Skip to content

fix: clean up related resources when primary object is deleted#133

Open
ifdotpy wants to merge 1 commit intokcp-dev:mainfrom
ifdotpy:fix/116-related-resource-cleanup
Open

fix: clean up related resources when primary object is deleted#133
ifdotpy wants to merge 1 commit intokcp-dev:mainfrom
ifdotpy:fix/116-related-resource-cleanup

Conversation

@ifdotpy
Copy link

@ifdotpy ifdotpy commented Feb 19, 2026

Summary

Fixes #116 — related resources with origin: kcp are now cleaned up when the primary object is deleted, preventing orphaned finalizers that block workspace deletion.

Problem

When a primary object (e.g. ChatUIInstance) is deleted:

  1. handleDeletion() deletes the local copy and removes the primary finalizer
  2. handleDeletion() returns requeue=true, so processRelatedResources() is never called
  3. On the next reconcile, the primary object is gone — the controller has nothing to reconcile
  4. Related resources (e.g. a KCP Secret) retain syncagent.kcp.io/cleanup finalizer forever
  5. Workspace deletion is blocked indefinitely

Fix

  • Process related resources before primary deletion in syncer.go: when the primary object has a DeletionTimestamp, call processRelatedResources(primaryDeleting=true) before the primary syncer runs. This ensures cleanup happens while the local primary copy still exists (needed for reference resolution).
  • Add forceDelete field to objectSyncer: when set, triggers handleDeletion() even when the source object's DeletionTimestamp is nil. Used for origin: kcp related resources during primary deletion.
  • Remove early return in handleDeletion() that skipped related resource processing with the comment "For now we do not delete related resources".
  • Nil-guard for destSide.object after primary deletion to prevent panics when the local copy has already been removed.

Files changed

File Change
internal/sync/object_syncer.go Added forceDelete field; triggers deletion without DeletionTimestamp; removed early return
internal/sync/syncer.go Process related resources before primary deletion; nil-guard for destSide
internal/sync/syncer_related.go Added primaryDeleting parameter; set forceDelete=true for origin: kcp

Testing

Tested in our Platform Mesh environment (KCP + Gardener MSP clusters):

  1. Created ChatUIInstance with related origin: kcp Secret
  2. Deleted ChatUIInstance
  3. Verified: Secret finalizer removed, workspace deletion completes cleanly

Discussed the approach with @xrstf in Slack — processing deletions in the opposite order was confirmed as the right approach.

@ifdotpy
fix: clean up related resources when primary object is deleted (kcp-d…
bee9e24 
…ev#116)

When a primary object is deleted, related resources with origin:kcp are
now cleaned up before the primary syncer runs. This ensures finalizers
on KCP-side related resources are removed, preventing workspaces from
getting stuck in deletion.

Changes:
- Process related resources before primary deletion in syncer.go
- Add forceDelete field to objectSyncer for forced cleanup
- Remove early return in handleDeletion that skipped related resources
- Pass primaryDeleting flag through related resource processing

Fixes kcp-dev#116
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 19, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kcp-ci-bot kcp-ci-bot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Feb 19, 2026
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign embik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. dco-signoff: no Indicates the PR's author has not signed the DCO. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 19, 2026
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 19, 2026

Hi @ifdotpy. Thanks for your PR.

I'm waiting for a kcp-dev member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 19, 2026

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@kcp-ci-bot kcp-ci-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Feb 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dco-signoff: no Indicates the PR's author has not signed the DCO. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: Remove syncagent.kcp.io/cleanup finalizer on related resources in kcp

2 participants

@ifdotpy @kcp-ci-bot

Comments