fix: Filter managed KongPluginBinding in finalizer reconciler

[randmonkey]

What this PR does / why we need it:
Only add finalizers to target objects and remove KongPluginBinding on removal of targets for managed KongPluginBindings.

Which issue this PR fixes

Fixes #786

Special notes for your reviewer:

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

• the CHANGELOG.md release notes have been updated to reflect significant changes

[czeslavo]

Is it possible to cover this in an envtest?

[czeslavo]

That makes sense to me.

Suggested change

	// REVIEW: Here we judge whether KongPluginBinding is managed by checking its owner references and treat it as managed if it has a plugin as owner reference.
	// We judge whether KongPluginBinding is managed by checking its owner references and treat it as managed if it has a plugin as owner reference.

[randmonkey]

Is it possible to cover this in an envtest?

Current envtest do the reverse. They create unmanaged plugin bindings and check for finalizers.

[pmalek]

I believe we should filter out the unmanaged KongPluginBindings earlier so that they are not even reconciled by this controller.

I'd suggest something like:

diff --git a/controller/konnect/reconciler_generic_pluginbindingfinalizer.go b/controller/konnect/reconciler_generic_pluginbindingfinalizer.go
index ac1d7526..8cbe4879 100644
--- a/controller/konnect/reconciler_generic_pluginbindingfinalizer.go
+++ b/controller/konnect/reconciler_generic_pluginbindingfinalizer.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/samber/lo"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -64,6 +66,14 @@ func (r *KonnectEntityPluginBindingFinalizerReconciler[T, TEnt]) SetupWithManage
 	return b.Complete(r)
 }
 
+func ownerRefIsAnyKongPlugin() func(ownerRef metav1.OwnerReference) bool {
+	return func(ownerRef metav1.OwnerReference) bool {
+		return ownerRef.Kind == "KongPlugin" ||
+			// NOTE: We currently do not support KongClusterPlugin, but we keep this here for future use.
+			ownerRef.Kind == "KongClusterPlugin"
+	}
+}
+
 // enqueueObjectReferencedByKongPluginBinding watches for KongPluginBinding objects
 // that reference the given Konnect entity.
 // It returns the reconcile.Request slice containing the entity that the KongPluginBinding references.
@@ -74,6 +84,11 @@ func (r *KonnectEntityPluginBindingFinalizerReconciler[T, TEnt]) enqueueObjectRe
 			return nil
 		}
 
+		// If the KongPluginBinding is unmanaged (created not using an annotation), skip it, do not delete it.
+		if !lo.ContainsBy(kpb.OwnerReferences, ownerRefIsAnyKongPlugin()) {
+			return nil
+		}
+
 		var (
 			name string
 			e    T
@@ -125,6 +140,9 @@ func (r *KonnectEntityPluginBindingFinalizerReconciler[T, TEnt]) enqueueObjectRe
 }
 
 // Reconcile reconciles the Konnect entity that can be set as KongPluginBinding target.
+// It reconciles only entities that are referenced by managed KongPluginBindings,
+// i.e. those that are created by the controller out of konghq.com/plugins annotations.
+//
 // Its purpose is to:
 //   - check if the entity is marked for deletion and mark KongPluginBindings
 //     that reference it.

WDYT?

[pmalek]

Is it possible to cover this in an envtest?

Current envtest do the reverse. They create unmanaged plugin bindings and check for finalizers.

Tao's right. https://github.com/Kong/gateway-operator/blob/e3cd706111df252197188ae89157fd811bab1364/test/envtest/kongplugincleanupfinalizer_test.go should use the konghq.com/plugins annotations on these entities and check the finalizers. At the same time we should check that unmanaged KPB's do not cause those entities to have the finalizer: these entities are fully managed by the user and we should not interfere in the lifecycle of those.

WDYT?

[pmalek]

Solved in #805