controllers: adopt ownerReferences for existing resources to ensure cascading deletes; bump VERSION to 0.4.8 and update CHANGELOG

Author: reoring

CHANGELOG.md

@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v0.4.8] - 2025-11-11
+
+### Fixed
+- Cascading deletion could fail in some paths due to missing ownerReferences on existing resources. Controllers now adopt pre-existing resources and ensure ownerReferences are present:
+  - CAPTControlPlane main WorkspaceTemplateApply
+  - CAPTControlPlane kubeconfig WorkspaceTemplateApply
+  - CAPTCluster VPC WorkspaceTemplateApply
+  - EC2 Spot Service-Linked Role check/create WorkspaceTemplateApply
+- Adoption logic is idempotent: missing ownerReferences are repaired on the next reconciliation loop.
+
+### Notes
+- Helm chart version is unchanged in this release.
+
 ## [v0.4.7] - 2025-11-11
 
 ### Changed

VERSION

@@ -1 +1 @@
-VERSION = 0.4.7
+VERSION = 0.4.8

internal/controller/captcluster/vpc.go

@@ -163,6 +163,20 @@ func (r *Reconciler) getOrCreateWorkspaceTemplateApply(ctx context.Context, capt
 			return nil, err
 		}
 
+		// Adopt: ensure owner reference to CAPTCluster is present on existing resource
+		{
+			hasOwner := false
+			for _, ref := range latest.OwnerReferences {
+				if ref.APIVersion == infrastructurev1beta1.GroupVersion.String() && ref.Kind == "CAPTCluster" && ref.Name == captCluster.Name {
+					hasOwner = true
+					break
+				}
+			}
+			if !hasOwner {
+				_ = controllerutil.SetControllerReference(captCluster, latest, r.Scheme)
+			}
+		}
+
 		// Desired spec based on current CAPTCluster
 		desiredSpec := infrastructurev1beta1.WorkspaceTemplateApplySpec{
 			TemplateRef: *captCluster.Spec.VPCTemplateRef,

internal/controller/controlplane/controller.go

@@ -41,7 +41,6 @@ const (
 func (r *Reconciler) createKubeconfigWorkspaceTemplateApply(ctx context.Context, controlPlane *controlplanev1beta1.CAPTControlPlane, cluster *clusterv1.Cluster, workspaceApply *infrastructurev1beta1.WorkspaceTemplateApply) error {
 	logger := log.FromContext(ctx)
 
-
 	// Get region from ControlPlaneConfig or cluster annotations
 	var region string
 	if controlPlane.Spec.ControlPlaneConfig != nil {
@@ -90,7 +89,7 @@ func (r *Reconciler) createKubeconfigWorkspaceTemplateApply(ctx context.Context,
 			},
 			Variables: map[string]string{
 				"cluster_name": cluster.Name,
-                "region": region,
+				"region":       region,
 			},
 			WriteConnectionSecretToRef: &xpv1.SecretReference{
 				Name:      fmt.Sprintf("%s-outputs-kubeconfig", cluster.Name),
@@ -122,6 +121,20 @@ func (r *Reconciler) createKubeconfigWorkspaceTemplateApply(ctx context.Context,
 			return fmt.Errorf("failed to get kubeconfig WorkspaceTemplateApply: %v", err)
 		}
 	} else {
+		// Adopt: ensure owner reference to CAPTControlPlane exists on the existing WTA
+		{
+			hasOwner := false
+			for _, ref := range kubeconfigApply.OwnerReferences {
+				if ref.APIVersion == controlplanev1beta1.GroupVersion.String() && ref.Kind == "CAPTControlPlane" && ref.Name == controlPlane.Name {
+					hasOwner = true
+					break
+				}
+			}
+			if !hasOwner {
+				_ = controllerutil.SetControllerReference(controlPlane, existingApply, r.Scheme)
+				_ = r.Update(ctx, existingApply)
+			}
+		}
 		// Update existing WorkspaceTemplateApply only if spec changed
 		if !reflect.DeepEqual(existingApply.Spec, kubeconfigApply.Spec) {
 			existingApply.Spec = kubeconfigApply.Spec

internal/controller/controlplane/service_linked_role.go

@@ -72,6 +72,20 @@ func (r *Reconciler) reconcileSpotServiceLinkedRole(ctx context.Context, control
 	}
 
 	// Check if the workspace apply is ready
+	{
+		// Adopt: ensure owner reference to CAPTControlPlane is present on existing check WTA
+		hasOwner := false
+		for _, ref := range checkWorkspaceApply.OwnerReferences {
+			if ref.APIVersion == controlplanev1beta1.GroupVersion.String() && ref.Kind == "CAPTControlPlane" && ref.Name == controlPlane.Name {
+				hasOwner = true
+				break
+			}
+		}
+		if !hasOwner {
+			_ = controllerutil.SetControllerReference(controlPlane, checkWorkspaceApply, r.Scheme)
+			_ = r.Update(ctx, checkWorkspaceApply)
+		}
+	}
 	if !checkWorkspaceApply.Status.Applied {
 		logger.Info("Waiting for Spot Role check workspace apply to be applied", "workspace", checkWorkspaceName)
 		return nil
@@ -148,6 +162,21 @@ func (r *Reconciler) reconcileSpotServiceLinkedRole(ctx context.Context, control
 			return nil
 		}
 
+		// Adopt: ensure owner reference to CAPTControlPlane is present on existing create WTA
+		{
+			hasOwner := false
+			for _, ref := range createWorkspaceApply.OwnerReferences {
+				if ref.APIVersion == controlplanev1beta1.GroupVersion.String() && ref.Kind == "CAPTControlPlane" && ref.Name == controlPlane.Name {
+					hasOwner = true
+					break
+				}
+			}
+			if !hasOwner {
+				_ = controllerutil.SetControllerReference(controlPlane, createWorkspaceApply, r.Scheme)
+				_ = r.Update(ctx, createWorkspaceApply)
+			}
+		}
+
 		// Check if the workspace apply is ready
 		if !createWorkspaceApply.Status.Applied {
 			logger.Info("Waiting for Spot Role create workspace apply to be applied", "workspace", createWorkspaceName)

internal/controller/controlplane/workspace.go

@@ -67,7 +67,20 @@ func (r *Reconciler) getOrCreateWorkspaceTemplateApply(
 	workspaceApply := &infrastructurev1beta1.WorkspaceTemplateApply{}
 	err := r.Get(ctx, types.NamespacedName{Name: applyName, Namespace: controlPlane.Namespace}, workspaceApply)
 	if err == nil {
-		// Update existing WorkspaceTemplateApply
+		// Adopt: ensure owner reference to CAPTControlPlane is present on existing resource
+		{
+			hasOwner := false
+			for _, ref := range workspaceApply.OwnerReferences {
+				if ref.APIVersion == controlplanev1beta1.GroupVersion.String() && ref.Kind == "CAPTControlPlane" && ref.Name == controlPlane.Name {
+					hasOwner = true
+					break
+				}
+			}
+			if !hasOwner {
+				_ = controllerutil.SetControllerReference(controlPlane, workspaceApply, r.Scheme)
+			}
+		}
+		// Update existing WorkspaceTemplateApply spec
 		workspaceApply.Spec = r.generateWorkspaceTemplateApplySpec(controlPlane)
 		if err := r.Update(ctx, workspaceApply); err != nil {
 			return nil, fmt.Errorf("failed to update WorkspaceTemplateApply: %v", err)

internal/controller/workspacetemplateapply_controller.go

@@ -31,6 +31,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -215,13 +216,15 @@ func SetupWorkspaceTemplateApply(mgr ctrl.Manager, l logging.Logger) error {
 			client: mgr.GetClient(),
 			log:    l,
 			record: event.NewAPIRecorder(mgr.GetEventRecorderFor(controllerName)),
+			scheme: mgr.GetScheme(),
 		})
 }
 
 type workspaceTemplateApplyReconciler struct {
 	client client.Client
 	log    logging.Logger
 	record event.Recorder
+	scheme *runtime.Scheme
 }
 
 func (r *workspaceTemplateApplyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
@@ -282,6 +285,29 @@ func (r *workspaceTemplateApplyReconciler) Reconcile(ctx context.Context, req ct
 		return ctrl.Result{}, err
 	}
 
+	// If a Workspace with the expected name already exists (e.g., from previous versions),
+	// adopt it by setting ownerReference and updating status instead of failing creation.
+	existing := &tfv1beta1.Workspace{}
+	if err := r.client.Get(ctx, types.NamespacedName{
+		Name:      workspaceName,
+		Namespace: cr.Namespace,
+	}, existing); err == nil {
+		// Ensure owner reference to this WorkspaceTemplateApply so GC can cascade on delete.
+		if setErr := controllerutil.SetControllerReference(cr, existing, r.scheme); setErr == nil {
+			_ = r.client.Update(ctx, existing)
+		}
+		// Update status to reflect adoption
+		cr.Status.WorkspaceName = existing.GetName()
+		cr.Status.Applied = true
+		now := metav1.Now()
+		cr.Status.LastAppliedTime = &now
+		if uerr := r.client.Status().Update(ctx, cr); uerr != nil {
+			return ctrl.Result{}, uerr
+		}
+		r.record.Event(cr, event.Normal(reasonCreatedWorkspace, "Adopted existing Workspace"))
+		return ctrl.Result{RequeueAfter: requeueAfterStatus}, nil
+	}
+
 	// Create Workspace from template
 	workspace := &tfv1beta1.Workspace{
 		ObjectMeta: metav1.ObjectMeta{
@@ -296,6 +322,12 @@ func (r *workspaceTemplateApplyReconciler) Reconcile(ctx context.Context, req ct
 		workspace.Spec.WriteConnectionSecretToReference = cr.Spec.WriteConnectionSecretToRef
 	}
 
+	// Set owner reference so Workspace is garbage-collected when WTA is deleted.
+	if err := controllerutil.SetControllerReference(cr, workspace, r.scheme); err != nil {
+		log.Debug("Failed to set owner reference on Workspace", "error", err)
+		return ctrl.Result{}, err
+	}
+
 	if err := r.client.Create(ctx, workspace); err != nil {
 		log.Debug(errCreateWorkspace, "error", err)
 		return ctrl.Result{}, err
@@ -393,6 +425,13 @@ func (r *workspaceTemplateApplyReconciler) reconcileWorkspaceStatus(ctx context.
 		return ctrl.Result{}, err
 	}
 
+	// Ensure owner reference to WTA is present on Workspace (adopt if missing).
+	if !hasOwnerReference(workspace.GetOwnerReferences(), cr.APIVersion, cr.Kind, cr.Name, string(cr.UID)) {
+		if err := controllerutil.SetControllerReference(cr, workspace, r.scheme); err == nil {
+			_ = r.client.Update(ctx, workspace)
+		}
+	}
+
 	// Copy conditions from workspace to WorkspaceTemplateApply
 	cr.Status.Conditions = workspace.Status.Conditions
 
@@ -419,3 +458,13 @@ func (r *workspaceTemplateApplyReconciler) reconcileWorkspaceStatus(ctx context.
 	r.record.Event(cr, event.Normal(reasonWorkspaceReady, "Workspace is synced and ready"))
 	return ctrl.Result{}, nil
 }
+
+// hasOwnerReference returns true if an owner reference matching the given attributes exists.
+func hasOwnerReference(refs []metav1.OwnerReference, apiVersion, kind, name, uid string) bool {
+	for _, ref := range refs {
+		if ref.APIVersion == apiVersion && ref.Kind == kind && ref.Name == name && string(ref.UID) == uid {
+			return true
+		}
+	}
+	return false
+}