diff --git a/hack/api-reference/config.md b/hack/api-reference/config.md
index 749a85fe..f696af73 100644
--- a/hack/api-reference/config.md
+++ b/hack/api-reference/config.md
@@ -128,6 +128,17 @@ bool
AllowInsecureRegistries allows Lakom to use HTTP for communication with the registries
+
+
+deploySeedResources
+
+bool
+
+ |
+
+ DeploySeedResources instruct the lakom-controller whether it should deploy lakom to the seed cluster.
+ |
+
DebugConfig
diff --git a/pkg/apis/config/types.go b/pkg/apis/config/types.go
index eae6d2f3..1f8f12ba 100644
--- a/pkg/apis/config/types.go
+++ b/pkg/apis/config/types.go
@@ -33,6 +33,8 @@ type Configuration struct {
// AllowInsecureRegistries sets the lakom webhook to allow HTTP communication with OCI registries.
// It first tries HTTPS and then falls back to HTTP.
AllowInsecureRegistries bool
+ // DeploySeedResources instruct the lakom-controller whether it should deploy lakom to the seed cluster.
+ DeploySeedResources bool
}
// DebugConfig contains debug configurations for the controller.
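Review bot: The doc comment added for `DeploySeedResources` does not say what `false` does, and the reconciler hunk in this commit shows that false actively calls `managedresources.DeleteForSeed` rather than only skipping deployment. An operator reading the API docs should see that consequence, so I would word it as `// DeploySeedResources controls whether the lakom-controller deploys lakom to the seed cluster. When false, the controller deletes the seed ManagedResource it previously created.` The same sentence is repeated in pkg/apis/config/v1alpha1/types.go and in hack/api-reference/config.md and should be updated together. The struct starts outside this hunk.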
diff --git a/pkg/apis/config/v1alpha1/types.go b/pkg/apis/config/v1alpha1/types.go
index e3c711d5..6ea151e7 100644
--- a/pkg/apis/config/v1alpha1/types.go
+++ b/pkg/apis/config/v1alpha1/types.go
@@ -36,6 +36,8 @@ type Configuration struct {
AllowUntrustedImages bool `json:"allowUntrustedImages"`
// AllowInsecureRegistries allows Lakom to use HTTP for communication with the registries
AllowInsecureRegistries bool `json:"allowInsecureRegistries"`
+ // DeploySeedResources instruct the lakom-controller whether it should deploy lakom to the seed cluster.
+ DeploySeedResources bool `json:"deploySeedResources"`
}
// DebugConfig contains debug configurations for the controller.
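Review bot: The new `deploySeedResources` field is a plain `bool`, so a configuration file that omits the key decodes to false, and false makes the seed reconciler delete the Lakom seed ManagedResource. No defaulting function is visible in this diff, so unless one exists elsewhere, a configuration written before this field existed would remove image verification from the seed on upgrade without anyone having asked for it. If deploying is meant to stay the default, either make the field `*bool` and set it to true in the v1alpha1 defaults, or invert the flag so that the zero value keeps the seed deployment in place. Whichever is chosen, the intended default should be stated in the field comment.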
diff --git a/pkg/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/apis/config/v1alpha1/zz_generated.conversion.go
index c4b6c96d..051b2105 100644
--- a/pkg/apis/config/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/config/v1alpha1/zz_generated.conversion.go
@@ -69,6 +69,7 @@ func autoConvert_v1alpha1_Configuration_To_config_Configuration(in *Configuratio
out.UseOnlyImagePullSecrets = in.UseOnlyImagePullSecrets
out.AllowUntrustedImages = in.AllowUntrustedImages
out.AllowInsecureRegistries = in.AllowInsecureRegistries
+ out.DeploySeedResources = in.DeploySeedResources
return nil
}
@@ -87,6 +88,7 @@ func autoConvert_config_Configuration_To_v1alpha1_Configuration(in *config.Confi
out.UseOnlyImagePullSecrets = in.UseOnlyImagePullSecrets
out.AllowUntrustedImages = in.AllowUntrustedImages
out.AllowInsecureRegistries = in.AllowInsecureRegistries
+ out.DeploySeedResources = in.DeploySeedResources
return nil
}
diff --git a/pkg/controller/seed/reconciler.go b/pkg/controller/seed/reconciler.go
index 76db6bbb..8d61951d 100644
--- a/pkg/controller/seed/reconciler.go
+++ b/pkg/controller/seed/reconciler.go
@@ -80,6 +80,16 @@ func (kcr *kubeSystemReconciler) reconcile(ctx context.Context, logger logr.Logg
const (
kubeSystemNamespaceName = metav1.NamespaceSystem
)
+ var (
+ ownerNamespace = kcr.serviceConfig.SeedBootstrap.OwnerNamespace
+ )
+
+ if !kcr.serviceConfig.DeploySeedResources {
+ if err := managedresources.DeleteForSeed(ctx, kcr.client, ownerNamespace, constants.ManagedResourceNamesSeed); err != nil {
+ return err
+ }
+ return nil
+ }
secretsConfig := ConfigsFor(kubeSystemNamespaceName)
secretsManager, err := secretsmanager.New(ctx, logger.WithName("seed-secretsmanager"), clock.RealClock{}, kcr.client, kubeSystemNamespaceName, ManagerIdentity, secretsmanager.Config{CASecretAutoRotation: true})
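Review bot: The new early-return branch removes the seed ManagedResource without emitting any log line, so turning off the seed admission control leaves no trace in the controller output; add `logger.Info("DeploySeedResources is disabled, deleting seed ManagedResource", "namespace", ownerNamespace)` before the delete. The branch also returns before `secretsmanager.New` is reached, so secrets that an earlier reconcile generated in kube-system are presumably left behind, and nothing here waits for the deletion to complete; confirm whether that is intended. As a smaller style point, the `if err := …; err != nil { return err }` followed by `return nil` collapses to `return managedresources.DeleteForSeed(ctx, kcr.client, ownerNamespace, constants.ManagedResourceNamesSeed)`. The body of `reconcile` starts and ends outside this hunk.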
@@ -122,10 +132,6 @@ func (kcr *kubeSystemReconciler) reconcile(ctx context.Context, logger logr.Logg
return err
}
- var (
- ownerNamespace = kcr.serviceConfig.SeedBootstrap.OwnerNamespace
- )
-
if err := managedresources.CreateForSeed(ctx, kcr.client, ownerNamespace, constants.ManagedResourceNamesSeed, false, resources); err != nil {
return err
}