feat(x2a): real K8s jobs for analyze and migrate (#2304)

* First draft: Real Job creation

* job template is able to git pull

* Working full init job including git

* init phase coomplete, skeleton for other phases

* With fixes tests, yarn full

* app-config reset

* rbac

* reverting aap and rbac to main

* prettier

* Working Analyze phase + owner reference delete secret

* analyze job works

* migrate changes

* remove callback url call

* Working analyze + migration steps

* api report

* After rebase

* Error handling on bash script

* Tests error

Author: elai-shalev

workspaces/x2a/plugins/x2a-backend/src/router/common.ts

@@ -32,6 +32,8 @@ import {
   x2aAdminWritePermission,
 } from '@red-hat-developer-hub/backstage-plugin-x2a-common';
 
+import type { RouterDeps } from './types';
+
 const isUserOfAdminViewPermission = async (
   request: Request,
   permissionsSvc: PermissionsService,
@@ -108,10 +110,44 @@ const removeSensitiveFromJob = (job?: UnsecureJob): Job | undefined => {
   return newJob;
 };
 
+// TODO: Remove once collectArtifacts (or the `report` command) is implemented
+// and jobs update their own status on completion. Until then this is the only
+// mechanism that syncs stale DB records with actual K8s job state.
+async function reconcileJobStatus(
+  job: Job,
+  deps: Pick<RouterDeps, 'kubeService' | 'x2aDatabase' | 'logger'>,
+): Promise<Job> {
+  if (!['pending', 'running'].includes(job.status)) {
+    return job;
+  }
+  if (!job.k8sJobName) {
+    return job;
+  }
+
+  const k8sStatus = await deps.kubeService.getJobStatus(job.k8sJobName);
+
+  if (k8sStatus.status === 'success' || k8sStatus.status === 'error') {
+    const log = (await deps.kubeService.getJobLogs(job.k8sJobName)) as string;
+    const updated = await deps.x2aDatabase.updateJob({
+      id: job.id,
+      status: k8sStatus.status,
+      finishedAt: new Date(),
+      log,
+    });
+    deps.logger.info(
+      `Reconciled job ${job.id}: DB had '${job.status}', K8s reports '${k8sStatus.status}'`,
+    );
+    return updated ?? job;
+  }
+
+  return job;
+}
+
 export {
   isUserOfAdminViewPermission,
   isUserOfAdminWritePermission,
   authorize,
   getUserRef,
+  reconcileJobStatus,
   removeSensitiveFromJob,
 };

workspaces/x2a/plugins/x2a-backend/src/router/modules.ts

@@ -21,7 +21,11 @@ import { InputError, NotFoundError } from '@backstage/errors';
 import { Module } from '@red-hat-developer-hub/backstage-plugin-x2a-common';
 
 import type { RouterDeps } from './types';
-import { getUserRef, removeSensitiveFromJob } from './common';
+import {
+  getUserRef,
+  reconcileJobStatus,
+  removeSensitiveFromJob,
+} from './common';
 
 export function registerModuleRoutes(
   router: express.Router,
@@ -236,7 +240,16 @@ export function registerModuleRoutes(
         projectId,
         moduleId,
       });
-      const hasActiveJob = existingJobs.some(job =>
+
+      // Reconcile jobs that appear active against K8s
+      const reconciledJobs = await Promise.all(
+        existingJobs
+          .filter(job => ['pending', 'running'].includes(job.status))
+          .map(job =>
+            reconcileJobStatus(job, { kubeService, x2aDatabase, logger }),
+          ),
+      );
+      const hasActiveJob = reconciledJobs.some(job =>
         ['pending', 'running'].includes(job.status),
       );
 

workspaces/x2a/plugins/x2a-backend/src/router/projects.ts

@@ -30,6 +30,7 @@ import {
   getUserRef,
   isUserOfAdminViewPermission,
   isUserOfAdminWritePermission,
+  reconcileJobStatus,
 } from './common';
 import { ProjectsGet, ProjectsPost } from '../schema/openapi';
 
@@ -255,10 +256,18 @@ export function registerProjectRoutes(
 
       // Check for existing running init job
       const existingJobs = await x2aDatabase.listJobsForProject({ projectId });
-      const hasActiveInitJob = existingJobs.some(
+      const activeInitJobs = existingJobs.filter(
         job =>
           job.phase === 'init' && ['pending', 'running'].includes(job.status),
       );
+      const reconciledInitJobs = await Promise.all(
+        activeInitJobs.map(job =>
+          reconcileJobStatus(job, { kubeService, x2aDatabase, logger }),
+        ),
+      );
+      const hasActiveInitJob = reconciledInitJobs.some(job =>
+        ['pending', 'running'].includes(job.status),
+      );
 
       if (hasActiveInitJob) {
         return res.status(409).json({

workspaces/x2a/plugins/x2a-backend/src/schema/openapi.yaml

@@ -293,8 +293,6 @@ paths:
                   $ref: '#/components/schemas/AAPCredentials'
               required:
                 - phase
-                - sourceRepoAuth
-                - targetRepoAuth
       responses:
         '200':
           description: Migration job created successfully

workspaces/x2a/plugins/x2a-backend/src/schema/openapi/generated/models/ProjectsProjectIdModulesModuleIdRunPostRequest.model.ts

@@ -26,7 +26,7 @@ import { ModulePhase } from '../models/ModulePhase.model';
  */
 export interface ProjectsProjectIdModulesModuleIdRunPostRequest {
   phase: ModulePhase;
-  sourceRepoAuth: GitRepoAuth;
-  targetRepoAuth: GitRepoAuth;
+  sourceRepoAuth?: GitRepoAuth;
+  targetRepoAuth?: GitRepoAuth;
   aapCredentials?: AAPCredentials;
 }

workspaces/x2a/plugins/x2a-backend/src/schema/openapi/generated/router.ts

@@ -447,9 +447,7 @@ export const spec = {
                   }
                 },
                 "required": [
-                  "phase",
-                  "sourceRepoAuth",
-                  "targetRepoAuth"
+                  "phase"
                 ]
               }
             }

workspaces/x2a/plugins/x2a-backend/src/services/JobResourceBuilder.test.ts

@@ -368,6 +368,7 @@ describe('JobResourceBuilder', () => {
   describe('buildJobSecret', () => {
     const jobId = 'job-456';
     const projectId = 'proj-123';
+    const phase = 'init';
     const gitCredentials = {
       sourceRepo: {
         url: 'https://github.com/org/source',
@@ -385,6 +386,7 @@ describe('JobResourceBuilder', () => {
       const secret = JobResourceBuilder.buildJobSecret(
         jobId,
         projectId,
+        phase,
         gitCredentials,
       );
 
@@ -399,6 +401,7 @@ describe('JobResourceBuilder', () => {
       const secret = JobResourceBuilder.buildJobSecret(
         jobId,
         projectId,
+        phase,
         gitCredentials,
       );
 
@@ -413,6 +416,7 @@ describe('JobResourceBuilder', () => {
       const secret = JobResourceBuilder.buildJobSecret(
         jobId,
         projectId,
+        phase,
         gitCredentials,
       );
 
@@ -427,6 +431,7 @@ describe('JobResourceBuilder', () => {
       const secret = JobResourceBuilder.buildJobSecret(
         jobId,
         projectId,
+        phase,
         gitCredentials,
       );
 
@@ -444,16 +449,18 @@ describe('JobResourceBuilder', () => {
       const secret = JobResourceBuilder.buildJobSecret(
         jobId,
         projectId,
+        phase,
         gitCredentials,
       );
 
-      expect(secret.metadata?.name).toBe(`x2a-job-secret-${jobId}`);
+      expect(secret.metadata?.name).toBe(`x2a-job-secret-${phase}-${jobId}`);
     });
 
     it('should include description annotation', () => {
       const secret = JobResourceBuilder.buildJobSecret(
         jobId,
         projectId,
+        phase,
         gitCredentials,
       );
 
@@ -468,6 +475,7 @@ describe('JobResourceBuilder', () => {
       const secret = JobResourceBuilder.buildJobSecret(
         jobId,
         projectId,
+        phase,
         gitCredentials,
       );
 
@@ -646,7 +654,7 @@ describe('JobResourceBuilder', () => {
           },
           {
             secretRef: {
-              name: 'x2a-job-secret-job-123',
+              name: 'x2a-job-secret-init-job-123',
             },
           },
         ]);
@@ -820,7 +828,7 @@ describe('JobResourceBuilder', () => {
 
         const container = job.spec?.template.spec?.containers![0];
         // Script handles unknown phases with exit 1
-        expect(container!.args![0]).toContain('ERROR: Unknown phase');
+        expect(container!.args![0]).toContain('Unknown phase');
       });
     });
   });

workspaces/x2a/plugins/x2a-backend/src/services/JobResourceBuilder.ts

@@ -132,9 +132,8 @@ export class JobResourceBuilder {
    * Builds a Kubernetes Secret for a specific job containing ephemeral Git credentials
    *
    * Note: ownerReferences are NOT set here because the job doesn't exist yet at secret
-   * creation time. The job secret will be cleaned up by Kubernetes TTL after the job
-   * completes (via ttlSecondsAfterFinished setting on the job). For explicit cleanup,
-   * the deleteJobSecret method can be called.
+   * creation time. After job creation, KubeService.createJob() sets the ownerReference
+   * on this secret so it is automatically garbage-collected when the Job is deleted.
    *
    * @param jobId - The job UUID
    * @param projectId - The project UUID
@@ -144,12 +143,13 @@ export class JobResourceBuilder {
   static buildJobSecret(
     jobId: string,
     projectId: string,
+    phase: string,
     gitCredentials: {
       sourceRepo: GitRepo;
       targetRepo: GitRepo;
     },
   ): V1Secret {
-    const secretName = `x2a-job-secret-${jobId}`;
+    const secretName = `x2a-job-secret-${phase}-${jobId}`;
 
     return {
       apiVersion: 'v1',
@@ -196,7 +196,7 @@ export class JobResourceBuilder {
     const shortId = crypto.randomBytes(4).toString('hex');
     const jobName = `job-x2a-${params.phase}-${shortId}`;
     const projectSecretName = `x2a-project-secret-${params.projectId}`;
-    const jobSecretName = `x2a-job-secret-${params.jobId}`;
+    const jobSecretName = `x2a-job-secret-${params.phase}-${params.jobId}`;
 
     return {
       apiVersion: 'batch/v1',
@@ -247,7 +247,9 @@ export class JobResourceBuilder {
           spec: {
             restartPolicy: 'Never',
             // Init container: Clone source and target repositories
-            initContainers: [this.buildGitFetchInitContainer(params.jobId)],
+            initContainers: [
+              this.buildGitFetchInitContainer(params.jobId, params.phase),
+            ],
             containers: [
               {
                 name: 'x2a',
@@ -421,8 +423,11 @@ export class JobResourceBuilder {
    * @param jobId - The job UUID (for secret reference)
    * @returns V1Container for the init container
    */
-  private static buildGitFetchInitContainer(jobId: string): V1Container {
-    const jobSecretName = `x2a-job-secret-${jobId}`;
+  private static buildGitFetchInitContainer(
+    jobId: string,
+    phase: string,
+  ): V1Container {
+    const jobSecretName = `x2a-job-secret-${phase}-${jobId}`;
 
     return {
       name: 'git-fetch',

workspaces/x2a/plugins/x2a-backend/src/services/KubeService.test.ts

@@ -22,6 +22,7 @@ import { X2AConfig } from '../../config';
 const mockCoreV1Api = {
   createNamespacedSecret: jest.fn(),
   readNamespacedSecret: jest.fn(),
+  replaceNamespacedSecret: jest.fn(),
   deleteNamespacedSecret: jest.fn(),
   listNamespacedPod: jest.fn(),
   readNamespacedPodLog: jest.fn(),
@@ -251,6 +252,16 @@ describe('KubeService', () => {
     beforeEach(() => {
       // Mock createProjectSecret and createJobSecret to succeed
       mockCoreV1Api.createNamespacedSecret.mockResolvedValue({});
+      // Mock readNamespacedSecret and replaceNamespacedSecret for ownerReference patching
+      mockCoreV1Api.readNamespacedSecret.mockResolvedValue({
+        apiVersion: 'v1',
+        kind: 'Secret',
+        metadata: {
+          name: 'x2a-job-secret-init-job-123',
+          namespace: 'test-namespace',
+        },
+      });
+      mockCoreV1Api.replaceNamespacedSecret.mockResolvedValue({});
     });
 
     it('should create both project and job secrets before creating job', async () => {
@@ -278,7 +289,7 @@ describe('KubeService', () => {
           namespace: 'test-namespace',
           body: expect.objectContaining({
             metadata: expect.objectContaining({
-              name: 'x2a-job-secret-job-123',
+              name: 'x2a-job-secret-init-job-123',
             }),
             stringData: expect.objectContaining({
               SOURCE_REPO_URL: 'https://github.com/org/source',
@@ -319,7 +330,7 @@ describe('KubeService', () => {
                     name: 'x2a',
                     envFrom: [
                       { secretRef: { name: 'x2a-project-secret-proj-123' } },
-                      { secretRef: { name: 'x2a-job-secret-job-123' } },
+                      { secretRef: { name: 'x2a-job-secret-init-job-123' } },
                     ],
                   }),
                 ]),
@@ -330,6 +341,53 @@ describe('KubeService', () => {
       });
       expect(result.k8sJobName).toBeDefined();
     });
+
+    it('should set ownerReference on job secret after job creation', async () => {
+      mockBatchV1Api.createNamespacedJob.mockResolvedValue({
+        metadata: { name: 'job-x2a-init-abc123', uid: 'uid-456' },
+      });
+
+      await kubeService.createJob(params);
+
+      // Should read the job secret
+      expect(mockCoreV1Api.readNamespacedSecret).toHaveBeenCalledWith({
+        name: 'x2a-job-secret-init-job-123',
+        namespace: 'test-namespace',
+      });
+
+      // Should replace the secret with ownerReference set
+      expect(mockCoreV1Api.replaceNamespacedSecret).toHaveBeenCalled();
+      const replaceCall =
+        mockCoreV1Api.replaceNamespacedSecret.mock.calls[0][0];
+      expect(replaceCall.name).toBe('x2a-job-secret-init-job-123');
+      expect(replaceCall.namespace).toBe('test-namespace');
+      const ownerRefs = replaceCall.body.metadata.ownerReferences;
+      expect(ownerRefs).toHaveLength(1);
+      expect(ownerRefs[0]).toEqual(
+        expect.objectContaining({
+          apiVersion: 'batch/v1',
+          kind: 'Job',
+          uid: 'uid-456',
+          blockOwnerDeletion: true,
+        }),
+      );
+      expect(ownerRefs[0].name).toMatch(/^job-x2a-init-/);
+    });
+
+    it('should succeed even if ownerReference patching fails', async () => {
+      mockBatchV1Api.createNamespacedJob.mockResolvedValue({
+        metadata: { name: 'job-x2a-init-abc123', uid: 'uid-456' },
+      });
+      mockCoreV1Api.readNamespacedSecret.mockRejectedValue(
+        new Error('Secret read failed'),
+      );
+
+      const result = await kubeService.createJob(params);
+
+      // Job creation should still succeed
+      expect(result.k8sJobName).toBeDefined();
+      expect(mockBatchV1Api.createNamespacedJob).toHaveBeenCalled();
+    });
   });
 
   describe('getJobStatus', () => {