Bug: Resource with reconcile-policy: skip doesn't populate ConfigMap

[skinny]

Describe the bug
Using ASO V2 I expect an UserAssignedIdentity to populate the ConfigMap described in the operaterSpec. This works, but when I introduce the serviceoperator.azure.com/reconcile-policy: skip (because this is an already existing identity) the ConfigMap is not created/populated

To Reproduce

• Deploy an UserAssignedIdentity with the following yaml :

apiVersion: managedidentity.azure.com/v1beta20181130
kind: UserAssignedIdentity
metadata:
  name: umi-my-app
  annotations:
    serviceoperator.azure.com/reconcile-policy: skip
spec:
  location: westeurope
  owner:
    name: rg-umi-my-app
  operatorSpec:
    configMaps:
      principalId:
        name: deploy-identity
        key: principalId
      clientId:
        name: deploy-identity
        key: clientId
      tenantId:
        name: deploy-identity
        key: tenantId

Expected behavior
The deploy-identity configmap should be created and populated just like when the UAI is created as a an ASO managed resource.

Screenshots
n/a

Additional context
n/a

[matthchr]

Just confirming here that I do believe this is a bug.

[b1zzu]

Hi, I just like to make sure that also the operatorSpec.secrets expected behavior should be the same as the operatorSpec.configMaps, as the problem I'm facing as to do with it

[skinny]

Looks like this issue is present on more resource types. Adding an existing storage account (in Azure) as an ASO resource will not populate either the ConfigMap or Secret as requested in the resource definition:

kind: StorageAccount
metadata:
  name: acmebranchdeployments
  annotations:
    serviceoperator.azure.com/reconcile-policy: skip
spec:
  location: westeurope
  kind: StorageV2
  sku:
    name: Standard_LRS
  owner:
    name: rg-test-cicd
  accessTier: Hot
  # Optional: Save the keys for the storage accokunt into a Kubernetes secret
  supportsHttpsTrafficOnly: true
  operatorSpec:
    configMaps:
      fileEndpoint:
        name: acme-app-storage-configmap
        key: fileEndpoint

The resource itself is succesfully populated with information from Azure but no ConfigMap or Secret is created.

[matthchr]

Yes, I hadn't updated the title to reflect that but was aware it will impact every resource that can export ConfigMaps (and I think Secrets as well) with skip annotation.

I'll fix up this issue title to more properly reflect the scope of the bug.

The good news is, a single fix will fix all of the resources at once.

[skinny]

Thanks! And yes both ConfigMaps and Secrets are affected and by a quick glance it looks like the code that generate those resources is only called for newly created resources

[matthchr]

Notes (mostly to myself) on fixing this:

We need to combine handleCreatePollerSuccess and skipReconcile methods in v2/internal/reconcilers/arm/azure_generic_arm_reconciler_instance.go.

I sorta think it makes sense to:

1. Rename handleCreatePollerSuccess to handleCreateOrUpdatePollerSuccess (as it deals with updates too).
2. Combine the two methods into a single method which takes a flag indicating which "flavor" it is. I'm normally not a huge fan of doing this but in this case it makes sense as the two methods should do 80% the same stuff, with only a few things being createOrUpdate specific and not happening also for the skip-reconcile case.

Obviously we'll need some tests to reproduce this issue too to confirm the fix works.