Add user documentation for drift detection and external deletion

Add user-facing documentation covering periodic resync configuration,
drift detection behavior, and external deletion handling. Update the
enhancement proposal to reflect the final two-tier resync period
resolution design.

Author: eshulman2

enhancements/drift-detection.md

@@ -2,10 +2,10 @@
 
 | Field | Value |
 |-------|-------|
-| **Status** | implementable |
+| **Status** | implemented |
 | **Author(s)** | @eshulman |
 | **Created** | 2026-02-03 |
-| **Last Updated** | 2026-02-03 |
+| **Last Updated** | 2026-02-10 |
 | **Tracking Issue** | TBD |
 
 ## Summary
@@ -227,7 +227,7 @@ Drift detection covers all **mutable fields** that ORC actuators implement updat
 
 **Mitigation**:
 - Disabled by default; when enabled, recommend conservative intervals (e.g., 10 hours)
-- Add random jitter to resync times to avoid thundering herd: since reconciliation already uses "requeue after X duration", jitter simply adds a random offset (e.g., ±10%) to the resync period, spreading resyncs over time rather than having them fire simultaneously
+- Add random jitter to resync times to avoid thundering herd: since reconciliation already uses "requeue after X duration", jitter simply adds a random offset (e.g., [0%, +20%]) to the resync period, spreading resyncs over time rather than having them fire simultaneously
 - Allow operators to disable or lengthen resync for stable resources
 
 ### Controller Resource Consumption
@@ -275,3 +275,37 @@ Implement a watcher that periodically lists all resources from OpenStack and com
 ## Implementation History
 
 - 2026-02-03: Enhancement proposed
+- 2026-02-03: Implemented — all tasks completed
+
+### Implemented Components
+
+The following have been implemented:
+
+**API Changes**
+- Added `spec.resyncPeriod` field (`*metav1.Duration`) to all ORC resource types
+- Added `status.lastSyncTime` field (`*metav1.Time`) to all ORC resource types
+
+**Periodic Resync**
+- `shouldReconcile` updated to check `lastSyncTime` against `resyncPeriod` for time-based resync
+- Jitter ([0%, +20%]) applied to resync scheduling via `resync.CalculateJitteredDuration`
+- `status.lastSyncTime` written on every successful reconciliation cycle
+- Resources in terminal error state are not rescheduled
+
+**External Deletion Handling**
+- `IsImported()` method added to `APIObjectAdapter` interface (all resource adapters)
+- `GetOrCreateOSResource` branches on management policy and import status when 404 is received:
+  - Managed, non-imported resources → `(nil, nil)` to trigger recreation
+  - Unmanaged or imported resources → terminal error
+- `status.ClearStatusID` clears `status.id` before recreation (using JSON merge patch with explicit `null`)
+- `reconcileNormal` handles the `(nil, nil)` recreation signal from `GetOrCreateOSResource`
+
+**E2E Tests**
+- `network-resync-period`: verifies `lastSyncTime` is updated after configured period
+- `network-resync-disabled`: verifies `lastSyncTime` is not updated when `resyncPeriod: 0`
+- `network-resync-terminal-error`: verifies terminal errors are not rescheduled
+- `network-resync-jitter`: verifies independent jitter-based scheduling for multiple resources
+- `network-external-deletion`: verifies managed ORC-created network is recreated with new ID after external deletion
+- `network-external-deletion-import`: verifies imported network enters terminal error state after external deletion
+
+**Documentation**
+- `website/docs/user-guide/drift-detection.md`: user-facing documentation covering external deletion behavior, resync configuration, verification steps, and implications for dependent resources

website/docs/user-guide/drift-detection.md

@@ -0,0 +1,189 @@
+# Drift Detection and External Deletion Handling
+
+ORC can periodically reconcile resources to detect and correct configuration drift — changes made to OpenStack resources outside of ORC's control. This feature also detects when managed resources have been deleted directly from OpenStack and recreates them automatically.
+
+## Enabling Drift Detection
+
+Drift detection is disabled by default. Enable it per-resource by setting `spec.resyncPeriod`:
+
+```yaml
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: Network
+metadata:
+  name: critical-network
+spec:
+  cloudCredentialsRef:
+    secretName: openstack-clouds
+    cloudName: openstack
+  managementPolicy: managed
+  resyncPeriod: 1h   # Re-check OpenStack every hour
+  resource:
+    description: Critical application network
+```
+
+The `resyncPeriod` field accepts any Go duration string: `10m`, `1h`, `24h`, etc.
+
+**Default:** `0` (disabled). When disabled, ORC only reconciles resources in response to spec changes or controller restarts.
+
+!!! note
+
+    Conservative resync periods (e.g., `1h` or `10h`) are recommended in production to avoid excessive OpenStack API calls.
+
+## How It Works
+
+After a resource reaches a stable state (`Progressing=False`), ORC schedules a reconciliation after the configured `resyncPeriod`. On each resync:
+
+1. ORC fetches the current state of the OpenStack resource.
+2. For **managed** resources: if drift is detected, ORC updates the resource to match the Kubernetes spec.
+3. For **unmanaged** resources: ORC refreshes `status.resource` to reflect the current OpenStack state, but makes no changes.
+4. The next resync is scheduled.
+
+A small random jitter ([0%, +20%]) is applied to `resyncPeriod` to spread reconciliations and avoid thundering-herd effects.
+
+!!! note
+
+    Resources in a terminal error state (`Progressing=False` with reason `InvalidConfiguration` or `UnrecoverableError`) are **not** periodically resynced. Terminal errors require manual intervention to resolve.
+
+## Tracking Sync Status
+
+Every ORC resource has a `status.lastSyncTime` field that records when ORC last successfully reconciled with OpenStack:
+
+```bash
+kubectl get network critical-network -o jsonpath='{.status.lastSyncTime}'
+# 2026-02-03T10:30:00Z
+```
+
+ORC persists this timestamp in the Kubernetes status. After a controller restart, it uses `lastSyncTime` to determine when the next resync should occur, preventing a thundering herd of reconciliations on startup.
+
+## External Deletion Handling
+
+When a resource is deleted directly from OpenStack (bypassing ORC), the behavior depends on how ORC originally obtained the resource.
+
+### ORC-Created Resources (Managed, Not Imported)
+
+If you created the resource through ORC's `spec.resource` field, ORC **recreates** it automatically:
+
+1. ORC detects the resource is missing from OpenStack (the ID stored in `status.id` no longer exists).
+2. ORC clears `status.id`.
+3. On the next reconcile, ORC creates a new OpenStack resource.
+4. The new resource ID is stored in `status.id`.
+
+The ORC object continues to exist and becomes `Available=True` again once the resource is recreated.
+
+```yaml
+# This type of resource will be recreated if deleted from OpenStack
+spec:
+  managementPolicy: managed
+  resyncPeriod: 10m  # Enable resync to detect deletion quickly
+  resource:          # Resource was created by ORC
+    description: My application network
+```
+
+!!! warning
+
+    Recreation produces a new OpenStack resource with a **new ID**. Any OpenStack resources (outside ORC) that referenced the old ID will need to be updated manually.
+
+### Imported Resources (Terminal Error)
+
+If you imported an existing resource using `spec.import`, ORC reports a **terminal error** when the resource is deleted from OpenStack:
+
+- `Available=False`
+- `Progressing=False`
+- Condition reason: `UnrecoverableError`
+- Message: `resource has been deleted from OpenStack`
+
+ORC does **not** recreate imported resources because it did not create them originally, and recreating a new empty resource would not restore what was lost.
+
+```yaml
+# This type of resource enters terminal error if deleted from OpenStack
+spec:
+  managementPolicy: managed
+  import:
+    id: "12345678-1234-1234-1234-123456789abc"  # Was imported by ID
+```
+
+```yaml
+# This type also enters terminal error if deleted from OpenStack
+spec:
+  managementPolicy: unmanaged
+  import:
+    filter:
+      name: public  # Was imported by filter
+```
+
+To recover: manually recreate the OpenStack resource and update the ORC object's `spec.import.id` to the new resource ID, or delete and recreate the ORC object.
+
+### Summary Table
+
+| Resource Type | How Obtained | External Deletion Behavior |
+|--------------|--------------|---------------------------|
+| Managed, ORC-created | `spec.resource` | **Recreated** automatically |
+| Managed, imported by ID | `spec.import.id` | **Terminal error** |
+| Managed, imported by filter | `spec.import.filter` | **Terminal error** |
+| Unmanaged | `spec.import.*` | **Terminal error** |
+
+## Verifying Recreation Occurred
+
+When an ORC-created resource is recreated after external deletion, `status.id` changes to reflect the new OpenStack resource ID. Monitor this to detect recreation events:
+
+```bash
+# Record the current ID
+ORIGINAL_ID=$(kubectl get network my-network -o jsonpath='{.status.id}')
+echo "Original ID: $ORIGINAL_ID"
+
+# ... some time later, check if it changed ...
+CURRENT_ID=$(kubectl get network my-network -o jsonpath='{.status.id}')
+if [ "$ORIGINAL_ID" != "$CURRENT_ID" ]; then
+  echo "Resource was recreated! New ID: $CURRENT_ID"
+fi
+```
+
+You can also watch the resource for status changes:
+
+```bash
+kubectl get network my-network -w
+```
+
+During recreation, you will observe:
+
+1. `Available=False`, `Progressing=True` — ORC is recreating the resource
+2. `Available=True`, `Progressing=False` — Recreation complete, `status.id` has new value
+
+## Implications for Dependent Resources
+
+OpenStack enforces referential integrity for most resource relationships (e.g., a Network cannot be deleted while Subnets exist). If an external deletion manages to bypass these constraints (e.g., direct database manipulation), the behavior of dependent ORC resources follows these rules:
+
+### If a Parent Resource Is Recreated
+
+When a parent resource (e.g., Network) is recreated by ORC, dependent resources that reference it (e.g., Subnets) detect the parent as available again but may encounter errors when OpenStack rejects operations referencing the old parent ID. **Manual intervention may be required** to recreate dependent resources against the new parent.
+
+### If a Parent Resource Enters Terminal Error
+
+When a parent resource enters terminal error:
+
+- **Dependent resources waiting on it** (e.g., a Subnet waiting for its Network): ORC will not proceed — it waits until the parent becomes available again. The dependent is not itself in an error state; it is just waiting.
+- **Dependent resources already created**: ORC continues managing them normally. If ORC attempts to update a dependent resource that references a deleted parent in OpenStack, the behavior depends on what OpenStack returns for that operation.
+
+!!! warning
+
+    If a parent resource is externally deleted in a way that bypasses OpenStack's referential integrity checks, the resulting state may require manual cleanup of both the parent and dependent resources. This is an unusual operational scenario and not specific to drift detection.
+
+## Interaction with `managementPolicy: unmanaged`
+
+Unmanaged resources are never modified by ORC. With `resyncPeriod` set, ORC will periodically refresh `status.resource` to reflect the current OpenStack state. However, if the OpenStack resource is deleted, ORC will report a terminal error — it does not recreate unmanaged resources under any circumstances.
+
+```yaml
+spec:
+  managementPolicy: unmanaged
+  resyncPeriod: 1h   # Refresh status every hour, but never modify OpenStack
+  import:
+    id: "12345678-1234-1234-1234-123456789abc"
+```
+
+## Drift Detection Without Resync
+
+Even with `resyncPeriod: 0` (the default, disabled), ORC will still detect external deletion when another event triggers reconciliation — for example, when you make a spec change or the controller restarts. The recreation or terminal error behavior is the same; the difference is only in how quickly ORC detects the deletion.
+
+!!! tip
+
+    If you want rapid detection of external deletions for critical resources, set a short `resyncPeriod` (e.g., `10m`).

website/docs/user-guide/index.md

@@ -122,6 +122,15 @@ spec:
     ipVersion: 4
 ```
 
+### Drift Detection and External Deletion
+
+ORC can periodically reconcile resources to detect configuration drift and recreate managed resources that are deleted directly from OpenStack. See [Drift Detection](drift-detection.md) for details on:
+
+- How to enable periodic resync with `spec.resyncPeriod`
+- How ORC handles externally deleted resources (recreation vs. terminal error)
+- How to verify that recreation occurred by checking `status.id`
+- Implications for dependent resources
+
 ### Understanding Status and Conditions
 
 Every ORC resource reports its status through two conditions: `Available` (whether the resource is ready for use) and `Progressing` (whether ORC is still working on it). For detailed information about conditions and their meanings, see [Troubleshooting: Status Conditions Explained](../troubleshooting.md#status-conditions-explained).

website/mkdocs.yml

@@ -7,7 +7,9 @@ nav:
   - Getting Started:
     - Installation: installation.md
     - Quick Start: getting-started.md
-  - User Guide: user-guide/index.md
+  - User Guide:
+    - Overview: user-guide/index.md
+    - Drift Detection: user-guide/drift-detection.md
   - CRD Reference: crd-reference.md
   - Troubleshooting: troubleshooting.md
   - Contributing: