Update the controller predicate logic

chiragkyal · chiragkyal · commit de5b0431e0ea · 2026-03-18T19:08:28.000+05:30
Signed-off-by: chiragkyal &lt;ckyal@redhat.com&gt;
diff --git a/pkg/controller/trustmanager/controller.go b/pkg/controller/trustmanager/controller.go
@@ -16,6 +16,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -95,13 +96,30 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 		return []reconcile.Request{}
 	}
 
-	// predicate function to ignore events for objects not managed by controller.
-	controllerManagedResources := predicate.NewPredicateFuncs(func(object client.Object) bool {
+	isManagedResource := func(object client.Object) bool {
 		labels := object.GetLabels()
 		matches := labels != nil && labels[common.ManagedResourceLabelKey] == RequestEnqueueLabelValue
 		r.log.V(4).Info("predicate evaluation", "object", fmt.Sprintf("%T", object), "name", object.GetName(), "namespace", object.GetNamespace(), "labels", labels, "matches", matches)
 		return matches
-	})
+	}
+
+	// Predicate to filter events for resources managed by this controller.
+	// On updates, checks both old and new objects so that events where the
+	// managed label is removed still trigger reconciliation.
+	controllerManagedResources := predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return isManagedResource(e.Object)
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			return isManagedResource(e.ObjectOld) || isManagedResource(e.ObjectNew)
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return isManagedResource(e.Object)
+		},
+		GenericFunc: func(e event.GenericEvent) bool {
+			return isManagedResource(e.Object)
+		},
+	}
 
 	controllerManagedResourcePredicates := builder.WithPredicates(controllerManagedResources)
 
diff --git a/test/e2e/trustmanager_test.go b/test/e2e/trustmanager_test.go
@@ -371,6 +371,62 @@ var _ = Describe("TrustManager", Ordered, Label("Feature:TrustManager"), func()
 		})
 	})
 
+	// -------------------------------------------------------------------------
+	// Managed label removal reconciliation
+	// -------------------------------------------------------------------------
+
+	Context("managed label removal reconciliation", func() {
+		It("should restore the managed label when removed externally from resources", func() {
+			createTrustManager(newTrustManagerCR())
+
+			// The "app" label is the managed resource label used by the predicate
+			// to filter watch events. Removing it tests that the predicate checks
+			// both old and new objects on updates, so the event is not silently dropped.
+
+			By("removing managed label from ServiceAccount")
+			sa, err := clientset.CoreV1().ServiceAccounts(trustManagerNamespace).Get(ctx, trustManagerServiceAccountName, metav1.GetOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+			delete(sa.Labels, "app")
+			_, err = clientset.CoreV1().ServiceAccounts(trustManagerNamespace).Update(ctx, sa, metav1.UpdateOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			By("verifying controller restores managed label on ServiceAccount")
+			Eventually(func(g Gomega) {
+				sa, err := clientset.CoreV1().ServiceAccounts(trustManagerNamespace).Get(ctx, trustManagerServiceAccountName, metav1.GetOptions{})
+				g.Expect(err).ShouldNot(HaveOccurred())
+				g.Expect(sa.Labels).Should(HaveKeyWithValue("app", trustManagerCommonName))
+			}, lowTimeout, fastPollInterval).Should(Succeed())
+
+			By("removing managed label from Deployment")
+			dep, err := clientset.AppsV1().Deployments(trustManagerNamespace).Get(ctx, trustManagerDeploymentName, metav1.GetOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+			delete(dep.Labels, "app")
+			_, err = clientset.AppsV1().Deployments(trustManagerNamespace).Update(ctx, dep, metav1.UpdateOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			By("verifying controller restores managed label on Deployment")
+			Eventually(func(g Gomega) {
+				dep, err := clientset.AppsV1().Deployments(trustManagerNamespace).Get(ctx, trustManagerDeploymentName, metav1.GetOptions{})
+				g.Expect(err).ShouldNot(HaveOccurred())
+				g.Expect(dep.Labels).Should(HaveKeyWithValue("app", trustManagerCommonName))
+			}, lowTimeout, fastPollInterval).Should(Succeed())
+
+			By("removing managed label from ClusterRole")
+			cr, err := clientset.RbacV1().ClusterRoles().Get(ctx, trustManagerClusterRoleName, metav1.GetOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+			delete(cr.Labels, "app")
+			_, err = clientset.RbacV1().ClusterRoles().Update(ctx, cr, metav1.UpdateOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			By("verifying controller restores managed label on ClusterRole")
+			Eventually(func(g Gomega) {
+				cr, err := clientset.RbacV1().ClusterRoles().Get(ctx, trustManagerClusterRoleName, metav1.GetOptions{})
+				g.Expect(err).ShouldNot(HaveOccurred())
+				g.Expect(cr.Labels).Should(HaveKeyWithValue("app", trustManagerCommonName))
+			}, lowTimeout, fastPollInterval).Should(Succeed())
+		})
+	})
+
 	// -------------------------------------------------------------------------
 	// Deployment configuration
 	// -------------------------------------------------------------------------
