Fix ingress stuck in deletion when IngressClass is removed first

[aydosman]

Issue

#4341

Description

When an IngressClass is deleted before the Ingresses that reference it,
the reconciler correctly marks those Ingresses as inactive members and
attempts to remove their group finalizers via a PATCH/UPDATE. That update
triggers the ValidateUpdate admission webhook, which tries to look up the
now-missing IngressClass and denies the request. The finalizer is never
removed, leaving the Ingress permanently stuck with a DeletionTimestamp
and no way to clean it up short of manually editing the spec.

The fix is to skip all ValidateUpdate checks when the Ingress already has
a DeletionTimestamp set. An ingress in that state has no active invariants
to enforce — the only meaningful operation remaining is cleanup. This is
consistent with ValidateDelete, which already returns nil unconditionally.

Adds a test covering both the fixed path (deleting ingress with missing
IngressClass is allowed) and the unchanged path (non-deleting ingress with
missing IngressClass is still denied).

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: aydosman / name: Aydogan Osman (5d4c3e1)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aydosman
Once this PR has been reviewed and has the lgtm label, please assign oliviassss for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Welcome @aydosman!

It looks like this is your first PR to kubernetes-sigs/aws-load-balancer-controller 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-load-balancer-controller has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @aydosman. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[aydosman]

Hi @zac-nixon @shraddhabang — this is a fix for #4341. The issue was that ValidateUpdate blocks finalizer removal when the IngressClass has already been deleted, leaving the Ingress permanently stuck. The fix skips webhook validation when DeletionTimestamp is set, consistent with how ValidateDelete already behaves. Unit tests included. Would appreciate an /ok-to-test when you get a chance.

[zac-nixon]

You're not really checking if the IngressClass is gone here. If the intended logic is to allow Ingress deletion to proceed when IngressClass is already gone, then adding a check for a NotFoundError is probably better.
https://github.com/aydosman/aws-load-balancer-controller/blob/5d4c3e1288ccfa840027d12c028ca3651c18de9d/webhooks/networking/ingress_validator.go#L90-L94

[aydosman]

@zac-nixon Thank you; I was going for the simplest solution. I will look at this at some point this week.