Trash: Keep provisioned objects out of the trash (#111714)

pkg/storage/unified/resource/server.go

@@ -1097,6 +1097,11 @@ func (s *server) isTrashItemAuthorized(ctx context.Context, iter ListIterator, t
 		return false
 	}
 
+	// provisioned objects should not be retrievable in the trash
+	if obj.GetAnnotation(utils.AnnoKeyManagerKind) != "" {
+		return false
+	}
+
 	// Trash is only accessible to admins or the user who deleted the object
 	return obj.GetUpdatedBy() == user.GetUID() || trashChecker(iter.Name(), iter.Folder())
 }

pkg/storage/unified/resource/storage_backend.go

@@ -889,12 +889,13 @@ func (k *kvStorageBackend) processTrashEntries(ctx context.Context, req *resourc
 	pagedKeys := applyPagination(filteredKeys, lastSeenRV, sortAscending)
 
 	iter := kvHistoryIterator{
-		keys:          pagedKeys,
-		currentIndex:  -1,
-		ctx:           ctx,
-		listRV:        listRV,
-		sortAscending: sortAscending,
-		dataStore:     k.dataStore,
+		keys:            pagedKeys,
+		currentIndex:    -1,
+		ctx:             ctx,
+		listRV:          listRV,
+		sortAscending:   sortAscending,
+		dataStore:       k.dataStore,
+		skipProvisioned: true,
 	}
 
 	err = fn(&iter)
@@ -907,12 +908,13 @@ func (k *kvStorageBackend) processTrashEntries(ctx context.Context, req *resourc
 
 // kvHistoryIterator implements ListIterator for KV storage history
 type kvHistoryIterator struct {
-	ctx           context.Context
-	keys          []DataKey
-	currentIndex  int
-	listRV        int64
-	sortAscending bool
-	dataStore     *dataStore
+	ctx             context.Context
+	keys            []DataKey
+	currentIndex    int
+	listRV          int64
+	sortAscending   bool
+	skipProvisioned bool
+	dataStore       *dataStore
 
 	// current
 	rv     int64
@@ -962,6 +964,11 @@ func (i *kvHistoryIterator) Next() bool {
 	i.folder = meta.GetFolder()
 	i.err = nil
 
+	// if the resource is provisioned and we are skipping provisioned resources, continue onto the next one
+	if i.skipProvisioned && meta.GetAnnotation(utils.AnnoKeyManagerKind) != "" {
+		return i.Next()
+	}
+
 	return true
 }
 

pkg/storage/unified/resource/storage_backend_test.go

@@ -1041,6 +1041,36 @@ func TestKvStorageBackend_ListTrash_Success(t *testing.T) {
 	rv2, err := backend.WriteEvent(ctx, writeEvent)
 	require.NoError(t, err)
 
+	// Do the same for a provisioned object
+	provisionedObj, err := createTestObjectWithName("provisioned-obj", appsNamespace, "test-data")
+	require.NoError(t, err)
+	metaAccessorProvisioned, err := utils.MetaAccessor(provisionedObj)
+	require.NoError(t, err)
+	metaAccessorProvisioned.SetAnnotation(utils.AnnoKeyManagerKind, "repo")
+
+	writeEventProvisioned := WriteEvent{
+		Type: resourcepb.WatchEvent_ADDED,
+		Key: &resourcepb.ResourceKey{
+			Namespace: "default",
+			Group:     "apps",
+			Resource:  "resources",
+			Name:      "provisioned-obj",
+		},
+		Value:      objectToJSONBytes(t, provisionedObj),
+		Object:     metaAccessorProvisioned,
+		PreviousRV: 0,
+	}
+
+	rv3, err := backend.WriteEvent(ctx, writeEventProvisioned)
+	require.NoError(t, err)
+
+	writeEventProvisioned.Type = resourcepb.WatchEvent_DELETED
+	writeEventProvisioned.PreviousRV = rv3
+	writeEventProvisioned.Object = metaAccessorProvisioned
+	writeEventProvisioned.ObjectOld = metaAccessorProvisioned
+	_, err = backend.WriteEvent(ctx, writeEventProvisioned)
+	require.NoError(t, err)
+
 	// List the trash (deleted items)
 	listReq := &resourcepb.ListRequest{
 		Options: &resourcepb.ListOptions{
@@ -1081,7 +1111,7 @@ func TestKvStorageBackend_ListTrash_Success(t *testing.T) {
 
 	require.NoError(t, err)
 	require.Greater(t, rv, int64(0))
-	require.Len(t, trashItems, 1) // Should have the deleted item
+	require.Len(t, trashItems, 1) // Should have the non-provisioned deleted item
 
 	// Verify the trash item
 	require.Equal(t, "test-resource", trashItems[0].name)