Temporary AtlasDatabaseUser non-deletion during reconciliation blocks Namespace deletion

[ggiacobazzi]

What did you do to encounter the bug?

• Create a namespace
• Create an AtlasDatabaseUser with the deleteAfterDate field in order to create a temporary user in the previously created namespace
• After the deleteAfterDate indicated, delete the namespace

What did you expect?
The reconciliation process deletes the AtlasDatabaseUser managed resource (removes the finalizer) if it's in the DatabaseUserExpired condition so that it does not block the deletion of the namespace.

What happened instead?
The AtlasDatabaseUser managed resource is not deleted by the reconciliation process if it sees that it is expired and thus blocks the subsequent deletion of the namespace.

Example code:
-> AtlasDatabaseUser:

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  annotations:
    mongodb.com/atlas-resource-policy: delete
  creationTimestamp: '2025-02-17T13:39:00Z'
  deletionGracePeriodSeconds: 0
  deletionTimestamp: '2025-02-21T00:01:56Z'
  finalizers:
    - mongodbatlas/finalizer
  [...]
spec:
  awsIamType: NONE
  databaseName: admin
  deleteAfterDate: '2025-02-20'
  oidcAuthType: NONE
  passwordSecretRef:
    name: abc
  projectRef:
    name: abc
    namespace: atlas-operator
  roles:
    - databaseName: abc
      roleName: dbAdmin
  scopes:
    - name: saas-develop
      type: CLUSTER
  username: abc
  x509Type: NONE
status:
  conditions:
    - lastTransitionTime: '2025-02-20T01:33:22Z'
      status: 'False'
      type: Ready
    - lastTransitionTime: '2025-02-17T13:39:01Z'
      status: 'True'
      type: ResourceVersionIsValid
    - lastTransitionTime: '2025-02-17T13:39:01Z'
      status: 'True'
      type: ValidationSucceeded
    - lastTransitionTime: '2025-02-20T01:33:22Z'
      message: an expired user cannot be managed
      reason: DatabaseUserExpired
      status: 'False'
      type: DatabaseUserReady
  name: abc
  observedGeneration: 2
  passwordVersion: 'abc'

-> Namespace:

kind: Namespace
apiVersion: v1
metadata:
  name: core-abc
  creationTimestamp: '2025-02-19T08:32:59Z'
  deletionTimestamp: '2025-02-20T07:33:17Z'
spec:
  finalizers:
    - kubernetes
status:
  phase: Terminating
  conditions:
    - type: NamespaceDeletionDiscoveryFailure
      status: 'False'
      lastTransitionTime: '2025-02-20T07:33:29Z'
      reason: ResourcesDiscovered
      message: All resources successfully discovered
    - type: NamespaceDeletionGroupVersionParsingFailure
      status: 'False'
      lastTransitionTime: '2025-02-20T07:33:29Z'
      reason: ParsedGroupVersions
      message: All legacy kube types successfully parsed
    - type: NamespaceDeletionContentFailure
      status: 'False'
      lastTransitionTime: '2025-02-20T07:33:29Z'
      reason: ContentDeleted
      message: All content successfully deleted, may be waiting on finalization
    - type: NamespaceContentRemaining
      status: 'True'
      lastTransitionTime: '2025-02-20T07:33:29Z'
      reason: SomeResourcesRemain
      message: >-
        Some resources are remaining: atlasdatabaseusers.atlas.mongodb.com has 1
        resource instances
    - type: NamespaceFinalizersRemaining
      status: 'True'
      lastTransitionTime: '2025-02-20T07:33:29Z'
      reason: SomeFinalizersRemain
      message: >-
        Some content in the namespace has finalizers remaining:
        mongodbatlas/finalizer in 1 resource instances

Operator Information

• 2.7.0

[s-urbaniak]

@ggiacobazzi thank you for the issue report 👍 indeed that's a valid edge case to unset the finalizer and allow deletion. Self-assigning.

[github-actions]

This issue has gone 30 days without any activity and meets the project’s definition of 'stale'. This will be auto-closed if there is no new activity over the next 60 days. If the issue is still relevant and active, you can simply comment with a 'bump' to keep it open. Thanks for keeping our repository healthy!