add bucketaccess sidecar reconciliation

Implement the final portion of BucketAccess provisioning after handoff
to the Sidecar.

Signed-off-by: Blaine Gardner <blaine.gardner@ibm.com>

Author: BlaineEXE

client/apis/objectstorage/v1alpha2/definitions.go

@@ -25,6 +25,10 @@ const (
 
 // Annotations
 const (
+	// BucketClaimBeingDeletedAnnotation : This annotation is applied by the COSI Controller to a
+	// Bucket when its BucketClaim is being deleted.
+	BucketClaimBeingDeletedAnnotation = `objectstorage.k8.io/bucketclaim-being-deleted`
+
 	// HasBucketAccessReferencesAnnotation : This annotation is applied by the COSI Controller to a
 	// BucketClaim when a BucketAccess that references the BucketClaim is created. The annotation
 	// remains for as long as any BucketAccess references the BucketClaim. Once all BucketAccesses

controller/internal/reconciler/bucketaccess.go

@@ -36,8 +36,8 @@ import (
 
 	cosiapi "sigs.k8s.io/container-object-storage-interface/client/apis/objectstorage/v1alpha2"
 	objectstoragev1alpha2 "sigs.k8s.io/container-object-storage-interface/client/apis/objectstorage/v1alpha2"
+	"sigs.k8s.io/container-object-storage-interface/internal/bucketaccess"
 	cosierr "sigs.k8s.io/container-object-storage-interface/internal/errors"
-	"sigs.k8s.io/container-object-storage-interface/internal/handoff"
 	cosipredicate "sigs.k8s.io/container-object-storage-interface/internal/predicate"
 )
 
@@ -67,7 +67,7 @@ func (r *BucketAccessReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return ctrl.Result{}, err
 	}
 
-	if handoff.BucketAccessManagedBySidecar(access) {
+	if bucketaccess.ManagedBySidecar(access) {
 		logger.V(1).Info("not reconciling BucketAccess that should be managed by sidecar")
 		return ctrl.Result{}, nil
 	}
@@ -142,12 +142,12 @@ func (r *BucketAccessReconciler) reconcile(
 		return cosierr.NonRetryableError(fmt.Errorf("deletion is not yet implemented")) // TODO
 	}
 
-	needInit, err := needsControllerInitialization(&access.Status)
+	initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status)
 	if err != nil {
 		logger.Error(err, "processed a degraded BucketAccess")
 		return cosierr.NonRetryableError(fmt.Errorf("processed a degraded BucketAccess: %w", err))
 	}
-	if !needInit {
+	if initialized {
 		// BucketAccessClass info should only be copied to the BucketAccess status once, upon
 		// initial provisioning. After the info is copied, make no attempt to fill in any missing or
 		// lost info because we don't know whether the current Class is compatible with the info
@@ -244,38 +244,6 @@ func (r *BucketAccessReconciler) reconcile(
 	return nil
 }
 
-// Return true if the Controller needs to initialize the BucketAccess with BucketClaim and
-// BucketAccessClass info. Return false if required info is set.
-// Return an error if any required info is only partially set. This indicates some sort of
-// degradation or bug.
-func needsControllerInitialization(s *cosiapi.BucketAccessStatus) (bool, error) {
-	requiredFields := map[string]bool{}
-	requiredFieldIsSet := func(fieldName string, isSet bool) {
-		requiredFields[fieldName] = isSet
-	}
-
-	requiredFieldIsSet("status.accessedBuckets", len(s.AccessedBuckets) > 0)
-	requiredFieldIsSet("status.driverName", s.DriverName != "")
-	requiredFieldIsSet("status.authenticationType", string(s.AuthenticationType) != "")
-
-	set := []string{}
-	for field, isSet := range requiredFields {
-		if isSet {
-			set = append(set, field)
-		}
-	}
-
-	if len(set) == 0 {
-		return true, nil
-	}
-
-	if len(set) == len(requiredFields) {
-		return false, nil
-	}
-
-	return false, fmt.Errorf("required Controller-managed fields are only partially set: %v", requiredFields)
-}
-
 // Get all BucketClaims that this BucketAccess references.
 // If any claims don't exist, assume they don't exist YET; mark them nil in the resulting map
 // without treating nonexistence as an error.

controller/internal/reconciler/bucketaccess_test.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"
 	cosiapi "sigs.k8s.io/container-object-storage-interface/client/apis/objectstorage/v1alpha2"
-	"sigs.k8s.io/container-object-storage-interface/internal/handoff"
+	"sigs.k8s.io/container-object-storage-interface/internal/bucketaccess"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -195,10 +195,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 			status.Parameters,
 		)
 
-		assert.True(t, handoff.BucketAccessManagedBySidecar(access))   // MUST hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST be fully initialized
+		assert.True(t, bucketaccess.ManagedBySidecar(access))                       // MUST hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST be fully initialized
 		assert.NoError(t, err)
-		assert.False(t, needInit)
+		assert.True(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -267,10 +267,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -315,10 +315,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -371,10 +371,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -424,10 +424,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -474,10 +474,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -526,10 +526,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -594,10 +594,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 			status.Parameters,
 		)
 
-		assert.True(t, handoff.BucketAccessManagedBySidecar(access))   // MUST hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST be fully initialized
+		assert.True(t, bucketaccess.ManagedBySidecar(access))                       // MUST hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST be fully initialized
 		assert.NoError(t, err)
-		assert.False(t, needInit)
+		assert.True(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -650,10 +650,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)
@@ -706,10 +706,10 @@ func TestBucketAccessReconcile(t *testing.T) {
 		assert.Empty(t, status.AuthenticationType)
 		assert.Empty(t, status.Parameters)
 
-		assert.False(t, handoff.BucketAccessManagedBySidecar(access))  // MUST NOT hand off to sidecar
-		needInit, err := needsControllerInitialization(&access.Status) // MUST NOT be initialized
+		assert.False(t, bucketaccess.ManagedBySidecar(access))                      // MUST NOT hand off to sidecar
+		initialized, err := bucketaccess.SidecarRequirementsPresent(&access.Status) // MUST NOT be initialized
 		assert.NoError(t, err)
-		assert.True(t, needInit)
+		assert.False(t, initialized)
 
 		crw := &cosiapi.BucketClaim{}
 		err = c.Get(ctx, readWriteClaimNsName, crw)

go.mod

@@ -13,8 +13,9 @@ require (
 	github.com/go-logr/logr v1.4.3
 	github.com/stretchr/testify v1.11.1
 	google.golang.org/grpc v1.75.1
+	k8s.io/api v0.34.3
 	k8s.io/apimachinery v0.34.3
-	k8s.io/client-go v0.34.3
+	k8s.io/client-go v0.34.2
 	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
 	sigs.k8s.io/container-object-storage-interface/client v0.0.0-20250925174816-5fce7c365e9c
 	sigs.k8s.io/container-object-storage-interface/proto v0.0.0-00010101000000-000000000000
@@ -23,89 +24,80 @@ require (
 
 require (
 	cel.dev/expr v0.24.0 // indirect
-	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.22.0 // indirect
-	github.com/go-openapi/jsonreference v0.21.1 // indirect
-	github.com/go-openapi/swag v0.25.1 // indirect
-	github.com/go-openapi/swag/cmdutils v0.25.1 // indirect
-	github.com/go-openapi/swag/conv v0.25.1 // indirect
-	github.com/go-openapi/swag/fileutils v0.25.1 // indirect
-	github.com/go-openapi/swag/jsonname v0.25.1 // indirect
-	github.com/go-openapi/swag/jsonutils v0.25.1 // indirect
-	github.com/go-openapi/swag/loading v0.25.1 // indirect
-	github.com/go-openapi/swag/mangling v0.25.1 // indirect
-	github.com/go-openapi/swag/netutils v0.25.1 // indirect
-	github.com/go-openapi/swag/stringutils v0.25.1 // indirect
-	github.com/go-openapi/swag/typeutils v0.25.1 // indirect
-	github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/cel-go v0.26.1 // indirect
+	github.com/google/cel-go v0.26.0 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.23.2 // indirect
-	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
-	github.com/prometheus/procfs v0.17.0 // indirect
-	github.com/spf13/cobra v1.10.1 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
-	github.com/stoewer/go-strcase v1.3.1 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-	go.opentelemetry.io/otel v1.38.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
-	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.44.0 // indirect
-	golang.org/x/oauth2 v0.31.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/term v0.35.0 // indirect
 	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/time v0.13.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250922171735-9219d122eba9 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250922171735-9219d122eba9 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.34.3 // indirect
-	k8s.io/apiextensions-apiserver v0.34.1 // indirect
-	k8s.io/apiserver v0.34.1 // indirect
-	k8s.io/component-base v0.34.1 // indirect
+	k8s.io/apiextensions-apiserver v0.34.0 // indirect
+	k8s.io/apiserver v0.34.0 // indirect
+	k8s.io/component-base v0.34.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect