Merge pull request #1286 from dprince/webhook_cleanup

openshift-merge-bot[bot] · web-flow · commit e523d7afe995 · 2025-02-04T23:14:54.000Z
webhook cleanup on init resource delete
diff --git a/controllers/operator/openstack_controller.go b/controllers/operator/openstack_controller.go
@@ -138,7 +138,7 @@ func (r *OpenStackReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return ctrl.Result{}, err
 	}
 
-	versionHelper, err := helper.NewHelper(
+	openstackHelper, err := helper.NewHelper(
 		instance,
 		r.Client,
 		r.Kclient,
@@ -177,13 +177,18 @@ func (r *OpenStackReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		condition.RestoreLastTransitionTimes(
 			&instance.Status.Conditions, savedConditions)
 
-		err := versionHelper.PatchInstance(ctx, instance)
+		err := openstackHelper.PatchInstance(ctx, instance)
 		if err != nil {
 			_err = err
 			return
 		}
 	}()
 
+	// If we're not deleting this and the object doesn't have our finalizer, add it.
+	if instance.DeletionTimestamp.IsZero() && controllerutil.AddFinalizer(instance, openstackHelper.GetFinalizer()) || isNewInstance {
+		return ctrl.Result{}, err
+	}
+
 	cl := condition.CreateList(
 		condition.UnknownCondition(operatorv1beta1.OpenStackOperatorReadyCondition, condition.InitReason, string(operatorv1beta1.OpenStackOperatorReadyInitMessage)),
 	)
@@ -219,6 +224,10 @@ func (r *OpenStackReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		}
 	}
 
+	if !instance.DeletionTimestamp.IsZero() {
+		return r.reconcileDelete(ctx, instance, openstackHelper)
+	}
+
 	// TODO: cleanup obsolete resources here (remove old CSVs, etc)
 	/*
 	   if err := r.cleanupObsoleteResources(ctx); err != nil {
@@ -262,6 +271,47 @@ func (r *OpenStackReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 
 }
 
+func (r *OpenStackReconciler) reconcileDelete(ctx context.Context, instance *operatorv1beta1.OpenStack, helper *helper.Helper) (ctrl.Result, error) {
+	Log := r.GetLogger(ctx)
+	Log.Info("Reconciling OpenStack initialization resource delete")
+
+	// validating webhook cleanup
+	valWebhooks, err := r.Kclient.AdmissionregistrationV1().ValidatingWebhookConfigurations().List(ctx, metav1.ListOptions{
+		LabelSelector: "openstack.openstack.org/managed=true",
+	})
+	if err != nil {
+		return ctrl.Result{}, errors.Wrap(err, "failed listing validating webhook configurations")
+	}
+	for _, webhook := range valWebhooks.Items {
+		err := r.Kclient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(ctx, webhook.Name, metav1.DeleteOptions{})
+		if err != nil {
+			return ctrl.Result{}, errors.Wrap(err, "failed to cleanup webhook")
+		}
+		fmt.Println("Found ValidatingWebhookConfiguration:", webhook.Name)
+
+	}
+
+	// mutating webhook cleanup
+	mutWebhooks, err := r.Kclient.AdmissionregistrationV1().MutatingWebhookConfigurations().List(ctx, metav1.ListOptions{
+		LabelSelector: "openstack.openstack.org/managed=true",
+	})
+	if err != nil {
+		return ctrl.Result{}, errors.Wrap(err, "failed listing validating webhook configurations")
+	}
+	for _, webhook := range mutWebhooks.Items {
+		err := r.Kclient.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(ctx, webhook.Name, metav1.DeleteOptions{})
+		if err != nil {
+			return ctrl.Result{}, errors.Wrap(err, "failed to cleanup webhook")
+		}
+		fmt.Println("Found MutatingWebhookConfiguration:", webhook.Name)
+
+	}
+
+	controllerutil.RemoveFinalizer(instance, helper.GetFinalizer())
+
+	return ctrl.Result{}, nil
+}
+
 // countDeployments -
 func (r *OpenStackReconciler) countDeployments(ctx context.Context, instance *operatorv1beta1.OpenStack) (int, error) {
 	deployments := &appsv1.DeploymentList{}
@@ -308,7 +358,7 @@ func (r *OpenStackReconciler) applyCRDs(ctx context.Context, instance *operatorv
 func (r *OpenStackReconciler) applyRBAC(ctx context.Context, instance *operatorv1beta1.OpenStack) error {
 	data := bindata.MakeRenderData()
 	data.Data["OperatorNamespace"] = instance.Namespace
-	return r.renderAndApply(ctx, instance, data, "rbac", false)
+	return r.renderAndApply(ctx, instance, data, "rbac", true)
 }
 
 func (r *OpenStackReconciler) applyOperator(ctx context.Context, instance *operatorv1beta1.OpenStack) error {
diff --git a/pkg/operator/bindata/merge.go b/pkg/operator/bindata/merge.go
@@ -198,6 +198,12 @@ func mergeLabels(current, updated *uns.Unstructured) {
 	if gvk.Group == "apiextensions.k8s.io" && gvk.Kind == "CustomResourceDefinition" {
 		curLabels["openstack.openstack.org/crd"] = ""
 	}
+	// Validating/Mutating webhooks aren't namespaced meaning we can't own them directly
+	// via the initialization resource. This adds a custom label so that at least we
+	// can identify them for cleanup via a finalizer
+	if gvk.Group == "admissionregistration.k8s.io" && (gvk.Kind == "MutatingWebhookConfiguration" || gvk.Kind == "ValidatingWebhookConfiguration") {
+		curLabels["openstack.openstack.org/managed"] = "true"
+	}
 
 	updated.SetLabels(curLabels)
 }

Original file line number	Diff line number	Diff line change
`@@ -198,6 +198,12 @@ func mergeLabels(current, updated *uns.Unstructured) {`
`198`	`198`	`if gvk.Group == "apiextensions.k8s.io" && gvk.Kind == "CustomResourceDefinition" {`
`199`	`199`	`curLabels["openstack.openstack.org/crd"] = ""`
`200`	`200`	`}`
	`201`	`+ // Validating/Mutating webhooks aren't namespaced meaning we can't own them directly`
	`202`	`+ // via the initialization resource. This adds a custom label so that at least we`
	`203`	`+ // can identify them for cleanup via a finalizer`
	`204`	`+ if gvk.Group == "admissionregistration.k8s.io" && (gvk.Kind == "MutatingWebhookConfiguration" \|\| gvk.Kind == "ValidatingWebhookConfiguration") {`
	`205`	`+ curLabels["openstack.openstack.org/managed"] = "true"`
	`206`	`+ }`
`201`	`207`
`202`	`208`	`updated.SetLabels(curLabels)`
`203`	`209`	`}`