Resource removal in OBC deletion

shirady · shirady · commit a8fa7f25ff99 · 2026-02-26T13:16:51.000+02:00
Signed-off-by: shirady &lt;57721533+shirady@users.noreply.github.com&gt;
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -259,6 +259,16 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - objectbucket.io
+  resources:
+  - objectbuckets
+  verbs:
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - ocs.openshift.io
   resources:
diff --git a/internal/controller/obc_controller.go b/internal/controller/obc_controller.go
@@ -10,6 +10,7 @@ import (
 	"github.com/red-hat-storage/ocs-client-operator/api/v1alpha1"
 	"github.com/red-hat-storage/ocs-client-operator/pkg/utils"
 	providerClient "github.com/red-hat-storage/ocs-operator/services/provider/api/v4/client"
+	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,8 +26,9 @@ import (
 )
 
 const (
-	operatorObcFinalizer               = "ocs-client-operator.ocs.openshift.io/obc"
+	ObcFinalizer                       = nbv1.ObjectBucketFinalizer
 	ObjectBucketClaimStatusPhaseFailed = "Failed"
+	ObjectBucketClaimStatusPhaseBound  = "Bound"
 )
 
 // OBCReconciler reconciles a ObjectBucketClaim object
@@ -66,8 +68,11 @@ func (r *OBCReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 //+kubebuilder:rbac:groups=objectbucket.io,resources=objectbucketclaims,verbs=get;list;watch;update
 //+kubebuilder:rbac:groups=objectbucket.io,resources=objectbucketclaims/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=objectbucket.io,resources=objectbuckets,verbs=get;list;watch;update;delete
 //+kubebuilder:rbac:groups=ocs.openshift.io,resources=storageclients,verbs=get
 //+kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;update
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;update
 
 func (r *OBCReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	r.ctx = ctx
@@ -97,8 +102,20 @@ func (r *OBCReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.R
 			r.log.Error(err, "failed to notify provider of OBC deletion", "namespaced/name", client.ObjectKeyFromObject(obc))
 			return reconcile.Result{}, fmt.Errorf("failed to delete the OBC on provider cluster: %v", err)
 		}
-		if controllerutil.RemoveFinalizer(obc, operatorObcFinalizer) {
-			r.log.Info("removing finalizer from OBC.", "namespaced/name", client.ObjectKeyFromObject(obc))
+		if obc.Status.Phase == ObjectBucketClaimStatusPhaseBound {
+			r.log.Info("OBC is Bound - release resources", "namespaced/name", client.ObjectKeyFromObject(obc))
+			ob, cm, secret, errs := r.getResources(obc)
+			if len(errs) > 0 {
+				r.log.Error(errs[0], "failed to get related resources for OBC delete")
+				return reconcile.Result{}, fmt.Errorf("failed to get related resources for OBC delete: %v", errs)
+			}
+			if err := r.deleteResources(ob, cm, secret, obc); err != nil {
+				r.log.Error(err, "failed to delete resources for OBC delete")
+				return reconcile.Result{}, fmt.Errorf("failed to delete resources for OBC delete: %v", err)
+			}
+		}
+		if controllerutil.RemoveFinalizer(obc, ObcFinalizer) {
+			r.log.Info("removing finalizer from OBC", "namespaced/name", client.ObjectKeyFromObject(obc))
 			if err := r.Update(r.ctx, obc); err != nil {
 				r.log.Info("Failed to remove finalizer from OBC", "namespaced/name", client.ObjectKeyFromObject(obc))
 				return reconcile.Result{}, fmt.Errorf("failed to remove finalizer from OBC: %v", err)
@@ -108,8 +125,8 @@ func (r *OBCReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.R
 	}
 
 	r.log.Info("OBC created", "namespace", obc.Namespace, "name", obc.Name)
-	if controllerutil.AddFinalizer(obc, operatorObcFinalizer) {
-		r.log.Info("Finalizer not found for OBC. Adding finalizer.", "namespaced/name", client.ObjectKeyFromObject(obc))
+	if controllerutil.AddFinalizer(obc, ObcFinalizer) {
+		r.log.Info("Finalizer not found for OBC. Adding finalizer", "namespaced/name", client.ObjectKeyFromObject(obc))
 		if err := r.Update(r.ctx, obc); err != nil {
 			r.log.Info("Failed to add finalizer to OBC", "namespaced/name", client.ObjectKeyFromObject(obc))
 			return reconcile.Result{}, fmt.Errorf("failed to add finalizer to OBC: %v", err)
@@ -209,3 +226,125 @@ func NewProviderClientForStorageClient(ctx context.Context, sc *v1alpha1.Storage
 	}
 	return pc, nil
 }
+
+// getResources gets the resources that were created as part of the OBC provisioning.
+// The names of the ConfigMap and Secret are always the same as the OBC name.
+// The names of the OB's are of the following format: "obc-<namespace_of_OBC>-<OBC_name>"
+func (r *OBCReconciler) getResources(obc *nbv1.ObjectBucketClaim) (ob *nbv1.ObjectBucket, cm *corev1.ConfigMap, secret *corev1.Secret, errs []error) {
+	obName := fmt.Sprintf("obc-%s-%s", obc.Namespace, obc.Name)
+	ob = &nbv1.ObjectBucket{}
+	if err := r.Get(r.ctx, types.NamespacedName{Name: obName}, ob); err != nil {
+		ob = nil
+		if !errors.IsNotFound(err) {
+			errs = append(errs, fmt.Errorf("failed to get OB: %w", err))
+		}
+	}
+	cm = &corev1.ConfigMap{}
+	if err := r.Get(r.ctx, types.NamespacedName{Namespace: obc.Namespace, Name: obc.Name}, cm); err != nil {
+		cm = nil
+		if !errors.IsNotFound(err) {
+			errs = append(errs, fmt.Errorf("failed to get config map: %w", err))
+		}
+	}
+	secret = &corev1.Secret{}
+	if err := r.Get(r.ctx, types.NamespacedName{Namespace: obc.Namespace, Name: obc.Name}, secret); err != nil {
+		secret = nil
+		if !errors.IsNotFound(err) {
+			errs = append(errs, fmt.Errorf("failed to get secret: %w", err))
+		}
+	}
+	return ob, cm, secret, errs
+}
+
+// deleteResources handles the related resurces that were created as part of the OBC provisioning
+// Since the secret and configmap's ownerReference is the OBC they will be garbage collected once their finalizers are removed.
+// The OB must be explicitly deleted since it is a global resource and cannot have a namespaced ownerReference.
+func (r *OBCReconciler) deleteResources(ob *nbv1.ObjectBucket, cm *corev1.ConfigMap, secret *corev1.Secret, obc *nbv1.ObjectBucketClaim) (err error) {
+
+	if delErr := r.releaseAndDeleteOB(ob); delErr != nil {
+		r.log.Error(delErr, "error deleting OB", ob.Name)
+		err = delErr
+	}
+	if delErr := r.releaseObcSecret(secret); delErr != nil {
+		r.log.Error(delErr, "error releasing secret")
+		err = delErr
+	}
+	if delErr := r.releaseObcConfigMap(cm); delErr != nil {
+		r.log.Error(delErr, "error releasing configMap")
+		err = delErr
+	}
+	return err
+}
+
+// The OB does not have an ownerReference and must be explicitly deleted after its finalizer is removed.
+func (r *OBCReconciler) releaseAndDeleteOB(ob *nbv1.ObjectBucket) error {
+	if ob == nil {
+		r.log.Info("got nil OB, skipping")
+		return nil
+	}
+
+	if controllerutil.RemoveFinalizer(ob, nbv1.ObjectBucketFinalizer) {
+		r.log.Info("removing finalizer from OB", "name", ob.Name)
+		if err := r.Update(r.ctx, ob); err != nil {
+			r.log.Info("Failed to remove finalizer from OB", "name", ob.Name)
+			return fmt.Errorf("failed to remove finalizer from OB: %v", err)
+		}
+	}
+
+	r.log.Info("deleting OB", "name", ob.Name)
+	if err := r.Delete(r.ctx, ob); err != nil {
+		r.log.Info("Failed to delete OB", "name", ob.Name)
+		return fmt.Errorf("failed to delete OB: %v", err)
+	}
+
+	r.log.Info("OB deleted", "name", ob.Name)
+	return nil
+}
+
+// releaseSecret releases the finalizer from the secret.
+// The secret will be garbage collected since its ownerReference refers to the parent OBC.
+func (r *OBCReconciler) releaseObcSecret(secret *corev1.Secret) (err error) {
+	if secret == nil {
+		r.log.Info("got nil secret, skipping")
+		return nil
+	}
+	if err := r.Get(r.ctx, types.NamespacedName{Namespace: secret.Namespace, Name: secret.Name}, secret); err != nil {
+		r.log.Info("Failed to get secret", "namespaced/name", client.ObjectKeyFromObject(secret))
+		return fmt.Errorf("failed to get secret: %v", err)
+	}
+
+	if controllerutil.RemoveFinalizer(secret, nbv1.ObjectBucketFinalizer) {
+		r.log.Info("removing finalizer from secret", "name", secret.Name)
+		if err := r.Update(r.ctx, secret); err != nil {
+			r.log.Info("Failed to remove finalizer from secret", "namespaced/name", client.ObjectKeyFromObject(secret))
+			return fmt.Errorf("failed to remove finalizer from secret: %v", err)
+		}
+	}
+
+	r.log.Info("secret finalizer removed", "namespaced/name", client.ObjectKeyFromObject(secret))
+	return nil
+}
+
+// releaseObcConfigMap releases the finalizer from the configmap.
+// The configmap will be garbage collected since its ownerReference refers to the parent OBC.
+func (r *OBCReconciler) releaseObcConfigMap(cm *corev1.ConfigMap) (err error) {
+	if cm == nil {
+		r.log.Info("got nil configmap, skipping")
+		return nil
+	}
+	if err := r.Get(r.ctx, types.NamespacedName{Namespace: cm.Namespace, Name: cm.Name}, cm); err != nil {
+		r.log.Info("Failed to get configmap", "namespaced/name", client.ObjectKeyFromObject(cm))
+		return fmt.Errorf("failed to get configmap: %v", err)
+	}
+
+	if controllerutil.RemoveFinalizer(cm, nbv1.ObjectBucketFinalizer) {
+		r.log.Info("removing finalizer from configmap", "name", cm.Name)
+		if err := r.Update(r.ctx, cm); err != nil {
+			r.log.Info("Failed to remove finalizer from configmap", "namespaced/name", client.ObjectKeyFromObject(cm))
+			return fmt.Errorf("failed to remove finalizer from configmap: %v", err)
+		}
+	}
+
+	r.log.Info("configmap finalizer removed", "namespaced/name", client.ObjectKeyFromObject(cm))
+	return nil
+}
