fix owner references for ca cert

egegunes · egegunes · commit f0daa5879b14 · 2026-05-04T11:08:37.000+03:00
diff --git a/internal/controller/postgrescluster/pki.go b/internal/controller/postgrescluster/pki.go
@@ -133,7 +133,6 @@ func (r *Reconciler) reconcileRootCertificate(
 	}
 	intent.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))
 	intent.Data = make(map[string][]byte)
-	intent.ObjectMeta.OwnerReferences = existing.ObjectMeta.OwnerReferences
 
 	if cluster.Labels != nil {
 		currVersion, err := gover.NewVersion(cluster.Labels[naming.LabelVersion])
@@ -143,17 +142,8 @@ func (r *Reconciler) reconcileRootCertificate(
 		}
 	}
 
-	// A root secret is scoped to the namespace where postgrescluster(s)
-	// are deployed. For operator deployments with postgresclusters in more than
-	// one namespace, there will be one root per namespace.
-	// During reconciliation, the owner reference block of the root secret is
-	// updated to include the postgrescluster as an owner.
-	// However, unlike the leaf certificate, the postgrescluster will not be
-	// set as the controller. This allows for multiple owners to guide garbage
-	// collection, but avoids any errors related to setting multiple controllers.
-	// https://docs.k8s.io/concepts/workloads/controllers/garbage-collection/#owners-and-dependents
 	if err == nil {
-		err = errors.WithStack(r.setOwnerReference(cluster, intent))
+		err = errors.WithStack(r.setControllerReference(cluster, intent))
 	}
 	if err == nil {
 		intent.Data[keyCertificate], err = root.Certificate.MarshalText()

Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,6 @@ func (r *Reconciler) reconcileRootCertificate(`
`133`	`133`	`}`
`134`	`134`	`intent.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))`
`135`	`135`	`intent.Data = make(map[string][]byte)`
`136`		`- intent.ObjectMeta.OwnerReferences = existing.ObjectMeta.OwnerReferences`
`137`	`136`
`138`	`137`	`if cluster.Labels != nil {`
`139`	`138`	`currVersion, err := gover.NewVersion(cluster.Labels[naming.LabelVersion])`
`@@ -143,17 +142,8 @@ func (r *Reconciler) reconcileRootCertificate(`
`143`	`142`	`}`
`144`	`143`	`}`
`145`	`144`
`146`		`- // A root secret is scoped to the namespace where postgrescluster(s)`
`147`		`- // are deployed. For operator deployments with postgresclusters in more than`
`148`		`- // one namespace, there will be one root per namespace.`
`149`		`- // During reconciliation, the owner reference block of the root secret is`
`150`		`- // updated to include the postgrescluster as an owner.`
`151`		`- // However, unlike the leaf certificate, the postgrescluster will not be`
`152`		`- // set as the controller. This allows for multiple owners to guide garbage`
`153`		`- // collection, but avoids any errors related to setting multiple controllers.`
`154`		`- // https://docs.k8s.io/concepts/workloads/controllers/garbage-collection/#owners-and-dependents`
`155`	`145`	`if err == nil {`
`156`		`- err = errors.WithStack(r.setOwnerReference(cluster, intent))`
	`146`	`+ err = errors.WithStack(r.setControllerReference(cluster, intent))`
`157`	`147`	`}`
`158`	`148`	`if err == nil {`
`159`	`149`	`intent.Data[keyCertificate], err = root.Certificate.MarshalText()`