
fix: remove the finalizer on namespace deletion (#5473)

* fix: remove the finalizer on namespace deletion

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* stop ignoring a conflict error

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* add after suite of removing all cluster external secrets

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 7 months ago
parent
commit
42c46d9792

+ 12 - 0
e2e/suites/provider/suite_test.go

@@ -28,6 +28,7 @@ import (
 	"github.com/external-secrets/external-secrets-e2e/framework/addon"
 	"github.com/external-secrets/external-secrets-e2e/framework/util"
 	_ "github.com/external-secrets/external-secrets-e2e/suites/provider/cases"
+	v1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 )
 
@@ -45,6 +46,7 @@ var _ = SynchronizedAfterSuite(func() {
 }, func() {
 	cfg := &addon.Config{}
 	cfg.KubeConfig, cfg.KubeClientSet, cfg.CRClient = util.NewConfig()
+
 	By("Deleting any pending generator states")
 	generatorStates := &genv1alpha1.GeneratorStateList{}
 	err := cfg.CRClient.List(GinkgoT().Context(), generatorStates)
@@ -53,6 +55,16 @@ var _ = SynchronizedAfterSuite(func() {
 		err = cfg.CRClient.Delete(GinkgoT().Context(), &generatorState)
 		Expect(err).ToNot(HaveOccurred())
 	}
+
+	By("Deleting all ClusterExternalSecrets")
+	externalSecretsList := &v1.ClusterExternalSecretList{}
+	err = cfg.CRClient.List(GinkgoT().Context(), externalSecretsList)
+	Expect(err).ToNot(HaveOccurred())
+	for _, externalSecret := range externalSecretsList.Items {
+		err = cfg.CRClient.Delete(GinkgoT().Context(), &externalSecret)
+		Expect(err).ToNot(HaveOccurred())
+	}
+
 	By("Cleaning up global addons")
 	addon.UninstallGlobalAddons()
 	if CurrentSpecReport().Failed() {
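Review bot: The new cleanup loop only issues `Delete` and then falls straight through to `addon.UninstallGlobalAddons()`, so nothing confirms the ClusterExternalSecrets are gone before the controller is removed. If these objects, or the namespaces they target, carry finalizers that the controller has to clear (which the rest of this commit suggests), they can be left stuck in Terminating once the controller is uninstalled. Consider following the loop with an `Eventually` that re-lists `v1.ClusterExternalSecretList` and expects `Items` to be empty. If the controller-runtime `client` package is imported here, also wrap the delete error as `client.IgnoreNotFound(err)`, so an object that disappears between List and Delete does not fail the suite. The enclosing function continues past the end of the hunk.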

+ 9 - 4
pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go

@@ -201,9 +201,13 @@ func (r *Reconciler) gatherProvisionedNamespaces(
 ) []string {
 	var provisionedNamespaces []string //nolint:prealloc // we don't know the size
 	for _, namespace := range namespaces {
-		// Skip namespace if it's being deleted
+		// If namespace is being deleted, remove our finalizer to allow deletion to proceed
 		if namespace.DeletionTimestamp != nil {
-			log.Info("skipping namespace as it is being deleted", "namespace", namespace.Name)
+			log.Info("namespace is being deleted, removing finalizer", "namespace", namespace.Name)
+			if err := r.removeNamespaceFinalizer(ctx, log, &namespace, clusterExternalSecret.Name); err != nil {
+				log.Error(err, "failed to remove finalizer from terminating namespace", "namespace", namespace.Name)
+				// Don't add to failedNamespaces - this is cleanup, not provisioning
+			}
 			continue
 		}
 		var existingES esv1.ExternalSecret
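Review bot: The error from `r.removeNamespaceFinalizer` is logged and then dropped, so nothing visible here retries a failed removal. This matters more after the later hunk in `updateNamespaceRemoveFinalizer`, which stops swallowing Conflict. If `removeNamespaceFinalizer` goes through that path (not visible in this hunk), a routine update conflict on a terminating namespace now produces only an error log, and the namespace stays in Terminating until some later reconcile runs. Either propagate the failure so the reconcile is requeued, or extend the comment to state what retries it, e.g. `// Not added to failedNamespaces: cleanup only; retried on the next reconcile of this ClusterExternalSecret`. The function body starts and ends outside the hunk.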
@@ -350,13 +354,14 @@ func (r *Reconciler) updateNamespaceRemoveFinalizer(ctx context.Context, log log
 	// Only update if the finalizer was actually removed
 	if updated := controllerutil.RemoveFinalizer(namespace, finalizer); updated {
 		if err := r.Update(ctx, namespace); err != nil {
-			// Ignore NotFound (namespace deleted) and Conflict (will retry)
-			if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
+			// Ignore NotFound (namespace deleted)
+			if apierrors.IsNotFound(err) {
 				log.V(1).Info("ignoring expected error during finalizer removal",
 					"namespace", namespaceName,
 					"error", err.Error())
 				return nil
 			}
+
 			return fmt.Errorf("failed to remove finalizer from namespace %s: %w", namespaceName, err)
 		}
 	}