handle conflicts for updating access key finalizer

Author: AshleyDumaine

api/v1alpha2/linodecluster_types.go

@@ -33,8 +33,7 @@ type LinodeClusterSpec struct {
 	// The Linode Region the LinodeCluster lives in.
 	Region string `json:"region"`
 
-	// ControlPlaneEndpoint represents the endpoint used to communicate with
-	// the LinodeCluster control plane.
+	// ControlPlaneEndpoint represents the endpoint used to communicate with the LinodeCluster control plane.
 	// If ControlPlaneEndpoint is unset then the Nodebalancer ip will be used.
 	// +optional
 	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
@@ -48,25 +47,22 @@ type LinodeClusterSpec struct {
 	VPCRef *corev1.ObjectReference `json:"vpcRef,omitempty"`
 
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	// VPCID is the ID of an existing VPC in Linode. This allows using a VPC
-	// that is not managed by CAPL.
+	// VPCID is the ID of an existing VPC in Linode. This allows using a VPC that is not managed by CAPL.
 	// +optional
 	VPCID *int `json:"vpcID,omitempty"`
 
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	// +optional
-	// NodeBalancerFirewallRef is a reference to a NodeBalancer Firewall object.
-	// This makes the linode use the specified NodeBalancer Firewall.
+	// NodeBalancerFirewallRef is a reference to a NodeBalancer Firewall object. This makes the linode use the specified NodeBalancer Firewall.
 	NodeBalancerFirewallRef *corev1.ObjectReference `json:"nodeBalancerFirewallRef,omitempty"`
 
-	// ObjectStore defines a supporting Object Storage bucket for cluster
-	// operations. This is currently used for bootstrapping (e.g. Cloud-init).
+	// ObjectStore defines a supporting Object Storage bucket for cluster operations. This is currently used for
+	// bootstrapping (e.g. Cloud-init).
 	// +optional
 	ObjectStore *ObjectStore `json:"objectStore,omitempty"`
 
-	// CredentialsRef is a reference to a Secret that contains the credentials
-	// to use for provisioning this cluster. If not supplied then the
-	// credentials of the controller will be used.
+	// CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not
+	// supplied then the credentials of the controller will be used.
 	// +optional
 	CredentialsRef *corev1.SecretReference `json:"credentialsRef,omitempty"`
 }

config/crd/bases/infrastructure.cluster.x-k8s.io_linodeclusters.yaml

@@ -59,8 +59,7 @@ spec:
             properties:
               controlPlaneEndpoint:
                 description: |-
-                  ControlPlaneEndpoint represents the endpoint used to communicate with
-                  the LinodeCluster control plane.
+                  ControlPlaneEndpoint represents the endpoint used to communicate with the LinodeCluster control plane.
                   If ControlPlaneEndpoint is unset then the Nodebalancer ip will be used.
                 properties:
                   host:
@@ -77,9 +76,8 @@ spec:
                 type: object
               credentialsRef:
                 description: |-
-                  CredentialsRef is a reference to a Secret that contains the credentials
-                  to use for provisioning this cluster. If not supplied then the
-                  credentials of the controller will be used.
+                  CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not
+                  supplied then the credentials of the controller will be used.
                 properties:
                   name:
                     description: name is unique within a namespace to reference a
@@ -191,9 +189,9 @@ spec:
                       rule: self == oldSelf
                 type: object
               nodeBalancerFirewallRef:
-                description: |-
-                  NodeBalancerFirewallRef is a reference to a NodeBalancer Firewall object.
-                  This makes the linode use the specified NodeBalancer Firewall.
+                description: NodeBalancerFirewallRef is a reference to a NodeBalancer
+                  Firewall object. This makes the linode use the specified NodeBalancer
+                  Firewall.
                 properties:
                   apiVersion:
                     description: API version of the referent.
@@ -240,8 +238,8 @@ spec:
                   rule: self == oldSelf
               objectStore:
                 description: |-
-                  ObjectStore defines a supporting Object Storage bucket for cluster
-                  operations. This is currently used for bootstrapping (e.g. Cloud-init).
+                  ObjectStore defines a supporting Object Storage bucket for cluster operations. This is currently used for
+                  bootstrapping (e.g. Cloud-init).
                 properties:
                   credentialsRef:
                     description: CredentialsRef is a reference to a Secret that contains
@@ -269,9 +267,8 @@ spec:
                 description: The Linode Region the LinodeCluster lives in.
                 type: string
               vpcID:
-                description: |-
-                  VPCID is the ID of an existing VPC in Linode. This allows using a VPC
-                  that is not managed by CAPL.
+                description: VPCID is the ID of an existing VPC in Linode. This allows
+                  using a VPC that is not managed by CAPL.
                 type: integer
                 x-kubernetes-validations:
                 - message: Value is immutable

config/crd/bases/infrastructure.cluster.x-k8s.io_linodeclustertemplates.yaml

@@ -53,8 +53,7 @@ spec:
                     properties:
                       controlPlaneEndpoint:
                         description: |-
-                          ControlPlaneEndpoint represents the endpoint used to communicate with
-                          the LinodeCluster control plane.
+                          ControlPlaneEndpoint represents the endpoint used to communicate with the LinodeCluster control plane.
                           If ControlPlaneEndpoint is unset then the Nodebalancer ip will be used.
                         properties:
                           host:
@@ -73,9 +72,8 @@ spec:
                         type: object
                       credentialsRef:
                         description: |-
-                          CredentialsRef is a reference to a Secret that contains the credentials
-                          to use for provisioning this cluster. If not supplied then the
-                          credentials of the controller will be used.
+                          CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not
+                          supplied then the credentials of the controller will be used.
                         properties:
                           name:
                             description: name is unique within a namespace to reference
@@ -187,9 +185,9 @@ spec:
                               rule: self == oldSelf
                         type: object
                       nodeBalancerFirewallRef:
-                        description: |-
-                          NodeBalancerFirewallRef is a reference to a NodeBalancer Firewall object.
-                          This makes the linode use the specified NodeBalancer Firewall.
+                        description: NodeBalancerFirewallRef is a reference to a NodeBalancer
+                          Firewall object. This makes the linode use the specified
+                          NodeBalancer Firewall.
                         properties:
                           apiVersion:
                             description: API version of the referent.
@@ -236,8 +234,8 @@ spec:
                           rule: self == oldSelf
                       objectStore:
                         description: |-
-                          ObjectStore defines a supporting Object Storage bucket for cluster
-                          operations. This is currently used for bootstrapping (e.g. Cloud-init).
+                          ObjectStore defines a supporting Object Storage bucket for cluster operations. This is currently used for
+                          bootstrapping (e.g. Cloud-init).
                         properties:
                           credentialsRef:
                             description: CredentialsRef is a reference to a Secret
@@ -266,9 +264,8 @@ spec:
                         description: The Linode Region the LinodeCluster lives in.
                         type: string
                       vpcID:
-                        description: |-
-                          VPCID is the ID of an existing VPC in Linode. This allows using a VPC
-                          that is not managed by CAPL.
+                        description: VPCID is the ID of an existing VPC in Linode.
+                          This allows using a VPC that is not managed by CAPL.
                         type: integer
                         x-kubernetes-validations:
                         - message: Value is immutable

docs/src/reference/out.md

@@ -355,13 +355,13 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `region` _string_ | The Linode Region the LinodeCluster lives in. |  |  |
-| `controlPlaneEndpoint` _[APIEndpoint](#apiendpoint)_ | ControlPlaneEndpoint represents the endpoint used to communicate with<br />the LinodeCluster control plane.<br />If ControlPlaneEndpoint is unset then the Nodebalancer ip will be used. |  |  |
+| `controlPlaneEndpoint` _[APIEndpoint](#apiendpoint)_ | ControlPlaneEndpoint represents the endpoint used to communicate with the LinodeCluster control plane.<br />If ControlPlaneEndpoint is unset then the Nodebalancer ip will be used. |  |  |
 | `network` _[NetworkSpec](#networkspec)_ | NetworkSpec encapsulates all things related to Linode network. |  |  |
 | `vpcRef` _[ObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#objectreference-v1-core)_ |  |  |  |
-| `vpcID` _integer_ | VPCID is the ID of an existing VPC in Linode. This allows using a VPC<br />that is not managed by CAPL. |  |  |
-| `nodeBalancerFirewallRef` _[ObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#objectreference-v1-core)_ | NodeBalancerFirewallRef is a reference to a NodeBalancer Firewall object.<br />This makes the linode use the specified NodeBalancer Firewall. |  |  |
-| `objectStore` _[ObjectStore](#objectstore)_ | ObjectStore defines a supporting Object Storage bucket for cluster<br />operations. This is currently used for bootstrapping (e.g. Cloud-init). |  |  |
-| `credentialsRef` _[SecretReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretreference-v1-core)_ | CredentialsRef is a reference to a Secret that contains the credentials<br />to use for provisioning this cluster. If not supplied then the<br />credentials of the controller will be used. |  |  |
+| `vpcID` _integer_ | VPCID is the ID of an existing VPC in Linode. This allows using a VPC that is not managed by CAPL. |  |  |
+| `nodeBalancerFirewallRef` _[ObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#objectreference-v1-core)_ | NodeBalancerFirewallRef is a reference to a NodeBalancer Firewall object. This makes the linode use the specified NodeBalancer Firewall. |  |  |
+| `objectStore` _[ObjectStore](#objectstore)_ | ObjectStore defines a supporting Object Storage bucket for cluster operations. This is currently used for<br />bootstrapping (e.g. Cloud-init). |  |  |
+| `credentialsRef` _[SecretReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretreference-v1-core)_ | CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not<br />supplied then the credentials of the controller will be used. |  |  |
 
 
 #### LinodeClusterStatus

internal/controller/linodeobjectstoragebucket_controller.go

@@ -27,6 +27,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/retry"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	kutil "sigs.k8s.io/cluster-api/util"
 	conditions "sigs.k8s.io/cluster-api/util/conditions/v1beta2"
@@ -173,13 +174,14 @@ func (r *LinodeObjectStorageBucketReconciler) reconcileApply(ctx context.Context
 			bScope.Logger.Error(err, "failed to update bucket finalizer")
 			return err
 		}
-
-		if err := bScope.AddAccessKeyRefFinalizer(ctx, bScope.Bucket.Name); err != nil {
-			bScope.Logger.Error(err, "failed to update access key finalizer")
+		// Retry on conflict to handle the case where the access key is being updated concurrently.
+		if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			return bScope.AddAccessKeyRefFinalizer(ctx, bScope.Bucket.Name)
+		}); err != nil {
+			bScope.Logger.Error(err, "failed to add access key finalizer")
 			r.setFailure(bScope, err)
 			return err
 		}
-
 	}
 
 	bucket, err := services.EnsureAndUpdateObjectStorageBucket(ctx, bScope)
@@ -216,7 +218,10 @@ func (r *LinodeObjectStorageBucketReconciler) reconcileDelete(ctx context.Contex
 	// Don't delete the bucket if the ForceDeleteBucket is false since there could be data in it that causes deletion to fail.
 
 	if bScope.Bucket.Spec.AccessKeyRef != nil {
-		if err := bScope.RemoveAccessKeyRefFinalizer(ctx, bScope.Bucket.Name); err != nil {
+		// Retry on conflict to handle the case where the access key is being updated concurrently.
+		if err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			return bScope.RemoveAccessKeyRefFinalizer(ctx, bScope.Bucket.Name)
+		}); err != nil {
 			bScope.Logger.Error(err, "failed to remove access key finalizer")
 			r.setFailure(bScope, err)
 			return err