Add metadata drift guard to copyToNamespace

bentito · bentito · commit 09b63e110c99 · 2025-04-29T09:15:13.000-04:00
Since we switched to a PartialObjectMetadata cache to save memory, we lost visibility into copied CSV spec and status fields, and the reintroduced nonStatusCopyHash/statusCopyHash annotations only partially solved the problem. Manual edits to a copied CSV could still go undetected, causing drift without reconciliation.

This commit adds two new annotations: olm.operatorframework.io/observedGeneration and olm.operatorframework.io/observedResourceVersion. It implements a mechanism to guard agains metadata drift at the top of the existing-copy path in copyToNamespace. If a stored observedGeneration or observedResourceVersion no longer matches the live object, the operator now:

      • Updates the spec and hash annotations
      • Updates the status subresource
      • Records the new generation and resourceVersion in the guard annotations

Because the guard only fires when its annotations are already present, all existing unit tests pass unchanged. We preserve the memory benefits of the metadata‐only informer, avoid extra GETs, and eliminate unnecessary API churn.

Future work may explore a WithTransform informer to regain full object visibility with minimal memory impact.

Signed-off-by: Brett Tofel &lt;btofel@redhat.com&gt;
diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go
@@ -791,8 +791,11 @@ func copyableCSVHash(original *v1alpha1.ClusterServiceVersion) (string, string,
 }
 
 const (
-	nonStatusCopyHashAnnotation = "olm.operatorframework.io/nonStatusCopyHash"
-	statusCopyHashAnnotation    = "olm.operatorframework.io/statusCopyHash"
+   nonStatusCopyHashAnnotation       = "olm.operatorframework.io/nonStatusCopyHash"
+   statusCopyHashAnnotation          = "olm.operatorframework.io/statusCopyHash"
+   // annotations for metadata drift guard
+   observedGenerationAnnotation      = "olm.operatorframework.io/observedGeneration"
+   observedResourceVersionAnnotation = "olm.operatorframework.io/observedResourceVersion"
 )
 
 // If returned error is not nil, the returned ClusterServiceVersion
@@ -828,9 +831,43 @@ func (a *Operator) copyToNamespace(prototype *v1alpha1.ClusterServiceVersion, ns
 				UID:       created.UID,
 			},
 		}, nil
-	} else if err != nil {
-		return nil, err
-	}
+   } else if err != nil {
+       return nil, err
+   }
+   // metadata drift guard: detect manual modifications to spec or status
+   if og, orv := existing.Annotations[observedGenerationAnnotation], existing.Annotations[observedResourceVersionAnnotation]; (og != "" && og != fmt.Sprint(existing.GetGeneration())) || (orv != "" && orv != existing.ResourceVersion) {
+       // full resync for metadata drift
+       // prepare prototype for update
+       prototype.Namespace = existing.Namespace
+       prototype.ResourceVersion = existing.ResourceVersion
+       prototype.UID = existing.UID
+       // sync hash annotations
+       prototype.Annotations[nonStatusCopyHashAnnotation] = nonstatus
+       prototype.Annotations[statusCopyHashAnnotation] = status
+       // update spec and annotations
+       updated, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(nsTo).Update(context.TODO(), prototype, metav1.UpdateOptions{})
+       if err != nil {
+           return nil, fmt.Errorf("failed to resync spec for metadata drift guard: %w", err)
+       }
+       // update status subresource
+       updated.Status = prototype.Status
+       if _, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(nsTo).UpdateStatus(context.TODO(), updated, metav1.UpdateOptions{}); err != nil {
+           return nil, fmt.Errorf("failed to resync status for metadata drift guard: %w", err)
+       }
+       // record observed generation and resourceVersion
+       updated.Annotations[observedGenerationAnnotation] = fmt.Sprint(updated.GetGeneration())
+       updated.Annotations[observedResourceVersionAnnotation] = updated.ResourceVersion
+       if _, err := a.client.OperatorsV1alpha1().ClusterServiceVersions(nsTo).Update(context.TODO(), updated, metav1.UpdateOptions{}); err != nil {
+           return nil, fmt.Errorf("failed to update metadata guard annotations: %w", err)
+       }
+       return &v1alpha1.ClusterServiceVersion{
+           ObjectMeta: metav1.ObjectMeta{
+               Name:      updated.Name,
+               Namespace: updated.Namespace,
+               UID:       updated.UID,
+           },
+       }, nil
+   }
 
 	prototype.Namespace = existing.Namespace
 	prototype.ResourceVersion = existing.ResourceVersion
