fix: Add fleet annotation to namespace of CAPI cluster

yiannistri · yiannistri · commit 3f9c3ad4bcb3 · 2025-06-18T15:36:38.000+01:00
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -19,12 +19,8 @@ rules:
   - list
   - get
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
   - create
+  - patch
 - apiGroups:
   - events.k8s.io
   resources:
diff --git a/justfile b/justfile
@@ -172,6 +172,7 @@ test-import: start-dev deploy deploy-child-cluster deploy-kindnet deploy-app &&
     kubectl wait pods --for=condition=Ready --timeout=150s --all --all-namespaces
     kubectl wait cluster --timeout=500s --for=condition=ControlPlaneReady=true docker-demo
     kubectl wait clusters.fleet.cattle.io --timeout=500s --for=condition=Ready=true docker-demo
+    kubectl wait ns default --timeout=500s --for=jsonpath='{.metadata.annotations.field\.cattle\.io\/allow-fleetworkspace-creation-for-existing-namespace}=true'
 
 # Full e2e test of importing cluster in fleet
 test-import-rke2: start-dev deploy deploy-child-rke2-cluster deploy-calico-gitrepo deploy-app
diff --git a/src/controller.rs b/src/controller.rs
@@ -417,4 +417,4 @@ fn error_policy(doc: Arc<impl kube::Resource>, error: &Error, ctx: Arc<Context>)
     warn!("reconcile failed: {:?}", error);
     ctx.metrics.reconcile_failure(doc, error);
     Action::requeue(Duration::from_secs(10))
-}
+}
diff --git a/src/controllers/cluster.rs b/src/controllers/cluster.rs
@@ -17,10 +17,10 @@ use kube::api::{
 use kube::client::scope;
 use kube::runtime::watcher::{self, Config};
 use kube::{Api, Client};
-use kube::{Resource, api::ResourceExt, runtime::controller::Action};
+use kube::{Resource, api::{ResourceExt, Patch}, runtime::controller::Action};
 use serde::Serialize;
-use serde_json::Value;
-use tracing::info;
+use serde_json::{Value,json};
+use tracing::{info,debug};
 
 use std::sync::Arc;
 
@@ -30,6 +30,7 @@ use super::controller::{
 use super::{BundleResult, ClusterSyncError, ClusterSyncResult};
 
 pub static CONTROLPLANE_READY_CONDITION: &str = "ControlPlaneReady";
+pub static FLEET_WORKSPACE_ANNOTATION: &str = "field.cattle.io/allow-fleetworkspace-creation-for-existing-namespace";
 
 pub struct FleetClusterBundle {
     template_sources: TemplateSources,
@@ -176,6 +177,19 @@ impl FleetBundle for FleetClusterBundle {
             }
         }
 
+        // Ensure the fleet workspace annotation is present.
+        let patch = json!({
+                        "metadata": {
+                            "annotations": {
+                                FLEET_WORKSPACE_ANNOTATION: "true"
+                            }
+                        }
+                    });
+        let namespace_name = self.fleet.namespace().unwrap_or_default();
+        let namespaces = Api::<Namespace>::all(ctx.client.clone());
+        namespaces.patch_metadata(&namespace_name,&PatchParams::default(), &Patch::Merge(&patch)).await?;
+        debug!("Added fleet annotation to namespace {}.", namespace_name);
+
         Ok(Action::await_change())
     }
 
@@ -205,6 +219,26 @@ impl FleetBundle for FleetClusterBundle {
                 .await?;
         }
 
+        // List all other clusters in this namespace
+        let namespaces = Api::<Namespace>::all(ctx.client.clone());
+        let namespace_name = self.fleet.namespace().unwrap_or_default();
+        let clusters = Api::<Cluster>::namespaced(ctx.client.clone(), &namespace_name);
+        let other_clusters = clusters
+            .list(&ListParams::default().fields(&format!("metadata.namespace={},metadata.name!={}", namespace_name, self.fleet.name_any())))
+            .await?;
+        // If no other clusters are found in this namespace, remove the fleet workspace annotation.
+        if other_clusters.items.is_empty() {
+            let patch = json!({
+                "metadata": {
+                    "annotations": {
+                        FLEET_WORKSPACE_ANNOTATION: null
+                    }
+                }
+            });
+            namespaces.patch_metadata(&namespace_name,&PatchParams::default(), &Patch::Merge(&patch)).await?;
+            debug!("Removed fleet annotation from namespace {}.", namespace_name);
+        }
+
         Ok(Action::await_change())
     }
 }
@@ -285,4 +319,4 @@ impl Cluster {
 
         Ok(Action::await_change())
     }
-}
+}
