9 changes: 9 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.

## [Unreleased]

### Changed

- OLM deployer doesn't add owner references to cluster scoped objects anymore ([#667]).
Owner references ensure that objects are garbage collected by OpenShift upon operator removal but they cause problems when the operator is updated.
This means that cluster wide objects are not removed anymore when the operator is uninstalled.
This behaviour is in line with the default behaviour of Helm and OLM.

[#667]: https://github.com/stackabletech/secret-operator/pull/667

## [25.11.0] - 2025-11-07

## [25.11.0-rc1] - 2025-11-06
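Review bot: The new "Changed" entry states that cluster wide objects are no longer removed on uninstall, but it does not tell the reader what to do about the objects that stay behind. Add a sentence saying they have to be deleted manually after uninstalling the operator, and ideally list the affected kinds, so that leftover cluster scoped objects are a documented cleanup step rather than a surprise. The entry also says objects are "garbage collected by OpenShift" while the doc comment added in `rust/olm-deployer/src/owner/mod.rs` speaks of "Kubernetes garbage collection"; use one wording in both places.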
29 changes: 16 additions & 13 deletions rust/olm-deployer/src/owner/mod.rs
Expand Up @@ -11,19 +11,27 @@ use stackable_operator::{
},
};

/// Updates the owner list of the `target` according to it's scope.
/// For namespaced objects it uses the `ns_owner` whereas for cluster wide
/// objects it uses the `cluster_owner`.
/// Updates owner references of objects created by this deployer so that when an operator is
/// uninstalled by OLM, all created objects are also removed by Kubernetes garbage collection.
///
/// Namespaced object's owner references are updated in place with the value of `ns_owner`.
///
/// A previous version of this function also updated cluster scoped objects to set the owner
/// reference to `cluster_owner`, but this turned out to be problematic.
pub(super) fn maybe_update_owner(
target: &mut DynamicObject,
scope: &Scope,
ns_owner: &Deployment,
cluster_owner: &ClusterRole,
) -> Result<()> {
let owner_ref = owner_ref(scope, ns_owner, cluster_owner)?;
match target.metadata.owner_references {
Some(ref mut ors) => ors.push(owner_ref),
None => target.metadata.owner_references = Some(vec![owner_ref]),
// 2025-12-12: do not set owner references for cluster scoped objects anymore to prevent them from being
// deleted upon operator upgrades.
if scope == &Scope::Namespaced {
match target.metadata.owner_references {
Some(ref mut ors) => ors.push(owner_ref),
None => target.metadata.owner_references = Some(vec![owner_ref]),
}
}
Ok(())
}
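Review bot: In `maybe_update_owner`, the line `let owner_ref = owner_ref(scope, ns_owner, cluster_owner)?;` still runs before the new `if scope == &Scope::Namespaced` check, so for cluster scoped targets the reference is built and then thrown away, and an error from that call still propagates through `?` even though nothing would have been written. Move the call inside the `if` block so the cluster scoped path is a true no-op. The new doc comment also needs a second look: its first sentence still says that "all created objects are also removed" on uninstall, which no longer holds for cluster scoped objects, and "turned out to be problematic" should name the actual problem (the inline comment and the changelog both say it: objects being deleted on operator upgrades). Since `cluster_owner` no longer ends up on any object, say in the doc comment why the parameter is kept, or drop it.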
Expand Down Expand Up @@ -147,13 +155,8 @@ rules:
let mut daemonset = DAEMONSET.clone();
maybe_update_owner(&mut daemonset, &Scope::Cluster, &DEPLOYMENT, &CLUSTER_ROLE)?;

let expected = Some(vec![OwnerReference {
uid: "d9287d0a-3069-47c3-8c90-b714dc6dddaa".to_string(),
name: "secret-operator-clusterrole".to_string(),
kind: "ClusterRole".to_string(),
api_version: "rbac.authorization.k8s.io/v1".to_string(),
..OwnerReference::default()
}]);
let expected = None;

assert_eq!(daemonset.metadata.owner_references, expected);
Ok(())
}
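Review bot: With `let expected = None;` this test only shows that a target passed with `Scope::Cluster` ends up without owner references when it presumably had none to begin with; it does not show that existing entries are left alone. Add a case where the target already carries an owner reference before the call and assert that the list is unchanged afterwards, which pins down the skip behaviour rather than the fixture's initial state. The `expected` binding can then be dropped in favour of `assert_eq!(daemonset.metadata.owner_references, None);`. Separately, the target here is a `DAEMONSET` fixture passed with `&Scope::Cluster`; a fixture of a cluster scoped kind would make the intent of the test easier to read.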