Reference implementation doesn't unbind workloads when their labels change

[sadlerap]

The following manifest should result in a binding being made to the deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-1
    app-custom: foo
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-1
  template:
    metadata:
      labels:
        app: test-1
    spec:
      containers:
      - name: test
        image: ghcr.io/servicebinding/conformance/generic-test-app:main
        imagePullPolicy: IfNotPresent
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /env
            port: 8080
            scheme: HTTP
      restartPolicy: Always
---
apiVersion: v1
data:
  password: YmFy
  type: YmF6
  username: Zm9v
kind: Secret
metadata:
  name: test-secret
type: Opaque
---
apiVersion: servicebinding.io/v1beta1
kind: ServiceBinding
metadata:
  name: test-binding
spec:
  service:
    apiVersion: v1
    kind: Secret
    name: test-secret
  workload:
    apiVersion: apps/v1
    kind: Deployment
    selector:
      matchLabels:
        app-custom: foo

This works as expected with the reference implementation - the deployment gets bound as expected. However, if we alter the app-custom label on the deployment after it's been created, the deployment is not unbound:

kubectl label --overwrite deployments.apps test app-custom=bar
kubectl get deployments.apps test -o jsonpath='{.spec.template.spec.volumes}' # should return nothing, but it doesn't

As far as I can tell, the spec isn't clear on what is supposed to happen here, but I think deprojecting the binding from the workload is the behavior we should probably have.

[scothis]

Yep, this is a bug. I can see two different paths that can cause a bound workload to be orphaned:

1. the labels on the workload change to no longer match the selector
2. the workload label selector changes to no longer match the workload

In either case, we currently know which ServiceBindings were projected into the workload. Instead of looking up the target workload by name or selector we can get all resources of the target apiVersion/kind and the filter that list by previously bound resources and those that need to be projected. Loading unnecessary workload resources is overhead introduced by this approach.

Another approach is to stash the previously reconciled ServiceBinding spec as an annotation on the ServiceBinding resource. The controller can then compare the current and previous spec to determine what workloads need to be processed for that ServiceBinding. This approach is more efficient but trickier to keep in sync.

[sadlerap]

I'm not sure I understand how the second approach you described is supposed to work. If a workload gets its label removed, how are we going to know we need to unbind it?

[scothis]

If a workload gets its label removed, how are we going to know we need to unbind it?

Same issue exists today. The mutating webhook that intercepts workloads will attempt to restore any value that was removed.

I've started to prototype the first approach, should be able to put up a PR for feedback this week.