Possibility of Stale Synced Data

[maxsmythe]

By default gatekeeper resets the cache of synced data whenever the list of watched resources changes.

This is not the case when the list of constraint kinds to watch changes.

This means that any cached resource deleted while the watch manager is restarting has the possibility of being stuck in the cache.

Generally speaking, we should be running a reconcile loop over cached data and removing any stale data.

This will both avoid the need to wipe the OPA cache each time the set of synced resources changes and the need to add any synchronization logic between the constrainttemplate controller and the config controller.

While we're at it, we should add the same kind of logic for constraints and constrainttemplates. This would allow us to remove finalizers altogether.

[maxsmythe]

@shomron I thought you might be interested in this bug as it directly relates to your doc. We should talk sometime about the eventual consistency and watch manager designs generally.

[shomron]

@maxsmythe I'm game. I'll go through the code again and we can schedule some time to chat.

[maxsmythe]

Sounds good. There are some necessary endpoints missing in the constraint framework that would need to be implemented as well.

[shomron]

@maxsmythe here is what I'm currently thinking for this issue. I've also written some WIP code to start giving it more shape. If the overall direction is agreeable, I can finish that up into a reviewable PR. Let me know what you think!

[maxsmythe]

Thanks! Sorry for the delay, I'll take a look tonight.

[shomron]

@maxsmythe thank you for the initial review. It was very thorough!

I've opened a related issue, open-policy-agent/frameworks#80, to support cascading delete of constraints when deleting a template. This will help tear down ordering dependencies between the two controllers.

[shomron]

@ritazh I just wanted to put this workstream on your radar and make sure we have alignment on the overall approach. Please take a look at the document when you have a chance and let me know if you have any concerns!

In the meantime I'll continue work on the related PR and get it into shape for final review hopefully by next week.

[shomron]

@maxsmythe is there anything remaining here or have we addressed the concerns in #490?

[maxsmythe]

I believe this is fixed!