Skip to content

Detach ConfigMap for injected CA Bundle from Cluster Network Operator during Teardown #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mclasmeier merged 1 commit into from
Feb 9, 2026
Merged

Detach ConfigMap for injected CA Bundle from Cluster Network Operator during Teardown #48

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 37 additions & 2 deletions internal/deployer/deployer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,7 @@ func (d *Deployer) deleteFinalizers(ctx context.Context, namespace, resourceType
return err
}

// Expects that reconciliation for the RHACS operator is paused.
func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error {
d.logger.Info("Deleting Central resources")
var crExists bool
Expand All @@ -193,12 +194,19 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
if err != nil {
return fmt.Errorf("failed to delete finalizers on Central CR: %w", err)
}
}

// Pause reconciliation for other controllers, not just our RHACS operator.
// This is needed to ensure that there is no race causing the Cluster Network Operator
// to re-create the injected-ca-bundle ConfigMap during resource deletion.
err := d.preventOtherControllersFromReconciling(ctx)
if err != nil {
return fmt.Errorf("failed to prevent other controllers from reconciling: %w", err)
}

// In the meantime, delete other resources by brute force.
// Delete other resources by brute force.
resourceKinds := d.filterResourceKinds(allInstallableCentralResourceKinds)
err := d.deleteResources(ctx, d.centralNamespace, resourceKinds, "-l=app.kubernetes.io/part-of=stackrox-central-services")
err = d.deleteResources(ctx, d.centralNamespace, resourceKinds, "-l=app.kubernetes.io/part-of=stackrox-central-services")
if err != nil {
return err
}
Expand All @@ -225,6 +233,33 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
return nil
}

func (d *Deployer) preventOtherControllersFromReconciling(ctx context.Context) error {
return d.preventCABundleInjection(ctx)
}

func (d *Deployer) preventCABundleInjection(ctx context.Context) error {
configMapName := "injected-cabundle-stackrox-central-services"

if !d.doesResourceExist(ctx, "configmap", configMapName, d.centralNamespace) {
return nil
}

d.logger.Info("Removing CNO label from injected-cabundle ConfigMap to prevent CNO from injecting the CA bundle during cleanup")
_, err := d.runKubectl(ctx, KubectlOptions{
Args: []string{
"label", "configmap", configMapName, "-n", d.centralNamespace,
"config.openshift.io/inject-trusted-cabundle-",
},
IgnoreErrors: true,
})

if err != nil {
d.logger.Warningf("Failed to remove CNO label from %s: %v", configMapName, err)
}

return nil
}

func (d *Deployer) deleteSecuredClusterResources(ctx context.Context, wait bool) error {
d.logger.Info("Deleting SecuredCluster resources")
var crExists bool
Expand Down
Loading