Make webhook owner references not a controller (#3255)

dprotaso · web-flow · commit c3062aef2d33 · 2025-10-07T06:13:11.000Z
We setup namespace as the owner of the webhooks in order to clean up
instances where a user deletes the namespace.

This has issues with ArgoCD which we've included a workaround.
But an upcoming ArgoCD PR will handle owner references properly if
it is not a 'controller=true' reference.

This PR changes the owner reference to not be a controlling one.
We still block owner deletion because that was the original intent
of adding the owner reference.
diff --git a/webhook/configmaps/configmaps.go b/webhook/configmaps/configmaps.go
@@ -146,6 +146,7 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 			return fmt.Errorf("failed to fetch namespace: %w", err)
 		}
 		nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+		nsRef.Controller = ptr.Bool(false)
 		webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 	}
 
diff --git a/webhook/configmaps/table_test.go b/webhook/configmaps/table_test.go
@@ -66,6 +66,7 @@ func TestReconcile(t *testing.T) {
 		},
 	}
 	nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+	nsRef.Controller = ptr.Bool(false)
 	expectedOwnerReferences := []metav1.OwnerReference{nsRef}
 
 	ruleScope := admissionregistrationv1.NamespacedScope
diff --git a/webhook/resourcesemantics/defaulting/defaulting.go b/webhook/resourcesemantics/defaulting/defaulting.go
@@ -232,6 +232,7 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 			return fmt.Errorf("failed to fetch namespace: %w", err)
 		}
 		nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+		nsRef.Controller = ptr.Bool(false)
 		current.OwnerReferences = []metav1.OwnerReference{nsRef}
 	}
 
diff --git a/webhook/resourcesemantics/defaulting/table_test.go b/webhook/resourcesemantics/defaulting/table_test.go
@@ -67,6 +67,7 @@ func TestReconcile(t *testing.T) {
 		},
 	}
 	nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+	nsRef.Controller = ptr.Bool(false)
 	expectedOwnerReferences := []metav1.OwnerReference{nsRef}
 
 	// This is the namespace selector setup
diff --git a/webhook/resourcesemantics/validation/reconcile_config.go b/webhook/resourcesemantics/validation/reconcile_config.go
@@ -201,6 +201,7 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 			return fmt.Errorf("failed to fetch namespace: %w", err)
 		}
 		nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+		nsRef.Controller = ptr.Bool(false)
 		current.OwnerReferences = []metav1.OwnerReference{nsRef}
 	}
 
diff --git a/webhook/resourcesemantics/validation/reconcile_config_test.go b/webhook/resourcesemantics/validation/reconcile_config_test.go
@@ -68,6 +68,7 @@ func TestReconcile(t *testing.T) {
 		},
 	}
 	nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+	nsRef.Controller = ptr.Bool(false)
 	expectedOwnerReferences := []metav1.OwnerReference{nsRef}
 
 	// This is the namespace selector setup

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,7 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b`
`146`	`146`	`return fmt.Errorf("failed to fetch namespace: %w", err)`
`147`	`147`	`}`
`148`	`148`	`nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))`
	`149`	`+ nsRef.Controller = ptr.Bool(false)`
`149`	`150`	`webhook.OwnerReferences = []metav1.OwnerReference{nsRef}`
`150`	`151`	`}`
`151`	`152`
Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ func TestReconcile(t *testing.T) {`
`66`	`66`	`},`
`67`	`67`	`}`
`68`	`68`	`nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))`
	`69`	`+ nsRef.Controller = ptr.Bool(false)`
`69`	`70`	`expectedOwnerReferences := []metav1.OwnerReference{nsRef}`
`70`	`71`
`71`	`72`	`ruleScope := admissionregistrationv1.NamespacedScope`
Original file line number	Diff line number	Diff line change
`@@ -232,6 +232,7 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt`
`232`	`232`	`return fmt.Errorf("failed to fetch namespace: %w", err)`
`233`	`233`	`}`
`234`	`234`	`nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))`
	`235`	`+ nsRef.Controller = ptr.Bool(false)`
`235`	`236`	`current.OwnerReferences = []metav1.OwnerReference{nsRef}`
`236`	`237`	`}`
`237`	`238`
Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ func TestReconcile(t *testing.T) {`
`67`	`67`	`},`
`68`	`68`	`}`
`69`	`69`	`nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))`
	`70`	`+ nsRef.Controller = ptr.Bool(false)`
`70`	`71`	`expectedOwnerReferences := []metav1.OwnerReference{nsRef}`
`71`	`72`
`72`	`73`	`// This is the namespace selector setup`
Original file line number	Diff line number	Diff line change
`@@ -201,6 +201,7 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b`
`201`	`201`	`return fmt.Errorf("failed to fetch namespace: %w", err)`
`202`	`202`	`}`
`203`	`203`	`nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))`
	`204`	`+ nsRef.Controller = ptr.Bool(false)`
`204`	`205`	`current.OwnerReferences = []metav1.OwnerReference{nsRef}`
`205`	`206`	`}`
`206`	`207`
Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,7 @@ func TestReconcile(t *testing.T) {`
`68`	`68`	`},`
`69`	`69`	`}`
`70`	`70`	`nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))`
	`71`	`+ nsRef.Controller = ptr.Bool(false)`
`71`	`72`	`expectedOwnerReferences := []metav1.OwnerReference{nsRef}`
`72`	`73`
`73`	`74`	`// This is the namespace selector setup`