feat: migrate to Server-Side Apply (SSA) and enforce controller owner…

[SpaceFace02]

feat: migrate to Server-Side Apply (SSA) and enforce controller ownership
Fixes: #258

Migrate resource creation and updates from client-side POST/PUT to Server-Side Apply (SSA) where appropriate, and strengthen ownership semantics with controller references throughout.

This commit establishes ownership of various fields and CRD's, to prevent accidental overwrites or race conditions by other controllers It doesn't migrate all patches to SSA, if we plan to migrate completely to SSA, there would be significant code rework, and honestly, its not necessary for now.

All resources created by the operator now use controller: true in ownerReferences, enabling Kubernetes garbage collection:

• TEC owns: Deployments, Services, ConfigMaps, Jobs, ApprovedImages
• Machine owns: AttestationKey (transferred from TEC via merge patch once its approved automatically).
• AttestationKey owns: Secret (with controller: true + finalizer)

generate_owner_reference renamed to generate_owner_controller_reference to reflect that all owner refs are now controller refs with blockOwnerDeletion: true.

All controllers are owners, but not all owners have to be controllers. Kubernetes mandates only one controller. Multiple owners are fine for Garbage Collection and delete cascades.

New apply_resource! macro replaces create_or_info_if_exists! for idempotent resource creation via SSA (PATCH with Patch::Apply).

update_reference_values: uses full-data SSA patch on trustee-data ConfigMap (includes all keys: kbs-config.toml, policy.rego, reference-values.json) to prevent the field manager from implicitly relinquishing keys not in a partial patch.

If a field manager (controller owning a field of a CRD) makes a SSA patch, all fields of that patch are considered owned, and any previously owned fields not part of the patch are released from its control.

update_attestation_keys: uses full-object SSA patch on the Deployment (sends entire deployment.spec) to avoid stripping required fields like spec.selector. Metadata fields (managedFields, resourceVersion, uid) are excluded from the SSA body to prevent 400 errors.

do_mount_secret: kept as GET+mutate+replace (PUT) since it follows a read-modify-write pattern on the same field manager. Migrating this is significant code rework.

Owner transfer in approve_ak uses Merge patch (not SSA) because SSA would upsert into the ownerReferences array, leaving stale references of both TEC. In the end TEC and Machine would co-exist as controllers, which we don't want. Merge patch replaces the entire ownerReferences field atomically.

Single field manager trusted-cluster-operator used consistently via FIELD_MANAGER constant. register-server uses its own register-server field manager for Machine creation (POST with fieldManager query param, not SSA).

update_status! macro now requires explicit type and field manager parameters, enabling force-apply on the status subresource where multiple writers exist (e.g. ApprovedImage status).

• Duplicate volume entries: do_mount_secret now checks for existing volumes before adding, preventing 422 errors on reconciler retry.
• Secret controller filtering: update_attestation_keys and secret_reconcile now require controller: true on AttestationKey owner refs, not just kind == "AttestationKey".
• ConfigMap data loss: full-data SSA patch on trustee-data prevents kbs-config.toml and policy.rego from being garbage-collected when only reference-values.json is updated.

Added unit tests validating SSA body content, ownership, idempotency, field manager usage, and filtering logic across trustee, reference values, attestation key register, and register server modules.

Commit message co-authored-by: Cursor cursoragent@cursor.com

Summary by Sourcery

Migrate core Kubernetes interactions to server-side apply while standardizing controller ownership and field manager usage across the operator, register-server, and auxiliary binaries.

New Features:

• Introduce an apply_resource! macro to create or update namespaced resources idempotently via server-side apply with a consistent field manager.
• Add a deploy.sh helper script to stand up a kind cluster, build and deploy the operator stack, and create a sample VM for end-to-end validation.

Bug Fixes:

• Prevent duplicate secret volume mounts on trustee pods to avoid reconciliation errors on retries.
• Ensure trustee-data ConfigMap updates preserve existing keys when recomputing reference values, preventing configuration loss.
• Filter attestation key secrets and AK-owned secrets by controller=true owner references to avoid acting on non-controller-owned resources.

Enhancements:

• Adopt controller ownerReferences (controller=true, blockOwnerDeletion=true) across TEC-owned and Machine-owned resources to enable reliable garbage collection and lifecycle management.
• Standardize use of a FIELD_MANAGER constant and SSA-based Patch::Apply for status and spec updates where appropriate, including force-apply where multiple writers exist.
• Use merge patches instead of SSA for AttestationKey owner transfer to Machines to ensure ownerReferences are replaced atomically without leaving stale owners.
• Refine attestation key, trustee, reference value, and register-server tests to validate SSA payloads, ownership semantics, idempotency, and field manager behavior.
• Adjust register-server and attestation-key-register to set fieldManager on creates so the operator can attribute resource ownership correctly.
• Switch trustee deployment volume updates for attestation keys to full-object SSA patches to avoid losing required fields like selectors and to keep base volumes intact.

Tests:

• Extend unit and integration tests around attestation key approval, secret reconciliation, trustee reference value updates, approved image adoption, and machine creation to cover SSA flows, controller ownership, and force-applied status updates.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: SpaceFace02

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sourcery-ai]

Reviewer's Guide

Migrates key operator interactions to Kubernetes Server-Side Apply (SSA), standardizes controller ownership via controller=true ownerReferences and a shared FIELD_MANAGER, tightens AttestationKey/Machine/Secret ownership semantics, and adds focused tests around SSA bodies, ownership, and idempotency, plus a deploy helper script.

Sequence diagram for approve_ak SSA and ownership transfer

sequenceDiagram
    participant Operator as AttestationKeyController
    participant K8s as KubernetesAPI
    participant AK as AttestationKey
    participant Machine
    participant Secret

    Operator->>K8s: update_status!(AttestationKeyStatus) PATCH /status (SSA)
    K8s-->>Operator: updated AttestationKey

    Operator->>K8s: aks.patch(Patch::Merge ownerReferences)
    K8s-->>Operator: AttestationKey owned by Machine (controller=true)

    Operator->>K8s: Api<Secret>.get(secret_name)
    alt Secret does not exist
        K8s-->>Operator: 404 NotFound
        Operator->>K8s: apply_resource!(Secret, secret) PATCH (SSA)
        K8s-->>Operator: Secret created (owner AttestationKey controller=true)
    else Secret exists
        K8s-->>Operator: existing Secret
    end

Loading

Entity relationship diagram for controller ownership chain

erDiagram
    TrustedExecutionCluster ||--o{ Deployment : owns_controller
    TrustedExecutionCluster ||--o{ Service : owns_controller
    TrustedExecutionCluster ||--o{ ConfigMap : owns_controller
    TrustedExecutionCluster ||--o{ Job : owns_controller
    TrustedExecutionCluster ||--o{ ApprovedImage : owns_controller

    Machine ||--|| AttestationKey : owns_controller
    AttestationKey ||--|| Secret : owns_controller

Loading

File-Level Changes

Change	Details	Files
Introduce SSA-based creation/update helpers and field-managered status patches, and adopt them across operator controllers and helpers.	Add apply_resource! macro to perform SSA PATCH Apply with apiVersion/kind injection and a default trusted-cluster-operator field manager. Refactor update_status! macro to use SSA patchStatus with explicit resource type and field manager, with optional force for contested status fields. Replace create_or_info_if_exists! usages with apply_resource! for Deployments, Services, ConfigMaps, Secrets, Jobs, and ApprovedImage owner adoption, making creation idempotent and SSA-managed. Use a shared FIELD_MANAGER constant for operator SSA calls while keeping register-server and compute-pcrs with their own field managers where appropriate.	operator/src/lib.rs lib/src/lib.rs operator/src/attestation_key_register.rs operator/src/trustee.rs operator/src/reference_values.rs operator/src/register_server.rs compute-pcrs/src/main.rs tests/trusted_execution_cluster.rs
Tighten ownership semantics with controller ownerReferences and explicit ownership flows for TEC, Machine, AttestationKey, and Secret resources.	Rename generate_owner_reference to generate_owner_controller_reference and ensure returned OwnerReference sets controller=true and blockOwnerDeletion=true. Ensure operator-created resources (Deployments, Services, ConfigMaps, Jobs, ApprovedImages, Secrets) are owned by the appropriate controller (TEC or AttestationKey) via controller owner references. In approve_ak, detect Machine as owner-controller and use a merge patch (not SSA) to atomically replace ownerReferences, transferring control from TEC to Machine without leaving stale TEC controller refs. Require controller=true when treating Secrets or other resources as being controlled by AttestationKey, tightening filters in secret_reconcile and update_attestation_keys. Update integration tests to assert Machine/AttestationKey controller ownership and use field-managed POSTs for Machine, AttestationKey, and ApprovedImage creation.	lib/src/lib.rs operator/src/attestation_key_register.rs operator/src/trustee.rs operator/src/register_server.rs attestation-key-register/src/main.rs register-server/src/main.rs tests/trusted_execution_cluster.rs
Use full-object/full-data SSA patches where needed to avoid ownership loss or invalid partial specs, and keep some operations client-side where SSA is not appropriate.	Change trustee::update_reference_values to use a full-data SSA patch for the trustee-data ConfigMap so all keys (kbs-config.toml, policy.rego, reference-values.json) are preserved and remain owned. Change update_attestation_keys to patch the full Deployment spec with SSA while mutating an in-memory copy of spec.template.spec, ensuring required spec fields (e.g. selector) are kept and server-populated metadata is stripped from the apply body. Keep do_mount_secret as a read-modify-write GET+PUT path (non-SSA) and add duplicate-volume checks to make it idempotent on retries. Document that owner transfer in approve_ak uses merge patch without fieldManager to fully replace ownerReferences, since SSA would only upsert array elements.	operator/src/trustee.rs operator/src/attestation_key_register.rs lib/src/reference_values.rs
Refine reconciliation logic and filters around Secrets, volumes, and ApprovedImage handling to be idempotent and SSA-safe.	In trustee::update_attestation_keys, only consider Secrets whose ownerReferences include an AttestationKey with controller=true, and rebuild the projected volume/volumeMounts from those secrets while preserving existing volumes like trustee-data and attestation-policy. In do_mount_secret, avoid adding duplicate volume/volumeMount entries for an already-mounted secret volume, preventing 422s on repeated reconciliations. In image_add_reconcile, adopt ApprovedImage via SSA Apply with ownerReferences and then use SSA (with force on status) to update status alongside operator updates, using the global FIELD_MANAGER. Adjust delete/job reconciliation comments and behavior to clarify foreground client-side deletion for compute-pcrs Jobs.	operator/src/trustee.rs operator/src/reference_values.rs
Expand and adjust unit/integration tests and test utilities to validate SSA behavior, ownership, and idempotency, and drop tests that were tied to client-side create semantics.	Add detailed tests around approve_ak flow, ensuring ordered PATCH/GET interactions, correct SSA status body and approved condition, merge-patch semantics for owner transfer, and AttestationKey Secret creation with controller owner and finalizer. Add SSA-focused tests in trustee and reference_values modules covering trustee-data full-data SSA patches, idempotent secret mounts, SSA body correctness for update_attestation_keys projected volumes, and PCR/Job creation with correct owners and labels. Add SSA/force-status behavior tests for image_add_reconcile happy path, already-owned images, and failure when owner adoption SSA patch fails. Update register-server tests to assert POST with fieldManager, correct owner controller reference, and rework mock_client helpers to treat PATCH like POST for error simulation while removing create_already_exists tests that depend on conflict-tolerant create semantics.	operator/src/attestation_key_register.rs operator/src/trustee.rs operator/src/reference_values.rs register-server/src/main.rs tests/trusted_execution_cluster.rs test_utils/src/mock_client.rs
Introduce or adjust auxiliary tooling and scripts to match the new behavior and make local workflows easier.	Add deploy.sh helper script to tear down and recreate a kind cluster, install kubevirt and the operator, wait for TrustedExecutionCluster to be Installed, and deploy a sample VM. Adjust comments and minor code around reference values and controller launch to reflect SSA and controller semantics more clearly.	deploy.sh operator/src/main.rs lib/src/reference_values.rs

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#258	Migrate the update_status! macro from client-side merge patching to server-side apply (SSA) with explicit field manager (and force option) to safely update status in multi-writer scenarios.	✅
#258	Replace client-side create/PUT/patch patterns for operator-managed resources with SSA-based apply directives where appropriate, while keeping or justifying any remaining client-side operations.	✅
#258	Ensure resources involved in potential race conditions (e.g., trustee-data ConfigMap, trustee Deployment for attestation keys, ApprovedImage ownership/status, AttestationKey flow) use SSA and controller-owned fields to avoid concurrent overwrites and last-write-wins issues.	✅

Possibly linked issues

• #: PR introduces SSA (apply_resource!, SSA status patches) and ownership fixes, implementing the issue’s SSA migration intent.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="operator/src/trustee.rs" line_range="176-182" />
<code_context>
     let container = pod_spec.containers.get_mut(0).context(err)?;
     let vol_mounts = container.volume_mounts.get_or_insert_default();

+    // Additional check to prevent duplicate mounts.
     if add {
-        let (volume, volume_mount) = generate_secret_volume(id);
-        pod_spec.volumes.get_or_insert_default().push(volume);
-        vol_mounts.push(volume_mount);
+        let already_mounted = pod_spec
+            .volumes
+            .as_ref()
+            .is_some_and(|vs| vs.iter().any(|v| v.name == id));
+        if !already_mounted {
+            let (volume, volume_mount) = generate_secret_volume(id);
+            pod_spec.volumes.get_or_insert_default().push(volume);
</code_context>
<issue_to_address>
**issue (bug_risk):** Duplicate-volume check can prevent adding a missing volumeMount for partially configured pods

The `already_mounted` check only inspects `pod_spec.volumes`. In a partially configured pod where the volume exists but the `volumeMount` is missing, `add == true` will now skip adding both the volume and the mount, leaving the pod broken with no way for this code to self-heal. Instead, either:
- only skip when both the volume and corresponding `volumeMount` are present, or
- when the volume exists but the mount does not, add just the missing `volumeMount`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[SpaceFace02]

Unit tests passing:

Integration tests passing:

[SpaceFace02]

/review @Jakob-Naucke

[SpaceFace02]

/cc @Jakob-Naucke

[SpaceFace02]

/cc @alicefr

[Jakob-Naucke]

So this sets the component (operator, compute-pcrs) as field manager for the status, but also just uses force the only time that it could actually conflict. I don't really see the downside of having just one field manager by that point but I'm open to hearing @alicefr's opinion before you refactor.

[SpaceFace02]

Previously, we had multiple writers to the Status Field of the ApprovedImage. the ComputePCR also updated the status with committed_condition (while status as PCR's are computing), and the operator requeued every 10 seconds to check whether the computation had completed and then updated the same field.

To fix this, ideally we should have only the operator update the status of the field. We can discuss this design decision in detail with Alice.

[SpaceFace02]

I don't really see the downside of having just one field manager by that point

Field manager is inherently a SSA concept, initially we had 2 writers to the same field, and updated it client side. There was no concept of field managers, because the client patch would overwrite any changes, even if written previously by another writer.

[alicefr]

To fix this, ideally we should have only the operator update the status of the field. We can discuss this design decision in detail with Alice.

Yeah, we need to revisit the design of the approved images ideally, there should be a single writer. Let's discuss it today

[Jakob-Naucke]

not sure why this is necessary, it's not like there's a new function that this function's name must disambiguate from

[SpaceFace02]

Mainly to disambiguate between a controller owner, and a linking owner.

[Jakob-Naucke]

What's an owner-controller?

[SpaceFace02]

Previously, we had the function generate_owner_reference which set controller to true.

This is ambiguous, because not all owners are controllers. A k8s object can have only 1 controller in its set of owner references (here). It can however have multiple non-controller linking owner references.

[Jakob-Naucke]

if we keep these renames and comment changes, I think they should be a separate commit. not sure if we do though, cc @alicefr

[alicefr]

yes, please try to generate clean commits it gets easier to review

[Jakob-Naucke]

It's generally good to expand the tests here. Maybe put new tests in a separate commit because this commit's almost unreadably big

[SpaceFace02]

Sure, had kept unit tests in the same commit as they test the same functionality introduced and made sense to be together. But I will split them for readability and ease of review.

[alicefr]

@SpaceFace02 please sign the commit. We should add a check that verifies that all the commits are signed. Filed #270

[alicefr]

@SpaceFace02 is there a way to split the single commit into multiple. This is kind of hard to review it

[SpaceFace02]

@SpaceFace02 is there a way to split the single commit into multiple. This is kind of hard to review it

Have split the commits into 3:
One for feature changes
one for uts
one for integration tests

[Jakob-Naucke]

Thank you for the separate commits! However, when a test update is necessary to how the code changes, it should be one commit so that bisects stay intact.

[Jakob-Naucke]

if we keep these renames and comment changes, I think they should be a separate commit. not sure if we do though, cc @alicefr

[Jakob-Naucke]

the numbers and HTTP endpoints are in the code, so I think this is just drift risk. if you like you can add the comment as to what happens at those respective points.

[Jakob-Naucke]

can drop, it's just one and could be reused

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.