fix: reconciler bugs -- envtest failures, snapshot alias (session/3) #4
Merged
Three fixes:
1. RBACPolicyReconciler: return Requeue:true after adding finalizer so GenerationChangedPredicate does not filter the follow-up reconcile
2. EPG integration test: set OperatorNamespace=security-system on EPGReconciler so PermissionSnapshot is created in the correct namespace
3. Lineage integration test: add required spec.permissions entry to PermissionSet probe to satisfy CRD validation
Closes GUARDIAN-BL-ENVTEST-FAIL.
EPGReconciler now accepts ManagementClusterName. When the target cluster
matches this name and no existing snapshot exists, the snapshot is named
snapshot-management instead of snapshot-{cluster}. This aligns with the
SeamMembership controller reference and eliminates the redundant
snapshot-ccs-mgmt object.
Wired from MANAGEMENT_CLUSTER_NAME env var in main.go.
ff21929 to c63db76
EPGReconciler.Recorder is clientevents.EventRecorder (k8s.io/client-go/tools/events), not record.EventRecorder. Fix test instantiation to match the controller's interface.
…tern RBACPolicyReconciler now returns Requeue=true after adding the finalizer (GenerationChangedPredicate filters metadata-only updates). Tests that verify audit events emitted during validation must reconcile twice.
Summary
Changes
rbacpolicy_controller.go -- after AddFinalizer+Update, return Requeue:true instead of nil. GenerationChangedPredicate filters metadata-only Update events; Requeue bypasses the predicate and forces immediate re-reconcile. Without this fix, all RBACPolicy/Profile tests timed out waiting for the reconciler to re-enter after finalizer addition.
lineage_immutability_test.go -- add required spec.permissions field to the probe PermissionSet. CRD admission validation rejects a PermissionSet with an empty permissions list.
epg_reconciler_test.go -- set OperatorNamespace on the EPGReconciler in TestMain. Without it, snapshots were created in namespace "" while the test asserted against security-system.
epg_controller.go -- add ManagementClusterName field and snapshotNameForCluster helper. Returns snapshot-management when the target cluster matches ManagementClusterName, otherwise snapshot-{cluster}.
main.go -- wire MANAGEMENT_CLUSTER_NAME env var through to EPGReconciler.
epg_controller_conformance_test.go -- add TestEPGReconciler_ManagementClusterSnapshotAlias.
Test plan
KUBEBUILDER_ASSETS=/tmp/envtest-bins/k8s/1.35.0-linux-amd64 go test ./test/integration/... -- all pass
go test ./test/unit/... -- all pass
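The finalizer/requeue interaction described in the Changes list, as an added example that is not code from this pull request: a standard-library-only Go model of a work queue whose update events are gated by a generation-change predicate. The `Object` type, `Simulate`, and the finalizer name are hypothetical stand-ins, not controller-runtime's or the project's API.

```go
package main

import "fmt"

// Object is a constructed stand-in for a Kubernetes resource.
type Object struct {
	Generation int64    // bumped only when the spec changes
	Finalizers []string // metadata: editing it leaves Generation untouched
}

// generationChanged models what GenerationChangedPredicate checks on updates.
func generationChanged(oldObj, newObj Object) bool {
	return oldObj.Generation != newObj.Generation
}

// reconcile adds the finalizer on the first pass and validates on the next one.
func reconcile(obj *Object, requeueAfterFinalizer bool) (requeue, validated bool) {
	if len(obj.Finalizers) == 0 {
		obj.Finalizers = append(obj.Finalizers, "example.test/finalizer") // hypothetical name
		return requeueAfterFinalizer, false
	}
	return false, true // validation (and any audit event) happens here
}

// Simulate drives a tiny work queue seeded by the create event.
func Simulate(requeueAfterFinalizer bool) (passes int, validated bool) {
	obj := Object{Generation: 1}
	queue := 1 // the create event is always enqueued
	for queue > 0 && passes < 10 {
		queue--
		before := obj
		requeue, ok := reconcile(&obj, requeueAfterFinalizer)
		passes++
		validated = validated || ok
		if generationChanged(before, obj) { // update event caused by our own write
			queue++
		}
		if requeue { // an explicit requeue is not subject to the predicate
			queue++
		}
	}
	return passes, validated
}

func main() {
	fmt.Println(Simulate(false)) // finalizer update filtered: validation never runs
	fmt.Println(Simulate(true))  // requeue forces the second pass
}
```
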