fix: owner refs

vknabel · vknabel · commit f7069983aae8 · 2025-03-07T14:41:49.000+01:00
diff --git a/capi-lab/firewall-controller-manager/kustomization.yaml b/capi-lab/firewall-controller-manager/kustomization.yaml
@@ -3,135 +3,132 @@ namespace: capms-system
 namePrefix: capms-
 
 resources:
-- bases/firewall.metal-stack.io_firewalldeployments.yaml
-- bases/firewall.metal-stack.io_firewallmonitors.yaml
-- bases/firewall.metal-stack.io_firewallsets.yaml
-- bases/firewall.metal-stack.io_firewalls.yaml
-- cluster-role-binding.yaml
-- cluster-role.yaml
-- deployment.yaml
-- mutatingwebhookconfiguration.yaml
-- namespace.yaml
-- sa.yaml
-- service.yaml
-- validatingwebhookconfiguration.yaml
-- webhook-certs.yaml
+  - bases/firewall.metal-stack.io_firewalldeployments.yaml
+  - bases/firewall.metal-stack.io_firewallmonitors.yaml
+  - bases/firewall.metal-stack.io_firewallsets.yaml
+  - bases/firewall.metal-stack.io_firewalls.yaml
+  - cluster-role-binding.yaml
+  - cluster-role.yaml
+  - deployment.yaml
+  - mutatingwebhookconfiguration.yaml
+  - namespace.yaml
+  - sa.yaml
+  - service.yaml
+  - validatingwebhookconfiguration.yaml
+  - webhook-certs.yaml
 
 patches:
-- patch: |-
-    apiVersion: apiextensions.k8s.io/v1
-    kind: CustomResourceDefinition
-    metadata:
-      name: firewalls.firewall.metal-stack.io
-      labels:
-        clusterctl.cluster.x-k8s.io/move: ""
-  target:
-    kind: CustomResourceDefinition
-    name: firewalls.firewall.metal-stack.io
+  - patch: |-
+      apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      metadata:
+        name: firewalls.firewall.metal-stack.io
+        labels:
+          clusterctl.cluster.x-k8s.io/move: ""
 
 replacements:
- - source:
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: capms-firewall-controller-manager-webhooks
-     fieldPath: .metadata.namespace
-   targets:
-     - select:
-         kind: ValidatingWebhookConfiguration
-         name: capms-firewall-controller-manager
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 0
-         create: true
+  - source:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: capms-firewall-controller-manager-webhooks
+      fieldPath: .metadata.namespace
+    targets:
+      - select:
+          kind: ValidatingWebhookConfiguration
+          name: capms-firewall-controller-manager
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: "/"
+          index: 0
+          create: true
 
- - source:
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: capms-firewall-controller-manager-webhooks
-     fieldPath: .metadata.name
-   targets:
-     - select:
-         kind: ValidatingWebhookConfiguration
-         name: capms-firewall-controller-manager
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 1
-         create: true
+  - source:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: capms-firewall-controller-manager-webhooks
+      fieldPath: .metadata.name
+    targets:
+      - select:
+          kind: ValidatingWebhookConfiguration
+          name: capms-firewall-controller-manager
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: "/"
+          index: 1
+          create: true
 
- - source:
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: capms-firewall-controller-manager-webhooks
-     fieldPath: .metadata.namespace
-   targets:
-     - select:
-         kind: MutatingWebhookConfiguration
-         name: capms-firewall-controller-manager
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 0
-         create: true
+  - source:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: capms-firewall-controller-manager-webhooks
+      fieldPath: .metadata.namespace
+    targets:
+      - select:
+          kind: MutatingWebhookConfiguration
+          name: capms-firewall-controller-manager
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: "/"
+          index: 0
+          create: true
 
- - source:
-     kind: Certificate
-     group: cert-manager.io
-     version: v1
-     name: capms-firewall-controller-manager-webhooks
-     fieldPath: .metadata.name
-   targets:
-     - select:
-         kind: MutatingWebhookConfiguration
-         name: capms-firewall-controller-manager
-       fieldPaths:
-         - .metadata.annotations.[cert-manager.io/inject-ca-from]
-       options:
-         delimiter: '/'
-         index: 1
-         create: true
+  - source:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: capms-firewall-controller-manager-webhooks
+      fieldPath: .metadata.name
+    targets:
+      - select:
+          kind: MutatingWebhookConfiguration
+          name: capms-firewall-controller-manager
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: "/"
+          index: 1
+          create: true
 
- - source:
-     kind: Service
-     version: v1
-     name: firewall-controller-manager
-     fieldPath: .metadata.name
-   targets:
-     - select:
-         kind: Certificate
-         group: cert-manager.io
-         version: v1
-         name: firewall-controller-manager-webhooks
-       fieldPaths:
-         - .spec.dnsNames.0
-         - .spec.dnsNames.1
-       options:
-         delimiter: '.'
-         index: 0
-         create: true
+  - source:
+      kind: Service
+      version: v1
+      name: firewall-controller-manager
+      fieldPath: .metadata.name
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: firewall-controller-manager-webhooks
+        fieldPaths:
+          - .spec.dnsNames.0
+          - .spec.dnsNames.1
+        options:
+          delimiter: "."
+          index: 0
+          create: true
 
- - source:
-     kind: Service
-     version: v1
-     name: firewall-controller-manager
-     fieldPath: .metadata.namespace
-   targets:
-     - select:
-         kind: Certificate
-         group: cert-manager.io
-         version: v1
-         name: firewall-controller-manager-webhooks
-       fieldPaths:
-         - .spec.dnsNames.0
-         - .spec.dnsNames.1
-       options:
-         delimiter: '.'
-         index: 1
-         create: true
+  - source:
+      kind: Service
+      version: v1
+      name: firewall-controller-manager
+      fieldPath: .metadata.namespace
+    targets:
+      - select:
+          kind: Certificate
+          group: cert-manager.io
+          version: v1
+          name: firewall-controller-manager-webhooks
+        fieldPaths:
+          - .spec.dnsNames.0
+          - .spec.dnsNames.1
+        options:
+          delimiter: "."
+          index: 1
+          create: true
diff --git a/internal/controller/metalstackcluster_controller.go b/internal/controller/metalstackcluster_controller.go
@@ -125,8 +125,10 @@ func (r *MetalStackClusterReconciler) Reconcile(ctx context.Context, req ctrl.Re
 	}
 
 	if annotations.IsPaused(cluster, infraCluster) {
+		// TODO: pause firewalldeployment
 		conditions.MarkTrue(infraCluster, v1alpha1.ClusterPaused)
 	} else {
+		// TODO: unpause firewalldeployment if needed
 		conditions.MarkFalse(infraCluster, v1alpha1.ClusterPaused, clusterv1.PausedV1Beta2Reason, clusterv1.ConditionSeverityInfo, "")
 	}
 
@@ -482,10 +484,15 @@ func (r *clusterReconciler) ensureSshKeyPair(ctx context.Context) (string, error
 		return "", err
 	}
 
+	secret.Type = clusterv1.ClusterSecretType
 	secret.Data = map[string][]byte{
 		"id_rsa":     pem.EncodeToMemory(privateKeyBlock),
 		"id_rsa.pub": ssh.MarshalAuthorizedKey(pubKey),
 	}
+	secret.Labels = map[string]string{
+		clusterv1.ClusterNameLabel: r.cluster.Name,
+	}
+	secret.OwnerReferences = append(secret.OwnerReferences, *metav1.NewControllerRef(r.infraCluster, r.infraCluster.GroupVersionKind()))
 
 	err = r.client.Create(ctx, secret)
 	if err != nil {
@@ -553,6 +560,8 @@ func (r *clusterReconciler) ensureFirewallDeployment(nodeNetworkID, sshPubKey st
 			deploy.Labels = map[string]string{}
 		}
 
+		deploy.Labels[clusterv1.ClusterNameLabel] = r.cluster.Name
+
 		deploy.Spec.Replicas = 1
 		deploy.Spec.Selector = map[string]string{
 			tag.ClusterID: string(r.infraCluster.GetUID()),
@@ -647,6 +656,7 @@ func (r *clusterReconciler) ensureFirewallDeployment(nodeNetworkID, sshPubKey st
 			deploy.Spec.Template.Labels = map[string]string{}
 		}
 		deploy.Spec.Template.Labels[tag.ClusterID] = string(r.infraCluster.GetUID())
+		deploy.Spec.Template.Labels[clusterv1.ClusterNameLabel] = r.cluster.Name
 
 		deploy.Spec.Template.Spec.Size = r.infraCluster.Spec.Firewall.Size
 		deploy.Spec.Template.Spec.Image = r.infraCluster.Spec.Firewall.Image
