fix(tenant): respect opendatahub.io/managed=false on live resources during SSA

liangwen12year · liangwen12year · commit 7eafff8cb367 · 2026-04-21T10:01:28.000-04:00
ApplyRendered now checks the live cluster object's opendatahub.io/managed
annotation before applying via SSA. Resources marked managed=false on the
cluster are skipped, preventing the Tenant reconciler from overwriting
AuthPolicy changes made by deploy.sh (e.g. OIDC patch).

Previously the annotation was only checked on the rendered kustomize
template (in PostRender), not on the live object — so deploy.sh patches
to the AuthPolicy were immediately reverted by the next Tenant reconcile.

Signed-off-by: Wen Liang &lt;liangwen12year@gmail.com&gt;
diff --git a/maas-controller/pkg/platform/tenantreconcile/apply.go b/maas-controller/pkg/platform/tenantreconcile/apply.go
@@ -10,6 +10,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -116,9 +117,19 @@ func ApplyParams(componentPath, file string, imageParamsMap map[string]string, e
 // Same-namespace children get a standard ownerReference; cluster-scoped and cross-namespace children
 // get tracking labels instead (Kubernetes forbids cross-namespace and namespaced-to-cluster ownerReferences).
 func ApplyRendered(ctx context.Context, c client.Client, scheme *runtime.Scheme, tenant *maasv1alpha1.Tenant, objs []unstructured.Unstructured) error {
+	log := ctrl.LoggerFrom(ctx)
 	for i := range objs {
 		u := objs[i].DeepCopy()
 
+		// Skip resources whose live cluster copy has opendatahub.io/managed=false.
+		// This allows deploy scripts to opt-out specific resources (e.g. AuthPolicy
+		// patched with OIDC config) from being overwritten on each reconcile.
+		if isLiveResourceUnmanaged(ctx, c, u) {
+			log.V(1).Info("Skipping SSA for resource with opendatahub.io/managed=false on cluster",
+				"kind", u.GetKind(), "name", u.GetName(), "namespace", u.GetNamespace())
+			continue
+		}
+
 		childNs := u.GetNamespace()
 		if childNs != "" && childNs == tenant.Namespace {
 			if err := controllerutil.SetControllerReference(tenant, u, scheme); err != nil {
@@ -140,6 +151,20 @@ func ApplyRendered(ctx context.Context, c client.Client, scheme *runtime.Scheme,
 	return nil
 }
 
+func isLiveResourceUnmanaged(ctx context.Context, c client.Client, rendered *unstructured.Unstructured) bool {
+	live := &unstructured.Unstructured{}
+	live.SetGroupVersionKind(rendered.GroupVersionKind())
+	key := client.ObjectKeyFromObject(rendered)
+	if key.Name == "" {
+		return false
+	}
+	if err := c.Get(ctx, key, live); err != nil {
+		return false
+	}
+	ann := live.GetAnnotations()
+	return ann != nil && ann["opendatahub.io/managed"] == "false"
+}
+
 func setTenantTrackingLabels(obj *unstructured.Unstructured, tenant *maasv1alpha1.Tenant) {
 	labels := obj.GetLabels()
 	if labels == nil {
