bug: verify existing ownership of CRD managed by ResourceGraphDefinition to prevent conflict

a-buck · a-buck · commit d92d623a30a1 · 2025-05-19T18:21:20.000+01:00
this prevents 2 ResourceGraphDefinitions fighting to manage the same CRD
diff --git a/pkg/client/crd.go b/pkg/client/crd.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/kro-run/kro/pkg/metadata"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -95,7 +96,7 @@ func newCRDWrapper(cfg CRDWrapperConfig) *CRDWrapper {
 // breaking changes.
 func (w *CRDWrapper) Ensure(ctx context.Context, crd v1.CustomResourceDefinition) error {
 	log := logr.FromContext(ctx)
-	_, err := w.Get(ctx, crd.Name)
+	existing, err := w.Get(ctx, crd.Name)
 	if err != nil {
 		if !apierrors.IsNotFound(err) {
 			return fmt.Errorf("failed to check for existing CRD: %w", err)
@@ -106,6 +107,10 @@ func (w *CRDWrapper) Ensure(ctx context.Context, crd v1.CustomResourceDefinition
 			return fmt.Errorf("failed to create CRD: %w", err)
 		}
 	} else {
+		if err := w.verifyNoConflict(existing, crd); err != nil {
+			return err
+		}
+
 		log.Info("Updating existing CRD", "name", crd.Name)
 		if err := w.patch(ctx, crd); err != nil {
 			return fmt.Errorf("failed to patch CRD: %w", err)
@@ -177,3 +182,15 @@ func (w *CRDWrapper) waitForReady(ctx context.Context, name string) error {
 			return false, nil
 		})
 }
+
+func (w *CRDWrapper) verifyNoConflict(existingCRD *v1.CustomResourceDefinition, newCRD v1.CustomResourceDefinition) error {
+	if !metadata.IsKROOwned(existingCRD.ObjectMeta) {
+		return fmt.Errorf("conflict detected: CRD %s already exists and is not owned by KRO", existingCRD.Name)
+	}
+
+	if !metadata.HasMatchingKROOwner(existingCRD.ObjectMeta, newCRD.ObjectMeta) {
+		return fmt.Errorf("conflict detected: CRD %s has ownership by another ResourceGraphDefinition", existingCRD.Name)
+	}
+
+	return nil
+}
diff --git a/pkg/client/crd_test.go b/pkg/client/crd_test.go
@@ -0,0 +1,134 @@
+package client
+
+import (
+	"testing"
+
+	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/kro-run/kro/pkg/metadata"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCRDWrapper_verifyNoConflict(t *testing.T) {
+	tests := []struct {
+		name        string
+		existingCRD *v1.CustomResourceDefinition
+		newCRD      v1.CustomResourceDefinition
+		wantErr     bool
+		errMsg      string
+	}{
+		{
+			name: "successful verification - same owner",
+			existingCRD: &v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.OwnedLabel:                       "true",
+						metadata.ResourceGraphDefinitionNameLabel: "test-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "test-id",
+					},
+				},
+			},
+			newCRD: v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.OwnedLabel:                       "true",
+						metadata.ResourceGraphDefinitionNameLabel: "test-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "test-id",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "conflict - not owned by KRO",
+			existingCRD: &v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.ResourceGraphDefinitionNameLabel: "test-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "test-id",
+					},
+				},
+			},
+			newCRD: v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.OwnedLabel:                       "true",
+						metadata.ResourceGraphDefinitionNameLabel: "test-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "test-id",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "conflict detected: CRD test.crd already exists and is not owned by KRO",
+		},
+		{
+			name: "conflict - different RGD name",
+			existingCRD: &v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.OwnedLabel:                       "true",
+						metadata.ResourceGraphDefinitionNameLabel: "existing-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "test-id",
+					},
+				},
+			},
+			newCRD: v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.OwnedLabel:                       "true",
+						metadata.ResourceGraphDefinitionNameLabel: "new-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "test-id",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "conflict detected: CRD test.crd has ownership by another ResourceGraphDefinition",
+		},
+		{
+			name: "conflict - different RGD ID",
+			existingCRD: &v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.OwnedLabel:                       "true",
+						metadata.ResourceGraphDefinitionNameLabel: "test-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "existing-id",
+					},
+				},
+			},
+			newCRD: v1.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test.crd",
+					Labels: map[string]string{
+						metadata.OwnedLabel:                       "true",
+						metadata.ResourceGraphDefinitionNameLabel: "test-rgd",
+						metadata.ResourceGraphDefinitionIDLabel:   "new-id",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "conflict detected: CRD test.crd has ownership by another ResourceGraphDefinition",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			w := &CRDWrapper{}
+			err := w.verifyNoConflict(tt.existingCRD, tt.newCRD)
+
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Equal(t, tt.errMsg, err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/pkg/metadata/labels.go b/pkg/metadata/labels.go
@@ -53,6 +53,17 @@ func IsKROOwned(meta metav1.ObjectMeta) bool {
 	return ok && booleanFromString(v)
 }
 
+// HasMatchingKROOwner returns true if resources have the same RGD owner
+func HasMatchingKROOwner(a, b metav1.ObjectMeta) bool {
+	aOwnerName := a.Labels[ResourceGraphDefinitionNameLabel]
+	aOwnerID := a.Labels[ResourceGraphDefinitionIDLabel]
+
+	bOwnerName := b.Labels[ResourceGraphDefinitionNameLabel]
+	bOwnerID := b.Labels[ResourceGraphDefinitionIDLabel]
+
+	return aOwnerName == bOwnerName && aOwnerID == bOwnerID
+}
+
 // SetKROOwned sets the OwnedLabel to true on the resource.
 func SetKROOwned(meta metav1.ObjectMeta) {
 	setLabel(&meta, OwnedLabel, stringFromBoolean(true))
