bug: verify existing ownership of CRD managed by ResourceGraphDefinition to prevent conflict

[a-buck]

Hi 👋 This PR intends to fix #554. This is my first first PR to the project - please don't hesitate to give me feedback.

This PR adds a check to verify ownership of the CRD created by a ResourceGraphDefinition, and returns an error if the CRD already exists (not managed by KRO), or exists and is managed by a different ResourceGraphDefinition.

Example: Given a CustomResourceDefinition that pre-exists and is managed by another ResourceGraphDefinition

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    kro.run/kro-version: devel
    kro.run/owned: "true"
    kro.run/resource-graph-definition-id: e44f64c5-6f4c-4442-9824-73cf3ba5e162
    kro.run/resource-graph-definition-name: noop2
  name: noops.kro.run
# rest of resource trimmed for brevity

If another ResourceGraphDefinition is created that also attempts to manage this CRD, an error will be surfaced in the status. I trimmed some fields for brevity

apiVersion: kro.run/v1alpha1
kind: ResourceGraphDefinition
metadata:
  annotations:
  finalizers:
  - kro.run/finalizer
  generation: 1
  name: noop
spec:
  resources: []
  schema:
    apiVersion: v1alpha1
    group: kro.run
    kind: NoOp
    spec: {}
    status: {}
status:
  conditions:
  - lastTransitionTime: "2025-05-19T17:01:17Z"
    message: Directed Acyclic Graph is synced
    reason: ""
    status: "True"
    type: GraphVerified
  - lastTransitionTime: "2025-05-19T17:01:17Z"
    message: Custom Resource Definition is synced
    reason: 'conflict detected: CRD noops.kro.run has ownership by another ResourceGraphDefinition'
    status: "False"
    type: CustomResourceDefinitionSynced
  - lastTransitionTime: "2025-05-19T17:01:17Z"
    message: micro controller is ready
    reason: CRD not-synced
    status: Unknown
    type: ReconcilerReady
  state: Inactive

[barney-s]

Thankyou for the PR. Would you please rebase to latest main. ?

[a-hilaly]

Can we also check for the existence of these labels, for example aOwnerName, ok := .... I believe If those labels don't exist we should return false or an error saying labels are missing. Also can we have some unit tests for it?

[a-buck]

Apologies for the delay in responding. I added a test cases including when there are no ownership labels. Is that sufficient?

[a-hilaly]

Yep that's great, tahnks!

[k8s-triage-robot]

Unknown CLA label state. Rechecking for CLA labels.

Send feedback to sig-contributor-experience at kubernetes/community.

/check-cla
/easycla

[a-hilaly]

ping @a-buck any chance you can take a look at this?

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: a-buck / name: Alex B (36c2cf1, 13bc019, 5bb081b)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: a-buck
Once this PR has been reviewed and has the lgtm label, please ask for approval from barney-s. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[a-hilaly]

Neat - thank you @a-buck! I left a few comments below

[a-hilaly]

nit: can you document that the caller is reponsible of making sure that kro labels exist? otherwise we can just delegate this existance check to this function.

[a-hilaly]

nit: s/verifyNoConflict/verifyOwnership/

[a-hilaly]

can you please add a comment/godoc explaining why we need to check this

[a-hilaly]

cc @a-buck are you still working on this?