Skip to content

feat(natscluster): block deletion while accounts are bound#290

Merged
henriropp merged 11 commits into
mainfrom
feat/block-natscluster-deletion
May 12, 2026
Merged

feat(natscluster): block deletion while accounts are bound#290
henriropp merged 11 commits into
mainfrom
feat/block-natscluster-deletion

Conversation

@henriropp
Copy link
Copy Markdown
Contributor

@henriropp henriropp commented May 8, 2026
edited
Loading

Summary

Prevent NatsCluster deletion from completing while Account resources are still bound to that cluster. This protects cluster/account relationships from being orphaned and surfaces the blocked deletion state through controller status until the bindings are removed.

What changed

  • add a NatsCluster finalizer and deletion logic that checks for bound accounts by cluster UID before allowing removal
  • watch Account delete events from the NatsCluster controller so deletion is retried after bindings are removed
  • persist the bound cluster UID on Account resources via account.nauth.io/nats-cluster-id
  • reject rebinding an account to a different cluster UID once it has already been bound
  • update manager RBAC to allow natsclusters updates/finalizer updates and add Helm test coverage for those permissions
  • extend KUTTL coverage to verify account-to-cluster binding and add an e2e scenario that confirms NatsCluster deletion is blocked until the bound account is deleted
  • refactor account and nats cluster controller tests to setup state in given, without using the reconcile function that it is testing
  • refactor cluster target lookup to happen in controller, and pass down to manager.

How to validate

make lint
make test
make test-e2e

@henriropp henriropp changed the title Feat/block natscluster deletion feat(natscluster): block deletion while accounts are bound May 8, 2026
@henriropp henriropp marked this pull request as ready for review May 8, 2026 14:08
@henriropp henriropp requested a review from a team as a code owner May 8, 2026 14:08
@henriropp henriropp marked this pull request as draft May 8, 2026 14:09
@henriropp henriropp force-pushed the feat/block-natscluster-deletion branch 4 times, most recently from 669ccba to 44c637f Compare May 12, 2026 12:22
henriropp added 9 commits May 12, 2026 14:23
@henriropp
chore(controller): requeue account after adding finalizer
7a4290a 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
chore(controller): cleanup unnecessary setting of status in account r…
5e033ec 
…econciler

Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
feat(controller): bind account to nats cluster
fbb7530 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
feat(controller): add finalizer to NatsCluster
576c0b1 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
feat(controller): check bindings before delete NatsCluster
893d207 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
test(kuttl): add test to verify natcluster deletion blocked if bound …
2d52b54 
…accounts exist

Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
feat(controller): nats cluster watches accounts
fb44067 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
refactor(test): refactor account controller tests
56fb1b3 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
refactor(test): refactor nats cluster controller tests
39a51e9 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp henriropp force-pushed the feat/block-natscluster-deletion branch 2 times, most recently from 0e7da0a to 6f517b7 Compare May 12, 2026 12:25
@henriropp henriropp marked this pull request as ready for review May 12, 2026 12:28
@henriropp henriropp force-pushed the feat/block-natscluster-deletion branch from 6f517b7 to 5beb0fa Compare May 12, 2026 12:39
choufraise
choufraise previously approved these changes May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@choufraise choufraise left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 LGTM

Comment thread test/e2e/cluster-ref-test/02-assert.yaml
Comment thread internal/adapter/inbound/controller/natscluster_test.go
henriropp added 2 commits May 12, 2026 15:04
@henriropp
refactor: cluster target lookup from controller
27ea905 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp
test: add test to detect account changing nats cluster
c0a603f 
Signed-off-by: Henri Ropponen <henriropponen@gmail.com>
@henriropp henriropp force-pushed the feat/block-natscluster-deletion branch from 8f9fb29 to c0a603f Compare May 12, 2026 13:05
@henriropp henriropp merged commit c0a603f into main May 12, 2026
8 checks passed
@henriropp henriropp deleted the feat/block-natscluster-deletion branch May 12, 2026 13:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@choufraise choufraise choufraise approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@henriropp @choufraise