Clean up PolicyBindings when user invitations are deleted #543

Open
scotwells wants to merge 1 commit into main from fix/issue-535-userinvitation-policybinding-gc

@scotwells
Contributor

Summary

  • Wires the existing finalizer into the UserInvitation controller so invitation-related PolicyBindings (getinvitation and acceptinvitation) are deleted before an invitation is removed
  • Removes a redundant manual PolicyBinding deletion in the acceptance path since the finalizer now handles cleanup of both bindings
  • Adds unit tests verifying finalizer registration and PolicyBinding garbage collection
  • Adds an end-to-end Chainsaw test for the full invitation lifecycle

Context

When a UserInvitation was deleted (accepted, expired, or revoked), the associated PolicyBindings in milo-system were left behind because the controller's finalizer was registered but never invoked during reconciliation. This produced 49 orphaned PolicyBindings in production stuck in ResourceSelectorValidationFailed state.

Closes #535

Test plan

  • Unit tests verify finalizer is added on first reconcile
  • Unit tests verify both PolicyBindings are deleted on UserInvitation deletion
  • Existing unit tests updated to account for finalizer registration cycle
  • Chainsaw e2e test validates full lifecycle: create invitation → verify PolicyBindings → delete invitation → verify cleanup
  • e2e test confirmed to detect the bug in CI (test-only branch failed as expected)

🤖 Generated with Claude Code
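The lifecycle described in the Context section above, as an added example that is not part of the pull request or the project's code. It is a simplified in-memory model; the finalizer string, the binding name suffixes, and the `Cluster`, `Invitation`, `Delete` and `Reconcile` names are assumptions made for illustration.

```go
package main

// In-memory model; every name below is an illustrative assumption.
const finalizer = "example.invalid/invitation-cleanup"
var suffixes = []string{"-getinvitation", "-acceptinvitation"}

type Invitation struct {
	Finalizers []string
	Deleting   bool // stands in for a set deletionTimestamp
}

type Cluster struct {
	Invitations map[string]*Invitation
	Bindings    map[string]bool // PolicyBinding names
}

// Delete mimics the API server: finalizers defer removal, none means gone now.
func Delete(c *Cluster, name string) {
	if inv := c.Invitations[name]; inv != nil && len(inv.Finalizers) > 0 {
		inv.Deleting = true
		return
	}
	delete(c.Invitations, name)
}

// Reconcile registers the finalizer, then creates bindings, then cleans up.
func Reconcile(c *Cluster, name string) {
	switch inv := c.Invitations[name]; {
	case inv == nil: // already gone, nothing left to act on
	case inv.Deleting:
		for _, s := range suffixes {
			delete(c.Bindings, name+s)
		}
		delete(c.Invitations, name) // finalizer released
	case len(inv.Finalizers) == 0:
		inv.Finalizers = append(inv.Finalizers, finalizer) // registration cycle
	default:
		for _, s := range suffixes {
			c.Bindings[name+s] = true
		}
	}
}

func main() {
	c := &Cluster{map[string]*Invitation{"inv1": {}}, map[string]bool{}}
	for _, step := range []func(*Cluster, string){Reconcile, Reconcile, Delete, Reconcile} {
		step(c, "inv1")
	}
	println("bindings left:", len(c.Bindings))
}
```

Calling `Delete` on an invitation that never received the finalizer removes it immediately, so the later `Reconcile` finds nothing to act on and both bindings stay behind, which is the orphaning this pull request addresses.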

@joggrbot
Contributor

joggrbot bot commented Mar 27, 2026

📝 Documentation Analysis

All docs are up to date! 🎉


✅ Latest commit analyzed: 8ae29a2 | Powered by Joggr

Wire the existing finalizer into the UserInvitation controller's
Reconcile loop so PolicyBindings for getinvitation and acceptinvitation
permissions are deleted before a UserInvitation is removed.

The finalizer handler was already implemented and registered but never
invoked, leaving PolicyBindings orphaned in milo-system after
invitation acceptance, expiry, or revocation.

Closes #535

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scotwells force-pushed the fix/issue-535-userinvitation-policybinding-gc branch from 9bfb9d5 to 8ae29a2, March 27, 2026 15:39
Development

Successfully merging this pull request may close these issues.

Orphaned PolicyBindings for deleted UserInvitations not garbage collected