Quit RV controllers upon TEC recreation

[Jakob-Naucke]

to prevent racing of controllers on server side apply

Fixes: #216

@alicefr quirks discovered, lmk if they should be bugs:

• creating ApprovedImage without a TEC present will result in the image silently not being created
• deleting TEC without an ApprovedImage's RVs computed will leave the ApprovedImage behind, not garbage collected as Add missing ownership to approved images, machine and AK #187 perhaps intended?

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Jakob-Naucke

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alicefr]

to prevent racing of controllers on server side apply

Fixes: #216

@alicefr quirks discovered, lmk if they should be bugs:

• creating ApprovedImage without a TEC present will result in the image silently not being created

Approved images are a bit independent from TEC, so I think they could be created head

• deleting TEC without an ApprovedImage's RVs computed will leave the ApprovedImage behind, not garbage collected as Add missing ownership to approved images, machine and AK #187 perhaps intended?

We can debate a bit on this. But I think ApprovedImages can be defined by the cluster admin manually or by another operator so they shouldn't be cleaned up by our operator. Although, in the test probably they remain

[alicefr]

I think we need to review if the approved image should be owned by TEC. I personally don't think so anymore. Then, I don't think this solution is required

[Jakob-Naucke]

• creating ApprovedImage without a TEC present will result in the image silently not being created

is a quirk of this fix, not an existing one because the watcher should quit on TEC deletion not on recreation. converting to draft.

• deleting TEC without an ApprovedImage's RVs computed will leave the ApprovedImage behind, not garbage collected as Add missing ownership to approved images, machine and AK #187 perhaps intended?

cannot reproduce correction: when deleting TEC before operator was running, the ApprovedImage will not have been adopted yet. this is probably expected.

[Jakob-Naucke]

Updated, back out of draft. Watcher should not quit on TEC deletion because it won't be able to remove the finalizer, instead, do not attempt computation on addition if no TEC present. @alicefr PTAL or delay that look until after CI revival if you prefer

[alicefr]

Updated, back out of draft. Watcher should not quit on TEC deletion because it won't be able to remove the finalizer, instead, do not attempt computation on addition if no TEC present. @alicefr PTAL or delay that look until after CI revival if you prefer

@Jakob-Naucke why do we need TEC for the computation? Is because the image of compute PCR is there?

[Jakob-Naucke]

Indeed, the image-pcrs configmap is owned by the TEC object, so the computed PCRs have nowhere to go without a TEC present

[alicefr]

Then maybe we could prioritize this #215 , and make approved images independent from the TEC CR

UPDATE: what if we just create the configmap independently of TEC and then let adopted by TEC CR when created

[alicefr]

In general, I think it is easier to react when objects are created rather the retroactively. Otherwise, we need a way to understand when the approved images existed but they weren't calculated yet

[openshift-ci]

@Jakob-Naucke: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/operator-lifecycle-verify	36414af	link	true	/test operator-lifecycle-verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Jakob-Naucke]

Closing in favour of #246