draft

Signed-off-by: Jose Vazquez <jose.vazquez@mongodb.com>

pkg/controller/atlasdeployment/atlasdeployment_controller.go

@@ -181,7 +181,7 @@ func (r *AtlasDeploymentReconciler) Reconcile(context context.Context, req ctrl.
 	}
 
 	handleDeployment := r.selectDeploymentHandler(deployment)
-	if result, _ := handleDeployment(workflowCtx, project, deployment, req); !result.IsOk() {
+	if result, _ := handleDeployment(context, workflowCtx, project, deployment, req); !result.IsOk() {
 		workflowCtx.SetConditionFromResult(status.DeploymentReadyType, result)
 		return result.ReconcileResult(), nil
 	}
@@ -341,7 +341,7 @@ func (r *AtlasDeploymentReconciler) selectDeploymentHandler(deployment *mdbv1.At
 }
 
 // handleAdvancedDeployment ensures the state of the deployment using the Advanced Deployment API
-func (r *AtlasDeploymentReconciler) handleAdvancedDeployment(workflowCtx *workflow.Context, project *mdbv1.AtlasProject, deployment *mdbv1.AtlasDeployment, req reconcile.Request) (workflow.Result, error) {
+func (r *AtlasDeploymentReconciler) handleAdvancedDeployment(ctx context.Context, workflowCtx *workflow.Context, project *mdbv1.AtlasProject, deployment *mdbv1.AtlasDeployment, req reconcile.Request) (workflow.Result, error) {
 	c, result := r.ensureAdvancedDeploymentState(workflowCtx, project, deployment)
 	if c != nil && c.StateName != "" {
 		workflowCtx.EnsureStatusOption(status.AtlasDeploymentStateNameOption(c.StateName))
@@ -370,7 +370,7 @@ func (r *AtlasDeploymentReconciler) handleAdvancedDeployment(workflowCtx *workfl
 	}
 
 	if err := r.ensureBackupScheduleAndPolicy(
-		context.Background(),
+		ctx,
 		workflowCtx, project.ID(),
 		deployment,
 		backupEnabled,
@@ -394,8 +394,8 @@ func (r *AtlasDeploymentReconciler) handleAdvancedDeployment(workflowCtx *workfl
 }
 
 // handleServerlessInstance ensures the state of the serverless instance using the serverless API
-func (r *AtlasDeploymentReconciler) handleServerlessInstance(workflowCtx *workflow.Context, project *mdbv1.AtlasProject, deployment *mdbv1.AtlasDeployment, req reconcile.Request) (workflow.Result, error) {
-	c, result := ensureServerlessInstanceState(workflowCtx, project, deployment.Spec.ServerlessSpec)
+func (r *AtlasDeploymentReconciler) handleServerlessInstance(ctx context.Context, workflowCtx *workflow.Context, project *mdbv1.AtlasProject, deployment *mdbv1.AtlasDeployment, req reconcile.Request) (workflow.Result, error) {
+	c, result := r.ensureServerlessInstanceState(ctx, workflowCtx, project, deployment)
 	return r.ensureConnectionSecretsAndSetStatusOptions(workflowCtx, project, deployment, result, c)
 }
 
@@ -562,7 +562,7 @@ func (r *AtlasDeploymentReconciler) removeDeletionFinalizer(context context.Cont
 	return nil
 }
 
-type deploymentHandlerFunc func(workflowCtx *workflow.Context, project *mdbv1.AtlasProject, deployment *mdbv1.AtlasDeployment, req reconcile.Request) (workflow.Result, error)
+type deploymentHandlerFunc func(ctx context.Context, workflowCtx *workflow.Context, project *mdbv1.AtlasProject, deployment *mdbv1.AtlasDeployment, req reconcile.Request) (workflow.Result, error)
 
 type atlasClusterType int
 

pkg/controller/atlasdeployment/backup.go

@@ -78,7 +78,7 @@ func (r *AtlasDeploymentReconciler) ensureBackupSchedule(
 	bSchedule := &mdbv1.AtlasBackupSchedule{}
 	err := r.Client.Get(ctx, *backupScheduleRef, bSchedule)
 	if err != nil {
-		return nil, fmt.Errorf("%v backupschedule resource is not found. e: %w", *backupScheduleRef, err)
+		return nil, fmt.Errorf("%v AtlasBackupSchedule resource is not found. e: %w", *backupScheduleRef, err)
 	}
 
 	resourceVersionIsValid := customresource.ValidateResourceVersion(service, bSchedule, r.Log)
@@ -132,7 +132,7 @@ func (r *AtlasDeploymentReconciler) ensureBackupPolicy(
 	bPolicy := &mdbv1.AtlasBackupPolicy{}
 	err := r.Client.Get(ctx, bPolicyRef, bPolicy)
 	if err != nil {
-		return nil, fmt.Errorf("unable to get backuppolicy resource %s. e: %w", bPolicyRef.String(), err)
+		return nil, fmt.Errorf("unable to get AtlasBackupPolicy resource %s. e: %w", bPolicyRef.String(), err)
 	}
 
 	resourceVersionIsValid := customresource.ValidateResourceVersion(service, bPolicy, r.Log)
@@ -251,13 +251,13 @@ func (r *AtlasDeploymentReconciler) updateBackupScheduleAndPolicy(
 	}
 
 	if equal {
-		r.Log.Debug("backupschedules are equal, nothing to change")
+		r.Log.Debug("backup schedules are equal, nothing to change")
 		return nil
 	}
 
 	r.Log.Debugf("applying backup configuration: %v", *bSchedule)
 	if _, _, err := service.Client.CloudProviderSnapshotBackupPolicies.Update(ctx, projectID, clusterName, apiScheduleReq); err != nil {
-		return fmt.Errorf("unable to create backupschedule %s. e: %w", client.ObjectKeyFromObject(bSchedule).String(), err)
+		return fmt.Errorf("unable to create backup schedule %s. e: %w", client.ObjectKeyFromObject(bSchedule).String(), err)
 	}
 	r.Log.Infof("successfully updated backup configuration for deployment %v", clusterName)
 	return nil

pkg/controller/atlasdeployment/serverless_deployment.go

@@ -13,8 +13,12 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/workflow"
 )
 
-func ensureServerlessInstanceState(ctx *workflow.Context, project *mdbv1.AtlasProject, serverlessSpec *mdbv1.ServerlessSpec) (atlasDeployment *mongodbatlas.Cluster, _ workflow.Result) {
-	atlasDeployment, resp, err := ctx.Client.ServerlessInstances.Get(context.Background(), project.Status.ID, serverlessSpec.Name)
+func (r *AtlasDeploymentReconciler) ensureServerlessInstanceState(ctx context.Context, workflowCtx *workflow.Context, project *mdbv1.AtlasProject, deployment *mdbv1.AtlasDeployment) (atlasDeployment *mongodbatlas.Cluster, _ workflow.Result) {
+	if deployment == nil || deployment.Spec.ServerlessSpec == nil {
+		return nil, workflow.Terminate(workflow.ServerlessPrivateEndpointReady, "deployment spec is empty")
+	}
+	serverlessSpec := deployment.Spec.ServerlessSpec
+	atlasDeployment, resp, err := workflowCtx.Client.ServerlessInstances.Get(context.Background(), project.Status.ID, serverlessSpec.Name)
 	if err != nil {
 		if resp == nil {
 			return atlasDeployment, workflow.Terminate(workflow.Internal, err.Error())
@@ -24,8 +28,8 @@ func ensureServerlessInstanceState(ctx *workflow.Context, project *mdbv1.AtlasPr
 			return atlasDeployment, workflow.Terminate(workflow.DeploymentNotCreatedInAtlas, err.Error())
 		}
 
-		ctx.Log.Infof("Serverless Instance %s doesn't exist in Atlas - creating", serverlessSpec.Name)
-		atlasDeployment, _, err = ctx.Client.ServerlessInstances.Create(context.Background(), project.Status.ID, &mongodbatlas.ServerlessCreateRequestParams{
+		workflowCtx.Log.Infof("Serverless Instance %s doesn't exist in Atlas - creating", serverlessSpec.Name)
+		atlasDeployment, _, err = workflowCtx.Client.ServerlessInstances.Create(context.Background(), project.Status.ID, &mongodbatlas.ServerlessCreateRequestParams{
 			Name: serverlessSpec.Name,
 			ProviderSettings: &mongodbatlas.ServerlessProviderSettings{
 				BackingProviderName: serverlessSpec.ProviderSettings.BackingProviderName,
@@ -40,7 +44,7 @@ func ensureServerlessInstanceState(ctx *workflow.Context, project *mdbv1.AtlasPr
 
 	switch atlasDeployment.StateName {
 	case status.StateIDLE:
-		result := ensureServerlessPrivateEndpoints(ctx, project.ID(), serverlessSpec, atlasDeployment.Name)
+		result := ensureServerlessPrivateEndpoints(ctx, workflowCtx, project.ID(), deployment, atlasDeployment.Name, false)
 		return atlasDeployment, result
 	case status.StateCREATING:
 		return atlasDeployment, workflow.InProgress(workflow.DeploymentCreating, "deployment is provisioning")

pkg/controller/atlasdeployment/serverless_private_endpoint.go

@@ -2,6 +2,7 @@ package atlasdeployment
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/util/stringutil"
@@ -14,6 +15,7 @@ import (
 
 	mdbv1 "github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/api/v1/provider"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/customresource"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/workflow"
 )
 
@@ -28,10 +30,30 @@ const (
 	SPEStatusFailed     = "FAILED"     //stage 2
 )
 
-func ensureServerlessPrivateEndpoints(service *workflow.Context, groupID string, deploymentSpec *mdbv1.ServerlessSpec, deploymentName string) workflow.Result {
-	if deploymentSpec == nil {
+func ensureServerlessPrivateEndpoints(ctx context.Context, service *workflow.Context, groupID string, deployment *mdbv1.AtlasDeployment, deploymentName string, protected bool) workflow.Result {
+	if deployment == nil || deployment.Spec.ServerlessSpec == nil {
 		return workflow.Terminate(workflow.ServerlessPrivateEndpointReady, "deployment spec is empty")
 	}
+	deploymentSpec := deployment.Spec.ServerlessSpec
+
+	canReconcile, err := canServerlessPrivateEndpointsReconcile(ctx, service.Client, protected, groupID, deployment)
+	if err != nil {
+		result := workflow.Terminate(workflow.Internal, fmt.Sprintf("unable to resolve ownership for deletion protection: %s", err))
+		service.SetConditionFromResult(status.AlertConfigurationReadyType, result)
+
+		return result
+	}
+
+	if !canReconcile {
+		result := workflow.Terminate(
+			workflow.AtlasDeletionProtection,
+			"unable to reconcile Serverless Private Endpoints due to deletion protection being enabled. see https://dochub.mongodb.org/core/ako-deletion-protection for further information",
+		)
+		service.SetConditionFromResult(status.AlertConfigurationReadyType, result)
+
+		return result
+	}
+
 	providerName := GetServerlessProvider(deploymentSpec)
 	if providerName == provider.ProviderGCP {
 		if len(deploymentSpec.PrivateEndpoints) == 0 {
@@ -57,6 +79,36 @@ func ensureServerlessPrivateEndpoints(service *workflow.Context, groupID string,
 	return result
 }
 
+func canServerlessPrivateEndpointsReconcile(ctx context.Context, atlasClient mongodbatlas.Client, protected bool, groupID string, deployment *mdbv1.AtlasDeployment) (bool, error) {
+	if !protected {
+		return true, nil
+	}
+
+	latestConfig := &mdbv1.AtlasDeployment{}
+	latestConfigString, ok := deployment.Annotations[customresource.AnnotationLastAppliedConfiguration]
+	if ok {
+		if err := json.Unmarshal([]byte(latestConfigString), latestConfig); err != nil {
+			return false, err
+		}
+	}
+
+	list, _, err := atlasClient.ServerlessPrivateEndpoints.List(
+		ctx,
+		groupID,
+		deployment.Spec.ServerlessSpec.Name,
+		&mongodbatlas.ListOptions{},
+	)
+	if err != nil {
+		return false, err
+	}
+
+	if len(list) == 0 {
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func GetServerlessProvider(deploymentSpec *mdbv1.ServerlessSpec) provider.ProviderName {
 	if deploymentSpec.ProviderSettings.ProviderName != provider.ProviderServerless {
 		return deploymentSpec.ProviderSettings.ProviderName

pkg/controller/atlasdeployment/serverless_private_endpoint_test.go

@@ -0,0 +1,11 @@
+package atlasdeployment
+
+import "testing"
+
+func TestCanServerlessPrivateEndpointsReconcile(t *testing.T) {
+	t.Run("should return true when subResourceDeletionProtection is disabled", func(t *testing.T) {
+		// result, err := canCloudProviderAccessReconcile(context.TODO(), mongodbatlas.Client{}, false, &mdbv1.AtlasProject{})
+		// require.NoError(t, err)
+		// require.True(t, result)
+	})
+}

test/int/deployment_test.go

@@ -865,7 +865,7 @@ var _ = Describe("AtlasDeployment", Label("int", "AtlasDeployment"), func() {
 				lastGeneration++
 			})
 
-			By(fmt.Sprintf("Update Instance Size Margins with AutoScaling for Deployemnt %s", kube.ObjectKeyFromObject(createdDeployment)), func() {
+			By(fmt.Sprintf("Update Instance Size Margins with AutoScaling for Deployment %s", kube.ObjectKeyFromObject(createdDeployment)), func() {
 				regionConfig := createdDeployment.Spec.AdvancedDeploymentSpec.ReplicationSpecs[0].RegionConfigs[0]
 				regionConfig.AutoScaling.Compute.MinInstanceSize = "M20"
 				regionConfig.ElectableSpecs.InstanceSize = "M20"