Skip to content

fix: clean up related resources when primary object is deleted#133

Merged
kcp-ci-bot merged 3 commits intokcp-dev:mainfrom
ifdotpy:fix/116-related-resource-cleanup
Feb 23, 2026
Merged

fix: clean up related resources when primary object is deleted#133
kcp-ci-bot merged 3 commits intokcp-dev:mainfrom
ifdotpy:fix/116-related-resource-cleanup

Conversation

@ifdotpy
Copy link
Contributor

@ifdotpy ifdotpy commented Feb 19, 2026
edited
Loading

Summary

Fixes #116 — related resources with origin: kcp are now cleaned up when the primary object is deleted, preventing orphaned finalizers that block workspace deletion.

Problem

When a primary object (e.g. ChatUIInstance) is deleted:

  1. handleDeletion() deletes the local copy and removes the primary finalizer
  2. handleDeletion() returns requeue=true, so processRelatedResources() is never called
  3. On the next reconcile, the primary object is gone — the controller has nothing to reconcile
  4. Related resources (e.g. a KCP Secret) retain syncagent.kcp.io/cleanup finalizer forever
  5. Workspace deletion is blocked indefinitely

Fix

  • Process related resources before primary deletion in syncer.go: when the primary object has a DeletionTimestamp, call processRelatedResources(primaryDeleting=true) before the primary syncer runs. This ensures cleanup happens while the local primary copy still exists (needed for reference resolution).
  • Add forceDelete field to objectSyncer: when set, triggers handleDeletion() even when the source object's DeletionTimestamp is nil. Used for origin: kcp related resources during primary deletion.
  • Remove early return in handleDeletion() that skipped related resource processing with the comment "For now we do not delete related resources".
  • Nil-guard for destSide.object after primary deletion to prevent panics when the local copy has already been removed.

Files changed

File Change
internal/sync/object_syncer.go Added forceDelete field; triggers deletion without DeletionTimestamp; removed early return
internal/sync/syncer.go Process related resources before primary deletion; nil-guard for destSide
internal/sync/syncer_related.go Added primaryDeleting parameter; set forceDelete=true for origin: kcp

Testing

Tested in our Platform Mesh environment (KCP + Gardener MSP clusters):

  1. Created ChatUIInstance with related origin: kcp Secret
  2. Deleted ChatUIInstance
  3. Verified: Secret finalizer removed, workspace deletion completes cleanly

Discussed the approach with @xrstf in Slack — processing deletions in the opposite order was confirmed as the right approach.

Release Notes

Related resources with origin kcp are now cleaned up when the primary object is deleted, preventing orphaned finalizers that block workspace/namespace deletion.

@kcp-ci-bot kcp-ci-bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. dco-signoff: no Indicates the PR's author has not signed the DCO. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 19, 2026
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 19, 2026

Hi @ifdotpy. Thanks for your PR.

I'm waiting for a kcp-dev member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kcp-ci-bot kcp-ci-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Feb 19, 2026
@xrstf
Copy link
Contributor

xrstf commented Feb 20, 2026

Can you please an add e2e testcase that shows that this is working, so we do not break it in the future?

@kcp-ci-bot kcp-ci-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 20, 2026
@ifdotpy ifdotpy force-pushed the fix/116-related-resource-cleanup branch 2 times, most recently from dca44ae to ec3489e Compare February 20, 2026 11:59
@kcp-ci-bot kcp-ci-bot added dco-signoff: yes Indicates the PR's author has signed the DCO. and removed dco-signoff: no Indicates the PR's author has not signed the DCO. labels Feb 20, 2026
@ifdotpy
Copy link
Contributor Author

ifdotpy commented Feb 20, 2026

@xrstf done

xrstf
xrstf reviewed Feb 20, 2026
View reviewed changes
xrstf
xrstf reviewed Feb 20, 2026
View reviewed changes
@ifdotpy
test: add e2e test for related resource cleanup on primary deletion
f404ab7 
Adds a regression test that verifies syncagent.kcp.io/cleanup finalizers
are properly removed from kcp-origin related resources when the primary
object is deleted. Without the fix, the finalizer remains indefinitely,
blocking namespace/workspace deletion.

Signed-off-by: Igor Fominykh <ifdotpy@gmail.com>
@ifdotpy
fix: clean up related resources when primary object is deleted (kcp-d…
5493247 
…ev#116)

When a primary object is deleted, related resources with origin kcp
retain their syncagent.kcp.io/cleanup finalizer indefinitely because
processRelatedResources() is never called during deletion.

Process related resources before the primary syncer handles deletion,
passing forceDelete=true for kcp-origin related resources so their
finalizers are properly removed.

Signed-off-by: Igor Fominykh <ifdotpy@gmail.com>
@ifdotpy ifdotpy force-pushed the fix/116-related-resource-cleanup branch from ec3489e to 5493247 Compare February 20, 2026 13:30
@xrstf
Copy link
Contributor

xrstf commented Feb 20, 2026

/test all
/approve
/kind bug

@kcp-ci-bot kcp-ci-bot added kind/bug Categorizes issue or PR as related to a bug. and removed do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Feb 20, 2026
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xrstf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 20, 2026
@ifdotpy
fix: align struct field formatting in syncer.go
b0766d2 
Fix whitespace alignment flagged by gimps import formatter.

Signed-off-by: Igor Fominykh <ifdotpy@gmail.com>
@ifdotpy
Copy link
Contributor Author

ifdotpy commented Feb 20, 2026

/retest

@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 20, 2026

@ifdotpy: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@xrstf
Copy link
Contributor

xrstf commented Feb 20, 2026

/ok-to-test

@kcp-ci-bot kcp-ci-bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 20, 2026
@SimonTheLeg
Copy link
Member

SimonTheLeg commented Feb 23, 2026

hi @ifdotpy Thanks for you contribution. For this PR to merge, it will require a release note block.

Basically you need to edit your PR description and at the bottom add a release note block like this (without the tabs, GH markdown, just won't let me do it otherwise)

	```release-note
	related resources are now cleaned up when the primary object is deleted
	```

here is another PR as an example kcp-dev/kcp#3780

@kcp-ci-bot kcp-ci-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 23, 2026
@ifdotpy
Copy link
Contributor Author

ifdotpy commented Feb 23, 2026

hi @ifdotpy Thanks for you contribution. For this PR to merge, it will require a release note block.

Basically you need to edit your PR description and at the bottom add a release note block like this (without the tabs, GH markdown, just won't let me do it otherwise)

	```release-note
	related resources are now cleaned up when the primary object is deleted


here is another PR as an example [kcp-dev/kcp#3780](https://github.com/kcp-dev/kcp/pull/3780)

done!

ntnn
ntnn approved these changes Feb 23, 2026
View reviewed changes
Copy link
Member

@ntnn ntnn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Last thing that was missing for tide. Thanks for the contribution!

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 23, 2026
@kcp-ci-bot
Copy link
Contributor

kcp-ci-bot commented Feb 23, 2026

LGTM label has been added.

DetailsGit tree hash: ead15efee1b448a590212b0e9207c9061d2a1152

@kcp-ci-bot kcp-ci-bot merged commit 5d9fc7a into kcp-dev:main Feb 23, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xrstf xrstf xrstf left review comments

@ntnn ntnn ntnn approved these changes

Assignees

@ntnn ntnn

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has signed the DCO. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: Remove syncagent.kcp.io/cleanup finalizer on related resources in kcp

5 participants

@ifdotpy @kcp-ci-bot @xrstf @SimonTheLeg @ntnn