Use patch to set finalizers

[jackkleeman]

For pods in terminating state, their deletion timestamp is constantly
increasing, I'm not sure why but I suspect its do to with gatekeeper. As
a result, their resource version increases. This means that when we try
to remove the finalizer, there is an error 'this object has already
changed'. I think that using a patch will fix this.

{"level":"error","ts":1575303739.4736946,"logger":"controller","msg":"could not remove finalizer","kind":"Config","gvk":"/v1, Kind=Pod","name":"s-ledger-exporter-76877648cd-xmzwz","namespace":"io-gmon","error":"Operation cannot be fulfilled on pods \"s-ledger-exporter-76877648cd-xmzwz\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/open-policy-agent/gatekeeper/vendor/github.com/go-logr/zapr.(*zapLogger).Error\n\t/home/travis/gopath/src/github.com/open-policy-agent/gatekeeper/vendor/github.com/go-logr/zapr/zapr.go:128\ngit.luolix.top/open-policy-agent/gatekeeper/pkg/controller/config.(*finalizerCleanup).Clean.func1\n\t/home/travis/gopath/src/github.com/open-policy-agent/gatekeeper/pkg/controller/config/config_controller.go:347\ngit.luolix.top/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait.ExponentialBackoff\n\t/home/travis/gopath/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:203\ngit.luolix.top/open-policy-agent/gatekeeper/pkg/controller/config.(*finalizerCleanup).Clean\n\t/home/travis/gopath/src/github.com/open-policy-agent/gatekeeper/pkg/controller/config/config_controller.go:377"}

[maxsmythe]

No objections to changing this to patch.

I'm curious why you think gatekeeper would change the deletion timestamp? Gatekeeper does not modify those.

I do see this bit of information WRT deletion timestamps and pods, unsure if it's relevant:

kubernetes/kubernetes#71494

[jackkleeman]

I'm curious why you think gatekeeper would change the deletion timestamp

Just a guess. Something pretty strange is going on!

[jackkleeman]

@maxsmythe are there integration tests which explicitly test for finalizer removal?

[maxsmythe]

Yep, the config controller tests look for sync finalizer removal:

gatekeeper/pkg/controller/config/config_controller_test.go

Line 169 in 3b704ce

return errors.New("testns namespace still has sync finalizer")

[ritazh]

Would be nice to add a test for sync finalizer removal in e2e, similar to here: https://github.com/open-policy-agent/gatekeeper/blob/master/test/bats/test.bats#L82

[maxsmythe]

@ritazh Is this blocking for you?

[ritazh]

no. I have created #323 to track.