test(e2e): Fix up secret ownership checks

jimmidyson · jimmidyson · commit d93f77666ef8 · 2024-05-17T10:18:55.000+01:00
This commit copies the upstream check by allowing `KubeadmControlPlane` and
`KubeadmConfig` owners, but adds `Cluster` as well as the secrets that CAREN
generates are owned by the relevant `Cluster` to ensure they are cleaned up
as part of Kubernetes resource garbage collection following deletion of the
`Cluster`.
diff --git a/test/e2e/ownerreference_helpers.go b/test/e2e/ownerreference_helpers.go
@@ -11,6 +11,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
+	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	addonsv1 "sigs.k8s.io/cluster-api/exp/addons/api/v1beta1"
 	"sigs.k8s.io/cluster-api/test/framework"
 
@@ -25,6 +27,8 @@ const (
 	machineKind                   = "Machine"
 	clusterResourceSetKind        = "ClusterResourceSet"
 	clusterResourceSetBindingKind = "ClusterResourceSetBinding"
+	kubeadmControlPlaneKind       = "KubeadmControlPlane"
+	kubeadmConfigKind             = "KubeadmConfig"
 
 	awsMachineKind                   = "AWSMachine"
 	awsMachineTemplateKind           = "AWSMachineTemplate"
@@ -74,6 +78,18 @@ var (
 		APIVersion: caaphv1.GroupVersion.String(),
 		Controller: ptr.To(true),
 	}
+	kubeadmControlPlaneGroupVersion = controlplanev1.GroupVersion.String()
+	kubeadmControlPlaneController   = metav1.OwnerReference{
+		Kind:       kubeadmControlPlaneKind,
+		APIVersion: kubeadmControlPlaneGroupVersion,
+		Controller: ptr.To(true),
+	}
+	kubeadmConfigGroupVersion = bootstrapv1.GroupVersion.String()
+	kubeadmConfigController   = metav1.OwnerReference{
+		Kind:       kubeadmConfigKind,
+		APIVersion: kubeadmConfigGroupVersion,
+		Controller: ptr.To(true),
+	}
 
 	// AddonReferenceAssertions maps addontypes to functions which return an error if the passed OwnerReferences
 	// aren't as expected.
@@ -167,9 +183,15 @@ var (
 	// https://github.com/kubernetes-sigs/cluster-api/tree/main/docs/book/src/reference/owner_references.md.
 	KubernetesReferenceAssertions = map[string]func([]metav1.OwnerReference) error{
 		secretKind: func(owners []metav1.OwnerReference) error {
-			// TODO:deepakm-ntnx Currently pc-creds, pc-creds-for-csi, dockerhub-credentials,
-			// registry-creds, and encryption config secrets have unexpected owners which needs more investigation.
-			return nil
+			// Secrets for cluster certificates must be owned and controlled by the KubeadmControlPlane.
+			// The bootstrap secret should be owned and controlled by a KubeadmControlPlane.
+			// Other resources can be owned by the Cluster to ensure correct GC.
+			return framework.HasOneOfExactOwners(
+				owners,
+				[]metav1.OwnerReference{kubeadmControlPlaneController},
+				[]metav1.OwnerReference{kubeadmConfigController},
+				[]metav1.OwnerReference{clusterOwner},
+			)
 		},
 		configMapKind: func(owners []metav1.OwnerReference) error {
 			// The only configMaps considered here are those owned by a ClusterResourceSet.
