From de98f17068eb84aa3fdeaf4b0748af9b40472631 Mon Sep 17 00:00:00 2001
From: Dave Protasowski
Date: Tue, 9 Sep 2025 12:39:01 -0400
Subject: [PATCH] Make webhook owner references not a controller
We setup namespace as the owner of the webhooks in order to clean up instances where a user deletes the namespace. This has issues with ArgoCD which we've included a workaround. But an upcoming ArgoCD PR will handle owner references properly if it is not a 'controller=true' reference. This PR changes the owner reference to not be a controlling one. We still block owner deletion because that was the original intent of adding the owner reference.
---
 webhook/configmaps/configmaps.go | 1 +
 webhook/configmaps/table_test.go | 1 +
 webhook/resourcesemantics/defaulting/defaulting.go | 1 +
 webhook/resourcesemantics/defaulting/table_test.go | 1 +
 webhook/resourcesemantics/validation/reconcile_config.go | 1 +
 webhook/resourcesemantics/validation/reconcile_config_test.go | 1 +
 6 files changed, 6 insertions(+)
diff --git a/webhook/configmaps/configmaps.go b/webhook/configmaps/configmaps.go
index aa47879221..8ce668e1ee 100644
--- a/webhook/configmaps/configmaps.go
+++ b/webhook/configmaps/configmaps.go
@@ -146,6 +146,7 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 return fmt.Errorf("failed to fetch namespace: %w", err)
 }
 nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ nsRef.Controller = ptr.Bool(false)
 webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
diff --git a/webhook/configmaps/table_test.go b/webhook/configmaps/table_test.go
index ef9157a08f..6b3f5f92a6 100644
--- a/webhook/configmaps/table_test.go
+++ b/webhook/configmaps/table_test.go
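Review bot: The added `nsRef.Controller = ptr.Bool(false)` contradicts the `NewControllerRef` call on the line above it, and the reason is recorded only in the commit message. I would add a comment above the override, e.g. `// Namespace owns the webhook for cleanup only: not a controller ref (ArgoCD), but BlockOwnerDeletion stays true.` The same two lines are repeated in the reconcileMutatingWebhook hunk of defaulting/defaulting.go and the reconcileValidatingWebhook hunk of validation/reconcile_config.go, so the comment belongs there as well, or the pair could move into one small shared helper. reconcileValidatingWebhook starts and ends outside the hunk.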
@@ -66,6 +66,7 @@ func TestReconcile(t *testing.T) {
 },
 }
 nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ nsRef.Controller = ptr.Bool(false)
 expectedOwnerReferences := []metav1.OwnerReference{nsRef}
 ruleScope := admissionregistrationv1.NamespacedScope
diff --git a/webhook/resourcesemantics/defaulting/defaulting.go b/webhook/resourcesemantics/defaulting/defaulting.go
index 670649b2e1..821151781e 100644
--- a/webhook/resourcesemantics/defaulting/defaulting.go
+++ b/webhook/resourcesemantics/defaulting/defaulting.go
@@ -232,6 +232,7 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 return fmt.Errorf("failed to fetch namespace: %w", err)
 }
 nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ nsRef.Controller = ptr.Bool(false)
 current.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
diff --git a/webhook/resourcesemantics/defaulting/table_test.go b/webhook/resourcesemantics/defaulting/table_test.go
index 0468d4f10a..3969f93b55 100644
--- a/webhook/resourcesemantics/defaulting/table_test.go
+++ b/webhook/resourcesemantics/defaulting/table_test.go
@@ -67,6 +67,7 @@ func TestReconcile(t *testing.T) {
 },
 }
 nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ nsRef.Controller = ptr.Bool(false)
 expectedOwnerReferences := []metav1.OwnerReference{nsRef}
 // This is the namespace selector setup
diff --git a/webhook/resourcesemantics/validation/reconcile_config.go b/webhook/resourcesemantics/validation/reconcile_config.go
index 9f3114d4c6..89158990b6 100644
--- a/webhook/resourcesemantics/validation/reconcile_config.go
+++ b/webhook/resourcesemantics/validation/reconcile_config.go
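Review bot: The expected owner reference in this TestReconcile hunk is built with the same `NewControllerRef` call and `Controller` override as the reconciler, so the test mirrors the implementation instead of stating the intended values. Writing the fields the commit message cares about into the expected `metav1.OwnerReference`, namely `Controller: ptr.Bool(false)` and `BlockOwnerDeletion: ptr.Bool(true)`, would pin both the new behaviour and the retained deletion blocking. The same applies to the TestReconcile hunks in defaulting/table_test.go and validation/reconcile_config_test.go. TestReconcile continues outside the hunk.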
@@ -201,6 +201,7 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 return fmt.Errorf("failed to fetch namespace: %w", err)
 }
 nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ nsRef.Controller = ptr.Bool(false)
 current.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
diff --git a/webhook/resourcesemantics/validation/reconcile_config_test.go b/webhook/resourcesemantics/validation/reconcile_config_test.go
index 668a2db5c0..0a87b84c8c 100644
--- a/webhook/resourcesemantics/validation/reconcile_config_test.go
+++ b/webhook/resourcesemantics/validation/reconcile_config_test.go
@@ -68,6 +68,7 @@ func TestReconcile(t *testing.T) {
 },
 }
 nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ nsRef.Controller = ptr.Bool(false)
 expectedOwnerReferences := []metav1.OwnerReference{nsRef}
 // This is the namespace selector setup