fix: consolidate garbage collection for namespaced and cluster-scoped workspaces

Fixes the bug in the garbage collector that caused unintended workspace
directory deletions.

Previously, both cluster-scoped and namespaced workspace
controllers started their own GC instances on the same root directory.
Each GC only checked their respective Workspace MR instances, causing race and deletions of workspace dirs of each other, e.g. cluster-scoped GC deleting workspace directories and vice versa.

The fix consolidates the GC logic to consider both Workspace MR types and runs a centralized GC controller, per root directory ( e.g. `/tofu` and `/tmp/tofu`)
It also considers edge cases due to potential usage of SafeStart, where namespaced or cluster-scoped Workspace CRDs might not be available immediately or not used at all.

- GC logic is now  controller-runtime `manager.Runnable` with proper shutdown context
- centralized gc.Setup() with ensuring "run once", whichever controller
- Added tests for CRD gating scenarios

Signed-off-by: Erhan Cagirici <erhan@upbound.io>

Author: erhancagirici

cmd/provider/main.go

@@ -41,6 +41,8 @@ import (
 	namespacedapis "github.com/upbound/provider-opentofu/apis/namespaced"
 	"github.com/upbound/provider-opentofu/internal/bootcheck"
 	clustercontroller "github.com/upbound/provider-opentofu/internal/controller/cluster"
+	"github.com/upbound/provider-opentofu/internal/controller/cluster/workspace"
+	"github.com/upbound/provider-opentofu/internal/controller/gc"
 	namespacedcontroller "github.com/upbound/provider-opentofu/internal/controller/namespaced"
 	"github.com/upbound/provider-opentofu/internal/features"
 )
@@ -144,6 +146,9 @@ func main() {
 		log.Info("Beta feature enabled", "flag", features.EnableBetaManagementPolicies)
 	}
 
+	// NOTE: cluster-scoped and namespaced Workspaces share a common
+	// workspace root directory. Update GC setup if they diverge
+	kingpin.FatalIfError(gc.Setup(mgr, workspace.GetTfDir(), log), "cannot setup Workspace garbage collector controller")
 	canSafeStart, err := canWatchCRD(ctx, mgr)
 	kingpin.FatalIfError(err, "SafeStart precheck failed")
 	if canSafeStart {

internal/controller/cluster/workspace/workspace.go

@@ -39,7 +39,6 @@ import (
 	"github.com/upbound/provider-opentofu/internal/clients"
 	"github.com/upbound/provider-opentofu/internal/features"
 	"github.com/upbound/provider-opentofu/internal/opentofu"
-	"github.com/upbound/provider-opentofu/internal/workdir"
 )
 
 const (
@@ -90,6 +89,11 @@ func envVarFallback(envvar string, fallback string) string {
 
 var tfDir = envVarFallback("XP_TF_DIR", "/tofu")
 
+// GetTfDir returns the OpenTofu working directory root.
+func GetTfDir() string {
+	return tfDir
+}
+
 type tofuclient interface {
 	Init(ctx context.Context, o ...opentofu.InitOption) error
 	Workspace(ctx context.Context, name string) error
@@ -107,12 +111,6 @@ func Setup(mgr ctrl.Manager, o controller.Options, timeout, pollJitter time.Dura
 	name := managed.ControllerName(v1beta1.WorkspaceGroupKind)
 
 	fs := afero.Afero{Fs: afero.NewOsFs()}
-	gcWorkspace := workdir.NewGarbageCollector(mgr.GetClient(), tfDir, workdir.WithFs(fs), workdir.WithLogger(o.Logger))
-	go gcWorkspace.Run(context.TODO(), false)
-
-	gcTmp := workdir.NewGarbageCollector(mgr.GetClient(), filepath.Join("/tmp", tfDir), workdir.WithFs(fs), workdir.WithLogger(o.Logger))
-	go gcTmp.Run(context.TODO(), false)
-
 	c := &connector{
 		kube:   mgr.GetClient(),
 		usage:  resource.NewLegacyProviderConfigUsageTracker(mgr.GetClient(), &v1beta1.ProviderConfigUsage{}),

internal/controller/gc/gc.go

@@ -0,0 +1,55 @@
+/*
+SPDX-FileCopyrightText: 2026 Upbound Inc. <https://upbound.io>
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package gc
+
+import (
+	"path/filepath"
+
+	"github.com/crossplane/crossplane-runtime/v2/pkg/logging"
+	"github.com/spf13/afero"
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	"github.com/upbound/provider-opentofu/internal/workdir"
+)
+
+// Setup initializes and registers the garbage collectors with the manager.
+//
+// Two GC instances are created:
+// - One for the main workspace directory containing workspace roots
+// - One for /tmp directory containing temporary workspace files
+//
+// Each GC queries both cluster-scoped and namespaced workspaces to determine
+// which directories can be safely deleted.
+func Setup(mgr ctrl.Manager, tfDir string, logger logging.Logger) error {
+	fs := afero.Afero{Fs: afero.NewOsFs()}
+
+	// GC for main workspace directory
+	gcWorkspace := workdir.NewGarbageCollector(
+		mgr.GetClient(),
+		tfDir,
+		workdir.WithFs(fs),
+		workdir.WithLogger(logger),
+	)
+	if err := mgr.Add(gcWorkspace); err != nil {
+		return err
+	}
+
+	// GC for temporary workspace directory
+	gcTmp := workdir.NewGarbageCollector(
+		mgr.GetClient(),
+		filepath.Join("/tmp", tfDir),
+		workdir.WithFs(fs),
+		workdir.WithLogger(logger),
+	)
+	if err := mgr.Add(gcTmp); err != nil {
+		return err
+	}
+
+	logger.Debug("Workspace garbage collectors initialized successfully")
+
+	return nil
+}

internal/controller/namespaced/workspace/workspace.go

@@ -39,7 +39,6 @@ import (
 	"github.com/upbound/provider-opentofu/internal/clients"
 	"github.com/upbound/provider-opentofu/internal/features"
 	"github.com/upbound/provider-opentofu/internal/opentofu"
-	"github.com/upbound/provider-opentofu/internal/workdir"
 )
 
 const (
@@ -90,6 +89,11 @@ func envVarFallback(envvar string, fallback string) string {
 
 var tfDir = envVarFallback("XP_TF_DIR", "/tofu")
 
+// GetTfDir returns the OpenTofu working directory root.
+func GetTfDir() string {
+	return tfDir
+}
+
 type tofuclient interface {
 	Init(ctx context.Context, o ...opentofu.InitOption) error
 	Workspace(ctx context.Context, name string) error
@@ -107,12 +111,6 @@ func Setup(mgr ctrl.Manager, o controller.Options, timeout, pollJitter time.Dura
 	name := managed.ControllerName(v1beta1.WorkspaceGroupKind)
 
 	fs := afero.Afero{Fs: afero.NewOsFs()}
-	gcWorkspace := workdir.NewGarbageCollector(mgr.GetClient(), tfDir, workdir.WithFs(fs), workdir.WithLogger(o.Logger))
-	go gcWorkspace.Run(context.TODO(), true)
-
-	gcTmp := workdir.NewGarbageCollector(mgr.GetClient(), filepath.Join("/tmp", tfDir), workdir.WithFs(fs), workdir.WithLogger(o.Logger))
-	go gcTmp.Run(context.TODO(), true)
-
 	c := &connector{
 		kube:   mgr.GetClient(),
 		usage:  resource.NewProviderConfigUsageTracker(mgr.GetClient(), &v1beta1.ProviderConfigUsage{}),

internal/workdir/workdir.go

@@ -16,6 +16,8 @@ import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/spf13/afero"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	clusterv1beta1 "github.com/upbound/provider-opentofu/apis/cluster/v1beta1"
@@ -77,15 +79,19 @@ func NewGarbageCollector(c client.Client, parentDir string, o ...GarbageCollecto
 	return gc
 }
 
-// Run the garbage collector. Blocks until the supplied context is done.
-func (gc *GarbageCollector) Run(ctx context.Context, namespaced bool) {
+// Start runs the garbage collector. Blocks until the supplied context
+// is done.
+//
+// Implements manager.Runnable to allow controller-runtime
+// managers can manage the garbage collector.
+func (gc *GarbageCollector) Start(ctx context.Context) error {
 	t := time.NewTicker(gc.interval)
 	for {
 		select {
 		case <-ctx.Done():
-			return
+			return nil
 		case <-t.C:
-			if err := gc.collect(ctx, namespaced); err != nil {
+			if err := gc.collect(ctx); err != nil {
 				gc.log.Info("Garbage collection failed", "error", err)
 			}
 		}
@@ -97,26 +103,73 @@ func isUUID(u string) bool {
 	return err == nil
 }
 
-func (gc *GarbageCollector) collect(ctx context.Context, namespaced bool) error {
+func (gc *GarbageCollector) collect(ctx context.Context) error { //nolint:gocyclo // easier to follow as a unit
+	gc.log.Debug("Running workspace garbage collection", "dir", gc.parentDir)
 	exists := map[string]bool{}
-
-	if namespaced {
-		l := &namespacedv1beta1.WorkspaceList{}
-		if err := gc.kube.List(ctx, l); err != nil {
-			return errors.Wrap(err, errListWorkspaces)
+	listedAny := false
+
+	// List cluster-scoped workspaces
+	// Note: cluster-scoped Workspace CRD may not be available
+	// (e.g. disabled via ManagedResourceActivationPolicies)
+	clusterList := &clusterv1beta1.WorkspaceList{}
+	if err := gc.kube.List(ctx, clusterList); err != nil {
+		switch {
+		case apierrors.IsNotFound(err), meta.IsNoMatchError(err):
+			// cluster-scoped Workspace CRD not installed, so no instances (safe to continue)
+			gc.log.Debug("Cluster-scoped Workspace CRD not installed, skipping")
+		case apierrors.IsForbidden(err):
+			// cluster-scoped Workspaces might still exist, cannot safely determine
+			gc.log.Debug("No RBAC permissions to list cluster-scoped workspaces, aborting garbage collection")
+			return err
+		default:
+			// cluster-scoped Workspaces might still exist, cannot safely determine
+			gc.log.Debug("Failed to list cluster-scoped workspaces, aborting garbage collection")
+			return err
 		}
-		for _, ws := range l.Items {
+	} else {
+		listedAny = true
+		for _, ws := range clusterList.Items {
 			exists[string(ws.GetUID())] = true
 		}
-	} else {
-		l := &clusterv1beta1.WorkspaceList{}
-		if err := gc.kube.List(ctx, l); err != nil {
-			return errors.Wrap(err, errListWorkspaces)
+	}
+
+	// List namespaced workspaces
+	// Note: namespaced `Workspace` CRD may not be installed
+	// (e.g. disabled via ManagedResourceActivationPolicies)
+	namespacedList := &namespacedv1beta1.WorkspaceList{}
+	if err := gc.kube.List(ctx, namespacedList); err != nil {
+		switch {
+		case apierrors.IsNotFound(err), meta.IsNoMatchError(err):
+			// no workspaces of namespaced type can exist (safe to continue)
+			gc.log.Debug("Namespaced Workspace CRD not installed, skipping")
+		case apierrors.IsForbidden(err):
+			// Namespaced workspaces might exist, log and abort GC
+			gc.log.Debug("No RBAC permissions to list namespaced workspaces, aborting garbage collection")
+			return err
+		default:
+			// cannot safely determine whether the workspace, abort GC
+			gc.log.Debug("Failed to list namespaced workspaces, aborting garbage collection")
+			return err
 		}
-		for _, ws := range l.Items {
+	} else {
+		listedAny = true
+		for _, ws := range namespacedList.Items {
 			exists[string(ws.GetUID())] = true
 		}
 	}
+
+	// we reach this path IFF apiserver returned `NotFound` or `NoKindMatchError`
+	// for both List calls  of cluster-scoped and namespaced Workspace MRs,
+	// i.e. both APIs does not exist.
+	//
+	// This could potentially happen with a misconfigured
+	// ManagedResourceActivationPolicy that disabled both MR APIs.
+	// We avoid any GC here just to be safe.
+	if !listedAny {
+		gc.log.Debug("No Workspace MR APIs available, skipping garbage collection")
+		return nil
+	}
+
 	fis, err := gc.fs.ReadDir(gc.parentDir)
 	if err != nil {
 		return errors.Wrapf(err, errFmtReadDir, gc.parentDir)