fix: prevent finalizer from blocking subscription deletion when TRLP is in bad state

liangwen12year · liangwen12year · commit 746d918998fc · 2026-04-20T17:32:01.000-04:00
Classify errors during deletion as permanent (admission rejection, invalid
spec, forbidden) vs transient (timeout, network, 5xx). Only take the
force-delete escape hatch on permanent errors where retrying won't help.
Transient errors return for requeue, preserving the shared TRLP.

When force-deleting or proceeding despite cleanup failure, emit a Kubernetes
Event on the subscription so operators have an auditable breadcrumb that an
orphaned TRLP may need manual cleanup.

Signed-off-by: Wen Liang &lt;liangwen12year@gmail.com&gt;
diff --git a/deployment/base/maas-controller/rbac/clusterrole.yaml b/deployment/base/maas-controller/rbac/clusterrole.yaml
@@ -26,6 +26,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - ""
   resources:
diff --git a/maas-controller/pkg/controller/maas/maassubscription_controller.go b/maas-controller/pkg/controller/maas/maassubscription_controller.go
@@ -35,6 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -52,7 +53,23 @@ import (
 // MaaSSubscriptionReconciler reconciles a MaaSSubscription object
 type MaaSSubscriptionReconciler struct {
 	client.Client
-	Scheme *runtime.Scheme
+	Scheme   *runtime.Scheme
+	Recorder record.EventRecorder
+}
+
+// isPermanentError returns true for errors that indicate a non-recoverable state
+// (admission rejection, invalid spec, forbidden) where retrying won't help.
+// Transient errors (timeouts, network, 5xx) return false and should be requeued.
+func isPermanentError(err error) bool {
+	if err == nil {
+		return false
+	}
+	return apierrors.IsInvalid(err) ||
+		apierrors.IsForbidden(err) ||
+		apierrors.IsConflict(err) ||
+		apierrors.IsNotAcceptable(err) ||
+		strings.Contains(err.Error(), "admission webhook") ||
+		strings.Contains(err.Error(), "denied the request")
 }
 
 //+kubebuilder:rbac:groups=maas.opendatahub.io,resources=maassubscriptions,verbs=get;list;watch;create;update;patch;delete
@@ -61,6 +78,7 @@ type MaaSSubscriptionReconciler struct {
 //+kubebuilder:rbac:groups=maas.opendatahub.io,resources=maasmodelrefs,verbs=get;list;watch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=tokenratelimitpolicies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes/finalizers,verbs=update
 
 const (
@@ -760,9 +778,6 @@ func (r *MaaSSubscriptionReconciler) deleteModelTRLP(ctx context.Context, log lo
 
 func (r *MaaSSubscriptionReconciler) handleDeletion(ctx context.Context, log logr.Logger, subscription *maasv1alpha1.MaaSSubscription) (ctrl.Result, error) {
 	if controllerutil.ContainsFinalizer(subscription, maasSubscriptionFinalizer) {
-		// For each model referenced by this subscription, rebuild the aggregated TokenRateLimitPolicy
-		// without the deleted subscription's limits. If no other subscriptions reference the model,
-		// the TRLP will be deleted. This ensures zero-downtime rate limiting during subscription removal.
 		seen := make(map[string]struct{}, len(subscription.Spec.ModelRefs))
 		for _, modelRef := range subscription.Spec.ModelRefs {
 			k := modelRef.Namespace + "/" + modelRef.Name
@@ -772,14 +787,31 @@ func (r *MaaSSubscriptionReconciler) handleDeletion(ctx context.Context, log log
 			seen[k] = struct{}{}
 			log.Info("Rebuilding TokenRateLimitPolicy without deleted subscription", "model", modelRef.Namespace+"/"+modelRef.Name, "subscription", subscription.Name)
 			if err := r.reconcileTRLPForModel(ctx, log, modelRef.Namespace, modelRef.Name); err != nil {
-				log.Error(err, "failed to reconcile TokenRateLimitPolicy during deletion, will retry", "model", modelRef.Namespace+"/"+modelRef.Name)
-				return ctrl.Result{}, err
+				if !isPermanentError(err) {
+					log.Error(err, "transient TRLP reconciliation failure during deletion, will retry", "model", modelRef.Namespace+"/"+modelRef.Name)
+					return ctrl.Result{}, err
+				}
+				log.Error(err, "permanent TRLP reconciliation failure during deletion, falling back to force-delete", "model", modelRef.Namespace+"/"+modelRef.Name)
+				if delErr := r.deleteModelTRLP(ctx, log, modelRef.Namespace, modelRef.Name); delErr != nil {
+					log.Error(delErr, "TRLP force-delete also failed, proceeding with finalizer removal", "model", modelRef.Namespace+"/"+modelRef.Name)
+				}
+				if r.Recorder != nil {
+					r.Recorder.Eventf(subscription, "Warning", "TRLPCleanupFailed",
+						"TRLP cleanup failed for model %s/%s during deletion (permanent error: %v); finalizer removed, orphaned TRLP may need manual cleanup",
+						modelRef.Namespace, modelRef.Name, err)
+				}
 			}
 		}
-		// Also clean up stale TRLPs from modelRefs that were removed
-		// before the CR was deleted (edge case: edit + delete before reconcile).
 		if err := r.cleanupStaleTRLPs(ctx, log, subscription); err != nil {
-			return ctrl.Result{}, err
+			if !isPermanentError(err) {
+				log.Error(err, "transient stale TRLP cleanup failure during deletion, will retry")
+				return ctrl.Result{}, err
+			}
+			log.Error(err, "permanent stale TRLP cleanup failure during deletion, proceeding with finalizer removal")
+			if r.Recorder != nil {
+				r.Recorder.Eventf(subscription, "Warning", "StaleTRLPCleanupFailed",
+					"Stale TRLP cleanup failed during deletion (permanent error: %v); finalizer removed, orphaned TRLP may need manual cleanup", err)
+			}
 		}
 		controllerutil.RemoveFinalizer(subscription, maasSubscriptionFinalizer)
 		if err := r.Update(ctx, subscription); err != nil {
@@ -941,6 +973,8 @@ func conditionsSemanticallyEqual(a, b *metav1.Condition) bool {
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *MaaSSubscriptionReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	r.Recorder = mgr.GetEventRecorderFor("maas-subscription-controller")
+
 	// Register field indexer for efficient lookup of MaaSSubscriptions by model reference.
 	// This avoids cluster-wide scans when finding subscriptions for a specific model.
 	if err := mgr.GetFieldIndexer().IndexField(
diff --git a/maas-controller/pkg/controller/maas/maassubscription_controller_test.go b/maas-controller/pkg/controller/maas/maassubscription_controller_test.go
@@ -18,6 +18,7 @@ package maas
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"testing"
@@ -31,6 +32,8 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	maasv1alpha1 "github.com/opendatahub-io/models-as-a-service/maas-controller/api/maas/v1alpha1"
@@ -1346,3 +1349,203 @@ func TestMaaSSubscriptionReconciler_WindowValuesInTRLP(t *testing.T) {
 		})
 	}
 }
+
+// permanentUpdateError returns an apierrors.StatusError that isPermanentError classifies
+// as non-recoverable (admission webhook rejection).
+func permanentUpdateError() error {
+	return &apierrors.StatusError{ErrStatus: metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    422,
+		Reason:  metav1.StatusReasonInvalid,
+		Message: "admission webhook denied the request: invalid window format",
+	}}
+}
+
+// TestHandleDeletion_PermanentError_FallsBackToDeleteTRLP verifies that when
+// reconcileTRLPForModel fails with a permanent error (e.g. admission webhook rejects
+// the TRLP update), the handler falls back to force-deleting the TRLP and removes
+// the finalizer so the subscription deletion is not permanently blocked.
+func TestHandleDeletion_PermanentError_FallsBackToDeleteTRLP(t *testing.T) {
+	const (
+		modelName = "shared-model"
+		namespace = "default"
+		trlpName  = "maas-trlp-" + modelName
+	)
+
+	model := &maasv1alpha1.MaaSModelRef{
+		ObjectMeta: metav1.ObjectMeta{Name: modelName, Namespace: namespace},
+		Spec:       maasv1alpha1.MaaSModelSpec{ModelRef: maasv1alpha1.ModelReference{Kind: "ExternalModel", Name: modelName}},
+	}
+	route := &gatewayapiv1.HTTPRoute{
+		ObjectMeta: metav1.ObjectMeta{Name: modelName, Namespace: namespace},
+	}
+	existingTRLP := newPreexistingTRLP(trlpName, namespace, modelName, map[string]string{})
+	subA := newMaaSSubscription("sub-a", namespace, "team-a", modelName, 100)
+	subA.Finalizers = []string{maasSubscriptionFinalizer}
+	subB := newMaaSSubscription("sub-b", namespace, "team-b", modelName, 200)
+
+	c := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithRESTMapper(testRESTMapper()).
+		WithObjects(model, route, subA, subB, existingTRLP).
+		WithIndex(&maasv1alpha1.MaaSSubscription{}, "spec.modelRef", subscriptionModelRefIndexer).
+		WithInterceptorFuncs(interceptor.Funcs{
+			Update: func(ctx context.Context, cl client.WithWatch, obj client.Object, opts ...client.UpdateOption) error {
+				if u, ok := obj.(*unstructured.Unstructured); ok && u.GetKind() == "TokenRateLimitPolicy" {
+					return permanentUpdateError()
+				}
+				return cl.Update(ctx, obj, opts...)
+			},
+		}).
+		Build()
+
+	if err := c.Delete(context.Background(), subA); err != nil {
+		t.Fatalf("Delete sub-a: %v", err)
+	}
+
+	r := &MaaSSubscriptionReconciler{Client: c, Scheme: scheme}
+	req := ctrl.Request{NamespacedName: types.NamespacedName{Name: "sub-a", Namespace: namespace}}
+	if _, err := r.Reconcile(context.Background(), req); err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+
+	// TRLP should be deleted via the fallback deleteModelTRLP path
+	got := &unstructured.Unstructured{}
+	got.SetGroupVersionKind(schema.GroupVersionKind{Group: "kuadrant.io", Version: "v1alpha1", Kind: "TokenRateLimitPolicy"})
+	if err := c.Get(context.Background(), types.NamespacedName{Name: trlpName, Namespace: namespace}, got); !apierrors.IsNotFound(err) {
+		t.Errorf("expected TRLP to be deleted via fallback, but got err: %v", err)
+	}
+
+	// Finalizer should be removed
+	var sub maasv1alpha1.MaaSSubscription
+	if err := c.Get(context.Background(), types.NamespacedName{Name: "sub-a", Namespace: namespace}, &sub); !apierrors.IsNotFound(err) {
+		t.Errorf("expected sub-a to be fully deleted (finalizer removed), got err: %v", err)
+	}
+}
+
+// TestHandleDeletion_TransientError_RequeuesForRetry verifies that transient errors
+// (timeouts, network flakes) during deletion are returned for requeue rather than
+// triggering force-delete, which could collaterally damage shared TRLPs.
+func TestHandleDeletion_TransientError_RequeuesForRetry(t *testing.T) {
+	const (
+		modelName = "shared-model"
+		namespace = "default"
+		trlpName  = "maas-trlp-" + modelName
+	)
+
+	model := &maasv1alpha1.MaaSModelRef{
+		ObjectMeta: metav1.ObjectMeta{Name: modelName, Namespace: namespace},
+		Spec:       maasv1alpha1.MaaSModelSpec{ModelRef: maasv1alpha1.ModelReference{Kind: "ExternalModel", Name: modelName}},
+	}
+	route := &gatewayapiv1.HTTPRoute{
+		ObjectMeta: metav1.ObjectMeta{Name: modelName, Namespace: namespace},
+	}
+	existingTRLP := newPreexistingTRLP(trlpName, namespace, modelName, map[string]string{})
+	subA := newMaaSSubscription("sub-a", namespace, "team-a", modelName, 100)
+	subA.Finalizers = []string{maasSubscriptionFinalizer}
+	subB := newMaaSSubscription("sub-b", namespace, "team-b", modelName, 200)
+
+	// Transient error: generic timeout, not an admission rejection
+	c := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithRESTMapper(testRESTMapper()).
+		WithObjects(model, route, subA, subB, existingTRLP).
+		WithIndex(&maasv1alpha1.MaaSSubscription{}, "spec.modelRef", subscriptionModelRefIndexer).
+		WithInterceptorFuncs(interceptor.Funcs{
+			Update: func(ctx context.Context, cl client.WithWatch, obj client.Object, opts ...client.UpdateOption) error {
+				if u, ok := obj.(*unstructured.Unstructured); ok && u.GetKind() == "TokenRateLimitPolicy" {
+					return errors.New("simulated transient API server timeout")
+				}
+				return cl.Update(ctx, obj, opts...)
+			},
+		}).
+		Build()
+
+	if err := c.Delete(context.Background(), subA); err != nil {
+		t.Fatalf("Delete sub-a: %v", err)
+	}
+
+	r := &MaaSSubscriptionReconciler{Client: c, Scheme: scheme}
+	req := ctrl.Request{NamespacedName: types.NamespacedName{Name: "sub-a", Namespace: namespace}}
+	_, err := r.Reconcile(context.Background(), req)
+	if err == nil {
+		t.Fatal("Reconcile should return error on transient failure for requeue")
+	}
+
+	// TRLP should NOT be deleted — transient errors don't trigger force-delete
+	got := &unstructured.Unstructured{}
+	got.SetGroupVersionKind(schema.GroupVersionKind{Group: "kuadrant.io", Version: "v1alpha1", Kind: "TokenRateLimitPolicy"})
+	if getErr := c.Get(context.Background(), types.NamespacedName{Name: trlpName, Namespace: namespace}, got); getErr != nil {
+		t.Errorf("TRLP should still exist after transient error, but got: %v", getErr)
+	}
+
+	// Finalizer should NOT be removed — requeue will retry
+	var sub maasv1alpha1.MaaSSubscription
+	if getErr := c.Get(context.Background(), types.NamespacedName{Name: "sub-a", Namespace: namespace}, &sub); getErr != nil {
+		t.Fatalf("sub-a should still exist with finalizer, got: %v", getErr)
+	}
+	if !controllerutil.ContainsFinalizer(&sub, maasSubscriptionFinalizer) {
+		t.Error("sub-a finalizer should still be present after transient error")
+	}
+}
+
+// TestHandleDeletion_PermanentError_BothFail_StillRemovesFinalizer verifies that
+// when both TRLP reconciliation and force-delete fail with permanent errors, the
+// finalizer is still removed so the subscription is not stuck forever.
+func TestHandleDeletion_PermanentError_BothFail_StillRemovesFinalizer(t *testing.T) {
+	const (
+		modelName = "shared-model"
+		namespace = "default"
+		trlpName  = "maas-trlp-" + modelName
+	)
+
+	model := &maasv1alpha1.MaaSModelRef{
+		ObjectMeta: metav1.ObjectMeta{Name: modelName, Namespace: namespace},
+		Spec:       maasv1alpha1.MaaSModelSpec{ModelRef: maasv1alpha1.ModelReference{Kind: "ExternalModel", Name: modelName}},
+	}
+	route := &gatewayapiv1.HTTPRoute{
+		ObjectMeta: metav1.ObjectMeta{Name: modelName, Namespace: namespace},
+	}
+	existingTRLP := newPreexistingTRLP(trlpName, namespace, modelName, map[string]string{})
+	subA := newMaaSSubscription("sub-a", namespace, "team-a", modelName, 100)
+	subA.Finalizers = []string{maasSubscriptionFinalizer}
+	subB := newMaaSSubscription("sub-b", namespace, "team-b", modelName, 200)
+
+	// Permanent error on Update + fail List so deleteModelTRLP also fails
+	c := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithRESTMapper(testRESTMapper()).
+		WithObjects(model, route, subA, subB, existingTRLP).
+		WithIndex(&maasv1alpha1.MaaSSubscription{}, "spec.modelRef", subscriptionModelRefIndexer).
+		WithInterceptorFuncs(interceptor.Funcs{
+			Update: func(ctx context.Context, cl client.WithWatch, obj client.Object, opts ...client.UpdateOption) error {
+				if u, ok := obj.(*unstructured.Unstructured); ok && u.GetKind() == "TokenRateLimitPolicy" {
+					return permanentUpdateError()
+				}
+				return cl.Update(ctx, obj, opts...)
+			},
+			List: func(ctx context.Context, cl client.WithWatch, list client.ObjectList, opts ...client.ListOption) error {
+				if ul, ok := list.(*unstructured.UnstructuredList); ok && ul.GetKind() == "TokenRateLimitPolicyList" {
+					return permanentUpdateError()
+				}
+				return cl.List(ctx, list, opts...)
+			},
+		}).
+		Build()
+
+	if err := c.Delete(context.Background(), subA); err != nil {
+		t.Fatalf("Delete sub-a: %v", err)
+	}
+
+	r := &MaaSSubscriptionReconciler{Client: c, Scheme: scheme}
+	req := ctrl.Request{NamespacedName: types.NamespacedName{Name: "sub-a", Namespace: namespace}}
+	if _, err := r.Reconcile(context.Background(), req); err != nil {
+		t.Fatalf("Reconcile should not return error on permanent failure (finalizer must be removed), got: %v", err)
+	}
+
+	// Finalizer should be removed despite all cleanup failures
+	var sub maasv1alpha1.MaaSSubscription
+	if err := c.Get(context.Background(), types.NamespacedName{Name: "sub-a", Namespace: namespace}, &sub); !apierrors.IsNotFound(err) {
+		t.Errorf("expected sub-a to be fully deleted (finalizer removed despite permanent failures), got err: %v", err)
+	}
+}
