fix(tenant): respect opendatahub.io/managed=false on live resources during SSA

liangwen12year · liangwen12year · commit 17e04ec6813c · 2026-04-20T19:48:18.000-04:00
ApplyRendered now checks the live cluster object's opendatahub.io/managed
annotation before applying via SSA. Resources marked managed=false on the
cluster are skipped, preventing the Tenant reconciler from overwriting
AuthPolicy changes made by deploy.sh (e.g. OIDC patch).

Signed-off-by: Wen Liang &lt;liangwen12year@gmail.com&gt;
diff --git a/maas-controller/pkg/platform/tenantreconcile/apply.go b/maas-controller/pkg/platform/tenantreconcile/apply.go
@@ -10,6 +10,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -116,9 +117,19 @@ func ApplyParams(componentPath, file string, imageParamsMap map[string]string, e
 // Same-namespace children get a standard ownerReference; cluster-scoped and cross-namespace children
 // get tracking labels instead (Kubernetes forbids cross-namespace and namespaced-to-cluster ownerReferences).
 func ApplyRendered(ctx context.Context, c client.Client, scheme *runtime.Scheme, tenant *maasv1alpha1.Tenant, objs []unstructured.Unstructured) error {
+	log := ctrl.LoggerFrom(ctx)
 	for i := range objs {
 		u := objs[i].DeepCopy()
 
+		// Skip resources whose live cluster copy has opendatahub.io/managed=false.
+		// This allows deploy scripts to opt-out specific resources (e.g. AuthPolicy
+		// patched with OIDC config) from being overwritten on each reconcile.
+		if isLiveResourceUnmanaged(ctx, c, u) {
+			log.V(1).Info("Skipping SSA for resource with opendatahub.io/managed=false on cluster",
+				"kind", u.GetKind(), "name", u.GetName(), "namespace", u.GetNamespace())
+			continue
+		}
+
 		childNs := u.GetNamespace()
 		if childNs != "" && childNs == tenant.Namespace {
 			if err := controllerutil.SetControllerReference(tenant, u, scheme); err != nil {
@@ -140,6 +151,22 @@ func ApplyRendered(ctx context.Context, c client.Client, scheme *runtime.Scheme,
 	return nil
 }
 
+// isLiveResourceUnmanaged checks if the live cluster copy of a resource has
+// the opendatahub.io/managed=false annotation.
+func isLiveResourceUnmanaged(ctx context.Context, c client.Client, rendered *unstructured.Unstructured) bool {
+	live := &unstructured.Unstructured{}
+	live.SetGroupVersionKind(rendered.GroupVersionKind())
+	key := client.ObjectKeyFromObject(rendered)
+	if key.Name == "" {
+		return false
+	}
+	if err := c.Get(ctx, key, live); err != nil {
+		return false
+	}
+	ann := live.GetAnnotations()
+	return ann != nil && ann["opendatahub.io/managed"] == "false"
+}
+
 func setTenantTrackingLabels(obj *unstructured.Unstructured, tenant *maasv1alpha1.Tenant) {
 	labels := obj.GetLabels()
 	if labels == nil {
