refactor: consolidate reference tracking with Tracker in deployer

[Ankitsinghsisodya]

Fixes #3678

Note: Re-submission of #3687, accidentally closed when the head repository was deleted.

What

Fixes the three code smells called out in #3678 by introducing a Tracker struct (shape b from the issue) that owns the three reference sets and accumulates them via receiver methods.

Changes

pkg/k8s/deployer.go

• Add References struct holding Secrets, ConfigMaps, PVCs as sets.Set[string] values
• Add Tracker struct embedding References and NewTracker() constructor
• Convert ProcessEnvs, ProcessVolumes, createEnvFromSource, createEnvVarSource from free functions with *sets.Set[string] out-parameters to *Tracker methods
• Update generateDeployment to accept *Tracker instead of three pointer parameters
• Update CheckResourcesArePresent to accept References by value

pkg/knative/deployer.go

• Update generateNewService signature to accept *k8s.Tracker
• Remove now-unused sets import

pkg/k8s/deployer_test.go / pkg/knative/deployer_test.go

• Replace three-variable sets.New[string]() + pointer passing with NewTracker() in all affected tests

Why shape (b) — Tracker receiver

• Structurally prevents the bug class from fix: apply resource validation to first-deploy path in k8s and keda deployers #3671: with a single Tracker receiver there is nothing to disconnect
• Eliminates the pointer-to-map double-indirection
• One argument instead of three at every call site

Behavior

No behavior changes. This is a pure shape refactor.

Test plan

• go test ./pkg/k8s/ ./pkg/knative/ — both pass
• make check — 0 lint issues
• make test — all pre-existing unit tests pass

[knative-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Ankitsinghsisodya
Once this PR has been reviewed and has the lgtm label, please assign dprotaso for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[knative-prow]

Hi @Ankitsinghsisodya. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR refactors how referenced Kubernetes resources (Secrets/ConfigMaps/PVCs) are tracked during manifest generation by introducing a References tracker struct, and wires it through Knative and Kubernetes deployer paths to ensure referenced-resource validation runs correctly.

Changes:

• Introduce k8s.References + NewReferences() and migrate env/volume processing to tracker methods.
• Update deploy flows to validate referenced resources using the tracker rather than separate caller-allocated sets.
• Update regression tests to verify the tracker is populated as expected.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.

File	Description
pkg/knative/deployer_test.go	Updates regression test to use the new k8s.References tracker.
pkg/knative/deployer.go	Switches Knative deployer resource tracking/validation to k8s.References.
pkg/k8s/deployer_test.go	Updates Kubernetes deployer tests to pass References tracker into generation.
pkg/k8s/deployer.go	Adds References type, converts env/volume processing to methods, and updates validation API.

Comments suppressed due to low confidence (2)

pkg/k8s/deployer.go:654

• The env var is appended before checking err. While the function returns on error (so the slice isn't used), this ordering is easy to misread and can cause accidental use of a nil/invalid ValueFrom if the control flow changes later. Prefer checking err before appending to envVars.

					valueFrom, err := t.createEnvVarSource(slices)
					envVars = append(envVars, corev1.EnvVar{Name: *env.Name, ValueFrom: valueFrom})
					if err != nil {
						return nil, nil, err
					}

pkg/k8s/deployer.go:518

• On Forbidden, the message does not include which secret was being accessed (nor the namespace), which makes troubleshooting harder when multiple secrets are referenced. Consider including the secret name (and namespace) in the forbidden branch as well.

			if errors.IsForbidden(err) {
				errMsg += " Ensure that the service account has the necessary permissions to access the secret.\n"
			} else {
				errMsg += fmt.Sprintf("  referenced Secret \"%s\" is not present in namespace \"%s\"\n", s, namespace)
			}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 90.19608% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.45%. Comparing base (ec38d52) to head (5b734f4).

Files with missing lines	Patch %	Lines
pkg/k8s/deployer.go	89.74%	2 Missing and 2 partials ⚠️
pkg/knative/deployer.go	91.66%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3830   +/-   ##
=======================================
  Coverage   53.44%   53.45%           
=======================================
  Files         200      200           
  Lines       23450    23447    -3     
=======================================
  Hits        12533    12533           
+ Misses       9662     9661    -1     
+ Partials     1255     1253    -2     

Flag	Coverage Δ
e2e	33.70% <86.27%> (-0.02%)	⬇️
e2e go	29.68% <28.00%> (+0.02%)	⬆️
e2e node	25.98% <28.00%> (+0.02%)	⬆️
e2e python	30.02% <28.00%> (+0.02%)	⬆️
e2e quarkus	26.09% <28.00%> (+0.02%)	⬆️
e2e rust	25.56% <28.00%> (+0.02%)	⬆️
e2e springboot	24.17% <28.00%> (-0.04%)	⬇️
e2e typescript	26.08% <28.00%> (+0.02%)	⬆️
e2e-config-ci	26.80% <28.00%> (+0.02%)	⬆️
integration	15.76% <82.00%> (-0.01%)	⬇️
unit macos-14	42.26% <26.00%> (+0.03%)	⬆️
unit macos-latest	42.26% <26.00%> (+0.03%)	⬆️
unit ubuntu-24.04-arm	42.55% <27.45%> (+0.02%)	⬆️
unit ubuntu-latest	43.12% <26.00%> (+0.03%)	⬆️
unit windows-latest	42.33% <26.00%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.