Type of Change

• New Feature
• Bug Fix
• Documentation
• Performance Improvement
• Test/CI
• Refactor
• Other:

Related Issues

Fixes #145

Summary of Changes

Policy drift detection compared SHA-256 hashes of raw JSON from the Tenant
ConfigMap against live RustFS canned policies. RustFS adds envelope fields
(ID, empty Sid, empty Condition) and may reorder Action arrays when
storing or listing policies, so semantically identical documents produced
different hashes and the Tenant was blocked with PolicyConflict even after
successful provisioning.

This change normalizes policy documents before hashing (strip empty RustFS
fields, sort actions/resources/statements) and treats live policies that match
spec as Ready when status tracking hashes are stale after operator upgrades.

Checklist

• I have read and followed the CONTRIBUTING.md guidelines
• Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
• Added/updated necessary tests
• Documentation updated (if needed)
• CHANGELOG.md updated under [Unreleased] (if user-visible change)
• CI/CD passed (if applicable)

Impact

• Breaking change (CRD/API compatibility)
• Requires doc/config/deployment update
• Other impact:

Verification

make pre-commit
cargo test reconcile::provisioning::tests

Validated on a live cluster: Tenant provisioning moved to Ready after deploy;
policies recreated when deleted from RustFS and reconcile was triggered.

Additional Notes

N/A

Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.