From d2b2088252eeb00507c349c5dbf38322b2db1d27 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 12 Dec 2025 16:32:02 +0100 Subject: [PATCH 1/4] fix(olm): no owner for cluster scoped objects --- rust/olm-deployer/src/owner/mod.rs | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/rust/olm-deployer/src/owner/mod.rs b/rust/olm-deployer/src/owner/mod.rs index bd3d377f..ff2c20c7 100644 --- a/rust/olm-deployer/src/owner/mod.rs +++ b/rust/olm-deployer/src/owner/mod.rs @@ -11,9 +11,14 @@ use stackable_operator::{ }, }; -/// Updates the owner list of the `target` according to it's scope. -/// For namespaced objects it uses the `ns_owner` whereas for cluster wide -/// objects it uses the `cluster_owner`. +/// Updates owner references of objects created by this deployer so that when an operator is +/// uninstalled by OLM, all created objects are also removed by Kubernetes garbage collection. +/// +/// Namespaced object's owner references are updated in place with the value of `ns_owner`. +/// +/// A previous version of this function also updated cluster scoped objects to set the owner +/// reference to `cluster_owner`, but this turned out to be problematic. First, this is not how OLM +/// and Helm behave by default. pub(super) fn maybe_update_owner( target: &mut DynamicObject, scope: &Scope, @@ -21,9 +26,13 @@ pub(super) fn maybe_update_owner( cluster_owner: &ClusterRole, ) -> Result<()> { let owner_ref = owner_ref(scope, ns_owner, cluster_owner)?; - match target.metadata.owner_references { - Some(ref mut ors) => ors.push(owner_ref), - None => target.metadata.owner_references = Some(vec![owner_ref]), + // 2025-12-12: do not set owner references for cluster scoped objects anymore to prevent them from being + // deleted upon operator upgrades. + if scope == &Scope::Namespaced { + match target.metadata.owner_references { + Some(ref mut ors) => ors.push(owner_ref), + None => target.metadata.owner_references = Some(vec![owner_ref]), + } } Ok(()) } @@ -147,13 +156,8 @@ rules: let mut daemonset = DAEMONSET.clone(); maybe_update_owner(&mut daemonset, &Scope::Cluster, &DEPLOYMENT, &CLUSTER_ROLE)?; - let expected = Some(vec![OwnerReference { - uid: "d9287d0a-3069-47c3-8c90-b714dc6dddaa".to_string(), - name: "secret-operator-clusterrole".to_string(), - kind: "ClusterRole".to_string(), - api_version: "rbac.authorization.k8s.io/v1".to_string(), - ..OwnerReference::default() - }]); + let expected = None; + assert_eq!(daemonset.metadata.owner_references, expected); Ok(()) } From a62b2f43a55c32f6eb98c1b06dcf4da4ef3b1508 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:59:40 +0100 Subject: [PATCH 2/4] update changelog --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c22a903d..a66c9e69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- OLM deployer doesn't add owner references to cluster scoped objects anymore ([#667]). + Owner references ensure that objects are garbage collected by OpenShift upon operator removal but they cause problems when the operator is updated. + This means that cluster wide objects are not removed anymore when the operator is uninstalled. + This behaviur is in line with the default behaviour of Helm and OLM. + +[#667]: https://github.com/stackabletech/secret-operator/pull/667 + ## [25.11.0] - 2025-11-07 ## [25.11.0-rc1] - 2025-11-06 From b3be1034538d40d91efc3af62f43c98bc6f9e54e Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Mon, 15 Dec 2025 15:04:27 +0100 Subject: [PATCH 3/4] typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a66c9e69..d2e187aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ All notable changes to this project will be documented in this file. - OLM deployer doesn't add owner references to cluster scoped objects anymore ([#667]). Owner references ensure that objects are garbage collected by OpenShift upon operator removal but they cause problems when the operator is updated. This means that cluster wide objects are not removed anymore when the operator is uninstalled. - This behaviur is in line with the default behaviour of Helm and OLM. + This behaviour is in line with the default behaviour of Helm and OLM. [#667]: https://github.com/stackabletech/secret-operator/pull/667 From cdf8abe7cca329173d3f60b42de9accfc5bff641 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Mon, 15 Dec 2025 15:05:44 +0100 Subject: [PATCH 4/4] cleanup --- rust/olm-deployer/src/owner/mod.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rust/olm-deployer/src/owner/mod.rs b/rust/olm-deployer/src/owner/mod.rs index ff2c20c7..d5d7d6c1 100644 --- a/rust/olm-deployer/src/owner/mod.rs +++ b/rust/olm-deployer/src/owner/mod.rs @@ -17,8 +17,7 @@ use stackable_operator::{ /// Namespaced object's owner references are updated in place with the value of `ns_owner`. /// /// A previous version of this function also updated cluster scoped objects to set the owner -/// reference to `cluster_owner`, but this turned out to be problematic. First, this is not how OLM -/// and Helm behave by default. +/// reference to `cluster_owner`, but this turned out to be problematic. pub(super) fn maybe_update_owner( target: &mut DynamicObject, scope: &Scope,