fix: use update-in-place for PrometheusRule ConfigMaps

[Sanchit2662]

Description

This PR fixes a non-atomic reconciliation pattern in PrometheusRuleSyncer.Sync() that could cause temporary and silent loss of alerting and recording rules during PrometheusRule updates.

Previously, the operator deleted all existing rule ConfigMaps before recreating them. This introduced a time window where no rule ConfigMaps existed, allowing the config-reloader sidecar to trigger a Prometheus reload with missing or partial rules. The issue is triggered during normal reconciliation and can impact production alerting without any visible errors.

This change makes PrometheusRule reconciliation continuous and safe by switching to update-in-place semantics.

---

Type of change

• BUGFIX
• ENHANCEMENT

---

What was wrong (root cause)

PrometheusRuleSyncer.Sync() used a delete-then-create pattern for rule ConfigMaps:

// Delete and recreate the configmap(s).
for _, cm := range current {
    err := prs.cmClient.Delete(ctx, cm.Name, metav1.DeleteOptions{})
    if err != nil {
        return nil, err
    }
}

for _, cm := range configMaps {
    _, err := prs.cmClient.Create(ctx, &cm, metav1.CreateOptions{})
    if err != nil {
        return nil, err
    }
}

During this deletion window:

• ConfigMaps briefly do not exist
• The config-reloader detects the change and reloads Prometheus
• Prometheus reloads with missing alerting / recording rules
• No error is surfaced, resulting in a silent monitoring gap

This happens during any PrometheusRule update, including label or selector changes.

---

Impact

Before this fix:

• Alerting rules can temporarily disappear → alerts cannot fire
• Recording rules can disappear → dashboards and derived metrics break
• Failures are silent (no logs, no reconciliation errors)
• HA setups do not help (replicas reconcile simultaneously)

After this fix:

• Rules remain continuously available during reconciliation
• Config reloads always see a valid rule set
• Partial failures no longer result in empty rules
• Alerting behavior is predictable and safe

---

Fix summary

1. Added CreateOrUpdateConfigMap helper

A new utility function was added to atomically create or update ConfigMaps:

func CreateOrUpdateConfigMap(
    ctx context.Context,
    cmClient clientv1.ConfigMapInterface,
    desired *v1.ConfigMap,
) error

Key properties:

• Uses retry.RetryOnConflict
• Creates the ConfigMap if it does not exist
• Updates in place if it already exists
• Preserves external labels and annotations

---

2. Rewrote PrometheusRuleSyncer.Sync()

The reconciliation order was changed to avoid rule disappearance:

Before

1. Delete all ConfigMaps
2. Create new ConfigMaps
3. ❌ Rules temporarily missing

After

1. Create or update desired ConfigMaps
2. Delete only excess ConfigMaps that are no longer needed
3. ✅ Rules always present

This mirrors the existing CreateOrUpdateSecret pattern used for Alertmanager configuration.

---

Verification

• ✅ Code builds successfully
• ✅ Existing PrometheusRule sync tests pass
• ✅ No behavior change outside rule reconciliation logic

[Sanchit2662]

Hi @simonpasquier ,
This PR fixes a non-atomic delete-then-create pattern in PrometheusRule syncing that can briefly cause alerting and recording rules to disappear during reconciliation.
I’d really appreciate it if you could take some time to review it when you get a chance. Thanks a lot!

[simonpasquier]

Thanks!

The process isn't 100% atomic and safe (e.g. the config-reloader might see a in-progress update of the configmaps or a to-be-deleted configmap) but I don't see a (simple) way to make it better.