fix(controller): watch secondary resources instead of updating unowned resources

[onematchfox]

Controllers shouldn't be updating objects they do not own/manage. Instead, controllers should explicitly watch the unowned resources that they do not own and ensure that any affected objects that they do own are queued for reconciliation. Ref

This PR refactors the existing implementation so that controllers, such as the toolserver-controller, do not reconcile agents, and instead, the agent controller watches for changes to toolserver objects. For now, I've left all relationships in place with the most major difference being the removal of the secrets controller, whereby agents were reconciled based on secret updates. Now, the modelconfig controller watches for secret updates, and the agent controller, in turn, watches for model config updates. With these changes in place, we can also start introducing the use of predicates to limit unnecessary reconciliation and/or even revisiting whether these relationships are needed at all.

Side notes:

• In the current implementation (both existing code and post this PR), updates to related resources don't have much of an effect. I imagine, for example, that watching secrets was put in place with the idea being that if the API key for a model is updated, then agents would be restarted to ensure they use the new config. This isn't going to happen - not in the current code nor as a result of these changes. Perhaps it did in the past (I haven't gone back in history to look at how things worked when agents were defined in autogen). But going forward, we should either try and make sure that changes are correctly propagated or remove the watch as it just results in unnecessary reconciliation. Another example would be agents use of memory since memory isn't reflected anywhere in the representation of an agent at the moment but perhaps this is was just missed when switching over to ADK?
• I've left the shared Reconciler in place for the time being, although arguably this whole situation could have been avoided if the controller code had been kept isolated (with shared functionality/code exposed through a package where needed). I did start looking at extracting out controller-specific code, but stopped when I noticed the "dbclient Mutex" that is shared between the functions used by AgentReconciler and ToolServerReconciler

Related to #700

[Copilot]

Pull Request Overview

This PR refactors the controller architecture to follow Kubernetes best practices by having controllers watch secondary resources instead of directly updating unowned resources. The main change removes cross-controller reconciliation where controllers like toolserver-controller would directly reconcile agents they don't own.

Key changes:

• Removes the secrets controller that directly reconciled agents based on secret updates
• Adds watch relationships where agent controller watches for changes to toolserver, modelconfig, and memory resources
• Refactors finder methods to return resources instead of error-prone reconciliation chains

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
go/controller/internal/reconciler/reconciler.go	Removes cross-controller reconciliation logic and refactors finder methods to support watching pattern
go/controller/internal/controller/secret_controller.go	Completely removes the secret controller
go/controller/internal/controller/modelconfig_controller.go	Adds watch for Secret resources to trigger ModelConfig reconciliation
go/controller/internal/controller/agent_controller.go	Adds watches for Memory, ModelConfig, and ToolServer resources to trigger Agent reconciliation
go/controller/cmd/main.go	Removes registration of the deleted SecretReconciler

[Copilot]

The err variable from the secret validation is being passed as the reconciliation error to reconcileModelConfigStatus. This will mark the ModelConfig as failed when the secret doesn't exist, but the ModelConfig reconciliation itself may have succeeded. The error should only be passed if it represents an actual reconciliation failure.

[onematchfox]

The error should only be passed if it represents an actual reconciliation failure.

This is desired behaviour. If the secret doesn't exist, this should reflect in the status of ModelConfig.

[onematchfox]

An example of what the changes in this PR enable can be seen here, where we can start to make use of GenerationChangedPredicate to limit unnecessary reconciliation based on updates to status subresources. This would not be nearly as effective if applied against main as it stands today, because agents are explicitly reconciled based on updates to secondary resources. Note: That commit only applies the predicate to primary resources for the time being since it may, for example, be desirable to reconcile an Agent if the Status of a ModelConfig changes.

[EItanya]

First of all, awesome work! I'll be honest that I'm not the foremost expert on controller-runtime, so super thankful for these fixes/pointers.

In terms of your side points:

• You are correct that was the original intention, but awesome catch that it's not working anymore. In terms of the Memory object you are also correct. In the move to ADK, that particular object didn't move cleanly, I will create an issue explaining what happened, and add a note to the release.
• TBH I didn't add the mutex originally, I have an idea of why it's there, but now that we're backed by a DB I'm 99.9999% sure it's unnecessary and we should remove it.

I'm happy to work with you to make more of the proposed changes you've mentioned as I think they would be very important for the consistency of the reconcilers.