Only remove the cleanup finalizer if the cleanup succeeds

[inteon]

This addresses two problems:

• The finalizer was being removed unconditionally, regardless of whether solver.Cleanup succeeds
• The finalizer was assumed to be the first in the list of finalizers, potentially resulting in the removal of foreign finalizers and resulting in the cleanup finalizer never being removed.
• solver.Cleanup was invoked inconsistently from two different places, in handleFinalizer and in an acme.IsFinalState block, but in the former, the Status.Processing and Status.Presented fields were not being reset and in the latter case, the finalizer wasn't being removed if the cleanup succeeded.

Part of:

• Challenge Records Not Always Cleaned Up #3640

supersedes #5126

Kind

/kind cleanup

Release Note

NONE

[SgtCoDFish]

Most of this looks pretty self explanatory and makes sense. Just one question from me before I'd feel comfortable merging!

[SgtCoDFish]

question: Previously we swallowed the error and returned nil. Same in the if err := solver.CleanUp(ctx, ch); err != nil block below.

What's the motivation for the change to now start returning the error here (and below)? What effect will it have?

[inteon]

There are two situations in which a cleanup is performed:

• acme.IsFinalState(ch.Status.State)
• !ch.DeletionTimestamp.IsZero()

The old code swallowed errors when !ch.DeletionTimestamp.IsZero() but returned errors when acme.IsFinalState(ch.Status.State). So this change will only affect the first case.
In that case, the deletion of the challenge resource will be blocked until the handleFinalizer is successful. An error will be returned if something went wrong and the CleanUp function will be retried.
The previous behavior for the first case was that the CleanUp function was called once and the error was only logged and the finalizer deleted unconditionally.

[inteon]

So, the new behavior will block deletion until the cleanup succeeds & keep retrying (which was what is described here: #3640 and what the original PR tried to solve #5126).

[inteon]

🤔 I just found there is a counter-issue: #7234
Challenges that are stuck in their cleanup phase: cleanup is failing and the resource is not being deleted...

[inteon]

@erikgb convinced me that we should still move forward. I updated the PR.

[inteon]

/hold
There might be an unforeseen issue: #7286 (comment)

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[cert-manager-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

[inteon]

Looks like issue #7234 will be solved in a different manner: #7234 (comment)

I think we are able to move forward with this PR.

/unhold

[erikgb]

Suggested change

	return !finalizers.Has(cmacme.ACMELegacyFinalizer) && !finalizers.Has(cmacme.ACMEDomainQualifiedFinalizer)
	return !finalizers.Has(cmacme.ACMEDomainQualifiedFinalizer)

I think this is clearer, as we require all challenges to have the new finalizer.

[inteon]

This function is called in two places:

• https://github.com/cert-manager/cert-manager/pull/7286/changes#diff-e9636826ce57cc3a7988b9d27b475a40c79c97a21eb80ba392dc9f137f770004R115 - Here, there will never be a legacy finalizer (since we drop it a few lines above)
• https://github.com/cert-manager/cert-manager/pull/7286/changes#diff-e9636826ce57cc3a7988b9d27b475a40c79c97a21eb80ba392dc9f137f770004R296 - Here, we want to also cleanup in case we only have a legacy finalizer.

So, I do think that is makes sense to check for both to make sure we cleanup in the second case.

[erikgb]

True, but the naming is confusing here. Have to look at the "surroundings" to understand how this works. But we can leave this for an eventual follow-up.

[inteon]

Yes, let's leave the name for now. I already reverted the name change I wanted to make.

[erikgb]

Is this change expected? Processing is part of the status subresource. This action should only assert that the finalizers are removed.

[erikgb]

/lgtm

Thanks @inteon. I would expect a bit of "noise" when unleashing this bugfix, but I am convinced that moving forward is correct and worth it.

[inteon]

/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [inteon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[inteon]

/retest

[cert-manager-prow]

@inteon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cert-manager-master-e2e-v1-32-upgrade	95eeab9	link	true	/test pull-cert-manager-master-e2e-v1-32-upgrade
pull-cert-manager-master-e2e-v1-32	95eeab9	link	true	/test pull-cert-manager-master-e2e-v1-32
pull-cert-manager-master-e2e-v1-33-upgrade	95eeab9	link	true	/test pull-cert-manager-master-e2e-v1-33-upgrade
pull-cert-manager-master-e2e-v1-34-upgrade	95eeab9	link	true	/test pull-cert-manager-master-e2e-v1-34-upgrade

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[inteon]

/retest