Node maintenance finalizer

Author: anton-paulovich

go.mod

@@ -12,9 +12,9 @@ require (
 	k8s.io/api v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/cloud-provider v0.34.1
+	k8s.io/cloud-provider v0.35.0
 	k8s.io/component-base v0.35.0
-	k8s.io/controller-manager v0.34.1
+	k8s.io/controller-manager v0.35.0
 	k8s.io/klog/v2 v2.130.1
 	sigs.k8s.io/cluster-api v1.10.4
 	sigs.k8s.io/controller-runtime v0.23.1
@@ -121,7 +121,7 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	k8s.io/apiextensions-apiserver v0.35.0 // indirect
 	k8s.io/apiserver v0.35.0 // indirect
-	k8s.io/component-helpers v0.34.1 // indirect
+	k8s.io/component-helpers v0.35.0 // indirect
 	k8s.io/kms v0.35.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect

go.sum

@@ -344,14 +344,14 @@ k8s.io/apiserver v0.35.0 h1:CUGo5o+7hW9GcAEF3x3usT3fX4f9r8xmgQeCBDaOgX4=
 k8s.io/apiserver v0.35.0/go.mod h1:QUy1U4+PrzbJaM3XGu2tQ7U9A4udRRo5cyxkFX0GEds=
 k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE=
 k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o=
-k8s.io/cloud-provider v0.34.1 h1:FS+4C1vq9pIngd/5LR5Jha1sEbn+fo0HJitgZmUyBNc=
-k8s.io/cloud-provider v0.34.1/go.mod h1:ghyQYfQIWZAXKNS+TEgEiQ8wPuhzIVt3wFO6rKqS/rQ=
+k8s.io/cloud-provider v0.35.0 h1:syiBCQbKh2gho/S1BkIl006Dc44pV8eAtGZmv5NMe7M=
+k8s.io/cloud-provider v0.35.0/go.mod h1:7grN+/Nt5Hf7tnSGPT3aErt4K7aQpygyCrGpbrQbzNc=
 k8s.io/component-base v0.35.0 h1:+yBrOhzri2S1BVqyVSvcM3PtPyx5GUxCK2tinZz1G94=
 k8s.io/component-base v0.35.0/go.mod h1:85SCX4UCa6SCFt6p3IKAPej7jSnF3L8EbfSyMZayJR0=
-k8s.io/component-helpers v0.34.1 h1:gWhH3CCdwAx5P3oJqZKb4Lg5FYZTWVbdWtOI8n9U4XY=
-k8s.io/component-helpers v0.34.1/go.mod h1:4VgnUH7UA/shuBur+OWoQC0xfb69sy/93ss0ybZqm3c=
-k8s.io/controller-manager v0.34.1 h1:c9Cmun/zF740kmdRQWPGga+4MglT5SlrwsCXDS/KtJI=
-k8s.io/controller-manager v0.34.1/go.mod h1:fGiJDhi3OSzSAB4f40ZkJLAqMQSag9RM+7m5BRhBO3Q=
+k8s.io/component-helpers v0.35.0 h1:wcXv7HJRksgVjM4VlXJ1CNFBpyDHruRI99RrBtrJceA=
+k8s.io/component-helpers v0.35.0/go.mod h1:ahX0m/LTYmu7fL3W8zYiIwnQ/5gT28Ex4o2pymF63Co=
+k8s.io/controller-manager v0.35.0 h1:KteodmfVIRzfZ3RDaxhnHb72rswBxEngvdL9vuZOA9A=
+k8s.io/controller-manager v0.35.0/go.mod h1:1bVuPNUG6/dpWpevsJpXioS0E0SJnZ7I/Wqc9Awyzm4=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.35.0 h1:/x87FED2kDSo66csKtcYCEHsxF/DBlNl7LfJ1fVQs1o=

pkg/cloudprovider/metal/node_maintenance_controller.go

@@ -19,8 +19,11 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	ctrlcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
+const nodeMaintenanceFinalizer = "cloud-provider-metal.ironcore.dev/node-maintenance"
+
 type NodeMaintenanceReconciler struct {
 	metalClient  client.Client
 	targetClient client.Client
@@ -133,6 +136,11 @@ func (r *NodeMaintenanceReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	l = l.WithValues("server-claim-name", serverClaimKey.Name, "server-claim-namespace", serverClaimKey.Namespace)
 
+	if !node.DeletionTimestamp.IsZero() {
+		l.Info("Node is deleting, reconciling delete flow")
+		return r.reconcileDelete(ctx, node, serverClaimKey)
+	}
+
 	serverClaim := &metalv1alpha1.ServerClaim{}
 	if err = r.metalClient.Get(ctx, serverClaimKey, serverClaim); err != nil {
 		if apierrors.IsNotFound(err) {
@@ -151,6 +159,13 @@ func (r *NodeMaintenanceReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	maintenanceRequested := node.Labels[metalv1alpha1.ServerMaintenanceRequestedLabelKey] == TrueStr
 
 	if maintenanceRequested {
+		base := node.DeepCopy()
+		if added := controllerutil.AddFinalizer(node, nodeMaintenanceFinalizer); added {
+			if err = r.targetClient.Patch(ctx, node, client.MergeFrom(base)); err != nil {
+				return fmt.Errorf("unable to add finalizer: %w", err)
+			}
+		}
+
 		serverName := serverClaim.Spec.ServerRef.Name
 
 		if err = r.ensureServerMaintenanceExists(ctx, maintenanceKey, serverName); err != nil {
@@ -161,6 +176,13 @@ func (r *NodeMaintenanceReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		if err = r.ensureServerMaintenanceNotExists(ctx, maintenanceKey); err != nil {
 			return fmt.Errorf("unable to ensure ServerMaintenance CR not exists: %w", err)
 		}
+
+		base := node.DeepCopy()
+		if removed := controllerutil.RemoveFinalizer(node, nodeMaintenanceFinalizer); removed {
+			if err := r.targetClient.Patch(ctx, node, client.MergeFrom(base)); err != nil {
+				return fmt.Errorf("unable to remove finalizer: %w", err)
+			}
+		}
 	}
 
 	maintenanceNeeded := serverClaim.Labels[metalv1alpha1.ServerMaintenanceNeededLabelKey] == TrueStr
@@ -178,22 +200,23 @@ func (r *NodeMaintenanceReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	return nil
 }
 
-func parseProviderID(providerID string) (types.NamespacedName, error) {
-	if providerID == "" {
-		return types.NamespacedName{}, errors.New("empty providerID")
+func (r *NodeMaintenanceReconciler) reconcileDelete(ctx context.Context, node *corev1.Node, serverClaimKey types.NamespacedName) error {
+	if !controllerutil.ContainsFinalizer(node, nodeMaintenanceFinalizer) {
+		return nil
 	}
 
-	provider, rest, ok := strings.Cut(providerID, "://")
-	if !ok || provider == "" {
-		return types.NamespacedName{}, errors.New("missing scheme")
+	if err := r.ensureServerMaintenanceNotExists(ctx, serverClaimKey); err != nil {
+		return fmt.Errorf("unable to cleanup ServerMaintenance: %w", err)
 	}
 
-	parts := strings.Split(rest, "/")
-	if len(parts) != 2 {
-		return types.NamespacedName{}, errors.New("unexpected count of forward slashes")
+	base := node.DeepCopy()
+	if removed := controllerutil.RemoveFinalizer(node, nodeMaintenanceFinalizer); removed {
+		if err := r.targetClient.Patch(ctx, node, client.MergeFrom(base)); err != nil {
+			return fmt.Errorf("unable to remove finalizer: %w", err)
+		}
 	}
 
-	return types.NamespacedName{Namespace: parts[0], Name: parts[1]}, nil
+	return nil
 }
 
 func (r *NodeMaintenanceReconciler) ensureServerMaintenanceExists(ctx context.Context, key types.NamespacedName, serverName string) error {
@@ -267,3 +290,25 @@ func (r *NodeMaintenanceReconciler) syncServerClaimApproval(ctx context.Context,
 
 	return nil
 }
+
+func parseProviderID(providerID string) (types.NamespacedName, error) {
+	if providerID == "" {
+		return types.NamespacedName{}, errors.New("empty providerID")
+	}
+
+	provider, rest, ok := strings.Cut(providerID, "://")
+	if !ok || provider == "" {
+		return types.NamespacedName{}, errors.New("missing scheme")
+	}
+
+	parts := strings.Split(rest, "/")
+	if len(parts) != 2 {
+		return types.NamespacedName{}, errors.New("unexpected count of forward slashes")
+	}
+
+	if parts[0] == "" || parts[1] == "" {
+		return types.NamespacedName{}, errors.New("missing namespace or name")
+	}
+
+	return types.NamespacedName{Namespace: parts[0], Name: parts[1]}, nil
+}

pkg/cloudprovider/metal/node_maintenance_controller_test.go

@@ -68,7 +68,9 @@ var _ = Describe("NodeMaintenanceReconciler", func() {
 			},
 		}
 		Expect(k8sClient.Create(ctx, node)).To(Succeed())
-		DeferCleanup(k8sClient.Delete, node)
+		DeferCleanup(func(ctx SpecContext) error {
+			return client.IgnoreNotFound(k8sClient.Delete(ctx, node))
+		})
 
 		originalNode := node.DeepCopy()
 		node.Spec.ProviderID = fmt.Sprintf("metal://%s/%s", serverClaim.Namespace, serverClaim.Name)
@@ -100,6 +102,9 @@ var _ = Describe("NodeMaintenanceReconciler", func() {
 			Expect(maintenanceCR.Spec.Priority).To(Equal(int32(100)))
 			Expect(maintenanceCR.Spec.ServerRef).NotTo(BeNil())
 			Expect(maintenanceCR.Spec.ServerRef.Name).To(Equal(serverClaim.Spec.ServerRef.Name))
+
+			By("Verifying the finalizer is added to the Node")
+			Eventually(Object(node)).Should(HaveField("Finalizers", ContainElement(nodeMaintenanceFinalizer)))
 		})
 
 		It("should do nothing if ServerMaintenance CR already exists (idempotency)", func(ctx SpecContext) {
@@ -110,6 +115,7 @@ var _ = Describe("NodeMaintenanceReconciler", func() {
 					Labels: map[string]string{
 						"test-marker": "do-not-overwrite",
 					},
+					Finalizers: []string{nodeMaintenanceFinalizer},
 				},
 				Spec: metalv1alpha1.ServerMaintenanceSpec{
 					Policy:   metalv1alpha1.ServerMaintenancePolicyOwnerApproval,
@@ -136,6 +142,9 @@ var _ = Describe("NodeMaintenanceReconciler", func() {
 				g.Expect(err).NotTo(HaveOccurred())
 				g.Expect(checkCR.Labels).To(HaveKeyWithValue("test-marker", "do-not-overwrite"))
 			}).Should(Succeed())
+
+			By("Verifying the finalizer is present in the Node")
+			Consistently(Object(node)).Should(HaveField("Finalizers", ContainElement(nodeMaintenanceFinalizer)))
 		})
 
 		It("should delete the ServerMaintenance CR when the maintenance-requested label is removed", func(ctx SpecContext) {
@@ -166,6 +175,9 @@ var _ = Describe("NodeMaintenanceReconciler", func() {
 				g.Expect(err).To(HaveOccurred())
 				g.Expect(apierrors.IsNotFound(err)).To(BeTrue())
 			}).Should(Succeed())
+
+			By("Verifying the finalizer is removed from the Node")
+			Eventually(Object(node)).ShouldNot(HaveField("Finalizers", ContainElement(nodeMaintenanceFinalizer)))
 		})
 
 		It("should do nothing if the label is absent and CR does not exist (idempotency)", func(ctx SpecContext) {
@@ -187,6 +199,47 @@ var _ = Describe("NodeMaintenanceReconciler", func() {
 				g.Expect(err).To(HaveOccurred())
 				g.Expect(apierrors.IsNotFound(err)).To(BeTrue())
 			}).Should(Succeed())
+
+			Consistently(Object(node)).ShouldNot(HaveField("Finalizers", ContainElement(nodeMaintenanceFinalizer)))
+		})
+
+		It("should handle Node deletion by cleaning up the CR and removing the finalizer", func(ctx SpecContext) {
+			By("Triggering maintenance to create CR and add finalizer")
+			originalNode := node.DeepCopy()
+			if node.Labels == nil {
+				node.Labels = make(map[string]string)
+			}
+			node.Labels[metalv1alpha1.ServerMaintenanceRequestedLabelKey] = TrueStr
+			Expect(k8sClient.Patch(ctx, node, client.MergeFrom(originalNode))).To(Succeed())
+
+			maintenanceKey := client.ObjectKey{
+				Namespace: serverClaim.Namespace,
+				Name:      serverClaim.Name,
+			}
+			maintenanceCR := &metalv1alpha1.ServerMaintenance{}
+
+			Eventually(func(g Gomega) {
+				err := k8sClient.Get(ctx, maintenanceKey, maintenanceCR)
+				g.Expect(err).NotTo(HaveOccurred())
+			}).Should(Succeed())
+			Eventually(Object(node)).Should(HaveField("Finalizers", ContainElement(nodeMaintenanceFinalizer)))
+
+			By("Deleting the Node")
+			Expect(k8sClient.Delete(ctx, node)).To(Succeed())
+
+			By("Verifying the ServerMaintenance CR is deleted first")
+			Eventually(func(g Gomega) {
+				err := k8sClient.Get(ctx, maintenanceKey, maintenanceCR)
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(apierrors.IsNotFound(err)).To(BeTrue())
+			}).Should(Succeed())
+
+			By("Verifying the Node is completely deleted (finalizer was removed)")
+			Eventually(func(g Gomega) {
+				err := k8sClient.Get(ctx, client.ObjectKeyFromObject(node), &corev1.Node{})
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(apierrors.IsNotFound(err)).To(BeTrue())
+			}).Should(Succeed())
 		})
 	})
 
@@ -272,5 +325,8 @@ var _ = Describe("parseProviderID", func() {
 		Entry("missing provider before scheme", "://default/node-1", types.NamespacedName{}, true),
 		Entry("missing namespace or name (no slash)", "metal://node-1", types.NamespacedName{}, true),
 		Entry("too many slashes", "metal://default/node-1/extra", types.NamespacedName{}, true),
+		Entry("empty namespace", "metal:///name", types.NamespacedName{}, true),
+		Entry("empty name", "metal://namespace/", types.NamespacedName{}, true),
+		Entry("empty name and namespace", "metal:///", types.NamespacedName{}, true),
 	)
 })