mongodb · josvazg · Mar 26, 2025 · Mar 10, 2025 · Mar 11, 2025 · Mar 11, 2025
@@ -110,10 +110,10 @@ func (r *AtlasProjectReconciler) Reconcile(ctx context.Context, req ctrl.Request
 			}
 		}
 
-		err := customresource.ApplyLastConfigSkipped(ctx, atlasProject, r.Client)
-		if err != nil {
-			log.Errorw("Failed to apply last skipped config", "error", err)
-			return workflow.Terminate(workflow.Internal, err).ReconcileResult(), nil
+		if err := r.clearLastAppliedMigratedResources(ctx, atlasProject); err != nil {
+			result = workflow.Terminate(workflow.Internal, err)
+			log.Errorw("Failed to clear migrated independent resources", "error", err)
+			return result.ReconcileResult(), nil
 		}
 
 		return workflow.OK().ReconcileResult(), nil
@@ -376,3 +376,24 @@ func lastAppliedSpecFrom(atlasProject *akov2.AtlasProject) (*akov2.AtlasProjectS
 
 	return &lastApplied.Spec, nil
 }
+
+func (r *AtlasProjectReconciler) clearLastAppliedMigratedResources(ctx context.Context, atlasProject *akov2.AtlasProject) error {
+	clearedCfg, err := customresource.ParseLastConfigApplied[akov2.AtlasProjectSpec](atlasProject)
+	if err != nil {
+		return fmt.Errorf("failed to parse last applied config annotation: %w", err)
+	}
+	if clearedCfg == nil { // nothing to patch
+		return nil
+	}
+	// clear all resources migrated as independent CRDs to avoid eager
+	// reconciliation that might conflict with independent CRs and apply
+	clearedCfg.CustomRoles = nil
+	clearedCfg.PrivateEndpoints = nil
+	clearedCfg.ProjectIPAccessList = nil
+	clearedCfg.NetworkPeers = nil
+
+	if err := customresource.PatchLastConfigApplied(ctx, r.Client, atlasProject, clearedCfg); err != nil {
+		return fmt.Errorf("failed to clear migrated resources in last applied config annotation: %w", err)
+	}
+	return nil
+}
@@ -23,6 +23,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
@@ -31,6 +32,7 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/common"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/project"
 	atlas_controllers "github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/atlas"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/customresource"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/workflow"
@@ -418,9 +420,8 @@ func TestLastSpecFrom(t *testing.T) {
 
 		"should return nil when there is no last spec": {},
 		"should return error when last spec annotation is wrong": {
-			annotations: map[string]string{"mongodb.com/last-applied-configuration": "{wrong}"},
-			expectedError: "error reading AtlasProject Spec from annotation [mongodb.com/last-applied-configuration]:" +
-				" invalid character 'w' looking for beginning of object key string",
+			annotations:   map[string]string{"mongodb.com/last-applied-configuration": "{wrong}"},
+			expectedError: "invalid character 'w' looking for beginning of object key string",
 		},
 		"should return last spec": {
 			annotations: map[string]string{"mongodb.com/last-applied-configuration": "{\"name\": \"my-project\"}"},
@@ -442,6 +443,142 @@ func TestLastSpecFrom(t *testing.T) {
 	}
 }
 
+func TestSkipClearsMigratedResourcesLastConfig(t *testing.T) {
+	ctx := context.Background()
+	prj := akov2.AtlasProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        "test-project",
+			Namespace:   "test-ns",
+			Annotations: map[string]string{},
+		},
+		Spec: akov2.AtlasProjectSpec{
+			Name:                      "test-project",
+			PrivateEndpoints:          []akov2.PrivateEndpoint{{}},
+			CloudProviderAccessRoles:  []akov2.CloudProviderAccessRole{{}},
+			CloudProviderIntegrations: []akov2.CloudProviderIntegration{{}},
+			AlertConfigurations:       []akov2.AlertConfiguration{{}},
+			NetworkPeers:              []akov2.NetworkPeer{{}},
+			X509CertRef:               &common.ResourceRefNamespaced{},
+			Integrations:              []project.Integration{{}},
+			EncryptionAtRest:          &akov2.EncryptionAtRest{},
+			Auditing:                  &akov2.Auditing{},
+			Settings:                  &akov2.ProjectSettings{},
+			CustomRoles:               []akov2.CustomRole{{}},
+			Teams:                     []akov2.Team{{}},
+			BackupCompliancePolicyRef: &common.ResourceRefNamespaced{},
+			ConnectionSecret:          &common.ResourceRefNamespaced{},
+			ProjectIPAccessList:       []project.IPAccessList{{}},
+			MaintenanceWindow:         project.MaintenanceWindow{},
+		},
+	}
+	prj.Annotations[customresource.AnnotationLastAppliedConfiguration] = jsonize(t, prj.Spec)
+	prj.Annotations[customresource.ReconciliationPolicyAnnotation] = customresource.ReconciliationPolicySkip
+	testScheme := runtime.NewScheme()
+	require.NoError(t, akov2.AddToScheme(testScheme))
+	require.NoError(t, corev1.AddToScheme(testScheme))
+	k8sClient := fake.NewClientBuilder().
+		WithScheme(testScheme).
+		WithObjects(&prj).
+		WithStatusSubresource(&prj).
+		Build()
+
+	req := ctrl.Request{NamespacedName: types.NamespacedName{
+		Name:      prj.Name,
+		Namespace: prj.Namespace,
+	}}
+	r := AtlasProjectReconciler{
+		Client:        k8sClient,
+		Log:           zaptest.NewLogger(t).Sugar(),
+		EventRecorder: record.NewFakeRecorder(30),
+		AtlasProvider: &atlas.TestProvider{
+			IsCloudGovFunc: func() bool {
+				return false
+			},
+			IsSupportedFunc: func() bool {
+				return true
+			},
+		},
+	}
+
+	result, err := r.Reconcile(ctx, req)
+
+	require.Equal(t, reconcile.Result{}, result)
+	require.NoError(t, err)
+	require.NoError(t, k8sClient.Get(ctx, client.ObjectKeyFromObject(&prj), &prj))
+	lastApplied, err := customresource.ParseLastConfigApplied[akov2.AtlasProjectSpec](&prj)
+	require.NoError(t, err)
+	wantLastApplied := &akov2.AtlasProjectSpec{
+		Name:                      "test-project",
+		PrivateEndpoints:          nil,
+		CustomRoles:               nil,
+		NetworkPeers:              nil,
+		ProjectIPAccessList:       nil,
+		CloudProviderAccessRoles:  []akov2.CloudProviderAccessRole{{}},
+		CloudProviderIntegrations: []akov2.CloudProviderIntegration{{}},
+		AlertConfigurations:       []akov2.AlertConfiguration{{}},
+		X509CertRef:               &common.ResourceRefNamespaced{},
+		Integrations:              []project.Integration{{}},
+		EncryptionAtRest:          &akov2.EncryptionAtRest{},
+		Auditing:                  &akov2.Auditing{},
+		Settings:                  &akov2.ProjectSettings{},
+		Teams:                     []akov2.Team{{}},
+		BackupCompliancePolicyRef: &common.ResourceRefNamespaced{},
+		ConnectionSecret:          &common.ResourceRefNamespaced{},
+	}
+	assert.Equal(t, wantLastApplied, lastApplied)
+}
+
+func TestSkipClearsMigratedResourcesLastConfigDoesNotPanic(t *testing.T) {
+	ctx := context.Background()
+	prj := akov2.AtlasProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        "test-project",
+			Namespace:   "test-ns",
+			Annotations: map[string]string{},
+		},
+		Spec: akov2.AtlasProjectSpec{
+			Name: "test-project",
+		},
+	}
+	prj.Annotations[customresource.ReconciliationPolicyAnnotation] = customresource.ReconciliationPolicySkip
+	testScheme := runtime.NewScheme()
+	require.NoError(t, akov2.AddToScheme(testScheme))
+	require.NoError(t, corev1.AddToScheme(testScheme))
+	k8sClient := fake.NewClientBuilder().
+		WithScheme(testScheme).
+		WithObjects(&prj).
+		WithStatusSubresource(&prj).
+		Build()
+
+	req := ctrl.Request{NamespacedName: types.NamespacedName{
+		Name:      prj.Name,
+		Namespace: prj.Namespace,
+	}}
+	r := AtlasProjectReconciler{
+		Client:        k8sClient,
+		Log:           zaptest.NewLogger(t).Sugar(),
+		EventRecorder: record.NewFakeRecorder(30),
+		AtlasProvider: &atlas.TestProvider{
+			IsCloudGovFunc: func() bool {
+				return false
+			},
+			IsSupportedFunc: func() bool {
+				return true
+			},
+		},
+	}
+
+	result, err := r.Reconcile(ctx, req)
+
+	require.Equal(t, reconcile.Result{}, result)
+	require.NoError(t, err)
+	require.NoError(t, k8sClient.Get(ctx, client.ObjectKeyFromObject(&prj), &prj))
+	lastApplied, err := customresource.ParseLastConfigApplied[akov2.AtlasProjectSpec](&prj)
+	require.NoError(t, err)
+	wantLastApplied := (*akov2.AtlasProjectSpec)(nil)
+	assert.Equal(t, wantLastApplied, lastApplied)
+}
+
 func jsonize(t *testing.T, obj any) string {
 	t.Helper()
 

@@ -22,20 +22,6 @@ type roleController struct {
 	service customroles.CustomRoleService
 }
 
-func shouldCustomRolesSkipReconciling(atlasProject *akov2.AtlasProject) (bool, error) {
-	lastSkippedSpec := akov2.AtlasProjectSpec{}
-	lastSkippedSpecString, ok := atlasProject.Annotations[customresource.AnnotationLastSkippedConfiguration]
-	if ok {
-		if err := json.Unmarshal([]byte(lastSkippedSpecString), &lastSkippedSpec); err != nil {
-			return false, fmt.Errorf("failed to parse last skipped configuration: %w", err)
-		}
-
-		return len(lastSkippedSpec.CustomRoles) == 0, nil
-	}
-
-	return false, nil
-}
-
 func getLastAppliedCustomRoles(atlasProject *akov2.AtlasProject) ([]akov2.CustomRole, error) {
 	lastAppliedSpec := akov2.AtlasProjectSpec{}
 	lastAppliedSpecStr, ok := atlasProject.Annotations[customresource.AnnotationLastAppliedConfiguration]
@@ -76,16 +62,6 @@ func convertToInternalRoles(roles []akov2.CustomRole) []customroles.CustomRole {
 }
 
 func ensureCustomRoles(workflowCtx *workflow.Context, project *akov2.AtlasProject) workflow.Result {
-	skipped, err := shouldCustomRolesSkipReconciling(project)
-	if err != nil {
-		return workflow.Terminate(workflow.Internal, err)
-	}
-
-	if skipped {
-		workflowCtx.UnsetCondition(api.ProjectCustomRolesReadyType)
-		return workflow.OK()
-	}
-
 	lastAppliedCustomRoles, err := getLastAppliedCustomRoles(project)
 	if err != nil {
 		return workflow.Terminate(workflow.Internal, err)

@@ -21,57 +21,6 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/pointer"
 )
 
-func TestShouldCustomRolesSkipReconciling(t *testing.T) {
-	tests := []struct {
-		name        string
-		annotations map[string]string
-		expected    bool
-		shouldFail  bool
-	}{
-		{
-			name:        "No annotations present",
-			annotations: map[string]string{},
-			expected:    false,
-			shouldFail:  false,
-		},
-		{
-			name:        "Annotation present but invalid JSON",
-			annotations: map[string]string{customresource.AnnotationLastSkippedConfiguration: "invalid"},
-			expected:    false,
-			shouldFail:  true,
-		},
-		{
-			name:        "Annotation present with empty CustomRoles",
-			annotations: map[string]string{customresource.AnnotationLastSkippedConfiguration: "{\"CustomRoles\": []}"},
-			expected:    true,
-			shouldFail:  false,
-		},
-		{
-			name:        "Annotation present with non-empty CustomRoles",
-			annotations: map[string]string{customresource.AnnotationLastSkippedConfiguration: "{\"CustomRoles\": [{\"Name\": \"role1\"}]}"},
-			expected:    false,
-			shouldFail:  false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			atlasProject := &akov2.AtlasProject{
-				ObjectMeta: metav1.ObjectMeta{
-					Annotations: tt.annotations,
-				},
-			}
-			result, err := shouldCustomRolesSkipReconciling(atlasProject)
-			if tt.shouldFail {
-				assert.Error(t, err)
-			} else {
-				assert.NoError(t, err)
-			}
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
 func TestEnsureCustomRoles(t *testing.T) {
 	testRole := []akov2.CustomRole{
 		{

@@ -1,15 +1,13 @@
 package atlasproject
 
 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"reflect"
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1/status"
-	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/customresource"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/workflow"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/ipaccesslist"
 )
@@ -130,18 +128,6 @@ func handleIPAccessList(ctx *workflow.Context, project *akov2.AtlasProject) work
 	ctx.Log.Debug("starting ip access list processing")
 	defer ctx.Log.Debug("finished ip access list processing")
 
-	skipped, err := shouldIPAccessListSkipReconciliation(project)
-	if err != nil {
-		return workflow.Terminate(workflow.Internal, err)
-	}
-
-	if skipped {
-		ctx.EnsureStatusOption(status.AtlasProjectExpiredIPAccessOption(nil))
-		ctx.UnsetCondition(api.IPAccessListReadyType)
-
-		return workflow.OK()
-	}
-
 	lastApplied, err := mapLastAppliedIPAccessList(project)
 	if err != nil {
 		return workflow.Terminate(workflow.Internal, fmt.Errorf("failed to get last applied configuration: %w", err))
@@ -157,20 +143,6 @@ func handleIPAccessList(ctx *workflow.Context, project *akov2.AtlasProject) work
 	return c.reconcile()
 }
 
-func shouldIPAccessListSkipReconciliation(atlasProject *akov2.AtlasProject) (bool, error) {
-	lastSkippedSpec := akov2.AtlasProjectSpec{}
-	lastSkippedSpecString, ok := atlasProject.Annotations[customresource.AnnotationLastSkippedConfiguration]
-	if ok {
-		if err := json.Unmarshal([]byte(lastSkippedSpecString), &lastSkippedSpec); err != nil {
-			return false, fmt.Errorf("failed to parse last skipped configuration: %w", err)
-		}
-
-		return len(lastSkippedSpec.ProjectIPAccessList) == 0, nil
-	}
-
-	return false, nil
-}
-
 func mapLastAppliedIPAccessList(atlasProject *akov2.AtlasProject) (ipaccesslist.IPAccessEntries, error) {
 	lastApplied, err := lastAppliedSpecFrom(atlasProject)
 	if err != nil {