fix: resolve merge conflict in sandboxclaim_controller

Author: noeljackson

extensions/controllers/sandboxclaim_controller.go

@@ -434,6 +434,7 @@ func (r *SandboxClaimReconciler) adoptSandboxFromCandidates(ctx context.Context,
 		// Remove warm pool labels so the sandbox no longer appears in warm pool queries
 		delete(adopted.Labels, warmPoolSandboxLabel)
 		delete(adopted.Labels, sandboxTemplateRefHash)
+		delete(adopted.Labels, templateContentHashLabel)
 
 		// Transfer ownership from SandboxWarmPool to SandboxClaim
 		adopted.OwnerReferences = nil
@@ -674,6 +675,27 @@ func (r *SandboxClaimReconciler) getOrCreateSandbox(ctx context.Context, claim *
 		return nil, nil
 	}
 
+	// Filter adoption candidates by template content hash to avoid adopting
+	// sandboxes created from a stale template spec.
+	if len(adoptionCandidates) > 0 {
+		template, err := r.getTemplate(ctx, claim)
+		if err == nil && template != nil {
+			contentHash := templateContentHash(template)
+			var filtered []*v1alpha1.Sandbox
+			for _, c := range adoptionCandidates {
+				if ch := c.Labels[templateContentHashLabel]; ch != "" && ch != contentHash {
+					logger.Info("skipping stale adoption candidate (content hash mismatch)",
+						"sandbox", c.Name,
+						"sandboxHash", ch,
+						"currentHash", contentHash)
+					continue
+				}
+				filtered = append(filtered, c)
+			}
+			adoptionCandidates = filtered
+		}
+	}
+
 	// Try to adopt from warm pool
 	if len(adoptionCandidates) > 0 {
 		logger.V(1).Info("Found warm pool adoption candidates", "count", len(adoptionCandidates), "claim", claim.Name, "warmpool", policy)

extensions/controllers/sandboxclaim_controller_test.go

@@ -1318,6 +1318,217 @@ func TestSandboxClaimCreationMetric(t *testing.T) {
 	})
 }
 
+func TestSandboxClaimAdoptionSkipsStaleContentHash(t *testing.T) {
+	scheme := newScheme(t)
+
+	template := &extensionsv1alpha1.SandboxTemplate{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-template", Namespace: "default"},
+		Spec: extensionsv1alpha1.SandboxTemplateSpec{
+			PodTemplate: sandboxv1alpha1.PodTemplate{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{{Name: "c", Image: "new-image:v2"}},
+				},
+			},
+		},
+	}
+
+	claim := &extensionsv1alpha1.SandboxClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "hash-claim", Namespace: "default",
+			UID: "hash-claim-uid",
+		},
+		Spec: extensionsv1alpha1.SandboxClaimSpec{
+			TemplateRef: extensionsv1alpha1.SandboxTemplateRef{Name: "test-template"},
+		},
+	}
+
+	poolNameHash := sandboxcontrollers.NameHash("test-pool")
+	currentHash := templateContentHash(template)
+
+	// Stale sandbox: content hash from old template version.
+	staleSandbox := &sandboxv1alpha1.Sandbox{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "stale-sb", Namespace: "default",
+			CreationTimestamp: metav1.Time{Time: time.Now().Add(-1 * time.Hour)},
+			Labels: map[string]string{
+				warmPoolSandboxLabel:     poolNameHash,
+				sandboxTemplateRefHash:   sandboxcontrollers.NameHash("test-template"),
+				templateContentHashLabel: "oldold00",
+			},
+			OwnerReferences: []metav1.OwnerReference{{
+				APIVersion: "extensions.agents.x-k8s.io/v1alpha1", Kind: "SandboxWarmPool",
+				Name: "test-pool", UID: "wp-uid", Controller: ptr.To(true),
+			}},
+		},
+		Spec: sandboxv1alpha1.SandboxSpec{
+			Replicas: ptr.To(int32(1)),
+			PodTemplate: sandboxv1alpha1.PodTemplate{
+				Spec: corev1.PodSpec{Containers: []corev1.Container{{Name: "c", Image: "old-image:v1"}}},
+			},
+		},
+		Status: sandboxv1alpha1.SandboxStatus{
+			Conditions: []metav1.Condition{{
+				Type: string(sandboxv1alpha1.SandboxConditionReady), Status: metav1.ConditionTrue, Reason: "Ready",
+			}},
+		},
+	}
+
+	// Fresh sandbox: content hash matches current template.
+	freshSandbox := &sandboxv1alpha1.Sandbox{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "fresh-sb", Namespace: "default",
+			CreationTimestamp: metav1.Now(),
+			Labels: map[string]string{
+				warmPoolSandboxLabel:     poolNameHash,
+				sandboxTemplateRefHash:   sandboxcontrollers.NameHash("test-template"),
+				templateContentHashLabel: currentHash,
+			},
+			OwnerReferences: []metav1.OwnerReference{{
+				APIVersion: "extensions.agents.x-k8s.io/v1alpha1", Kind: "SandboxWarmPool",
+				Name: "test-pool", UID: "wp-uid", Controller: ptr.To(true),
+			}},
+		},
+		Spec: sandboxv1alpha1.SandboxSpec{
+			Replicas: ptr.To(int32(1)),
+			PodTemplate: sandboxv1alpha1.PodTemplate{
+				Spec: corev1.PodSpec{Containers: []corev1.Container{{Name: "c", Image: "new-image:v2"}}},
+			},
+		},
+		Status: sandboxv1alpha1.SandboxStatus{
+			Conditions: []metav1.Condition{{
+				Type: string(sandboxv1alpha1.SandboxConditionReady), Status: metav1.ConditionTrue, Reason: "Ready",
+			}},
+		},
+	}
+
+	reconciler := &SandboxClaimReconciler{
+		Client: fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(template, claim, staleSandbox, freshSandbox).
+			WithStatusSubresource(claim).
+			Build(),
+		Scheme:   scheme,
+		Recorder: record.NewFakeRecorder(10),
+		Tracer:   asmetrics.NewNoOp(),
+	}
+
+	req := reconcile.Request{NamespacedName: types.NamespacedName{Name: "hash-claim", Namespace: "default"}}
+	_, err := reconciler.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("reconcile failed: %v", err)
+	}
+
+	// Should have adopted the fresh sandbox, not the stale one.
+	var adopted sandboxv1alpha1.Sandbox
+	err = reconciler.Get(context.Background(), types.NamespacedName{Name: "fresh-sb", Namespace: "default"}, &adopted)
+	if err != nil {
+		t.Fatalf("failed to get fresh sandbox: %v", err)
+	}
+	controllerRef := metav1.GetControllerOf(&adopted)
+	if controllerRef == nil || controllerRef.UID != claim.UID {
+		t.Fatalf("expected fresh-sb to be adopted by claim, got controller %v", controllerRef)
+	}
+
+	// Stale sandbox should still be owned by warm pool (not adopted).
+	var stale sandboxv1alpha1.Sandbox
+	err = reconciler.Get(context.Background(), types.NamespacedName{Name: "stale-sb", Namespace: "default"}, &stale)
+	if err != nil {
+		t.Fatalf("failed to get stale sandbox: %v", err)
+	}
+	staleRef := metav1.GetControllerOf(&stale)
+	if staleRef != nil && staleRef.UID == claim.UID {
+		t.Fatal("stale sandbox should not have been adopted by claim")
+	}
+}
+
+func TestSandboxClaimAdoptionRemovesContentHashLabel(t *testing.T) {
+	scheme := newScheme(t)
+
+	template := &extensionsv1alpha1.SandboxTemplate{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-template", Namespace: "default"},
+		Spec: extensionsv1alpha1.SandboxTemplateSpec{
+			PodTemplate: sandboxv1alpha1.PodTemplate{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{{Name: "c", Image: "img"}},
+				},
+			},
+		},
+	}
+
+	claim := &extensionsv1alpha1.SandboxClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "label-claim", Namespace: "default", UID: "label-claim-uid",
+		},
+		Spec: extensionsv1alpha1.SandboxClaimSpec{
+			TemplateRef: extensionsv1alpha1.SandboxTemplateRef{Name: "test-template"},
+		},
+	}
+
+	poolNameHash := sandboxcontrollers.NameHash("test-pool")
+	contentHash := templateContentHash(template)
+
+	poolSandbox := &sandboxv1alpha1.Sandbox{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pool-sb", Namespace: "default",
+			CreationTimestamp: metav1.Now(),
+			Labels: map[string]string{
+				warmPoolSandboxLabel:     poolNameHash,
+				sandboxTemplateRefHash:   sandboxcontrollers.NameHash("test-template"),
+				templateContentHashLabel: contentHash,
+			},
+			OwnerReferences: []metav1.OwnerReference{{
+				APIVersion: "extensions.agents.x-k8s.io/v1alpha1", Kind: "SandboxWarmPool",
+				Name: "test-pool", UID: "wp-uid", Controller: ptr.To(true),
+			}},
+		},
+		Spec: sandboxv1alpha1.SandboxSpec{
+			Replicas: ptr.To(int32(1)),
+			PodTemplate: sandboxv1alpha1.PodTemplate{
+				Spec: corev1.PodSpec{Containers: []corev1.Container{{Name: "c", Image: "img"}}},
+			},
+		},
+		Status: sandboxv1alpha1.SandboxStatus{
+			Conditions: []metav1.Condition{{
+				Type: string(sandboxv1alpha1.SandboxConditionReady), Status: metav1.ConditionTrue, Reason: "Ready",
+			}},
+		},
+	}
+
+	reconciler := &SandboxClaimReconciler{
+		Client: fake.NewClientBuilder().
+			WithScheme(scheme).
+			WithObjects(template, claim, poolSandbox).
+			WithStatusSubresource(claim).
+			Build(),
+		Scheme:   scheme,
+		Recorder: record.NewFakeRecorder(10),
+		Tracer:   asmetrics.NewNoOp(),
+	}
+
+	req := reconcile.Request{NamespacedName: types.NamespacedName{Name: "label-claim", Namespace: "default"}}
+	_, err := reconciler.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("reconcile failed: %v", err)
+	}
+
+	var adopted sandboxv1alpha1.Sandbox
+	err = reconciler.Get(context.Background(), types.NamespacedName{Name: "pool-sb", Namespace: "default"}, &adopted)
+	if err != nil {
+		t.Fatalf("failed to get adopted sandbox: %v", err)
+	}
+
+	// All warm pool labels should be removed after adoption.
+	if _, exists := adopted.Labels[warmPoolSandboxLabel]; exists {
+		t.Error("warmPoolSandboxLabel should be removed after adoption")
+	}
+	if _, exists := adopted.Labels[sandboxTemplateRefHash]; exists {
+		t.Error("sandboxTemplateRefHash should be removed after adoption")
+	}
+	if _, exists := adopted.Labels[templateContentHashLabel]; exists {
+		t.Error("templateContentHashLabel should be removed after adoption")
+	}
+}
+
 func newScheme(t *testing.T) *runtime.Scheme {
 	scheme := runtime.NewScheme()
 	if err := sandboxv1alpha1.AddToScheme(scheme); err != nil {

extensions/controllers/sandboxwarmpool_controller.go

@@ -16,6 +16,8 @@ package controllers
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"slices"
@@ -39,10 +41,25 @@ import (
 )
 
 const (
-	sandboxTemplateRefHash = "agents.x-k8s.io/sandbox-template-ref-hash"
-	warmPoolSandboxLabel   = "agents.x-k8s.io/warm-pool-sandbox"
+	sandboxTemplateRefHash       = "agents.x-k8s.io/sandbox-template-ref-hash"
+	warmPoolSandboxLabel         = "agents.x-k8s.io/warm-pool-sandbox"
+	templateContentHashLabel     = "agents.x-k8s.io/template-content-hash"
 )
 
+// templateContentHash computes a SHA-256 hash over the JSON-serialized
+// SandboxTemplate spec, returning the first 8 hex chars. This captures
+// everything the template defines and is used to detect spec drift between
+// warm pool sandboxes and the current template.
+func templateContentHash(template *extensionsv1alpha1.SandboxTemplate) string {
+	data, err := json.Marshal(template.Spec)
+	if err != nil {
+		// Spec is always serializable; this should never happen.
+		return "00000000"
+	}
+	sum := sha256.Sum256(data)
+	return fmt.Sprintf("%x", sum[:])[:8]
+}
+
 // SandboxWarmPoolReconciler reconciles a SandboxWarmPool object
 type SandboxWarmPoolReconciler struct {
 	client.Client
@@ -144,6 +161,37 @@ func (r *SandboxWarmPoolReconciler) reconcilePool(ctx context.Context, warmPool
 		}
 	}
 
+	// Compute the current template content hash to detect spec drift.
+	currentContentHash := ""
+	if template, err := r.getTemplate(ctx, warmPool); err == nil {
+		currentContentHash = templateContentHash(template)
+	} else if !k8serrors.IsNotFound(err) {
+		log.Error(err, "Failed to get template for content hash")
+		allErrors = errors.Join(allErrors, err)
+	}
+
+	// Delete sandboxes whose template content hash doesn't match the
+	// current template spec (stale from a prior template version).
+	if currentContentHash != "" {
+		var freshSandboxes []sandboxv1alpha1.Sandbox
+		for _, sb := range activeSandboxes {
+			sbHash := sb.Labels[templateContentHashLabel]
+			if sbHash != "" && sbHash != currentContentHash {
+				log.Info("Deleting stale warm pool sandbox (template content hash mismatch)",
+					"sandbox", sb.Name,
+					"sandboxHash", sbHash,
+					"currentHash", currentContentHash)
+				if err := r.Delete(ctx, &sb); err != nil {
+					log.Error(err, "Failed to delete stale sandbox", "sandbox", sb.Name)
+					allErrors = errors.Join(allErrors, err)
+				}
+				continue
+			}
+			freshSandboxes = append(freshSandboxes, sb)
+		}
+		activeSandboxes = freshSandboxes
+	}
+
 	const warmPoolReadinessGracePeriod = 5 * time.Minute
 
 	now := time.Now()
@@ -248,10 +296,14 @@ func (r *SandboxWarmPoolReconciler) createPoolSandbox(ctx context.Context, warmP
 		return err
 	}
 
+	// Compute template content hash for spec-drift detection.
+	contentHash := templateContentHash(template)
+
 	// Build labels for the Sandbox CR
 	sandboxLabels := map[string]string{
-		warmPoolSandboxLabel:   poolNameHash,
-		sandboxTemplateRefHash: sandboxcontrollers.NameHash(warmPool.Spec.TemplateRef.Name),
+		warmPoolSandboxLabel:     poolNameHash,
+		sandboxTemplateRefHash:   sandboxcontrollers.NameHash(warmPool.Spec.TemplateRef.Name),
+		templateContentHashLabel: contentHash,
 	}
 
 	// Copy template pod labels into sandbox pod template
@@ -261,6 +313,7 @@ func (r *SandboxWarmPoolReconciler) createPoolSandbox(ctx context.Context, warmP
 	}
 	// Propagate template ref hash to pod template for NetworkPolicy targeting
 	podLabels[sandboxTemplateRefHash] = sandboxcontrollers.NameHash(warmPool.Spec.TemplateRef.Name)
+	podLabels[templateContentHashLabel] = contentHash
 
 	podAnnotations := make(map[string]string)
 	for k, v := range template.Spec.PodTemplate.ObjectMeta.Annotations {