refactor gc controller

Signed-off-by: Zhiwei Yin <[email protected]>

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/stretchr/testify v1.8.2
 	github.com/valyala/fasttemplate v1.2.2
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
-	golang.org/x/net v0.10.0
+	golang.org/x/net v0.17.0
 	k8s.io/api v0.27.2
 	k8s.io/apiextensions-apiserver v0.27.2
 	k8s.io/apimachinery v0.27.2
@@ -28,7 +28,7 @@ require (
 	k8s.io/kube-aggregator v0.27.2
 	k8s.io/utils v0.0.0-20230313181309-38a27ef9d749
 	open-cluster-management.io/addon-framework v0.8.1-0.20231009020812-e52774032b4c
-	open-cluster-management.io/api v0.12.1-0.20230925140632-bf4f47ea90d1
+	open-cluster-management.io/api v0.12.1-0.20231012061439-c2e638b6b872
 	sigs.k8s.io/controller-runtime v0.15.0
 	sigs.k8s.io/kube-storage-version-migrator v0.0.5
 )
@@ -118,12 +118,12 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.5.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/oauth2 v0.5.0 // indirect
 	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/term v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.9.1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect

go.sum

@@ -710,8 +710,8 @@ golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
-golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -793,8 +793,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -872,15 +872,15 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -891,8 +891,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1158,8 +1158,8 @@ k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 h1:xMMXJlJbsU8w3V5N2FLDQ8YgU8s1E
 k8s.io/utils v0.0.0-20230313181309-38a27ef9d749/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 open-cluster-management.io/addon-framework v0.8.1-0.20231009020812-e52774032b4c h1:9Rvj3UTjVwJWOItlIYx6shFF72f8L3t91T9IwZ8sx6Q=
 open-cluster-management.io/addon-framework v0.8.1-0.20231009020812-e52774032b4c/go.mod h1:r4sQGR9YgLC4hXC695sfinun2WhuigWrEPk2IeIl800=
-open-cluster-management.io/api v0.12.1-0.20230925140632-bf4f47ea90d1 h1:8r0fdost7Yhvvz+xJb7xkj/tLZ4DigxiGoEJGakXhUg=
-open-cluster-management.io/api v0.12.1-0.20230925140632-bf4f47ea90d1/go.mod h1:/CZhelEH+30/pX7vXGSZOzLMX0zvjthYOkT/5ZTzVTQ=
+open-cluster-management.io/api v0.12.1-0.20231012061439-c2e638b6b872 h1:DJh18fiImtiTHcdQ5MT761VbqeT+TrzoePaye+oztr4=
+open-cluster-management.io/api v0.12.1-0.20231012061439-c2e638b6b872/go.mod h1:RaKSNLO1I3xYfvIwIcCxFYgIUp3NOseG0xoGfReBEPw=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml

@@ -87,7 +87,7 @@ rules:
 # Allow hub to manage managed cluster addons
 - apiGroups: ["addon.open-cluster-management.io"]
   resources: ["managedclusteraddons"]
-  verbs: ["get", "list", "watch"]
+  verbs: ["get", "list", "watch", "delete"]
 - apiGroups: ["addon.open-cluster-management.io"]
   resources: ["managedclusteraddons/status"]
   verbs: ["patch", "update"]

pkg/registration/helpers/testing/testinghelpers.go

@@ -28,6 +28,7 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/keyutil"
 
+	addonv1alpha1 "open-cluster-management.io/api/addon/v1alpha1"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
 	workapiv1 "open-cluster-management.io/api/work/v1"
 )
@@ -192,11 +193,14 @@ func NewNamespace(name string, terminated bool) *corev1.Namespace {
 	return namespace
 }
 
-func NewManifestWork(namespace, name string, finalizers []string, deletionTimestamp *metav1.Time) *workapiv1.ManifestWork {
+func NewManifestWork(namespace, name string, finalizers []string,
+	labels, annotations map[string]string, deletionTimestamp *metav1.Time) *workapiv1.ManifestWork {
 	work := &workapiv1.ManifestWork{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:         namespace,
 			Name:              name,
+			Labels:            labels,
+			Annotations:       annotations,
 			Finalizers:        finalizers,
 			DeletionTimestamp: deletionTimestamp,
 		},
@@ -230,6 +234,30 @@ func NewRoleBinding(namespace, name string, finalizers []string, labels map[stri
 	return rolebinding
 }
 
+func NewClusterRole(name string, finalizers []string, labels map[string]string, terminated bool) *rbacv1.ClusterRole {
+	clusterRole := &rbacv1.ClusterRole{}
+	clusterRole.Name = name
+	clusterRole.Finalizers = finalizers
+	clusterRole.Labels = labels
+	if terminated {
+		now := metav1.Now()
+		clusterRole.DeletionTimestamp = &now
+	}
+	return clusterRole
+}
+
+func NewClusterRoleBinding(name string, finalizers []string, labels map[string]string, terminated bool) *rbacv1.ClusterRoleBinding {
+	clusterRoleBinding := &rbacv1.ClusterRoleBinding{}
+	clusterRoleBinding.Name = name
+	clusterRoleBinding.Finalizers = finalizers
+	clusterRoleBinding.Labels = labels
+	if terminated {
+		now := metav1.Now()
+		clusterRoleBinding.DeletionTimestamp = &now
+	}
+	return clusterRoleBinding
+}
+
 func NewResourceList(cpu, mem int) corev1.ResourceList {
 	return corev1.ResourceList{
 		corev1.ResourceCPU:    *resource.NewQuantity(int64(cpu), resource.DecimalExponent),
@@ -499,3 +527,14 @@ func WriteFile(filename string, data []byte) {
 		panic(err)
 	}
 }
+
+func NewManagedClusterAddons(name, namespace string, finalizers []string, deletionTimestamp *metav1.Time) *addonv1alpha1.ManagedClusterAddOn {
+	return &addonv1alpha1.ManagedClusterAddOn{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:              name,
+			Namespace:         namespace,
+			Finalizers:        finalizers,
+			DeletionTimestamp: deletionTimestamp,
+		},
+	}
+}

pkg/registration/hub/clusterrole/controller.go

@@ -2,7 +2,6 @@ package clusterrole
 
 import (
 	"context"
-	"embed"
 	"fmt"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
@@ -18,6 +17,7 @@ import (
 
 	"open-cluster-management.io/ocm/pkg/common/apply"
 	"open-cluster-management.io/ocm/pkg/common/queue"
+	"open-cluster-management.io/ocm/pkg/registration/hub/manifests"
 )
 
 const (
@@ -26,13 +26,10 @@ const (
 )
 
 var clusterRoleFiles = []string{
-	"manifests/managedcluster-registration-clusterrole.yaml",
-	"manifests/managedcluster-work-clusterrole.yaml",
+	"rbac/managedcluster-registration-clusterrole.yaml",
+	"rbac/managedcluster-work-clusterrole.yaml",
 }
 
-//go:embed manifests
-var manifestFiles embed.FS
-
 // clusterroleController maintains the necessary clusterroles for registration and work agent on hub cluster.
 type clusterroleController struct {
 	kubeClient    kubernetes.Interface
@@ -83,7 +80,7 @@ func (c *clusterroleController) sync(ctx context.Context, syncCtx factory.SyncCo
 			ctx,
 			resourceapply.NewKubeClientHolder(c.kubeClient),
 			c.eventRecorder,
-			manifestFiles.ReadFile,
+			manifests.RBACManifests.ReadFile,
 			clusterRoleFiles...,
 		)
 		for _, result := range results {
@@ -98,7 +95,7 @@ func (c *clusterroleController) sync(ctx context.Context, syncCtx factory.SyncCo
 	results := c.applier.Apply(
 		ctx,
 		syncCtx.Recorder(),
-		manifestFiles.ReadFile,
+		manifests.RBACManifests.ReadFile,
 		clusterRoleFiles...,
 	)
 

pkg/registration/hub/gc/controller.go

@@ -0,0 +1,155 @@
+package gc
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/events"
+	operatorhelpers "github.com/openshift/library-go/pkg/operator/v1helpers"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/client-go/kubernetes"
+	rbacv1listers "k8s.io/client-go/listers/rbac/v1"
+	"k8s.io/client-go/metadata"
+	"k8s.io/klog/v2"
+
+	clientset "open-cluster-management.io/api/client/cluster/clientset/versioned"
+	informerv1 "open-cluster-management.io/api/client/cluster/informers/externalversions/cluster/v1"
+	clusterv1listers "open-cluster-management.io/api/client/cluster/listers/cluster/v1"
+	worklister "open-cluster-management.io/api/client/work/listers/work/v1"
+	clusterv1 "open-cluster-management.io/api/cluster/v1"
+
+	"open-cluster-management.io/ocm/pkg/common/patcher"
+	"open-cluster-management.io/ocm/pkg/common/queue"
+)
+
+type gcReconcileOp int
+
+const (
+	gcReconcileRequeue gcReconcileOp = iota
+	gcReconcileStop
+	gcReconcileContinue
+)
+
+var (
+	addonGvr = schema.GroupVersionResource{Group: "addon.open-cluster-management.io",
+		Version: "v1alpha1", Resource: "managedclusteraddons"}
+	workGvr = schema.GroupVersionResource{Group: "work.open-cluster-management.io",
+		Version: "v1", Resource: "manifestworks"}
+)
+
+// gcReconciler is an interface for reconcile cleanup logic after cluster is deleted.
+// clusterName is from the queueKey, cluster may be nil.
+type gcReconciler interface {
+	reconcile(ctx context.Context, cluster *clusterv1.ManagedCluster) (gcReconcileOp, error)
+}
+
+type GCController struct {
+	clusterLister  clusterv1listers.ManagedClusterLister
+	clusterPatcher patcher.Patcher[*clusterv1.ManagedCluster, clusterv1.ManagedClusterSpec, clusterv1.ManagedClusterStatus]
+	gcReconcilers  []gcReconciler
+}
+
+// NewGCController ensures the related resources are cleaned up after cluster is deleted
+func NewGCController(
+	clusterRoleLister rbacv1listers.ClusterRoleLister,
+	clusterRoleBindingLister rbacv1listers.ClusterRoleBindingLister,
+	roleBindingLister rbacv1listers.RoleBindingLister,
+	clusterInformer informerv1.ManagedClusterInformer,
+	manifestWorkLister worklister.ManifestWorkLister,
+	clusterClient clientset.Interface,
+	kubeClient kubernetes.Interface,
+	metadataClient metadata.Interface,
+	eventRecorder events.Recorder,
+	gcResourceList []string,
+) factory.Controller {
+	clusterPatcher := patcher.NewPatcher[
+		*clusterv1.ManagedCluster, clusterv1.ManagedClusterSpec, clusterv1.ManagedClusterStatus](
+		clusterClient.ClusterV1().ManagedClusters())
+
+	gcResources := []schema.GroupVersionResource{}
+	if len(gcResourceList) == 0 {
+		gcResources = append(gcResources, addonGvr, workGvr)
+	}
+	for _, gcResource := range gcResourceList {
+		subStrings := strings.Split(gcResource, "/")
+		if len(subStrings) != 3 {
+			klog.Errorf("invalid gc-resource-list flag: %v", gcResources)
+			continue
+		}
+		gcResources = append(gcResources, schema.GroupVersionResource{
+			Group: subStrings[0], Version: subStrings[1], Resource: subStrings[2]})
+	}
+
+	controller := &GCController{
+		clusterLister:  clusterInformer.Lister(),
+		clusterPatcher: clusterPatcher,
+		gcReconcilers: []gcReconciler{
+			newGCResourcesController(metadataClient, gcResources, eventRecorder),
+			newGCClusterRbacController(kubeClient, clusterPatcher, clusterInformer, clusterRoleLister,
+				clusterRoleBindingLister, roleBindingLister, manifestWorkLister, eventRecorder),
+		},
+	}
+
+	return factory.New().
+		WithInformersQueueKeysFunc(queue.QueueKeyByMetaName, clusterInformer.Informer()).
+		WithSync(controller.sync).ToController("GCController", eventRecorder)
+}
+
+// gc controller is watching cluster and to do these jobs:
+//  1. add a cleanup finalizer to managedCluster if the cluster is not deleting.
+//  2. clean up all rbac and resources in the cluster ns after the cluster is deleted.
+func (r *GCController) sync(ctx context.Context, controllerContext factory.SyncContext) error {
+	clusterName := controllerContext.QueueKey()
+	if clusterName == "" || clusterName == factory.DefaultQueueKey {
+		return nil
+	}
+
+	originalCluster, err := r.clusterLister.Get(clusterName)
+	switch {
+	case errors.IsNotFound(err):
+		return nil
+	case err != nil:
+		return err
+	}
+
+	cluster := originalCluster.DeepCopy()
+	var errs []error
+	var requeue bool
+	for _, reconciler := range r.gcReconcilers {
+		op, err := reconciler.reconcile(ctx, cluster)
+		if err != nil {
+			errs = append(errs, err)
+		}
+		if op == gcReconcileRequeue {
+			requeue = true
+		}
+		if op == gcReconcileStop {
+			break
+		}
+	}
+	// update cluster condition firstly
+	if len(errs) != 0 {
+		applyErrors := operatorhelpers.NewMultiLineAggregate(errs)
+		meta.SetStatusCondition(&cluster.Status.Conditions, metav1.Condition{
+			Type:    clusterv1.ManagedClusterConditionDeleting,
+			Status:  metav1.ConditionFalse,
+			Reason:  clusterv1.ConditionDeletingReasonResourceError,
+			Message: applyErrors.Error(),
+		})
+	}
+
+	if _, err = r.clusterPatcher.PatchStatus(ctx, cluster, cluster.Status, originalCluster.Status); err != nil {
+		errs = append(errs, err)
+	}
+
+	if requeue {
+		controllerContext.Queue().AddAfter(clusterName, 1*time.Second)
+	}
+	return utilerrors.NewAggregate(errs)
+}