Update finalizer of ResourceExport to be domain-qualified

[Dyanngg]

Fixes #6741

[antoninbas]

Obviously this predates this PR, but I am surprised to see a webhook being in charge of adding the finalizer. Is there a recommendation to do that somewhere? I usually see it done in the controller itself (Reconcile). cc @luolanzone

[luolanzone]

Hi @antoninbas I think the Finalizer is not necessarily handled by the reconciler. If I recall it correctly, the main purpose is to stop deleting the ResourceExport during creation, because if it's already converted by the leader controller into ResourceImport, there will be no way to clean up the corresponding info in the ResourceImport when the ResourceExport is deleted by the user.

[antoninbas]

I am not sure, but would it make sense to update the finalizer as part of the Reconcile (we could do it earlier in the function), so that:

1. the legacy finalizer can be updated to the new one whenever an object is reconciled, reducing the possibility of the legacy finalizer "sticking around"
2. the rest of the code only needs to worry about the new finalizer

cc @luolanzone

[luolanzone]

@antoninbas do you mean to update the Finalizer to the new one in the reconcile? I think we can't guarantee the Finalizer can be updated for all ResourceExports before deletion, we still need to handle the case that both legacy and new one are in the ClusterSet. And this may lead a conflict that one reconciler is updating the Finalizer but another one is deleting it. So I feel we should have only one place to add the Finalizer.

[antoninbas]

finalizers are usually handled by the controller that owns the resource (that includes adding the finalizer but also processing the finalizer and removing the finalizer), so I am not sure I understand both of your points:

I think we can't guarantee the Finalizer can be updated for all ResourceExports before deletion

And this may lead a conflict that one reconciler is updating the Finalizer but another one is deleting it

Do we have more than one controller / reconciler responsible for the finalizer, or using the finalizer?

[Dyanngg]

Do we have more than one controller / reconciler responsible for the finalizer, or using the finalizer?

I'll try to put my understanding of it here as best as I can, using Service as example:

1. End users can create a ServiceExport in member clusters. A controller in member cluster [a] will try to create a ResourceExport for this object in the leader cluster. This is currently when a finalizer is put on the resource.
2. End users can also delete that ServiceExport in member cluster. That controller [a] is also responsible for deleting the ResourceExport in the leader cluster.
3. A controller [b] in the leader cluster watches for ResourceExports in its own cluster, and reconciles them (by creating corresponding ResourceImports). When it sees an ResourceExport being deleted, it performs necessary cleanups regarding ResourceImports, and then removes the finalizers on ResourceExport and allows it to be deleted.

So if we treat controller [a] solely as a client, not a controller/reconciler, then it's pretty clear that controller [b] actually "owns" ResourceExports. I think @antoninbas's suggestion would actually make sense here:

1. If we have controller [b] put up finalizers for ResourceExports at the beginning of Reconciles (and making sure the finalizer is set before dealing with ResourceImport logics), then allowing client [a] to create-delete ResourceExports in short succession is actually fine: the leader cluster has not even processed the event yet, so there will not be dangling ResourceImports that contains information of that deleted ResourceExport.
2. Even if there are ResourceImports in the leader cluster for the same named Service, it will only contain endpoints from ResourceExport created by another member cluster, which would actually have finalizers on it.

In other words, we change the logic to, we add a finalizer to ResourceExports only when we know there are going to be side-effects in the leader cluster, not when the resource is created at apiserver

[Dyanngg]

However @antoninbas do you think this change warrants a separate PR?

[luolanzone]

finalizers are usually handled by the controller that owns the resource (that includes adding the finalizer but also processing the finalizer and removing the finalizer), so I am not sure I understand both of your points:

I think we can't guarantee the Finalizer can be updated for all ResourceExports before deletion

And this may lead a conflict that one reconciler is updating the Finalizer but another one is deleting it

Do we have more than one controller / reconciler responsible for the finalizer, or using the finalizer?

At the moment, we have the webhook in the leader and the *Exporter controllers in the member cluster to add the Finalizer during ResourceExport creation, the reconciler itself in the leader will remove the Finalizer. The Finalizer in the webhook is a special one for AntreaClusterNetworkPolicyKind since it will be created by the end user if I recall it correctly. The original purpose is to stop the side-affect when the user or "the controller [a]" in the scenario mentioned by @Dyanngg delete the ResourceExport and leads to some dangling ResourceImports.
But you are right, it should be more clear if we can move all Finalizer operations to the leader controller, @Dyanngg could you help to double check and move forward? I think we may need a seperate PR for the change. Thanks.

[antoninbas]

Yes, we can handle this in a future PR

[luolanzone]

/test-multicluster-e2e

[XinShuYang]

/test-multicluster-e2e

[luolanzone]

/test-multicluster-e2e

[luolanzone]

/test-multicluster-e2e

[antoninbas]

LGTM

[Dyanngg]

/test-all /test-multicluster-e2e

[antoninbas]

LGTM

[Dyanngg]

/test-all /test-multicluster-e2e

[Dyanngg]

/test-multicluster-e2e

[luolanzone]

LGTM

[Dyanngg]

/test-multicluster-e2e All tests were passing before addressing the last comment

[antoninbas]

We should probably mention this in the release notes, so I'm adding the label for this