fix: explicitly delete DNSRecordSets when Gateway is deleted

scotwells · claude · scotwells · commit cd4f009be203 · 2026-02-24T14:11:25.000-06:00
Owner reference-based garbage collection doesn't work for DNSRecordSets
because the dns-operator sets itself as the controller owner during
replication. Kubernetes GC only deletes resources when ALL owners are
deleted, so the Gateway's owner reference has no effect.

This adds explicit cleanup in the Gateway finalizer that deletes
DNSRecordSets matching our labels (dns.datumapis.com/source-name,
dns.datumapis.com/source-namespace) when the Gateway is being deleted.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/internal/controller/gateway_controller.go b/internal/controller/gateway_controller.go
@@ -797,6 +797,14 @@ func (r *GatewayReconciler) finalizeGateway(
 ) (result Result) {
 	logger := log.FromContext(ctx)
 	logger.Info("finalizing gateway")
+
+	// Clean up DNS records created by this gateway
+	if r.Config.Gateway.EnableDNSIntegration {
+		if cleanupResult := r.cleanupDNSRecordSets(ctx, upstreamClient, upstreamGateway); cleanupResult.ShouldReturn() {
+			return cleanupResult
+		}
+	}
+
 	// Go through downstream http routes that are attached to the downstream
 	// gateway and remove the parentRef from the status. If it's the last parent
 	// ref, delete the downstream route. If there's a race condition on delete/create,
@@ -870,6 +878,54 @@ func (r *GatewayReconciler) finalizeGateway(
 	return result
 }
 
+// cleanupDNSRecordSets deletes all DNSRecordSet resources that were created by
+// this gateway. This is called during gateway finalization to ensure DNS records
+// are cleaned up when the gateway is deleted, since owner reference-based garbage
+// collection doesn't work (the dns-operator sets itself as the controller owner).
+func (r *GatewayReconciler) cleanupDNSRecordSets(
+	ctx context.Context,
+	upstreamClient client.Client,
+	upstreamGateway *gatewayv1.Gateway,
+) (result Result) {
+	logger := log.FromContext(ctx)
+
+	var recordSetList dnsv1alpha1.DNSRecordSetList
+	if err := upstreamClient.List(ctx, &recordSetList,
+		client.InNamespace(upstreamGateway.Namespace),
+		client.MatchingLabels{
+			labelDNSManaged:    "true",
+			labelManagedBy:     labelManagedByValue,
+			labelDNSSourceKind: KindGateway,
+			labelDNSSourceName: upstreamGateway.Name,
+			labelDNSSourceNS:   upstreamGateway.Namespace,
+		},
+	); err != nil {
+		// If the CRD doesn't exist, there's nothing to clean up
+		if apimeta.IsNoMatchError(err) {
+			return result
+		}
+		result.Err = fmt.Errorf("failed listing DNSRecordSets for cleanup: %w", err)
+		return result
+	}
+
+	for _, rs := range recordSetList.Items {
+		logger.Info("deleting DNSRecordSet during gateway finalization",
+			"name", rs.Name,
+			"hostname", rs.Annotations[annotationDNSHostname],
+		)
+		if err := upstreamClient.Delete(ctx, &rs); err != nil && !apierrors.IsNotFound(err) {
+			result.Err = fmt.Errorf("failed to delete DNSRecordSet %q: %w", rs.Name, err)
+			return result
+		}
+	}
+
+	if len(recordSetList.Items) > 0 {
+		logger.Info("deleted DNSRecordSets during gateway finalization", "count", len(recordSetList.Items))
+	}
+
+	return result
+}
+
 // TODO(jreese) revisit the parameters here to clean them up. It's a bit messy
 // as this function is used against both the upstream and downstream resources.
 func (r *GatewayReconciler) detachHTTPRoutes(
