fix(controller): use ownerreferences without controller owner relation (#1095)

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

Author: oliverbaehler

controllers/tenant/manager.go

@@ -16,6 +16,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
@@ -31,11 +32,11 @@ type Manager struct {
 func (r *Manager) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&capsulev1beta2.Tenant{}).
-		Owns(&corev1.Namespace{}).
 		Owns(&networkingv1.NetworkPolicy{}).
 		Owns(&corev1.LimitRange{}).
 		Owns(&corev1.ResourceQuota{}).
 		Owns(&rbacv1.RoleBinding{}).
+		Watches(&corev1.Namespace{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &capsulev1beta2.Tenant{})).
 		Complete(r)
 }
 

pkg/webhook/namespace/utils.go renamed to pkg/utils/reference.go

@@ -1,7 +1,7 @@
 // Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
 
-package namespace
+package utils
 
 import (
 	"strings"
@@ -15,7 +15,7 @@ const (
 	ObjectReferenceTenantKind = "Tenant"
 )
 
-func isTenantOwnerReference(or metav1.OwnerReference) bool {
+func IsTenantOwnerReference(or metav1.OwnerReference) bool {
 	parts := strings.Split(or.APIVersion, "/")
 	if len(parts) != 2 {
 		return false

pkg/webhook/namespace/freezed.go

@@ -15,6 +15,7 @@ import (
 
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 	"github.com/projectcapsule/capsule/pkg/configuration"
+	capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 	"github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
@@ -35,7 +36,7 @@ func (r *freezedHandler) OnCreate(client client.Client, decoder admission.Decode
 		}
 
 		for _, objectRef := range ns.ObjectMeta.OwnerReferences {
-			if !isTenantOwnerReference(objectRef) {
+			if !capsuleutils.IsTenantOwnerReference(objectRef) {
 				continue
 			}
 

pkg/webhook/namespace/prefix.go

@@ -16,6 +16,7 @@ import (
 
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 	"github.com/projectcapsule/capsule/pkg/configuration"
+	capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 	"github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
@@ -49,7 +50,7 @@ func (r *prefixHandler) OnCreate(clt client.Client, decoder admission.Decoder, r
 			tnt := &capsulev1beta2.Tenant{}
 
 			for _, or := range ns.ObjectMeta.OwnerReferences {
-				if !isTenantOwnerReference(or) {
+				if !capsuleutils.IsTenantOwnerReference(or) {
 					continue
 				}
 

pkg/webhook/namespace/quota.go

@@ -13,6 +13,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 	"github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
@@ -31,7 +32,7 @@ func (r *quotaHandler) OnCreate(client client.Client, decoder admission.Decoder,
 		}
 
 		for _, objectRef := range ns.ObjectMeta.OwnerReferences {
-			if !isTenantOwnerReference(objectRef) {
+			if !capsuleutils.IsTenantOwnerReference(objectRef) {
 				continue
 			}
 

pkg/webhook/namespace/user_metadata.go

@@ -15,6 +15,7 @@ import (
 
 	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 	"github.com/projectcapsule/capsule/pkg/api"
+	capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 	capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 	"github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
@@ -35,7 +36,7 @@ func (r *userMetadataHandler) OnCreate(client client.Client, decoder admission.D
 		tnt := &capsulev1beta2.Tenant{}
 
 		for _, objectRef := range ns.ObjectMeta.OwnerReferences {
-			if !isTenantOwnerReference(objectRef) {
+			if !capsuleutils.IsTenantOwnerReference(objectRef) {
 				continue
 			}
 
@@ -90,7 +91,7 @@ func (r *userMetadataHandler) OnUpdate(client client.Client, decoder admission.D
 		tnt := &capsulev1beta2.Tenant{}
 
 		for _, objectRef := range newNs.ObjectMeta.OwnerReferences {
-			if !isTenantOwnerReference(objectRef) {
+			if !capsuleutils.IsTenantOwnerReference(objectRef) {
 				continue
 			}
 

pkg/webhook/ownerreference/patching.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
@@ -71,7 +72,21 @@ func (h *handler) OnUpdate(_ client.Client, decoder admission.Decoder, _ record.
 			return &response
 		}
 
-		newNs.OwnerReferences = oldNs.OwnerReferences
+		var refs []metav1.OwnerReference
+
+		for _, ref := range oldNs.OwnerReferences {
+			if capsuleutils.IsTenantOwnerReference(ref) {
+				refs = append(refs, ref)
+			}
+		}
+
+		for _, ref := range newNs.OwnerReferences {
+			if !capsuleutils.IsTenantOwnerReference(ref) {
+				refs = append(refs, ref)
+			}
+		}
+
+		newNs.OwnerReferences = refs
 
 		c, err := json.Marshal(newNs)
 		if err != nil {
@@ -212,7 +227,7 @@ func (h *handler) patchResponseForOwnerRef(tenant *capsulev1beta2.Tenant, ns *co
 		return admission.Errored(http.StatusInternalServerError, err)
 	}
 
-	if err = controllerutil.SetControllerReference(tenant, ns, scheme); err != nil {
+	if err = controllerutil.SetOwnerReference(tenant, ns, scheme); err != nil {
 		recorder.Eventf(tenant, corev1.EventTypeWarning, "Error", "Namespace %s cannot be assigned to the desired Tenant", ns.GetName())
 
 		return admission.Errored(http.StatusInternalServerError, err)