fix: Initialize TUF repository with user-provided PVC #1135

Merged
merged 1 commit into from
Jun 9, 2025

Collaborator

@bouskaJ bouskaJ commented Jun 4, 2025

Summary by Sourcery

Enable TUF repository initialization on a user-supplied PVC by overhauling the init job creation and detection logic, refining exit code handling in the job container, and covering the new workflow with integration tests.

New Features:

  • Support initializing TUF repository using a user-provided PVC
  • Handle existing init jobs via label selectors and fail on duplicates
  • Update init job command to exit successfully when repository is already initialized

Enhancements:

  • Refactor init job handler into separate jobPresent and ensureInitJob methods
  • Switch init jobs to use generated names and attach controller reference to the main resource
  • Replace fixed-name job lookup with label-based job listing

Tests:

  • Add e2e tests to verify repository initialization, cleanup, and reuse with a pre-created PVC
  • Introduce a pod log retrieval helper for use in integration tests

sourcery-ai bot commented Jun 4, 2025

Reviewer's Guide

Refactors the TUF init job controller to leverage label-based job discovery with modular handlers, adjusts job resource creation for GenerateName and correct controller references, wraps init script execution in a bash exit-code handler, and adds end-to-end tests validating PVC-backed repository initialization.

Sequence Diagram for TUF Initialization Job Handling Logic

sequenceDiagram
    participant C as TUF Controller (initJobAction)
    participant K8s as Kubernetes API

    C->>K8s: List Jobs (using label selector for Tuf instance)
    K8s-->>C: JobList or Error
    alt Error listing jobs
        C-->>C: Handle error, update Tuf Status
    else JobList received
        alt Multiple init jobs found (len(JobList.Items) > 1)
            C-->>C: Handle error (multiple jobs), update Tuf Status (Error)
        else Exactly one init job found (len(JobList.Items) == 1)
            C-->>C: Call jobPresent(job) // Check existing job's status
            alt Job Succeeded (jobUtils.IsCompleted & !jobUtils.IsFailed)
                C->>K8s: Update Tuf Status (RepositoryCondition=True, Ready)
            else Job Failed (jobUtils.IsCompleted & jobUtils.IsFailed)
                C->>K8s: Update Tuf Status (RepositoryCondition=False, Failure)
            else Job In Progress
                C-->>C: Requeue reconcile
            end
        else No init job found (len(JobList.Items) == 0)
            C-->>C: Call ensureInitJob() // Create new job
            C->>K8s: Create Job (metadata.generateName, ownerReferences: Tuf CR, labels)
            alt Job Creation Failed
                 C-->>C: Handle error, update Tuf Status
            else Job Creation Succeeded
                 C-->>C: Requeue reconcile (to monitor new job)
            end
        end
    end

Class Diagram for initJobAction and Utility Changes

classDiagram
    class initJobAction {
        +Handle(ctx, instance) *action.Result // Modified: Uses label-based discovery, delegates to jobPresent/ensureInitJob
        -jobPresent(ctx, job, instance) *action.Result // New: Handles existing job logic
        -ensureInitJob(ctx, labels, instance) *action.Result // New: Handles job creation with GenerateName & Tuf CR as owner
    }

    class `utils` {
        +EnsureTufInitJob(instance, sa, labels) func(*v2.Job) error // Modified: `labels` param added. Job's container command wrapped in bash for specific exit code handling (2 -> 0).
    }
    initJobAction ..> `utils` : Uses EnsureTufInitJob

    class `v2.Job` {
      ObjectMeta.GenerateName: string // Used for creation by ensureInitJob
      ObjectMeta.Labels: map~string,string~ // Used by ensureInitJob for creation & by Handle for lookup
      ObjectMeta.OwnerReferences // Set to Tuf CR by ensureInitJob
      Spec.Template.Spec.Containers.Command // Modified by EnsureTufInitJob to ["/bin/bash"]
      Spec.Template.Spec.Containers.Args // Modified by EnsureTufInitJob to ["-c", "script_with_exit_logic"]
    }
    initJobAction o-- `v2.Job` : Manages (Finds/Creates)

    class `jobUtils` {
      <<Package>>
      +IsCompleted(job v2.Job) bool
      +IsFailed(job v2.Job) bool
    }
    initJobAction ..> `jobUtils` : Uses for status checks

File-Level Changes

Change: Refactor TUF init job handling to use label selectors and modular helpers
Details:
  • Replaced direct job.GetJob lookup with FindByLabelSelector and switch-case on result count
  • Extracted jobPresent and ensureInitJob methods to separate existing job checks from creation logic
Files: internal/controller/tuf/actions/tuf_init_job.go

Change: Adjust job creation parameters for uniqueness and proper ownership
Details:
  • Switched from fixed Job.Name to GenerateName for unique naming
  • Updated ControllerReference to point at the Tuf instance instead of the PVC
  • Applied consistent labels and proxy environment setup in CreateOrUpdate
Files: internal/controller/tuf/actions/tuf_init_job.go

Change: Enhance init container invocation with exit-code wrapper
Details:
  • Replaced container.Args with a bash command array invoking tuf-repo-init.sh
  • Added logic to interpret exit code 2 as success while propagating other codes
Files: internal/controller/tuf/utils/tuf_init_job.go

Change: Add integration tests for user-provided PVC TUF initialization
Details:
  • Introduced securesign_1855_test.go to test PVC creation, init job execution, and cleanup
  • Added GetPodLogs helper in test support for fetching and asserting init container logs
Files: test/e2e/securesign_1855_test.go, test/e2e/support/kubernetes/pod.go

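The decision flow and exit-code mapping from the reviewer's guide above, modelled as an added Go example that is not code from this pull request or the operator. `Job`, `wrapExit`, `Decide`, the step names and the label are hypothetical stand-ins, and no Kubernetes client is involved.

```go
package main

import "fmt"

// Job is a simplified stand-in for a Kubernetes batch Job (hypothetical type).
type Job struct {
	Labels   map[string]string
	ExitCode *int // raw exit code of the init script; nil while it is running
}

// wrapExit models the wrapper around the init script: exit code 2 is
// reported as success, every other code is propagated unchanged.
func wrapExit(raw int) int {
	if raw == 2 {
		return 0
	}
	return raw
}

// Decide returns the next reconcile step for the jobs matching the selector.
func Decide(all []Job, selector map[string]string) (string, error) {
	var jobs []Job
next:
	for _, j := range all { // keep only jobs carrying every selector label
		for k, v := range selector {
			if j.Labels[k] != v {
				continue next
			}
		}
		jobs = append(jobs, j)
	}
	switch {
	case len(jobs) > 1: // fail closed instead of trusting one of several
		return "error", fmt.Errorf("%d init jobs match the selector", len(jobs))
	case len(jobs) == 0:
		return "create", nil
	case jobs[0].ExitCode == nil:
		return "requeue", nil
	case wrapExit(*jobs[0].ExitCode) == 0:
		return "ready", nil
	}
	return "failed", nil
}

func main() {
	two, sel := 2, map[string]string{"example/instance": "tuf-a"} // constructed label
	fmt.Println(Decide([]Job{{Labels: sel, ExitCode: &two}}, sel))
}
```

Because the jobs use generated names, the label selector is the only thing tying a job to its Tuf instance, which is why a second match is treated as an error rather than resolved by picking one.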

@sourcery-ai sourcery-ai bot left a comment

Hey @bouskaJ - I've reviewed your changes and they look great!

Here's what I looked at during the review
  • 🟡 General issues: 2 issues found
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Documentation: all looks good


@bouskaJ bouskaJ force-pushed the jbouska/SECURESIGN-1855 branch 7 times, most recently from 0d780af to eb47f3b Compare June 5, 2025 11:54
Collaborator

@osmman osmman left a comment

The current commit message doesn't follow the Conventional Commits standard. A chore commit type is intended for routine maintenance and tasks that don't modify production code, so feat or fix would be more appropriate here. Please rewrite the commit message to reflect the nature of the changes.

@bouskaJ bouskaJ force-pushed the jbouska/SECURESIGN-1855 branch from eb47f3b to f453ef0 Compare June 6, 2025 12:03
@osmman osmman changed the title chore(SECURESIGN-1855): Initialize TUF repository with user-provided PVC fix: Initialize TUF repository with user-provided PVC Jun 6, 2025
@bouskaJ bouskaJ force-pushed the jbouska/SECURESIGN-1855 branch from 5de3ee6 to e7bf1f9 Compare June 6, 2025 14:16
@bouskaJ bouskaJ requested a review from osmman June 9, 2025 06:21
@osmman osmman merged commit f753edc into main Jun 9, 2025
19 checks passed
@osmman osmman deleted the jbouska/SECURESIGN-1855 branch June 9, 2025 11:58
@osmman osmman added the bug Something isn't working label Jun 9, 2025