CLOUDP-239182: Ensure teams are always cleaned up (#1481)

igor-karpukhin · web-flow · commit d9963bc2cae3 · 2024-04-11T16:10:20.000+01:00
Ensure teams are always cleaned up
diff --git a/pkg/controller/atlasproject/atlasproject_controller.go b/pkg/controller/atlasproject/atlasproject_controller.go
@@ -177,7 +177,7 @@ func (r *AtlasProjectReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 	workflowCtx.EnsureStatusOption(status.AtlasProjectIDOption(projectID))
 
-	if result = r.ensureDeletionFinalizer(workflowCtx, atlasClient, project); !result.IsOk() {
+	if result = r.handleDeletion(workflowCtx, atlasClient, project); !result.IsOk() {
 		setCondition(workflowCtx, status.ProjectReadyType, result)
 		return result.ReconcileResult(), nil
 	}
@@ -228,7 +228,7 @@ func (r *AtlasProjectReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	return workflow.OK().ReconcileResult(), nil
 }
 
-func (r *AtlasProjectReconciler) ensureDeletionFinalizer(workflowCtx *workflow.Context, atlasClient *mongodbatlas.Client, project *akov2.AtlasProject) (result workflow.Result) {
+func (r *AtlasProjectReconciler) handleDeletion(workflowCtx *workflow.Context, atlasClient *mongodbatlas.Client, project *akov2.AtlasProject) (result workflow.Result) {
 	log := workflowCtx.Log
 
 	if project.GetDeletionTimestamp().IsZero() {
@@ -255,6 +255,12 @@ func (r *AtlasProjectReconciler) ensureDeletionFinalizer(workflowCtx *workflow.C
 					return result
 				}
 
+				err := r.syncAssignedTeams(workflowCtx, project.ID(), project, nil)
+				if err != nil {
+					workflowCtx.SetConditionFalse(status.ProjectTeamsReadyType)
+					return workflow.Terminate(workflow.TeamNotCleaned, err.Error())
+				}
+
 				if err := r.deleteAtlasProject(workflowCtx.Context, atlasClient, project); err != nil {
 					result = workflow.Terminate(workflow.Internal, err.Error())
 					setCondition(workflowCtx, status.DeploymentReadyType, result)
diff --git a/pkg/controller/atlasproject/atlasproject_controller_test.go b/pkg/controller/atlasproject/atlasproject_controller_test.go
@@ -0,0 +1,158 @@
+package atlasproject
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"go.mongodb.org/atlas-sdk/v20231115008/admin"
+	"go.mongodb.org/atlas-sdk/v20231115008/mockadmin"
+	"go.mongodb.org/atlas/mongodbatlas"
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	atlasmocks "github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/mocks/atlas"
+	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1/status"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/controller/customresource"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/controller/watch"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/controller/workflow"
+)
+
+func TestAtlasProjectReconciler_handleDeletion(t *testing.T) {
+	t.Run("Should delete team from Atlas when AtlasProject with finalizer is deleted", func(t *testing.T) {
+		sch := runtime.NewScheme()
+		akov2.AddToScheme(sch)
+		corev1.AddToScheme(sch)
+		deletionTS := metav1.Now()
+
+		testTeam := &akov2.AtlasTeam{
+			TypeMeta:   metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{},
+			Spec: akov2.TeamSpec{
+				Name: "teamName",
+			},
+			Status: status.TeamStatus{
+				ID: "teamID",
+				Projects: []status.TeamProject{
+					{
+						ID:   "projectID",
+						Name: "testProject",
+					},
+				},
+			},
+		}
+		testProject := &akov2.AtlasProject{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "AtlasProject",
+				APIVersion: "atlas.mongodb.com/v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:              "testProject",
+				Namespace:         "default",
+				DeletionTimestamp: &deletionTS,
+				Finalizers:        []string{customresource.FinalizerLabel},
+			},
+			Spec: akov2.AtlasProjectSpec{},
+			Status: status.AtlasProjectStatus{
+				ID: "projectID",
+				Teams: []status.ProjectTeamStatus{
+					{
+						ID: testTeam.Status.ID,
+					},
+				},
+			},
+		}
+
+		k8sClient := fake.NewClientBuilder().
+			WithScheme(sch).
+			WithObjects(testProject, testTeam).Build()
+
+		teamsMock := &atlasmocks.TeamsClientMock{
+			RemoveTeamFromOrganizationFunc: func(orgID string, teamID string) (*mongodbatlas.Response, error) {
+				return nil, nil
+			},
+			RemoveTeamFromOrganizationRequests: map[string]struct{}{},
+			ListFunc: func(orgID string) ([]mongodbatlas.Team, *mongodbatlas.Response, error) {
+				return []mongodbatlas.Team{
+					{
+						ID:        testTeam.Status.ID,
+						Name:      testTeam.Name,
+						Usernames: nil,
+					},
+				}, nil, nil
+			},
+			RemoveTeamFromProjectFunc: func(projectID string, teamID string) (*mongodbatlas.Response, error) {
+				return nil, nil
+			},
+		}
+
+		atlasClient := mongodbatlas.Client{
+			Projects: &atlasmocks.ProjectsClientMock{
+				GetProjectTeamsAssignedFunc: func(projectID string) (*mongodbatlas.TeamsAssigned, *mongodbatlas.Response, error) {
+					return &mongodbatlas.TeamsAssigned{
+						Links: nil,
+						Results: []*mongodbatlas.Result{
+							{
+								Links:     nil,
+								RoleNames: nil,
+								TeamID:    testTeam.Status.ID,
+							},
+						},
+						TotalCount: 0,
+					}, nil, nil
+				},
+				DeleteFunc: func(projectID string) (*mongodbatlas.Response, error) {
+					return nil, nil
+				},
+			},
+			Teams: teamsMock,
+		}
+		reconciler := AtlasProjectReconciler{
+			Client:                      k8sClient,
+			ResourceWatcher:             watch.ResourceWatcher{},
+			Log:                         zap.S(),
+			Scheme:                      sch,
+			ObjectDeletionProtection:    false,
+			SubObjectDeletionProtection: false,
+			AtlasProvider: &atlasmocks.TestProvider{
+				ClientFunc: func(secretRef *client.ObjectKey, log *zap.SugaredLogger) (*mongodbatlas.Client, string, error) {
+					return &atlasClient, "123", nil
+				},
+			},
+		}
+
+		mockPrivateEndpointAPI := mockadmin.NewPrivateEndpointServicesApi(t)
+		mockPrivateEndpointAPI.EXPECT().
+			ListPrivateEndpointServices(mock.Anything, mock.Anything, mock.Anything).
+			Return(admin.ListPrivateEndpointServicesApiRequest{ApiService: mockPrivateEndpointAPI})
+		mockPrivateEndpointAPI.EXPECT().
+			ListPrivateEndpointServicesExecute(admin.ListPrivateEndpointServicesApiRequest{ApiService: mockPrivateEndpointAPI}).
+			Return([]admin.EndpointService{}, nil, nil)
+
+		mockPeeringEndpointAPI := mockadmin.NewNetworkPeeringApi(t)
+		mockPeeringEndpointAPI.EXPECT().ListPeeringConnectionsWithParams(mock.Anything, mock.Anything).
+			Return(admin.ListPeeringConnectionsApiRequest{ApiService: mockPeeringEndpointAPI})
+		mockPeeringEndpointAPI.EXPECT().
+			ListPeeringConnectionsExecute(admin.ListPeeringConnectionsApiRequest{ApiService: mockPeeringEndpointAPI}).
+			Return(&admin.PaginatedContainerPeer{}, nil, nil)
+
+		workflowCtx := &workflow.Context{
+			Client:  &atlasClient,
+			Context: context.Background(),
+			SdkClient: &admin.APIClient{
+				PrivateEndpointServicesApi: mockPrivateEndpointAPI,
+				NetworkPeeringApi:          mockPeeringEndpointAPI,
+			},
+			Log: zap.S(),
+		}
+		workflowResult := reconciler.handleDeletion(workflowCtx, workflowCtx.Client, testProject)
+		assert.True(t, workflowResult.IsOk())
+		assert.Len(t, teamsMock.RemoveTeamFromOrganizationRequests, 1)
+	})
+}
diff --git a/pkg/controller/atlasproject/teams.go b/pkg/controller/atlasproject/teams.go
@@ -32,6 +32,7 @@ type TeamDataContainer struct {
 
 func (r *AtlasProjectReconciler) ensureAssignedTeams(workflowCtx *workflow.Context, project *akov2.AtlasProject, protected bool) workflow.Result {
 	resourcesToWatch := make([]watch.WatchedObject, 0, len(project.Spec.Teams))
+
 	defer func() {
 		workflowCtx.AddResourcesToWatch(resourcesToWatch...)
 		r.Log.Debugf("watching team resources: %v\r\n", r.WatchedResources)
@@ -43,7 +44,6 @@ func (r *AtlasProjectReconciler) ensureAssignedTeams(workflowCtx *workflow.Conte
 
 		if assignedTeam.TeamRef.Name == "" {
 			workflowCtx.Log.Warnf("missing team name. skipping assignment for entry %v", assignedTeam)
-
 			continue
 		}
 
diff --git a/pkg/controller/atlasproject/teams_test.go b/pkg/controller/atlasproject/teams_test.go
@@ -5,6 +5,8 @@ import (
 	"errors"
 	"testing"
 
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
 	"go.uber.org/zap"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -16,7 +18,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/mocks/atlas"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1"
@@ -269,13 +270,21 @@ func TestEnsureAssignedTeams(t *testing.T) {
 		akoProject := &akov2.AtlasProject{}
 		akoProject.WithAnnotations(map[string]string{customresource.AnnotationLastAppliedConfiguration: "{}"})
 		logger := zaptest.NewLogger(t).Sugar()
+
+		testScheme := runtime.NewScheme()
+		akov2.AddToScheme(testScheme)
+		k8sClient := fake.NewClientBuilder().
+			WithScheme(testScheme).
+			Build()
+
 		workflowCtx := &workflow.Context{
 			Client:  &atlasClient,
 			Log:     logger,
 			Context: context.Background(),
 		}
 		reconciler := &AtlasProjectReconciler{
-			Log: logger,
+			Log:    logger,
+			Client: k8sClient,
 		}
 		result := reconciler.ensureAssignedTeams(workflowCtx, akoProject, true)
 
@@ -303,8 +312,8 @@ func TestEnsureAssignedTeams(t *testing.T) {
 		}
 
 		testScheme := runtime.NewScheme()
-		testScheme.AddKnownTypes(akov2.GroupVersion, &akov2.AtlasProject{})
-		testScheme.AddKnownTypes(akov2.GroupVersion, &akov2.AtlasTeam{})
+		akov2.AddToScheme(testScheme)
+		corev1.AddToScheme(testScheme)
 		k8sClient := fake.NewClientBuilder().
 			WithScheme(testScheme).
 			WithObjects(team1, team2).
@@ -370,9 +379,8 @@ func TestUpdateTeamState(t *testing.T) {
 			Log:     logger,
 		}
 		testScheme := runtime.NewScheme()
-		testScheme.AddKnownTypes(akov2.GroupVersion, &akov2.AtlasProject{})
-		testScheme.AddKnownTypes(akov2.GroupVersion, &akov2.AtlasTeam{})
-		testScheme.AddKnownTypes(akov2.GroupVersion, &corev1.Secret{})
+		akov2.AddToScheme(testScheme)
+		corev1.AddToScheme(testScheme)
 		secret := &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "my-secret",
@@ -437,4 +445,78 @@ func TestUpdateTeamState(t *testing.T) {
 		k8sClient.Get(context.Background(), types.NamespacedName{Name: team.ObjectMeta.Name, Namespace: team.ObjectMeta.Namespace}, team)
 		assert.Equal(t, 1, len(team.Status.Projects))
 	})
+
+	t.Run("must remove a team from Atlas is a team is unassigned", func(t *testing.T) {
+		logger := zaptest.NewLogger(t).Sugar()
+		workflowCtx := &workflow.Context{
+			Context: context.Background(),
+			Log:     logger,
+		}
+		testScheme := runtime.NewScheme()
+		akov2.AddToScheme(testScheme)
+		corev1.AddToScheme(testScheme)
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "my-secret",
+			},
+			Data: map[string][]byte{
+				"orgId":         []byte("0987654321"),
+				"publicApiKey":  []byte("api-pub-key"),
+				"privateApiKey": []byte("api-priv-key"),
+			},
+			Type: "Opaque",
+		}
+		project := &akov2.AtlasProject{
+			Spec: akov2.AtlasProjectSpec{
+				Name: "projectName",
+				ConnectionSecret: &common.ResourceRefNamespaced{
+					Name: "my-secret",
+				},
+			},
+			Status: status.AtlasProjectStatus{
+				ID: "projectID",
+			},
+		}
+		team := &akov2.AtlasTeam{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "testTeam",
+				Namespace: "testNS",
+			},
+			Status: status.TeamStatus{
+				ID:       "testTeamStatus",
+				Projects: []status.TeamProject{},
+			},
+		}
+		teamsMock := &atlas.TeamsClientMock{
+			RemoveTeamFromOrganizationFunc: func(orgID string, teamID string) (*mongodbatlas.Response, error) {
+				return nil, nil
+			},
+			RemoveTeamFromOrganizationRequests: map[string]struct{}{},
+		}
+		atlasProvider := &atlas.TestProvider{
+			ClientFunc: func(secretRef *client.ObjectKey, log *zap.SugaredLogger) (*mongodbatlas.Client, string, error) {
+				return &mongodbatlas.Client{
+					Teams: teamsMock,
+				}, "0987654321", nil
+			},
+		}
+		k8sClient := fake.NewClientBuilder().
+			WithScheme(testScheme).
+			WithObjects(secret, project, team).
+			Build()
+		reconciler := &AtlasProjectReconciler{
+			Client:        k8sClient,
+			Log:           logger,
+			AtlasProvider: atlasProvider,
+		}
+		teamRef := &common.ResourceRefNamespaced{
+			Name:      team.Name,
+			Namespace: "testNS",
+		}
+
+		err := reconciler.updateTeamState(workflowCtx, project, teamRef, true)
+		assert.NoError(t, err)
+		k8sClient.Get(context.Background(), types.NamespacedName{Name: team.ObjectMeta.Name, Namespace: team.ObjectMeta.Namespace}, team)
+		assert.Len(t, teamsMock.RemoveTeamFromOrganizationRequests, 1)
+	})
 }
diff --git a/pkg/controller/workflow/reason.go b/pkg/controller/workflow/reason.go
@@ -88,6 +88,7 @@ const (
 	TeamInvalidSpec       ConditionReason = "TeamInvalidSpec"
 	TeamUsersNotReady     ConditionReason = "TeamUsersNotReady"
 	TeamDoesNotExist      ConditionReason = "TeamDoesNotExist"
+	TeamNotCleaned        ConditionReason = "TeamCleanupFailed"
 )
 
 // Atlas Federated Auth reasons
diff --git a/test/e2e/teams_test.go b/test/e2e/teams_test.go
@@ -128,7 +128,8 @@ func projectTeamsFlow(userData *model.TestDataProvider, teams []akov2.Team) {
 func ensureTeamsStatus(g Gomega, testData model.TestDataProvider, teams []akov2.Team, check func(res *akov2.AtlasTeam) bool) bool {
 	for _, team := range teams {
 		resource := &akov2.AtlasTeam{}
-		g.Expect(testData.K8SClient.Get(testData.Context, types.NamespacedName{Name: team.TeamRef.Name, Namespace: testData.Resources.Namespace}, resource)).Should(Succeed())
+		g.Expect(testData.K8SClient.Get(testData.Context,
+			types.NamespacedName{Name: team.TeamRef.Name, Namespace: testData.Resources.Namespace}, resource)).Should(Succeed())
 
 		if !check(resource) {
 			return false

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@ const (`
`88`	`88`	`TeamInvalidSpec ConditionReason = "TeamInvalidSpec"`
`89`	`89`	`TeamUsersNotReady ConditionReason = "TeamUsersNotReady"`
`90`	`90`	`TeamDoesNotExist ConditionReason = "TeamDoesNotExist"`
	`91`	`+ TeamNotCleaned ConditionReason = "TeamCleanupFailed"`
`91`	`92`	`)`
`92`	`93`
`93`	`94`	`// Atlas Federated Auth reasons`