ADR: Management Policies for Resource Lifecycle Control
- Status: Approved
- Date: 2026-01-19
- Updated: 2026-03-08
- Decision Makers: Entigo RnD Team
Context
Entigo Platform synchronizes resources between a control plane and workspace clusters. Resources can enter the platform from two directions:
- Top-down (full management): Resources defined in the control plane and provisioned to workspaces
- Bottom-up (observation): Resources created directly in the workspace (via GitOps, Helm, etc.) and mirrored to the control plane for visibility
The platform needs a mechanism to declare and enforce which direction applies to each resource, determining the source of truth and allowable operations.
Problem Statement
Without explicit policy:
- The platform cannot determine whether to overwrite a resource in the workspace or preserve it
- Users have no way to indicate "this resource is managed elsewhere, just observe it"
- Cloud resources could be accidentally deleted if the platform assumes full ownership of externally created resources
Decision
Management Policy Label
Use the label entigo.com/management-policy to instruct the platform on how to manage each resource.
| Value | Source of Truth | Platform Behavior |
|---|---|---|
full (default, implicit) | Control Plane | Full lifecycle: create, update, delete |
observed | Workspace | Read-only: mirror spec and status to control plane |
Key design choice:
fullis the default at the control plane level. The label does not need to be explicitly set for fully managed resources at the control plane. When a resource is synced to the workspace from the control plane, thefulllable is set at workspace resources.observedis the default at the workspace level. If the lable is not explicitly set tofull,observedmanagement policy is assumed and the resource status will be mirrored to the control plane.
The management policy is a Kubernetes-only concept — it is not propagated to cloud resource tags. See Cloud Resource Tagging ADR for the cloud tagging strategy.
Syncer Agent Responsibilities
The Syncer agent is responsible for labeling resources when the label is not already set:
- Full management: Set
entigo.com/management-policy=fullon the managed resource in the Workspace (making it explicit at the workspace level for other tools to see) - Observation: Set
entigo.com/management-policy=observedon the resource in the Platform that originate from the workspace
Status Matrix
Label in the Workspace takes precedence over a label set to a resource in the Platform.
| Platform resource label | Workspace resource label | Behaviour | Notes |
|---|---|---|---|
| any | management-policy=full | full | Workspace explicitly requests full management |
| any | management-policy=observed | observe | Workspace explicitly requests observe only |
| any | No label (steady-state) | observe | After migration: unlabeled resources default to observe |
| management-policy=full | none (doesn't exist) | full | Platform provisions resource with full management |
| no label | none (doesn't exist) | full | Platform provisions resource with full management |
| management-policy=observed | none (doesn't exist) | orphaned | Platform expects resource but it doesn't exist; don't provision |
Alternatives Considered
Alternative 1: Boolean managed Flag
Approach: A simple boolean label entigo.com/managed: true|false.
Pros:
- Simpler — binary choice
Cons:
- Does not express directionality (who is source of truth)
falseis ambiguous — does it mean "ignore" or "observe"?
Rejected: We need to distinguish between "fully managed by the platform" and "observed but managed elsewhere."
Consequences
Positive
- Clear ownership — Each resource has an unambiguous source of truth
- Safe observation — Observed resources cannot be accidentally modified or deleted through the platform control plane
- Infralib upgrade path — Customers can upgrade form OSS Infralib environment to full Platform without having to redeploy
Negative
- Migration complexity — Transitioning a resource from
observedtofullrequires careful coordination (remove observed tag, ensure platform has the correct desired state) - Orphaned state — If a resource is marked as
observedat the platform level but doesn't exist in the workspace, it enters an orphaned state that requires manual resolution