fix: owner references and clusterctl annotations

This should enable moves. Though they still result in a firewall roll.

Author: vknabel

capi-lab/firewall-controller-manager/kustomization.yaml

@@ -2,6 +2,13 @@
 namespace: capms-system
 namePrefix: capms-
 
+labels:
+  - includeSelectors: false
+    pairs:
+      cluster.x-k8s.io/v1beta1: v1alpha1
+      # TODO this only needs to be set because we currently do not install everything using clusterctl
+      clusterctl.cluster.x-k8s.io: ""
+
 resources:
   - bases/firewall.metal-stack.io_firewalldeployments.yaml
   - bases/firewall.metal-stack.io_firewallmonitors.yaml

internal/controller/metalstackcluster_controller.go

@@ -492,7 +492,7 @@ func (r *clusterReconciler) ensureSshKeyPair(ctx context.Context) (string, error
 	secret.Labels = map[string]string{
 		clusterv1.ClusterNameLabel: r.cluster.Name,
 	}
-	secret.OwnerReferences = append(secret.OwnerReferences, *metav1.NewControllerRef(r.infraCluster, r.infraCluster.GroupVersionKind()))
+	secret.OwnerReferences = r.ownerReferences()
 
 	err = r.client.Create(ctx, secret)
 	if err != nil {
@@ -561,6 +561,7 @@ func (r *clusterReconciler) ensureFirewallDeployment(nodeNetworkID, sshPubKey st
 		}
 
 		deploy.Labels[clusterv1.ClusterNameLabel] = r.cluster.Name
+		deploy.OwnerReferences = r.ownerReferences()
 
 		deploy.Spec.Replicas = 1
 		deploy.Spec.Selector = map[string]string{
@@ -720,3 +721,9 @@ func (r *clusterReconciler) deleteFirewallDeployment() error {
 
 	return errors.New("firewall deployment is still ongoing")
 }
+
+func (r *clusterReconciler) ownerReferences() []metav1.OwnerReference {
+	return []metav1.OwnerReference{
+		*metav1.NewControllerRef(r.infraCluster, r.infraCluster.GroupVersionKind()),
+	}
+}