fix: remove RGD owner ID check to allow RGDs to adopt their CRD (#826)

* fix: remove RGD owner ID check to allow RGDs to adopt their CRD

Currently, when a user deletes an RGD, and recreates it, the new RGD
is no longer able to adopt the CRD the first RGD left dangling.

This change removes the RGD ID check, ensuring, if an RGD with the same
name as the one that created the CRD is created, it can adopt it.

* log errors if RGD ID conflicts

* Rework pkg utility function and seperation of concerns

---------

Co-authored-by: Amine <[email protected]>

Author: michaelhtm

pkg/client/crd.go

@@ -125,8 +125,28 @@ func (w *CRDWrapper) Ensure(ctx context.Context, crd v1.CustomResourceDefinition
 			return fmt.Errorf("failed to create CRD: %w", err)
 		}
 	} else {
-		if err := w.verifyOwnership(existing, crd); err != nil {
-			return err
+		kroOwned, nameMatch, idMatch := metadata.CompareRGDOwnership(existing.ObjectMeta, crd.ObjectMeta)
+		if !kroOwned {
+			return fmt.Errorf(
+				"failed to update CRD %s: CRD already exists and is not owned by KRO", crd.Name,
+			)
+		}
+
+		if !nameMatch {
+			existingRGDName := existing.Labels[metadata.ResourceGraphDefinitionNameLabel]
+			return fmt.Errorf(
+				"failed to update CRD %s: CRD is owned by another ResourceGraphDefinition %s",
+				crd.Name, existingRGDName,
+			)
+		}
+
+		if nameMatch && !idMatch {
+			log.Info(
+				"Adopting CRD with different RGD ID - RGD may have been deleted and recreated",
+				"crd", crd.Name,
+				"existingRGDID", existing.Labels[metadata.ResourceGraphDefinitionIDLabel],
+				"newRGDID", crd.Labels[metadata.ResourceGraphDefinitionIDLabel],
+			)
 		}
 
 		log.Info("Updating existing CRD", "name", crd.Name)
@@ -200,19 +220,3 @@ func (w *CRDWrapper) waitForReady(ctx context.Context, name string) error {
 			return false, nil
 		})
 }
-
-// verifyOwnership checks that an existing CRD is owned by KRO and by the same
-// ResourceGraphDefinition that is attempting to update it. This prevents conflicts
-// where multiple ResourceGraphDefinitions try to manage the same CRD, or where a
-// CRD created outside of KRO is accidentally overwritten.
-func (w *CRDWrapper) verifyOwnership(existingCRD *v1.CustomResourceDefinition, newCRD v1.CustomResourceDefinition) error {
-	if !metadata.IsKROOwned(&existingCRD.ObjectMeta) {
-		return fmt.Errorf("conflict detected: CRD %s already exists and is not owned by KRO", existingCRD.Name)
-	}
-
-	if !metadata.HasMatchingKROOwner(existingCRD.ObjectMeta, newCRD.ObjectMeta) {
-		return fmt.Errorf("conflict detected: CRD %s has ownership by another ResourceGraphDefinition", existingCRD.Name)
-	}
-
-	return nil
-}

pkg/client/crd_test.go

@@ -53,17 +53,33 @@ func IsKROOwned(meta metav1.Object) bool {
 	return ok && booleanFromString(v)
 }
 
-// HasMatchingKROOwner returns true if resources have the same RGD owner.
-// Note: The caller is responsible for ensuring that KRO labels exist on both
-// resources before calling this function.
-func HasMatchingKROOwner(a, b metav1.ObjectMeta) bool {
-	aOwnerName := a.Labels[ResourceGraphDefinitionNameLabel]
-	aOwnerID := a.Labels[ResourceGraphDefinitionIDLabel]
+// CompareRGDOwnership compares RGD ownership labels between two resources.
+// Returns three booleans:
+//   - kroOwned: whether the existing resource is owned by KRO
+//   - nameMatch: whether both resources have the same RGD name
+//   - idMatch: whether both resources have the same RGD ID
+//
+// This allows callers to distinguish between different ownership scenarios:
+//   - kroOwned=true, nameMatch=true, idMatch=true: same RGD, normal update
+//   - kroOwned=true, nameMatch=true, idMatch=false: same RGD name, different ID (adoption)
+//   - kroOwned=true, nameMatch=false: different RGD (conflict)
+//   - kroOwned=false: not owned by KRO (conflict)
+func CompareRGDOwnership(existing, desired metav1.ObjectMeta) (kroOwned, nameMatch, idMatch bool) {
+	kroOwned = IsKROOwned(&existing)
+	if !kroOwned {
+		return false, false, false
+	}
+
+	existingOwnerName := existing.Labels[ResourceGraphDefinitionNameLabel]
+	existingOwnerID := existing.Labels[ResourceGraphDefinitionIDLabel]
+
+	desiredOwnerName := desired.Labels[ResourceGraphDefinitionNameLabel]
+	desiredOwnerID := desired.Labels[ResourceGraphDefinitionIDLabel]
 
-	bOwnerName := b.Labels[ResourceGraphDefinitionNameLabel]
-	bOwnerID := b.Labels[ResourceGraphDefinitionIDLabel]
+	nameMatch = existingOwnerName == desiredOwnerName
+	idMatch = existingOwnerID == desiredOwnerID
 
-	return aOwnerName == bOwnerName && aOwnerID == bOwnerID
+	return kroOwned, nameMatch, idMatch
 }
 
 // SetKROOwned sets the OwnedLabel to true on the resource.

pkg/metadata/labels.go

@@ -65,62 +65,90 @@ func TestIsKROOwned(t *testing.T) {
 	}
 }
 
-func TestHasMatchingKROOwner(t *testing.T) {
+func TestCompareRGDOwnership(t *testing.T) {
 	cases := []struct {
-		name       string
-		aOwnerName string
-		aOwnerID   string
-		bOwnerName string
-		bOwnerID   string
-		expected   bool
+		name              string
+		existingLabels    map[string]string
+		desiredLabels     map[string]string
+		expectedKROOwned  bool
+		expectedNameMatch bool
+		expectedIDMatch   bool
 	}{
 		{
-			name:       "matching owners",
-			aOwnerName: "test-rgd",
-			aOwnerID:   "test-uid-123",
-			bOwnerName: "test-rgd",
-			bOwnerID:   "test-uid-123",
-			expected:   true,
+			name: "same RGD - normal update",
+			existingLabels: map[string]string{
+				OwnedLabel:                       "true",
+				ResourceGraphDefinitionNameLabel: "test-rgd",
+				ResourceGraphDefinitionIDLabel:   "test-id",
+			},
+			desiredLabels: map[string]string{
+				OwnedLabel:                       "true",
+				ResourceGraphDefinitionNameLabel: "test-rgd",
+				ResourceGraphDefinitionIDLabel:   "test-id",
+			},
+			expectedKROOwned:  true,
+			expectedNameMatch: true,
+			expectedIDMatch:   true,
 		},
 		{
-			name:       "different owner names",
-			aOwnerName: "test-rgd-a",
-			aOwnerID:   "test-uid-123",
-			bOwnerName: "test-rgd-b",
-			bOwnerID:   "test-uid-123",
-			expected:   false,
+			name: "not owned by KRO",
+			existingLabels: map[string]string{
+				ResourceGraphDefinitionNameLabel: "test-rgd",
+				ResourceGraphDefinitionIDLabel:   "test-id",
+			},
+			desiredLabels: map[string]string{
+				OwnedLabel:                       "true",
+				ResourceGraphDefinitionNameLabel: "test-rgd",
+				ResourceGraphDefinitionIDLabel:   "test-id",
+			},
+			expectedKROOwned:  false,
+			expectedNameMatch: false,
+			expectedIDMatch:   false,
 		},
 		{
-			name:       "different owner IDs",
-			aOwnerName: "test-rgd",
-			aOwnerID:   "test-uid-123",
-			bOwnerName: "test-rgd",
-			bOwnerID:   "test-uid-456",
-			expected:   false,
+			name: "different RGD name - conflict",
+			existingLabels: map[string]string{
+				OwnedLabel:                       "true",
+				ResourceGraphDefinitionNameLabel: "existing-rgd",
+				ResourceGraphDefinitionIDLabel:   "test-id",
+			},
+			desiredLabels: map[string]string{
+				OwnedLabel:                       "true",
+				ResourceGraphDefinitionNameLabel: "new-rgd",
+				ResourceGraphDefinitionIDLabel:   "test-id",
+			},
+			expectedKROOwned:  true,
+			expectedNameMatch: false,
+			expectedIDMatch:   true,
 		},
 		{
-			name:     "no owner labels",
-			expected: true,
+			name: "same RGD name, different ID - adoption",
+			existingLabels: map[string]string{
+				OwnedLabel:                       "true",
+				ResourceGraphDefinitionNameLabel: "test-rgd",
+				ResourceGraphDefinitionIDLabel:   "existing-id",
+			},
+			desiredLabels: map[string]string{
+				OwnedLabel:                       "true",
+				ResourceGraphDefinitionNameLabel: "test-rgd",
+				ResourceGraphDefinitionIDLabel:   "new-id",
+			},
+			expectedKROOwned:  true,
+			expectedNameMatch: true,
+			expectedIDMatch:   false,
 		},
 	}
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			labelsA := map[string]string{}
-			labelsB := map[string]string{}
-			if tc.aOwnerName != "" {
-				labelsA[ResourceGraphDefinitionNameLabel] = tc.aOwnerName
-				labelsA[ResourceGraphDefinitionIDLabel] = tc.aOwnerID
-			}
-			if tc.bOwnerName != "" {
-				labelsB[ResourceGraphDefinitionNameLabel] = tc.bOwnerName
-				labelsB[ResourceGraphDefinitionIDLabel] = tc.bOwnerID
-			}
+			existing := metav1.ObjectMeta{Labels: tc.existingLabels}
+			desired := metav1.ObjectMeta{Labels: tc.desiredLabels}
 
-			metaA := metav1.ObjectMeta{Labels: labelsA}
-			metaB := metav1.ObjectMeta{Labels: labelsB}
-			result := HasMatchingKROOwner(metaA, metaB)
-			assert.Equal(t, tc.expected, result)
+			kroOwned, nameMatch, idMatch := CompareRGDOwnership(existing, desired)
+
+			assert.Equal(t, tc.expectedKROOwned, kroOwned)
+			assert.Equal(t, tc.expectedNameMatch, nameMatch)
+			assert.Equal(t, tc.expectedIDMatch, idMatch)
 		})
 	}
 }