chore: Restrict fix/service-account-deletion to SA race condition only

lbeckman314 · lbeckman314 · commit d413aa45e17e · 2026-05-28T19:55:19.000-07:00
Move backend.go and backend_test.go resource cleanup changes to review/service-account-deletion (PR #1423) per reviewer request. PR #1421 should only contain the ServiceAccount deletion race condition fix. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Assisted-by: Claude Code:claude [Claude Code]
diff --git a/compute/kubernetes/backend.go b/compute/kubernetes/backend.go
@@ -296,6 +296,29 @@ func (b *Backend) cleanResources(ctx context.Context, taskId string) error {
 		b.log.Error("deleting Job", "error", err)
 	}
 
+	// Delete PVC
+	err = resources.DeletePVC(ctx, taskId, b.conf.Kubernetes.JobsNamespace, b.client, b.log)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+		b.log.Error("deleting Worker PVC", "error", err)
+	}
+
+	// Delete per-task ConfigMap only if ConfigMapTemplate was configured
+	if b.conf.Kubernetes.ConfigMapTemplate != "" {
+		err = resources.DeleteConfigMap(ctx, taskId, b.conf.Kubernetes.JobsNamespace, b.client, b.log)
+		if err != nil {
+			errs = multierror.Append(errs, err)
+			b.log.Error("deleting Worker ConfigMap", "error", err)
+		}
+	}
+
+	// Delete RoleBinding
+	err = resources.DeleteRoleBinding(ctx, taskId, b.conf.Kubernetes.JobsNamespace, b.client, b.log)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+		b.log.Error("deleting Job", "error", err)
+	}
+
 	// Determine the ServiceAccount for this task.
 	// Default to the conventional task-scoped name; override if the task
 	// specifies an externally-managed SA via the _WORKER_SA tag.
@@ -314,6 +337,13 @@ func (b *Backend) cleanResources(ctx context.Context, taskId string) error {
 		b.log.Error("deleting Worker ServiceAccount", "taskID", taskId, "error", err)
 	}
 
+	// Delete Role
+	err = resources.DeleteRole(ctx, taskId, b.conf.Kubernetes.JobsNamespace, b.client, b.log)
+	if err != nil {
+		errs = multierror.Append(errs, err)
+		b.log.Error("deleting Worker Role", "error", err)
+	}
+
 	// Delete PV
 	err = resources.DeletePV(ctx, taskId, b.conf.Kubernetes.JobsNamespace, b.client, b.log)
 	if err != nil {
@@ -671,8 +701,6 @@ func (b *Backend) CleanOrphanedResources(ctx context.Context) {
 		}
 	}
 
-	// TODO: Add Executor Jobs here beacause orphaned tasks can result in orphaned jobs
-
 	for taskID := range taskIDs {
 		clean, err := b.isResourceCleanupNeeded(ctx, taskID)
 		if err != nil {
diff --git a/compute/kubernetes/backend_test.go b/compute/kubernetes/backend_test.go
@@ -86,14 +86,6 @@ func TestTaskSubmission(t *testing.T) {
 	// Create a fake Kubernetes client
 	fakeClient := fake.NewSimpleClientset()
 
-	// Inject a deterministic UID on every Job create so ownerRef propagation can be verified.
-	const testJobUID = "test-job-uid-1234"
-	fakeClient.PrependReactor("create", "jobs", func(action k8stesting.Action) (bool, runtime.Object, error) {
-		obj := action.(k8stesting.CreateAction).GetObject().(*batchv1.Job)
-		obj.UID = testJobUID
-		return false, obj, nil
-	})
-
 	// Create a mock configuration
 	conf := config.DefaultConfig()
 	conf.Kubernetes.Namespace = "test-namespace"
@@ -163,18 +155,12 @@ spec:
 		t.Errorf("expected Job name '%s', got '%s'", task.Id, job.Name)
 	}
 
-	// Verify that the ConfigMap was created with the Job's UID in its ownerRef.
+	// Verify that the ConfigMap was created
 	configMapName := "funnel-worker-config-" + task.Id
-	cm, err := fakeClient.CoreV1().ConfigMaps(conf.Kubernetes.JobsNamespace).Get(context.Background(), configMapName, metav1.GetOptions{})
+	_, err = fakeClient.CoreV1().ConfigMaps(conf.Kubernetes.JobsNamespace).Get(context.Background(), configMapName, metav1.GetOptions{})
 	if err != nil {
 		t.Fatalf("failed to get ConfigMap: %v", err)
 	}
-	if len(cm.OwnerReferences) == 0 {
-		t.Fatal("expected ConfigMap to have an ownerReference, but got none")
-	}
-	if got := cm.OwnerReferences[0].UID; got != testJobUID {
-		t.Errorf("expected ConfigMap ownerRef UID %q, got %q", testJobUID, got)
-	}
 
 	// Clean up resources
 	err = backend.cleanResources(context.Background(), task.Id)
@@ -188,9 +174,11 @@ spec:
 		t.Error("expected Job to be deleted, but it still exists")
 	}
 
-	// ConfigMap deletion is handled by Kubernetes garbage collection via ownerReferences,
-	// not explicitly by cleanResources. The fake clientset does not simulate cascading GC,
-	// so we only verify the ownerRef is set correctly (asserted above).
+	// Verify that the ConfigMap was deleted
+	_, err = fakeClient.CoreV1().ConfigMaps(conf.Kubernetes.JobsNamespace).Get(context.Background(), configMapName, metav1.GetOptions{})
+	if err == nil {
+		t.Error("expected ConfigMap to be deleted, but it still exists")
+	}
 
 }
 
