Merge pull request #78 from weaveworks/allow-secret-retention

Allow removal when referenced secret exists.
weaveworks · Nov 9, 2023 · c4afe68 · c4afe68
2 parents de46e39 + b19afc5
commit c4afe68
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 13 deletions.
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ VERSION ?= 0.0.1
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.23
+ENVTEST_K8S_VERSION = 1.27
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/gitops.weave.works_gitopsclusters.yaml b/config/crd/bases/gitops.weave.works_gitopsclusters.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: gitopsclusters.gitops.weave.works
 spec:
   group: gitops.weave.works

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:

diff --git a/controllers/gitopscluster_controller.go b/controllers/gitopscluster_controller.go
@@ -43,13 +43,18 @@ import (
 )
 
 // GitOpsClusterFinalizer is the finalizer key used to detect when we need to
-// finalize a GitOps cluster.
+// finalize a Gitops cluster.
 const GitOpsClusterFinalizer = "clusters.gitops.weave.works"
 
-// GitOpsClusterProvisionedAnnotation if applied to a GitOpsCluster indicates
+// GitOpsClusterProvisionedAnnotation if applied to a GitopsCluster indicates
 // that it should have a ready Provisioned condition.
 const GitOpsClusterProvisionedAnnotation = "clusters.gitops.weave.works/provisioned"
 
+// GitOpsClusterNoSecretFinalizerAnnotation if applied to a GitopsCluster
+// indicates that we should not wait for the secret to be removed before
+// allowing the cluster to be removed.
+const GitOpsClusterNoSecretFinalizerAnnotation = "clusters.gitops.weave.works/no-secret-finalizer"
+
 const (
 	// SecretNameIndexKey is the key used for indexing secret
 	// resources based on their name.
@@ -129,7 +134,8 @@ func (r *GitopsClusterReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 
 	// examine DeletionTimestamp to determine if object is under deletion
 	if cluster.ObjectMeta.DeletionTimestamp.IsZero() {
-		if cluster.Spec.SecretRef != nil || cluster.Spec.CAPIClusterRef != nil {
+		hasSkipFinalizer := metav1.HasAnnotation(cluster.ObjectMeta, GitOpsClusterNoSecretFinalizerAnnotation)
+		if (cluster.Spec.SecretRef != nil || cluster.Spec.CAPIClusterRef != nil) && !hasSkipFinalizer {
 			if !controllerutil.ContainsFinalizer(cluster, GitOpsClusterFinalizer) {
 				controllerutil.AddFinalizer(cluster, GitOpsClusterFinalizer)
 				if err := r.Update(ctx, cluster); err != nil {

diff --git a/controllers/gitopscluster_controller_test.go b/controllers/gitopscluster_controller_test.go
@@ -457,6 +457,22 @@ func TestFinalizers(t *testing.T) {
 				map[string][]byte{"value": []byte("test")})},
 			true,
 		},
+		{
+			"cluster referencing secret - but no-secret-finalization annotation",
+			makeTestCluster(func(c *gitopsv1alpha1.GitopsCluster) {
+				c.ObjectMeta.Namespace = "test-ns"
+				c.ObjectMeta.Annotations = map[string]string{
+					controllers.GitOpsClusterNoSecretFinalizerAnnotation: "true",
+				}
+				c.Spec.SecretRef = &meta.LocalObjectReference{
+					Name: "test-cluster",
+				}
+			}),
+			[]runtime.Object{makeTestSecret(types.NamespacedName{Name: "test-cluster", Namespace: "test-ns"},
+				map[string][]byte{"value": []byte("test")})},
+			false,
+		},
+
 		{
 			"deleted gitops cluster",
 			makeTestCluster(func(c *gitopsv1alpha1.GitopsCluster) {
@@ -489,11 +505,9 @@ func TestFinalizers(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			if tt.wantFinalizer {
-				updated := testGetGitopsCluster(t, r.Client, client.ObjectKeyFromObject(tt.gitopsCluster))
-				if !controllerutil.ContainsFinalizer(updated, controllers.GitOpsClusterFinalizer) {
-					t.Fatal("cluster HasFinalizer got false, want true")
-				}
+			updated := testGetGitopsCluster(t, r.Client, client.ObjectKeyFromObject(tt.gitopsCluster))
+			if v := controllerutil.ContainsFinalizer(updated, controllers.GitOpsClusterFinalizer); v != tt.wantFinalizer {
+				t.Fatalf("cluster HasFinalizer got %v, want %v", v, tt.wantFinalizer)
 			}
 		})
 	}