndpoint(ctx, projectID, project); !result.IsOk() {
-		return result.ReconcileResult(), nil
-	}
-	r.EventRecorder.Event(project, "Normal", string(status.PrivateEndpointReadyType), "")
-
-	if result = r.ensureIntegration(ctx, projectID, project); !result.IsOk() {
-		setCondition(ctx, status.IntegrationReadyType, result)
-		return result.ReconcileResult(), nil
-	}
-	r.EventRecorder.Event(project, "Normal", string(status.IntegrationReadyType), "")
 
 	ctx.SetConditionTrue(status.ReadyType)
 	return workflow.OK().ReconcileResult(), nil
 }
 
-// allIPAccessListsAreReady returns true if all ipAccessLists are in the ACTIVE state.
-func (r *AtlasProjectReconciler) allIPAccessListsAreReady(context context.Context, ctx *workflow.Context, projectID string) (bool, workflow.Result) {
-	atlasAccess, _, err := ctx.Client.ProjectIPAccessList.List(context, projectID, &mongodbatlas.ListOptions{})
-	if err != nil {
-		return false, workflow.Terminate(workflow.Internal, err.Error())
-	}
-	for _, ipAccessList := range atlasAccess.Results {
-		ipStatus, err := GetIPAccessListStatus(ctx.Client, ipAccessList)
-		if err != nil {
-			return false, workflow.Terminate(workflow.Internal, err.Error())
-		}
-		if ipStatus.Status != string(IPAccessListActive) {
-			r.Log.Infof("IP Access List %v is not active", ipAccessList)
-			return false, workflow.InProgress(workflow.ProjectIPAccessListNotActive, fmt.Sprintf("%s IP Access List is not yet active, current state: %s", getAccessListEntry(ipAccessList), ipStatus.Status))
-		}
-	}
-	return true, workflow.OK()
-}
-
 func (r *AtlasProjectReconciler) deleteAtlasProject(ctx context.Context, atlasClient mongodbatlas.Client, project *mdbv1.AtlasProject) (err error) {
 	log := r.Log.With("atlasproject", kube.ObjectKeyFromObject(project))
 	log.Infow("-> Starting AtlasProject deletion", "spec", project.Spec)
@@ -319,6 +285,10 @@ func removeString(slice []string, s string) (result []string) {
 // setCondition sets the condition from the result and logs the warnings
 func setCondition(ctx *workflow.Context, condition status.ConditionType, result workflow.Result) {
 	ctx.SetConditionFromResult(condition, result)
+	logIfWarning(ctx, result)
+}
+
+func logIfWarning(ctx *workflow.Context, result workflow.Result) {
 	if result.IsWarning() {
 		ctx.Log.Warnw(result.GetMessage())
 	}

pkg/controller/atlasproject/integrations.go

@@ -17,6 +17,22 @@ import (
 )
 
 func (r *AtlasProjectReconciler) ensureIntegration(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
+	result := r.createOrDeleteIntegrations(ctx, projectID, project)
+	if !result.IsOk() {
+		ctx.SetConditionFromResult(status.IntegrationReadyType, result)
+		return result
+	}
+
+	if len(project.Spec.Integrations) == 0 {
+		ctx.UnsetCondition(status.IntegrationReadyType)
+		return workflow.OK()
+	}
+
+	ctx.SetConditionTrue(status.IntegrationReadyType)
+	return workflow.OK()
+}
+
+func (r *AtlasProjectReconciler) createOrDeleteIntegrations(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
 	integrationsInAtlas, err := fetchIntegrations(ctx, projectID)
 	if err != nil {
 		return workflow.Terminate(workflow.ProjectIntegrationInternal, err.Error())
@@ -45,9 +61,7 @@ func (r *AtlasProjectReconciler) ensureIntegration(ctx *workflow.Context, projec
 	if ready := r.checkIntegrationsReady(ctx, project.Namespace, integrationsToUpdate, project.Spec.Integrations); !ready {
 		return workflow.InProgress(workflow.ProjectIntegrationReady, "in progress")
 	}
-	if len(project.Spec.Integrations) > 0 {
-		ctx.SetConditionTrue(status.IntegrationReadyType)
-	}
+
 	return workflow.OK()
 }
 

pkg/controller/atlasproject/ipaccess_list.go

@@ -40,6 +40,22 @@ func (i atlasProjectIPAccessList) Identifier() interface{} {
 // state of the IP Access list specified in the project CR. Any Access Lists which exist
 // in Atlas but are not specified in the CR are deleted.
 func ensureIPAccessList(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
+	result := syncIPAccessListWithAtlas(ctx, projectID, project)
+	if !result.IsOk() {
+		ctx.SetConditionFromResult(status.IPAccessListReadyType, result)
+		return result
+	}
+
+	if len(project.Spec.ProjectIPAccessList) == 0 {
+		ctx.UnsetCondition(status.IPAccessListReadyType)
+		return workflow.OK()
+	}
+
+	ctx.SetConditionTrue(status.IPAccessListReadyType)
+	return result
+}
+
+func syncIPAccessListWithAtlas(ctx *workflow.Context, projectID string, project *mdbv1.AtlasProject) workflow.Result {
 	if err := validateIPAccessLists(project.Spec.ProjectIPAccessList); err != nil {
 		return workflow.Terminate(workflow.ProjectIPAccessInvalid, err.Error())
 	}
@@ -49,9 +65,38 @@ func ensureIPAccessList(ctx *workflow.Context, projectID string, project *mdbv1.
 		return result
 	}
 	ctx.EnsureStatusOption(status.AtlasProjectExpiredIPAccessOption(expired))
+
+	allReady, result := allIPAccessListsAreReady(context.Background(), ctx, projectID)
+	if !result.IsOk() {
+		return result
+	}
+
+	if !allReady {
+		return workflow.InProgress(workflow.ProjectIPAccessListNotActive, "IP Access List not ready")
+	}
+
 	return workflow.OK()
 }
 
+// allIPAccessListsAreReady returns true if all ipAccessLists are in the ACTIVE state.
+func allIPAccessListsAreReady(context context.Context, ctx *workflow.Context, projectID string) (bool, workflow.Result) {
+	atlasAccess, _, err := ctx.Client.ProjectIPAccessList.List(context, projectID, &mongodbatlas.ListOptions{})
+	if err != nil {
+		return false, workflow.Terminate(workflow.Internal, err.Error())
+	}
+	for _, ipAccessList := range atlasAccess.Results {
+		ipStatus, err := GetIPAccessListStatus(ctx.Client, ipAccessList)
+		if err != nil {
+			return false, workflow.Terminate(workflow.Internal, err.Error())
+		}
+		if ipStatus.Status != string(IPAccessListActive) {
+			ctx.Log.Infof("IP Access List %v is not active", ipAccessList)
+			return false, workflow.InProgress(workflow.ProjectIPAccessListNotActive, fmt.Sprintf("%s IP Access List is not yet active, current state: %s", getAccessListEntry(ipAccessList), ipStatus.Status))
+		}
+	}
+	return true, workflow.OK()
+}
+
 func validateIPAccessLists(ipAccessList []project.IPAccessList) error {
 	for _, list := range ipAccessList {
 		if err := validateSingleIPAccessList(list); err != nil {

pkg/controller/atlasproject/maintenancewindow.go

@@ -8,47 +8,60 @@ import (
 
 	mdbv1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/project"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/status"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/workflow"
 )
 
 // ensureMaintenanceWindow ensures that the state of the Atlas Maintenance Window matches the
 // state of the Maintenance Window specified in the project CR. If a Maintenance Window exists
 // in Atlas but is not specified in the CR, it is deleted.
 func ensureMaintenanceWindow(ctx *workflow.Context, projectID string, atlasProject *mdbv1.AtlasProject) workflow.Result {
-	windowSpec := atlasProject.Spec.MaintenanceWindow
+	if isEmptyWindow(atlasProject.Spec.MaintenanceWindow) {
+		if condition, found := ctx.GetCondition(status.MaintenanceWindowReadyType); found {
+			ctx.Log.Debugw("Window is empty, deleting in Atlas")
+			if result := deleteInAtlas(ctx.Client, projectID); !result.IsOk() {
+				ctx.SetConditionFromResult(condition.Type, result)
+				return result
+			}
+			ctx.UnsetCondition(condition.Type)
+		}
+
+		return workflow.OK()
+	}
+
+	if result := syncAtlasWithSpec(ctx, projectID, atlasProject.Spec.MaintenanceWindow); !result.IsOk() {
+		ctx.SetConditionFromResult(status.MaintenanceWindowReadyType, result)
+		return result
+	}
+
+	ctx.SetConditionTrue(status.MaintenanceWindowReadyType)
+	return workflow.OK()
+}
+
+func syncAtlasWithSpec(ctx *workflow.Context, projectID string, windowSpec project.MaintenanceWindow) workflow.Result {
+	ctx.Log.Debugw("Validate the maintenance window")
 	if err := validateMaintenanceWindow(windowSpec); err != nil {
 		return workflow.Terminate(workflow.ProjectWindowInvalid, err.Error())
 	}
 
-	if isEmptyWindow(windowSpec) {
-		ctx.Log.Debugw("Window empty or undefined, deleting in Atlas")
-		if result := deleteInAtlas(ctx.Client, projectID); !result.IsOk() {
-			return result
-		}
-		return workflow.OK()
+	ctx.Log.Debugw("Checking if window needs update")
+	windowInAtlas, result := getInAtlas(ctx.Client, projectID)
+	if !result.IsOk() {
+		return result
 	}
 
-	if windowSpecified(windowSpec) {
-		ctx.Log.Debugw("Checking if window needs update")
-		windowInAtlas, result := getInAtlas(ctx.Client, projectID)
-		if !result.IsOk() {
+	if daysOrHoursAreDifferent(windowInAtlas, windowSpec) {
+		ctx.Log.Debugw("Creating or updating window")
+		// We set startASAP to false because the operator takes care of calling the API a second time if both
+		// startASAP and the new maintenance timeslots are defined
+		if result := createOrUpdateInAtlas(ctx.Client, projectID, windowSpec.WithStartASAP(false)); !result.IsOk() {
 			return result
 		}
-
-		if windowInAtlas.DayOfWeek == 0 || windowInAtlas.HourOfDay == nil ||
-			*windowInAtlas.HourOfDay != windowSpec.HourOfDay || windowInAtlas.DayOfWeek != windowSpec.DayOfWeek {
-			ctx.Log.Debugw("Creating or updating window")
-			// We set startASAP to false because the operator takes care of calling the API a second time if both
-			// startASAP and the new maintenance timeslots are defined
-			if result := createOrUpdateInAtlas(ctx.Client, projectID, windowSpec.WithStartASAP(false)); !result.IsOk() {
-				return result
-			}
-		} else if *windowInAtlas.AutoDeferOnceEnabled != windowSpec.AutoDefer {
-			// If autoDefer flag is different in Atlas, and we haven't updated the window previously, we toggle the flag
-			ctx.Log.Debugw("Toggling autoDefer")
-			if result := toggleAutoDeferInAtlas(ctx.Client, projectID); !result.IsOk() {
-				return result
-			}
+	} else if *windowInAtlas.AutoDeferOnceEnabled != windowSpec.AutoDefer {
+		// If autoDefer flag is different in Atlas, and we haven't updated the window previously, we toggle the flag
+		ctx.Log.Debugw("Toggling autoDefer")
+		if result := toggleAutoDeferInAtlas(ctx.Client, projectID); !result.IsOk() {
+			return result
 		}
 	}
 
@@ -91,10 +104,15 @@ func maxOneFlag(window project.MaintenanceWindow) bool {
 	return !(window.StartASAP && window.Defer)
 }
 
+func daysOrHoursAreDifferent(windowInAtlas *mongodbatlas.MaintenanceWindow, windowSpec project.MaintenanceWindow) bool {
+	return windowInAtlas.DayOfWeek == 0 || windowInAtlas.HourOfDay == nil ||
+		*windowInAtlas.HourOfDay != windowSpec.HourOfDay || windowInAtlas.DayOfWeek != windowSpec.DayOfWeek
+}
+
 // validateMaintenanceWindow performs validation of the Maintenance Window. Note, that we intentionally don't validate
 // that hour of day and day of week are in the bounds - this will be done by Atlas.
 func validateMaintenanceWindow(window project.MaintenanceWindow) error {
-	if isEmptyWindow(window) || (windowSpecified(window) && maxOneFlag(window)) {
+	if windowSpecified(window) && maxOneFlag(window) {
 		return nil
 	}
 	errorString := "projectMaintenanceWindow must respect the following constraints, or be empty : " +

pkg/controller/atlasproject/maintenancewindow_test.go

@@ -22,7 +22,7 @@ func TestValidateMaintenanceWindow(t *testing.T) {
 				Defer:     false,
 				AutoDefer: false,
 			},
-			valid: true,
+			valid: false,
 		},
 
 		// Only dayOfWeek specified, valid