From ec8fa9db9a3ab0545576d0ea2468d99ec171ec67 Mon Sep 17 00:00:00 2001
From: Swati Mulje <86704969+smulje@users.noreply.github.com>
Date: Wed, 17 Jun 2026 10:31:47 +0000
Subject: [PATCH] Fix node label matching in triggerReconciliation

  Replace reflect.DeepEqual with proper label selector matching.
  This ensures the operator correctly creates IngressNodeFirewallNodeState
  objects for nodes added after the operator starts.

  The previous implementation used DeepEqual which required exact
  label match. The new implementation uses labels.SelectorFromSet
  which properly handles label selectors per Kubernetes semantics.
---
 controllers/ingressnodefirewall_controller.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/controllers/ingressnodefirewall_controller.go b/controllers/ingressnodefirewall_controller.go
index c8e947f8f..c07ebf395 100644
--- a/controllers/ingressnodefirewall_controller.go
+++ b/controllers/ingressnodefirewall_controller.go
@@ -19,7 +19,6 @@ package controllers
 import (
 	"context"
 	"fmt"
-	"reflect"
 	"strings"
 
 	infv1alpha1 "github.com/openshift/ingress-node-firewall/api/v1alpha1"
@@ -30,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -233,7 +233,8 @@ func (r *IngressNodeFirewallReconciler) triggerReconciliation(ctx context.Contex
 	}
 
 	for _, fwobj := range ingressNodeFirewallList.Items {
-		if reflect.DeepEqual(fwobj.Spec.NodeSelector.MatchLabels, object.GetLabels()) {
+		selector := labels.SelectorFromSet(fwobj.Spec.NodeSelector.MatchLabels)
+		if selector.Matches(labels.Set(object.GetLabels())) {
 			nodeState := fwobj
 			req := reconcile.Request{
 				NamespacedName: types.NamespacedName{