I wonder if we should start moving these type to their separate files. Otherwise very soon this one will become too long and hard to navigate. WDYT?

Ya, I was thinking that also. Currently I am unsure of how we want to structure the packages.

I am adding "XX_task.go" files to controllers golang package. Happy to hear from other options.

I had pictured this a bit different in my head:

• Find a Kuadrant object that is the root of the topology
• If there is none,
  • delete all Authorino objects that exist in the topology
  • return
• Otherwise
  • build the desired Authorino object for the Kuadrant root
  • create it if it doesn't exist as a child of the Kuadrant root
  • update it otherwise

I think want is being done is mostly what you listed above. The things that are not being done are:

• deleting the Authorino CRs when the there is not kuadrant root. The cluster is handling this by the owner reference
• update if otherwise. The current implantation also does not do this. I don't think it would be right to introduction that change now.

deleting the Authorino CRs when the there is not kuadrant root. The cluster is handling this by the owner reference

The cluster will only delete the Authorino CR if it is indeed owned by the Kuadrant one. So I guess what we are discussing is whether other instances of Authorino can co-exist in the same cluster. If so, then 2 questions open up:

1. Any instance of Authroino that exists in the same namespace as a Kuadrant CR will be linked to the Kuadrant CR by the linking function. Is that what we want?
2. What does it even mean having a second instance of Authorino running in the cluster while the one managed by Kuadrant is cluster-wide and without label selectors specified?

In general, I guess my thinking had to do with not seeing a need for checking the event type. The root of the topology must be a Kuadrant object or there should be no Authorino CR.

This is an interesting one. I wonder if the Kuadrant CR should reflect in its status that no corresponding Authorino CR exists and then use this update to the status to retry.

So currently the status controller will set the status in the kuadrant CR if the authorino CR is missing or if authorino is not in a ready state. That should be creating the retry events. Not sure if with the status controller outside the state of the world workflow if that can cause a timing issue.

Good point. I missed this reconciliation task that updates the status of the Kuadrant CR represented in the workflow then.

To cover for that, I think Authorino and Limitador reconciliation could be wrapped as two concurrent tasks of a "Data plane components reconciliation" workflow, with a postcondition taking care of the status update on the Kuadrant CR.

The task introduced by this PR then, focused on the Authorino CR only, may need to inject some hint of the status of Authorino (using the sync.Map) for the status updater to pick up – e.g., when it just created the CR or in case of failures like such as in this line.

If I understand the selection of the Kuadrant object above correctly, if a second Kuadrant CR is created (in another namespace), another Authorino instance will be created for it too. Is that what we want? I think the only way to support this is by also supporting sharded instances (#274).

If a second Kuadrant CR is created in the same namespace where another exists, then we know we won't create another instance of Authorino in that same namespace (with static name authorino), right? So why even continue if don't reconcile existing Authorino CRs? And if we do decide to reconcile those, as soon as it starts having any field set directly from the Kuadrant CR, then the current code could trigger an infinite loop of reconciliation events with 2+ Kuadrant CRs.

Don't think this matters any more as it is only the first kuadrant resource that we accept as the root.

It may not be obvious why this has to be the Kuadrant CR previously linked to the deleted Authorino object. We know this is true because in line 155, the Authorino object is built to exist in the same namespace as kobj.Namespace. If we continue with this approach for selecting the associated Kuadrant root, maybe add comment here?

I am not sure if this is still valid.

The association is made by name, not namespace. If it is by namespace, all authorinos in kuadrant-system will be linked to the root kuadrant CR?

Agreed. If we name the Authorino CR after the Kuadrant CR, then we can have just that instance linked and any other one not linked and assumed to have been created by the user manually.

Today I don't think we can rename the Authorino CR after the Kuadrant CR. I have tried to do this and it fails because of the status reconciler. Once the the status reconciler is move to the state of the world controller we can do a dynamic name based on the Kuadrant CR.

For now I can narrow this down to the hard coded name for the Authorino CR.

I am adding "XX_task.go" files to controllers golang package. Happy to hear from other options.

this will subscribe to events on any authorino in the cluster. Can we filter it to "owned authorino" instead?

The only thing more specific than this the subscriber allows us to go is by adding name of the resource. I'm afraid the only way for us to know that is if it's statically named. If it's dynamically named after the Kuadrant CR (as I suggested), then it won't work.

An alternative is labeling the Authorino resources we create and adding the label selector to the watcher. This would the Kuadrant Operator completely ignore any other instance manually created by users, not even adding them to the topology.

I would like to be more filtered on what events we get in general. I like the idea of using the labels to do this filtering and I am going to suggest that we create a common one called kuadrant.io/resource as this is not the only resource we should be filtering on. The same steps should be taken for the Limitador CR, as the step is mostly the very same, #871.

However I have come across a possible issue with the approach and you can create the issue today with the topology configmap. When you filter by labels and a user removes said labels, you do not get that event. This causes a number of issues. Operator restarts will try recreate the resource but fail, which is normally okay as you would also get the create event for that resource if it was labeled.

There is a problem here, and I am not to sure how much of an edge case it is, or even how easy it maybe to solve. I have one idea but it is not compatible with the controller-runtime as far as I am aware.

I am going to ask if adding the filtering by label or by field selector (needs research) can be added in a follow up PR. I am conscious of time and don't want to see this getting held up over bike sheding. For now we would get some more events than we really want.

Can't we use the linking function to say, "I want kuadrant CR childs". One of them should be authorino CR

There is a method to add ownerrefs. Up to you.

Ya, I looked at that and the ownerrefs method I found at least expects a schema to also be passed in, which we do have access to at this stage. So I went with manually adding the reference.

We may think about the order these objects are fetched.

In what sense are you say we should think about the order the resources are fetched. Is this how I get the the kuadrant CR's before the Authorino CR's or related to the kobjs[0] may not be the oldest on cluster and therefore the wrong one? The age of the CR is something I had though about so possible should fix.

We could probably pass the topology here. This is a pattern that likely will repeat a lot across tasks.

That's a good idea, but I am not going to do it in this PR. There was a topic I wish to discuss about unit testing where the input is a topology. I have a place holder issue, Kuadrant/policy-machinery#33. But for now I would like to leave this as is with its unit tests until there is a good way to generate the a topology for a unit test.

Can we please add a TODO to refactor this ASAP. I do not want to risk people passing different lists of Kuadrant objects to this function. I want to make sure it is going to be always the same Kuadrant object that will be returned to all tasks that depend on it to navigate the topology from the common root.

nit: redundant consecutive .Objects() call? 🤔

This would make the panic at the following redundant, do we want to remove the panic now?

Or we can remove setting a default ns env value and set it across all the makefile integration test commands that expect this env value to be set if we want to keep the panic?