fix: updated api binding finalization (#168)

* fix: updated api binding finalization

On-behalf-of: SAP [email protected]

* updated tests

On-behalf-of: SAP [email protected]

* linter fixes

On-behalf-of: SAP [email protected]

* fixed typo

On-behalf-of: SAP [email protected]

* fixed continue error

On-behalf-of: SAP [email protected]

* fix: changed finalizer name and added organization check

On-behalf-of: SAP [email protected]

* refactored tests

On-behalf-of: SAP [email protected]

* fixed linter issue

On-behalf-of: SAP [email protected]

* chore: refactored tests

On-behalf-of: SAP [email protected]

* feat: introduced integration tests

On-behalf-of: SAP [email protected]

* Update internal/subroutine/authorization_model_generation_integration_test.go

Co-authored-by: Aaron Schweig <[email protected]>

* Update internal/subroutine/authorization_model_generation_integration_test.go

Co-authored-by: Aaron Schweig <[email protected]>

* Update internal/subroutine/authorization_model_generation_integration_test.go

Co-authored-by: Aaron Schweig <[email protected]>

* chore: removed e-mail

On-behalf-of: SAP [email protected]

* feat: introduced isolated integration tests

On-behalf-of: SAP [email protected]

* updated naming

On-behalf-of: SAP [email protected]

* updated task file

On-behalf-of: SAP [email protected]

* fixed path to kcp binary

On-behalf-of: SAP [email protected]

* updated kcp version in task file

On-behalf-of: SAP [email protected]

* fixed linter errors

On-behalf-of: SAP [email protected]

* fixed imports

On-behalf-of: SAP [email protected]

* removed previos intetration tests

On-behalf-of: SAP [email protected]

* chore: removed package variables

On-behalf-of: SAP [email protected]

* feat: added api binding controller in tests

On-behalf-of: SAP [email protected]

* fixed linter error

On-behalf-of: SAP [email protected]

---------

Co-authored-by: Aaron Schweig <[email protected]>

Author: OlegErshov

Taskfile.yaml

@@ -7,7 +7,7 @@ vars:
   ENVTEST_VERSION: release-0.19
   CRD_DIRECTORY: config/crd/bases
   KCP_APIGEN_VERSION: v0.21.0
-  KCP_VERSION: 0.26.1
+  KCP_VERSION: 0.28.3
   GOLANGCI_LINT_VERSION: v2.5.0
   GOARCH:
     sh: go env GOARCH
@@ -76,15 +76,17 @@ tasks:
       GOPRIVATE: github.com/platform-mesh 
       KUBEBUILDER_ASSETS:
         sh: $(pwd)/{{.LOCAL_BIN}}/setup-envtest use {{.ENVTEST_K8S_VERSION}} --bin-dir $(pwd)/{{.LOCAL_BIN}} -p path
+      TEST_KCP_ASSETS:
+        sh: echo $(pwd)/{{.LOCAL_BIN}}
       GO111MODULE: on
     cmds:
       - go test -count=1 ./... {{.ADDITIONAL_COMMAND_ARGS}}
   test:
-    deps: [setup:envtest]
+    deps: [setup:envtest, setup:kcp]
     cmds:
       - task: envtest
   cover:
-    deps: [setup:envtest]
+    deps: [setup:envtest, setup:kcp]
     cmds:
       - task: envtest
         vars:

cmd/operator.go

@@ -59,8 +59,6 @@ func logicalClusterClientFromKey(mgr ctrl.Manager, log *logger.Logger) NewLogica
 
 		parsed.Path = fmt.Sprintf("/clusters/%s", clusterKey)
 
-		log.Info().Msg(fmt.Sprintf("HOST from logical cluster client from key -- %s", parsed.String()))
-
 		cfg.Host = parsed.String()
 
 		return client.New(cfg, client.Options{

go.mod

@@ -70,6 +70,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250728122101-adbf20db3e51 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/martinlindhe/base36 v1.1.1 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect

go.sum

@@ -130,6 +130,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/martinlindhe/base36 v1.1.1 h1:1F1MZ5MGghBXDZ2KJ3QfxmiydlWOGB8HCEtkap5NkVg=
+github.com/martinlindhe/base36 v1.1.1/go.mod h1:vMS8PaZ5e/jV9LwFKlm0YLnXl/hpOihiBxKkIoc3g08=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -208,6 +210,7 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=

internal/controller/apibinding_controller.go

@@ -2,13 +2,19 @@ package controller
 
 import (
 	"context"
+	"net/url"
+	"strings"
 
 	kcpv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1"
+	"github.com/kcp-dev/logicalcluster/v3"
 	platformeshconfig "github.com/platform-mesh/golang-commons/config"
 	"github.com/platform-mesh/golang-commons/controller/lifecycle/builder"
 	lifecyclesubroutine "github.com/platform-mesh/golang-commons/controller/lifecycle/subroutine"
 	"github.com/platform-mesh/golang-commons/logger"
+	"github.com/rs/zerolog/log"
+	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
 	"github.com/platform-mesh/golang-commons/controller/lifecycle/multicluster"
@@ -18,11 +24,46 @@ import (
 	mcreconcile "sigs.k8s.io/multicluster-runtime/pkg/reconcile"
 )
 
+func getAllClient(mcMgr mcmanager.Manager) (client.Client, error) {
+	allCfg := rest.CopyConfig(mcMgr.GetLocalManager().GetConfig())
+
+	parsed, err := url.Parse(allCfg.Host)
+	if err != nil {
+		log.Error().Err(err).Msg("unable to parse host from config")
+		return nil, err
+	}
+
+	parts := strings.Split(parsed.Path, "clusters")
+
+	parsed.Path, err = url.JoinPath(parts[0], "clusters", logicalcluster.Wildcard.String())
+	if err != nil {
+		log.Error().Err(err).Msg("unable to join path")
+		return nil, err
+	}
+
+	allCfg.Host = parsed.String()
+
+	log.Info().Str("host", allCfg.Host).Msg("using host")
+
+	allClient, err := client.New(allCfg, client.Options{
+		Scheme: mcMgr.GetLocalManager().GetScheme(),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return allClient, nil
+}
+
 func NewAPIBindingReconciler(logger *logger.Logger, mcMgr mcmanager.Manager) *APIBindingReconciler {
+	allclient, err := getAllClient(mcMgr)
+	if err != nil {
+		log.Fatal().Err(err).Msg("unable to create new client")
+	}
+
 	return &APIBindingReconciler{
 		log: logger,
 		mclifecycle: builder.NewBuilder("apibinding", "apibinding-controller", []lifecyclesubroutine.Subroutine{
-			subroutine.NewAuthorizationModelGenerationSubroutine(mcMgr),
+			subroutine.NewAuthorizationModelGenerationSubroutine(mcMgr, allclient),
 		}, logger).
 			BuildMultiCluster(mcMgr),
 	}

internal/controller/store_controller.go

@@ -2,10 +2,7 @@ package controller
 
 import (
 	"context"
-	"net/url"
-	"strings"
 
-	"github.com/kcp-dev/logicalcluster/v3"
 	"github.com/platform-mesh/golang-commons/controller/lifecycle/builder"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/discovery"
@@ -37,28 +34,7 @@ type StoreReconciler struct {
 }
 
 func NewStoreReconciler(log *logger.Logger, fga openfgav1.OpenFGAServiceClient, mcMgr mcmanager.Manager) *StoreReconciler {
-
-	allCfg := rest.CopyConfig(mcMgr.GetLocalManager().GetConfig())
-
-	parsed, err := url.Parse(allCfg.Host)
-	if err != nil {
-		log.Fatal().Err(err).Msg("unable to parse host from config")
-	}
-
-	parts := strings.Split(parsed.Path, "clusters")
-
-	parsed.Path, err = url.JoinPath(parts[0], "clusters", logicalcluster.Wildcard.String())
-	if err != nil {
-		log.Fatal().Err(err).Msg("unable to join path")
-	}
-
-	allCfg.Host = parsed.String()
-
-	log.Info().Str("host", allCfg.Host).Msg("using host")
-
-	allClient, err := client.New(allCfg, client.Options{
-		Scheme: mcMgr.GetLocalManager().GetScheme(),
-	})
+	allClient, err := getAllClient(mcMgr)
 	if err != nil {
 		log.Fatal().Err(err).Msg("unable to create new client")
 	}

internal/subroutine/authorization_model_generation.go

@@ -19,22 +19,25 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	mcmanager "sigs.k8s.io/multicluster-runtime/pkg/manager"
 
 	securityv1alpha1 "github.com/platform-mesh/security-operator/api/v1alpha1"
 )
 
-func NewAuthorizationModelGenerationSubroutine(mcMgr mcmanager.Manager) *AuthorizationModelGenerationSubroutine {
+func NewAuthorizationModelGenerationSubroutine(mcMgr mcmanager.Manager, allClient client.Client) *AuthorizationModelGenerationSubroutine {
 	return &AuthorizationModelGenerationSubroutine{
-		mgr: mcMgr,
+		mgr:       mcMgr,
+		allClient: allClient,
 	}
 }
 
 var _ lifecyclesubroutine.Subroutine = &AuthorizationModelGenerationSubroutine{}
 
 type AuthorizationModelGenerationSubroutine struct {
-	mgr mcmanager.Manager
+	mgr       mcmanager.Manager
+	allClient client.Client
 }
 
 var modelTpl = template.Must(template.New("model").Parse(`module {{ .Name }}
@@ -86,19 +89,19 @@ func (a *AuthorizationModelGenerationSubroutine) Finalize(ctx context.Context, i
 
 	bindingToDelete := instance.(*kcpv1alpha1.APIBinding)
 
-	cluster, err := a.mgr.ClusterFromContext(ctx)
+	bindingCluster, err := a.mgr.ClusterFromContext(ctx)
 	if err != nil {
 		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("unable to get cluster from context: %w", err), true, false)
 	}
 
 	var bindings kcpv1alpha1.APIBindingList
-	err = cluster.GetClient().List(ctx, &bindings)
+	err = a.allClient.List(ctx, &bindings)
 	if err != nil {
 		return ctrl.Result{}, errors.NewOperatorError(err, true, true)
 	}
 
 	var toDeleteAccountInfo accountv1alpha1.AccountInfo
-	err = cluster.GetClient().Get(ctx, types.NamespacedName{Name: "account"}, &toDeleteAccountInfo)
+	err = bindingCluster.GetClient().Get(ctx, types.NamespacedName{Name: "account"}, &toDeleteAccountInfo)
 	if err != nil {
 		log.Error().Err(err).Msg("unable to get account info for binding deletion")
 		return ctrl.Result{}, errors.NewOperatorError(err, true, true)
@@ -110,16 +113,16 @@ func (a *AuthorizationModelGenerationSubroutine) Finalize(ctx context.Context, i
 			continue
 		}
 
-		bindingCluster, err := a.mgr.GetCluster(ctx, string(logicalcluster.From(&binding)))
+		bindingWsCluster, err := a.mgr.GetCluster(ctx, string(logicalcluster.From(&binding)))
 		if err != nil {
 			return ctrl.Result{}, errors.NewOperatorError(err, true, true)
 		}
 
 		var accountInfo accountv1alpha1.AccountInfo
-		err = bindingCluster.GetClient().Get(ctx, types.NamespacedName{Name: "account"}, &accountInfo)
+		err = bindingWsCluster.GetClient().Get(ctx, types.NamespacedName{Name: "account"}, &accountInfo)
 		if kerrors.IsNotFound(err) || meta.IsNoMatchError(err) {
-			// If the accountinfo does not exist, we can skip the model generation.
-			return ctrl.Result{}, nil
+			// If the accountinfo does not exist, skip this binding and continue with others
+			continue
 		}
 		if err != nil {
 			return ctrl.Result{}, errors.NewOperatorError(err, true, true)
@@ -140,26 +143,52 @@ func (a *AuthorizationModelGenerationSubroutine) Finalize(ctx context.Context, i
 		return ctrl.Result{}, nil
 	}
 
-	err = cluster.GetClient().Delete(ctx, &securityv1alpha1.AuthorizationModel{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: fmt.Sprintf("%s-%s", bindingToDelete.Spec.Reference.Export.Name, bindingToDelete.Spec.Reference.Export.Path),
-		},
-	})
+	apiExportCluster, err := a.mgr.GetCluster(ctx, bindingToDelete.Status.APIExportClusterName)
 	if err != nil {
-		if kerrors.IsNotFound(err) {
-			// If the model does not exist, we can skip the deletion.
-			return ctrl.Result{}, nil
-		}
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to get cluster %q: %w", bindingToDelete.Status.APIExportClusterName, err), true, false)
+	}
+	apiExportClient := apiExportCluster.GetClient()
+
+	var apiExport kcpv1alpha1.APIExport
+	err = apiExportClient.Get(ctx, types.NamespacedName{Name: bindingToDelete.Spec.Reference.Export.Name}, &apiExport)
+	if err != nil {
+		log.Error().Err(err).Msg("failed to get apiexport for binding deletion")
 		return ctrl.Result{}, errors.NewOperatorError(err, true, true)
 	}
 
+	for _, latestResourceSchema := range apiExport.Spec.LatestResourceSchemas {
+		var resourceSchema kcpv1alpha1.APIResourceSchema
+		err := apiExportClient.Get(ctx, types.NamespacedName{Name: latestResourceSchema}, &resourceSchema)
+		if err != nil {
+			log.Error().Err(err).Msg("failed to get resource schema for binding deletion")
+			return ctrl.Result{}, errors.NewOperatorError(err, true, true)
+		}
+
+		authModelName := fmt.Sprintf("%s-%s", resourceSchema.Spec.Names.Plural, toDeleteAccountInfo.Spec.Organization.Name)
+		err = apiExportClient.Delete(ctx, &securityv1alpha1.AuthorizationModel{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: authModelName,
+			},
+		})
+		if err != nil {
+			if kerrors.IsNotFound(err) {
+				// If the model does not exist, we can skip the deletion.
+				log.Info().Msg(fmt.Sprintf("authorization model %s does not exist", authModelName))
+				continue
+			}
+			log.Error().Err(err).Msg("failed to delete authorization model")
+			return ctrl.Result{}, errors.NewOperatorError(err, true, true)
+		}
+		log.Info().Msg(fmt.Sprintf("authorization model %s has been deleted", authModelName))
+	}
+
 	return ctrl.Result{}, nil
 
 }
 
 // Finalizers implements lifecycle.Subroutine.
 func (a *AuthorizationModelGenerationSubroutine) Finalizers(_ lifecyclecontrollerruntime.RuntimeObject) []string {
-	return []string{}
+	return []string{"core.platform-mesh.io/apibinding-finalizer"}
 }
 
 // GetName implements lifecycle.Subroutine.