Description
Problem Statement
Deletion of KonnectAPIAuth (which contains the secret to access Konnect) makes it impossible to delete any other dependent, Konnect-integrated resources, because there is no way for the KO to authenticate to Konnect.
Proposed Solution
Introduce and document a mechanism that prevents (or at least makes less surprising) the aforementioned problem.
There are a couple of ways to do it, each with its own benefits and drawbacks.
1. Validation webhook
   A validation webhook for deletion requests for KonnectAPIAuth checks if any other resources depend on it and, in such a case, forbids deletion with a descriptive message. The order of deletion has to be preserved because, without the KonnectAPIAuth resource, deletion of Konnect-related resources becomes impossible.
2. Preventing deletion of KonnectAPIAuth by setting a finalizer
   Such a finalizer is removed when all dependent resources are deleted, so deletion of KonnectAPIAuth can proceed. The user experience has a flaw, because the deletion of KonnectAPIAuth hangs in such a situation without any message, and the user needs to delete all dependent resources manually to unstick it.
3. Cascade deletion
   Deletion of KonnectAPIAuth deletes all resources that depend on it. It seems plausible from a technical perspective, but it's rather surprising from a user's point of view. Deleting the resource needed for authentication shouldn't remove other objects without any confirmation.

Considering the above, it seems that option 1 (validation webhook) is the best.
Acceptance Criteria
- implement validation logic for the deletion of KonnectAPIAuth
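
A sketch of the deletion check from option 1, added here as an example and not taken from the operator's code. The `Dependent` type, its fields and `ValidateAuthDelete` are hypothetical, the sample objects are constructed, and references are assumed to be namespace-local.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Dependent is a hypothetical, simplified view of a Konnect-integrated
// resource that references a KonnectAPIAuth by name.
type Dependent struct {
	Kind, Namespace, Name string
	AuthRef               string // name of the referenced KonnectAPIAuth
	Terminating           bool   // deletionTimestamp is already set
}

// ValidateAuthDelete decides whether a DELETE request for the KonnectAPIAuth
// namespace/name may proceed. When it may not, the message names every
// resource that still needs the credentials.
func ValidateAuthDelete(namespace, name string, all []Dependent) (bool, string) {
	var blocking []string
	for _, d := range all {
		// Assumption: references are namespace-local.
		if d.Namespace != namespace || d.AuthRef != name {
			continue
		}
		ref := d.Kind + "/" + d.Name
		if d.Terminating {
			// Still blocks: the operator needs the credentials to
			// finish removing this object from Konnect.
			ref += " (terminating)"
		}
		blocking = append(blocking, ref)
	}
	if len(blocking) == 0 {
		return true, ""
	}
	sort.Strings(blocking)
	return false, fmt.Sprintf(
		"KonnectAPIAuth %s/%s is still referenced by %d resource(s): %s; delete them first",
		namespace, name, len(blocking), strings.Join(blocking, ", "))
}

func main() {
	deps := []Dependent{ // constructed sample objects
		{"Service", "default", "svc-1", "auth", true},
		{"ControlPlane", "default", "cp-1", "auth", false},
	}
	allowed, msg := ValidateAuthDelete("default", "auth", deps)
	fmt.Println(allowed, msg)
}
```

A dependent that is already terminating is counted as blocking on purpose, since removing the credentials at that point would leave its Konnect-side cleanup unable to authenticate.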