feat: add CAPI cleanup finalizer to NamespaceReservation #572
Merged
Gate namespace GC on CAPI Cluster resource deletion so that CAPI controllers have time to run their own finalizers (which require rosa-creds-secret) before the namespace disappears.

- Register cluster-api v1beta1 scheme in run.go
- Add helpers.DeleteCAPIResources to list/delete Cluster objects
- Add capiCleanupFinalizer to reservations once a namespace is assigned
- handleCAPICleanup blocks deletion and requeues every 10s until all Cluster resources are gone, then removes the finalizer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Handle missing CAPI CRD: treat IsNoMatchError from List as no resources remaining, avoiding error-loops on clusters without CAPI
- Fix finalizer ordering: add finalizer after Status().Update so Status.Namespace is guaranteed to be set whenever the finalizer is present; also add guard in the active case to catch any missed window
- Add 1-hour safety timeout in handleCAPICleanup to unblock deletion if a CAPI Cluster finalizer is permanently stuck
- Move const/timeout declarations above RBAC markers for clarity
- Add unit tests for DeleteCAPIResources covering: no clusters, clusters present, already-terminating clusters, and cross-namespace isolation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Without clusterv1 in the manager scheme, the controller-runtime client can't encode ClusterList, so DeleteCAPIResources errors before reaching the API server and bypasses the IsNoMatchError guard. This caused the expired-reservation test to time out with the finalizer stuck on.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
bsquizz added a commit that referenced this pull request Apr 24, 2026
* fix(rbac): add CAPI cluster RBAC permissions for cleanup finalizer

Add delete/get/list/watch permissions on cluster.x-k8s.io/clusters to support the CAPI cleanup finalizer added in #572.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(test): re-fetch pool inside Eventually before retrying Update

The update loops were retrying with a stale pool object, causing 409 conflict errors on every retry until timeout because the controller continuously bumps the ResourceVersion via status updates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- cluster-api v1beta1 scheme so the controller can list and delete Cluster resources
- helpers.DeleteCAPIResources helper that deletes all Cluster objects in a namespace and reports whether any remain
- capi-cleanup.cloud.redhat.com finalizer to NamespaceReservation once a namespace is assigned
- handleCAPICleanup blocks removal and requeues every 10s until all Cluster resources are fully gone, then releases the finalizer

Why: CAPI controllers need rosa-creds-secret to run their own finalizers when a Cluster is deleted. If the namespace is GC'd before those finalizers complete, the secret disappears and cleanup stalls/fails. This finalizer ensures CAPI gets a clean window to finish before the namespace is released.

Test plan

- Cluster into the reserved namespace
- Terminating until the Cluster resource is fully removed
- Status.Namespace) skip cleanup and delete cleanly
- make pre-push to confirm formatting, vet, and tests pass

🤖 Generated with Claude Code
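
The finalizer gate described above, modelled as a pure decision function. This is an added example, not code from this PR or repository. `decideCleanup`, `Decision` and `errNoMatch` (a stand-in for the IsNoMatchError check) are hypothetical names, and measuring the 1-hour timeout from the deletion timestamp is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	requeueInterval = 10 * time.Second // "requeues every 10s" in the PR text
	cleanupTimeout  = time.Hour        // "1-hour safety timeout" in the PR text
)

// errNoMatch stands in for the "no match for kind" error (CAPI CRD not installed).
var errNoMatch = errors.New("no matches for kind Cluster")

// Decision is what the reconciler should do with a reservation being deleted.
type Decision struct {
	RemoveFinalizer bool
	RequeueAfter    time.Duration
	Reason          string
}

// decideCleanup holds the reservation (and so the namespace and its credentials
// secret) until no Cluster objects remain. list is assumed to issue the deletes
// for namespace ns and return how many Cluster objects still exist.
func decideCleanup(ns string, deletedAt, now time.Time, list func(string) (int, error)) (Decision, error) {
	if ns == "" { // no namespace was ever assigned: nothing to clean
		return Decision{RemoveFinalizer: true, Reason: "no namespace"}, nil
	}
	if now.Sub(deletedAt) > cleanupTimeout { // stuck CAPI finalizer: unblock deletion
		return Decision{RemoveFinalizer: true, Reason: "timeout"}, nil
	}
	remaining, err := list(ns)
	switch {
	case errors.Is(err, errNoMatch): // CRD absent, so no Cluster can exist
		return Decision{RemoveFinalizer: true, Reason: "no CAPI CRD"}, nil
	case err != nil: // any other error: keep the finalizer and retry
		return Decision{}, err
	case remaining > 0:
		return Decision{RequeueAfter: requeueInterval, Reason: "clusters remain"}, nil
	}
	return Decision{RemoveFinalizer: true, Reason: "clean"}, nil
}

func main() {
	t0 := time.Now() // constructed input: two Clusters still present one minute in
	d, _ := decideCleanup("ns-a", t0, t0.Add(time.Minute), func(string) (int, error) { return 2, nil })
	fmt.Println(d.Reason, d.RequeueAfter)
}
```

The timeout branch releases the finalizer while Cluster objects may still exist, so that path is the one worth logging or alerting on.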