castai
diff --git a/‎internal/actions/check_node_deleted.go‎
Lines changed: 25 additions & 5 deletions b/‎internal/actions/check_node_deleted.go‎
Lines changed: 25 additions & 5 deletions
diff --git a/‎internal/actions/check_node_handler_test.go‎
Lines changed: 65 additions & 0 deletions b/‎internal/actions/check_node_handler_test.go‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎internal/actions/check_node_status.go‎
Lines changed: 34 additions & 19 deletions b/‎internal/actions/check_node_status.go‎
Lines changed: 34 additions & 19 deletions
diff --git a/‎internal/actions/check_node_status_test.go‎
Lines changed: 3 additions & 14 deletions b/‎internal/actions/check_node_status_test.go‎
Lines changed: 3 additions & 14 deletions
diff --git a/‎internal/actions/csr/svc.go‎
Lines changed: 22 additions & 22 deletions b/‎internal/actions/csr/svc.go‎
Lines changed: 22 additions & 22 deletions
@@ -3,10 +3,13 @@ package actions
 import (
 	"context"
 	"errors"
+	"fmt"
 	"reflect"
 	"time"
 
 	"github.com/sirupsen/logrus"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/castai/cluster-controller/internal/castai"
@@ -49,7 +52,6 @@ func (h *CheckNodeDeletedHandler) Handle(ctx context.Context, action *castai.Clu
 		"node_name":      req.NodeName,
 		"node_id":        req.NodeID,
 		"type":           reflect.TypeOf(action.Data().(*castai.ActionCheckNodeDeleted)).String(),
-		"provider_id":    req.ProviderId,
 		ActionIDLogField: action.ID,
 	})
 	log.Info("checking if node is deleted")
@@ -61,15 +63,33 @@ func (h *CheckNodeDeletedHandler) Handle(ctx context.Context, action *castai.Clu
 		boff,
 		h.cfg.retries,
 		func(ctx context.Context) (bool, error) {
-			n, err := getNodeByIDs(ctx, h.clientset, req.NodeName, req.NodeID, req.ProviderId)
-			if n != nil {
-				return false, errNodeNotDeleted
+			n, err := h.clientset.CoreV1().Nodes().Get(ctx, req.NodeName, metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				return false, nil
 			}
 
-			if errors.Is(err, errNodeNotFound) {
+			if n == nil {
 				return false, nil
 			}
 
+			currentNodeID, ok := n.Labels[castai.LabelNodeID]
+			if !ok {
+				log.Info("node doesn't have castai node id label")
+			}
+			if currentNodeID != "" {
+				if currentNodeID != req.NodeID {
+					log.Info("node name was reused. Original node is deleted")
+					return false, nil
+				}
+				if currentNodeID == req.NodeID {
+					return false, fmt.Errorf("current node id = request node ID %w", errNodeNotDeleted)
+				}
+			}
+
+			if n != nil {
+				return false, errNodeNotDeleted
+			}
+
 			return true, err
 		},
 		func(err error) {
 
@@ -0,0 +1,65 @@
+package actions
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+
+	"github.com/castai/cluster-controller/internal/castai"
+)
+
+//nolint:goconst
+func TestCheckNodeDeletedHandler(t *testing.T) {
+	r := require.New(t)
+
+	log := logrus.New()
+	log.SetLevel(logrus.DebugLevel)
+
+	t.Run("return error when node is not deleted", func(t *testing.T) {
+		nodeName := "node1"
+		node := &v1.Node{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: nodeName,
+			},
+		}
+		clientset := fake.NewSimpleClientset(node)
+
+		h := CheckNodeDeletedHandler{
+			log:       log,
+			clientset: clientset,
+			cfg:       checkNodeDeletedConfig{},
+		}
+
+		action := &castai.ClusterAction{
+			ID:                     uuid.New().String(),
+			ActionCheckNodeDeleted: &castai.ActionCheckNodeDeleted{NodeName: "node1"},
+		}
+
+		err := h.Handle(context.Background(), action)
+		r.EqualError(err, "node is not deleted")
+	})
+
+	t.Run("handle check successfully when node is not found", func(t *testing.T) {
+		clientset := fake.NewSimpleClientset()
+
+		h := CheckNodeDeletedHandler{
+			log:       log,
+			clientset: clientset,
+			cfg:       checkNodeDeletedConfig{},
+		}
+
+		action := &castai.ClusterAction{
+			ID:                     uuid.New().String(),
+			ActionCheckNodeDeleted: &castai.ActionCheckNodeDeleted{NodeName: "node1"},
+		}
+
+		err := h.Handle(context.Background(), action)
+		r.NoError(err)
+	})
+}
@@ -2,13 +2,13 @@ package actions
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"reflect"
 	"time"
 
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 
@@ -39,7 +39,6 @@ func (h *CheckNodeStatusHandler) Handle(ctx context.Context, action *castai.Clus
 	log := h.log.WithFields(logrus.Fields{
 		"node_name":      req.NodeName,
 		"node_id":        req.NodeID,
-		"provider_id":    req.ProviderId,
 		"node_status":    req.NodeStatus,
 		"type":           reflect.TypeOf(action.Data().(*castai.ActionCheckNodeStatus)).String(),
 		ActionIDLogField: action.ID,
@@ -72,28 +71,42 @@ func (h *CheckNodeStatusHandler) checkNodeDeleted(ctx context.Context, log *logr
 		b,
 		waitext.Forever,
 		func(ctx context.Context) (bool, error) {
-			n, err := getNodeByIDs(ctx, h.clientset, req.NodeName, req.NodeID, req.ProviderId)
-			if n != nil {
-				return false, errNodeNotDeleted
+			n, err := h.clientset.CoreV1().Nodes().Get(ctx, req.NodeName, metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				return false, nil
 			}
 
-			if errors.Is(err, errNodeNotValid) {
-				log.WithFields(map[string]interface{}{
-					"node":        req.NodeName,
-					"node_id":     req.NodeID,
-					"provider_id": req.ProviderId,
-				}).Warnf("node is not valid")
-				return false, errNodeNotValid
-			}
+			// If node is nil - deleted
+			// If label is present and doesn't match - node was reused - deleted
+			// If label is present and matches - node is not deleted
+			// If label is not present and node is not nil - node is not deleted (potentially corrupted state).
 
-			if errors.Is(err, errNodeNotFound) {
+			if n == nil {
 				return false, nil
 			}
 
+			currentNodeID, ok := n.Labels[castai.LabelNodeID]
+			if !ok {
+				log.Info("node doesn't have castai node id label")
+			}
+			if currentNodeID != "" {
+				if currentNodeID != req.NodeID {
+					log.Info("node name was reused. Original node is deleted")
+					return false, nil
+				}
+				if currentNodeID == req.NodeID {
+					return false, fmt.Errorf("current node id is equal to requested node id: %v %w", req.NodeID, errNodeNotDeleted)
+				}
+			}
+
+			if n != nil {
+				return false, errNodeNotDeleted
+			}
+
 			return true, err
 		},
 		func(err error) {
-			log.Warnf("check node %s status failed, will retry: %v", req.NodeName, err)
+			h.log.Warnf("check node %s status failed, will retry: %v", req.NodeName, err)
 		},
 	)
 }
@@ -115,7 +128,7 @@ func (h *CheckNodeStatusHandler) checkNodeReady(ctx context.Context, _ *logrus.E
 	defer watch.Stop()
 	for r := range watch.ResultChan() {
 		if node, ok := r.Object.(*corev1.Node); ok {
-			if isNodeReady(node, req.NodeID, req.ProviderId) {
+			if isNodeReady(node, req.NodeID) {
 				return nil
 			}
 		}
@@ -124,11 +137,13 @@ func (h *CheckNodeStatusHandler) checkNodeReady(ctx context.Context, _ *logrus.E
 	return fmt.Errorf("timeout waiting for node %s to become ready", req.NodeName)
 }
 
-func isNodeReady(node *corev1.Node, castNodeID, providerID string) bool {
+func isNodeReady(node *corev1.Node, castNodeID string) bool {
 	// if node has castai node id label, check if it matches the one we are waiting for
 	// if it doesn't match, we can skip this node.
-	if err := isNodeIDProviderIDValid(node, castNodeID, providerID); err != nil {
-		return false
+	if val, ok := node.Labels[castai.LabelNodeID]; ok {
+		if val != "" && val != castNodeID {
+			return false
+		}
 	}
 	for _, cond := range node.Status.Conditions {
 		if cond.Type == corev1.NodeReady && cond.Status == corev1.ConditionTrue && !containsUninitializedNodeTaint(node.Spec.Taints) {
 
@@ -19,7 +19,6 @@ import (
 	"github.com/castai/cluster-controller/internal/castai"
 )
 
-// nolint:goconst
 func TestCheckStatus_Deleted(t *testing.T) {
 	log := logrus.New()
 	log.SetLevel(logrus.DebugLevel)
@@ -80,7 +79,7 @@ func TestCheckStatus_Deleted(t *testing.T) {
 		}
 
 		err := h.Handle(context.Background(), action)
-		r.EqualError(err, errNodeNotValid.Error())
+		r.EqualError(err, "node is not deleted")
 	})
 
 	t.Run("handle check successfully when node is not found", func(t *testing.T) {
@@ -132,7 +131,7 @@ func TestCheckStatus_Deleted(t *testing.T) {
 		}
 
 		err := h.Handle(context.Background(), action)
-		r.EqualError(err, errNodeNotValid.Error())
+		r.NoError(err)
 	})
 }
 
@@ -177,12 +176,6 @@ func TestCheckStatus_Ready(t *testing.T) {
 		node := &v1.Node{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: nodeName,
-				Labels: map[string]string{
-					castai.LabelNodeID: "node1-id",
-				},
-			},
-			Spec: v1.NodeSpec{
-				ProviderID: "aws:///us-east-1",
 			},
 			Status: v1.NodeStatus{
 				Conditions: []v1.NodeCondition{
@@ -205,8 +198,6 @@ func TestCheckStatus_Ready(t *testing.T) {
 			ID: uuid.New().String(),
 			ActionCheckNodeStatus: &castai.ActionCheckNodeStatus{
 				NodeName:           "node1",
-				NodeID:             "node1-id",
-				ProviderId:         "aws:///us-east-1",
 				NodeStatus:         castai.ActionCheckNodeStatus_READY,
 				WaitTimeoutSeconds: &timeout,
 			},
@@ -247,8 +238,7 @@ func TestCheckStatus_Ready(t *testing.T) {
 				},
 			},
 			Spec: v1.NodeSpec{
-				Taints:     []v1.Taint{taintCloudProviderUninitialized},
-				ProviderID: "aws:///us-east-1",
+				Taints: []v1.Taint{taintCloudProviderUninitialized},
 			},
 		}
 		clientset := fake.NewClientset(node)
@@ -263,7 +253,6 @@ func TestCheckStatus_Ready(t *testing.T) {
 			ID: uuid.New().String(),
 			ActionCheckNodeStatus: &castai.ActionCheckNodeStatus{
 				NodeName:           "node1",
-				ProviderId:         "aws:///us-east-1",
 				NodeStatus:         castai.ActionCheckNodeStatus_READY,
 				WaitTimeoutSeconds: &timeout,
 			},
 
@@ -24,12 +24,15 @@ import (
 )
 
 const (
-	approveCSRTimeout              = 4 * time.Minute
-	groupSystemNodesName           = "system:nodes"
+	approveCSRTimeout    = 4 * time.Minute
+	groupSystemNodesName = "system:nodes"
+	// kubeletBootstrapRequestingUser is the observed requestor for node's CSRs from real GKE clusters.
 	kubeletBootstrapRequestingUser = "kubelet-bootstrap"
-	clusterControllerSAName        = "system:serviceaccount:castai-agent:castai-cluster-controller"
-	approvedMessage                = "This CSR was approved by CAST AI"
-	csrOutdatedAfter               = time.Hour
+	// kubeletNodepoolBootstrapRequestingUser is the observed requestor for node's CSRs for GKE clusters 1.33+.
+	kubeletNodepoolBootstrapRequestingUser = "kubelet-nodepool-bootstrap"
+	clusterControllerSAName                = "system:serviceaccount:castai-agent:castai-cluster-controller"
+	approvedMessage                        = "This CSR was approved by CAST AI"
+	csrOutdatedAfter                       = time.Hour
 )
 
 func NewApprovalManager(log logrus.FieldLogger, clientset kubernetes.Interface) *ApprovalManager {
@@ -148,8 +151,8 @@ func (m *ApprovalManager) runAutoApproveForCastAINodes(ctx context.Context, c <-
 					"signer": csr.SignerName(),
 					"csr":    csr.Name(),
 				})
-				if shouldSkip(log, csr) {
-					log.Debug("skipping csr")
+				if skip, reason := shouldSkip(csr); skip {
+					log.Infof("skipping csr due to reason: %s", reason)
 					return
 				}
 				log.Info("auto approving csr")
@@ -221,32 +224,26 @@ func (m *ApprovalManager) handle(ctx context.Context, log logrus.FieldLogger, cs
 	return errors.New("certificate signing request was not approved")
 }
 
-func shouldSkip(log logrus.FieldLogger, csr *wrapper.CSR) bool {
+func shouldSkip(csr *wrapper.CSR) (bool, string) {
 	if csr.Approved() {
-		log.Debug("csr already approved")
-		return true
+		return true, "csr already approved"
 	}
 	if time.Since(csr.CreatedAt()) > csrOutdatedAfter {
-		log.Debug("csr is outdated")
-		return true
+		return true, fmt.Sprintf("csr is outdated, %v is larger than %v", time.Since(csr.CreatedAt()), csrOutdatedAfter)
 	}
 	if !managedSigner(csr.SignerName()) {
-		log.Debug("csr unknown signer")
-		return true
+		return true, fmt.Sprintf("csr unknown signer: %s", csr.SignerName())
 	}
 	if !managedCSRNamePrefix(csr.Name()) {
-		log.Debug("csr name not managed by CAST AI: ", csr.Name())
-		return true
+		return true, fmt.Sprintf("csr name not managed by CAST AI: %s", csr.Name())
 	}
 	if !managedCSRRequestingUser(csr.RequestingUser()) {
-		log.Debug("csr requesting user is not managed by CAST AI")
-		return true
+		return true, fmt.Sprintf("csr requesting user is not managed by CAST AI: %s", csr.RequestingUser())
 	}
 	if !managerSubjectCommonName(csr.ParsedCertificateRequest().Subject.CommonName) {
-		log.Debug("csr common name is not managed by CAST AI")
-		return true
+		return true, fmt.Sprintf("csr common name is not managed by CAST AI %s", csr.ParsedCertificateRequest().Subject.CommonName)
 	}
-	return false
+	return false, ""
 }
 
 func managedSigner(signerName string) bool {
@@ -259,7 +256,10 @@ func managedCSRNamePrefix(n string) bool {
 }
 
 func managedCSRRequestingUser(s string) bool {
-	return s == kubeletBootstrapRequestingUser || s == clusterControllerSAName || strings.HasPrefix(s, "system:node:")
+	return s == kubeletBootstrapRequestingUser || // kubelet bootstrap user variation
+		s == kubeletNodepoolBootstrapRequestingUser || // kubelet bootstrap user variation (observed initially on GKE 1.33+)
+		s == clusterControllerSAName || // if created by CC
+		strings.HasPrefix(s, "system:node:") // Post-bootstrap node user; usually for serving certificate
 }
 
 func managerSubjectCommonName(commonName string) bool {