Fix doNotDeploy bypassed when broader target precedes it in the target list (#4688)

`MatchTargetCustomizations` returns on the first matching target. If a
broader-matching customization (e.g. `clusterGroup: all`) is listed
before a `doNotDeploy: true` customization (e.g. `clusterGroup: one`),
the doNotDeploy entry is never evaluated for clusters that match the
broader entry first.

Additionally, `target.DoNotDeploy` (from the main `Match()` call) was
not being checked when no targetCustomization was found.

Add `HasDoNotDeployTarget()` to `BundleMatch`, which scans all
targets—not just the first match—for a `doNotDeploy` flag. Update
`Targets()` in `builder.go` to consult this method before building a
`Target`, and separately honour `target.DoNotDeploy` from the GitRepo
match. Add an integration test covering the first-match bypass scenario.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: jesse.mirza@nslogin.nl <jesse.mirza@ns.nl>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 4 people

integrationtests/controller/bundle/bundle_targets_test.go

@@ -459,6 +459,53 @@ var _ = Describe("Bundle targets", Ordered, func() {
 		})
 	})
 
+	// Regression test for https://github.com/rancher/fleet/issues/3580:
+	// When a broader-matching target appears before a doNotDeploy target in the list,
+	// the doNotDeploy target was previously bypassed due to first-match semantics.
+	When("a broader-matching targetCustomization appears before a doNotDeploy targetCustomization", func() {
+		BeforeEach(func() {
+			bundleName = "donot-deploy-after-broader-match"
+			bdLabels = map[string]string{
+				"fleet.cattle.io/bundle-name":      bundleName,
+				"fleet.cattle.io/bundle-namespace": namespace,
+			}
+			expectedNumberOfBundleDeployments = 0
+			// simulate targets in fleet.yaml:
+			// - first entry matches all clusters (broader match)
+			// - second entry matches cluster "one" with doNotDeploy=true
+			// With the old first-match logic, cluster "one" would match the first entry and
+			// the doNotDeploy entry would never be evaluated.
+			targets = []v1alpha1.BundleTarget{
+				{
+					BundleDeploymentOptions: v1alpha1.BundleDeploymentOptions{
+						Helm: &v1alpha1.HelmOptions{
+							Values: &v1alpha1.GenericMap{Data: map[string]interface{}{"replicas": "1"}},
+						},
+					},
+					ClusterGroup: "all",
+				},
+				{
+					ClusterGroup: "one",
+					DoNotDeploy:  true,
+				},
+			}
+			// simulate targets in GitRepo: only cluster group "one" is targeted
+			targetsInGitRepo := []v1alpha1.BundleTarget{
+				{
+					ClusterGroup: "one",
+				},
+			}
+			targetRestrictions = make([]v1alpha1.BundleTarget, len(targetsInGitRepo))
+			copy(targetRestrictions, targetsInGitRepo)
+			targets = append(targets, targetsInGitRepo...)
+		})
+
+		It("no BundleDeployments are created", func() {
+			waitForBundleToBeReady(bundleName)
+			_ = verifyBundlesDeploymentsAreCreated(expectedNumberOfBundleDeployments, bdLabels, bundleName)
+		})
+	})
+
 	When("setting doNotDeploy to a target customization after the bundle has been deployed", func() {
 		BeforeEach(func() {
 			bundleName = "one-customized-do-not-deploy-two-later"

internal/cmd/controller/target/builder.go

@@ -83,14 +83,24 @@ func (m *Manager) Targets(ctx context.Context, bundle *fleet.Bundle, manifestID
 			if target == nil {
 				continue
 			}
+			// Check all matching targetCustomizations for doNotDeploy, not just the first match.
+			// This ensures that a doNotDeploy entry is honoured even when a broader-matching
+			// target appears before it in the target list (fixes first-match bypass).
+			doNotDeploy := target.DoNotDeploy || bm.HasDoNotDeployTarget(cluster.Name, ClusterGroupsToLabelMap(clusterGroups), cluster.Labels)
+			if doNotDeploy {
+				logger.V(1).Info("Skipping BundleDeployment creation because doNotDeploy is set to true.",
+					"bundle", bundle.Name,
+					"bundleNamespace", bundle.Namespace,
+					"cluster", cluster.Name,
+					"clusterNamespace", cluster.Namespace,
+					"reason", "doNotDeploy",
+				)
+				continue
+			}
 			// check if there is any matching targetCustomization that should be applied
 			targetOpts := target.BundleDeploymentOptions
 			targetCustomized := bm.MatchTargetCustomizations(cluster.Name, ClusterGroupsToLabelMap(clusterGroups), cluster.Labels)
 			if targetCustomized != nil {
-				if targetCustomized.DoNotDeploy {
-					logger.V(1).Info("BundleDeployment creation for Bundle was skipped because doNotDeploy is set to true.")
-					continue
-				}
 				targetOpts = targetCustomized.BundleDeploymentOptions
 			}
 

internal/cmd/controller/target/matcher/bundlematch.go

@@ -51,6 +51,30 @@ func (a *BundleMatch) MatchTargetCustomizations(clusterName string, clusterGroup
 	return nil
 }
 
+// HasDoNotDeployTarget returns true if any bundle target matching the given cluster
+// has DoNotDeploy set to true. Unlike MatchTargetCustomizations, this scans all matching
+// bundle targets instead of stopping at the first match, so a doNotDeploy entry does not have to
+// appear before a broader matching entry in the target list.
+func (a *BundleMatch) HasDoNotDeployTarget(clusterName string, clusterGroups map[string]map[string]string, clusterLabels map[string]string) bool {
+	for _, tm := range a.matcher.matches {
+		if !tm.bundleTarget.DoNotDeploy {
+			continue
+		}
+		if len(clusterGroups) == 0 {
+			if criteriaWithoutRestrictions(tm, clusterName, "", nil, clusterLabels) {
+				return true
+			}
+		} else {
+			for cg, cgLabels := range clusterGroups {
+				if criteriaWithoutRestrictions(tm, clusterName, cg, cgLabels, clusterLabels) {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
 type targetMatch struct {
 	bundleTarget *fleet.BundleTarget
 	criteria     *ClusterMatcher