Use cluster specific finalizers for credential secret

api/v1alpha1/ionoscloudcluster_types.go

@@ -27,10 +27,6 @@ const (
 	// associated with the IonosCloudCluster before removing it from the API server.
 	ClusterFinalizer = "ionoscloudcluster.infrastructure.cluster.x-k8s.io"
 
-	// ClusterCredentialsFinalizer allows cleanup of resources, which are
-	// associated with the IonosCloudCluster credentials before removing it from the API server.
-	ClusterCredentialsFinalizer = ClusterFinalizer + "/credentials"
-
 	// IonosCloudClusterReady is the condition for the IonosCloudCluster, which indicates that the cluster is ready.
 	IonosCloudClusterReady clusterv1.ConditionType = "ClusterReady"
 

internal/controller/util.go

@@ -107,7 +107,7 @@ func ensureSecretControlledByCluster(
 ) error {
 	old := secret.DeepCopy()
 
-	finalizerAdded := controllerutil.AddFinalizer(secret, infrav1.ClusterCredentialsFinalizer)
+	finalizerAdded := controllerutil.AddFinalizer(secret, fmt.Sprintf("%s-%s/credentials", infrav1.ClusterFinalizer, cluster.GetName()))
 	// We want to allow using the secret in multiple clusters.
 	// Kubernetes only allows us to have one controller reference.
 	if err := controllerutil.SetOwnerReference(cluster, secret, c.Scheme()); err != nil {
@@ -135,12 +135,6 @@ func removeCredentialsFinalizer(ctx context.Context, c client.Client, cluster *i
 		return client.IgnoreNotFound(err)
 	}
 
-	if len(secret.GetOwnerReferences()) > 1 {
-		// The secret is owned by more than one resource.
-		// Therefore, we don't want to remove the finalizer.
-		return nil
-	}
-
-	controllerutil.RemoveFinalizer(&secret, infrav1.ClusterCredentialsFinalizer)
+	controllerutil.RemoveFinalizer(&secret, fmt.Sprintf("%s-%s/credentials", infrav1.ClusterFinalizer, cluster.GetName()))
 	return c.Update(ctx, &secret)
 }