From 93a46918e87f494bc9066b7bd3881b7a1733a05e Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Mon, 28 Jul 2025 15:41:25 -0400
Subject: [PATCH 01/11] Add finalizer

---
 internal/controller/finalizer_test.go    | 242 +++++++++++++++++++++++
 internal/controller/worker_controller.go | 108 ++++++++++
 internal/k8s/deployments.go              |   4 +-
 3 files changed, 352 insertions(+), 2 deletions(-)
 create mode 100644 internal/controller/finalizer_test.go

diff --git a/internal/controller/finalizer_test.go b/internal/controller/finalizer_test.go
new file mode 100644
index 00000000..4903a1bc
--- /dev/null
+++ b/internal/controller/finalizer_test.go
@@ -0,0 +1,242 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the MIT License.
+//
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2024 Datadog, Inc.
+
+package controller
+
+import (
+	"context"
+	"testing"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
+	"github.com/temporalio/temporal-worker-controller/internal/testhelpers"
+	"github.com/temporalio/temporal-worker-controller/internal/testhelpers/testlogr"
+)
+
+func TestFinalizerAddition(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a TemporalWorkerDeployment without finalizer using test helpers
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+		twd.Spec.WorkerOptions = temporaliov1alpha1.WorkerOptions{
+			TemporalNamespace:  "test-namespace",
+			TemporalConnection: "test-connection",
+		}
+		twd.Spec.Template = corev1.PodTemplateSpec{
+			Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{
+						Name:  "worker",
+						Image: "test-image:latest",
+					},
+				},
+			},
+		}
+		return twd
+	})
+
+	// Create fake client with test helpers
+	client := testhelpers.SetupFakeClient()
+
+	// Create the resource in the fake client
+	err := client.Create(ctx, workerDeploy)
+	if err != nil {
+		t.Fatalf("Failed to create TemporalWorkerDeployment: %v", err)
+	}
+
+	// Create reconciler
+	reconciler := &TemporalWorkerDeploymentReconciler{
+		Client: client,
+		Scheme: testhelpers.SetupTestScheme(),
+	}
+
+	// Verify finalizer is not present initially
+	if controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
+		t.Error("Finalizer should not be present initially")
+	}
+
+	// Simulate what happens in the reconcile loop when finalizer needs to be added
+	if !controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
+		controllerutil.AddFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer)
+		err := reconciler.Update(ctx, workerDeploy)
+		if err != nil {
+			t.Fatalf("Failed to add finalizer: %v", err)
+		}
+	}
+
+	// Fetch the updated resource
+	updated := &temporaliov1alpha1.TemporalWorkerDeployment{}
+	err = client.Get(ctx, types.NamespacedName{Name: "test-worker", Namespace: "default"}, updated)
+	if err != nil {
+		t.Fatalf("Failed to fetch updated resource: %v", err)
+	}
+
+	// Verify finalizer was added
+	if !controllerutil.ContainsFinalizer(updated, TemporalWorkerDeploymentFinalizer) {
+		t.Error("Finalizer should be present after update")
+	}
+}
+
+func TestIsOwnedByWorkerDeployment(t *testing.T) {
+	// Create a TemporalWorkerDeployment
+	workerDeploy := &temporaliov1alpha1.TemporalWorkerDeployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-worker",
+			Namespace: "default",
+			UID:       "worker-uid-123",
+		},
+	}
+
+	// Create a deployment owned by the worker deployment
+	deployment := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-deployment",
+			Namespace: "default",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: apiGVStr,
+					Kind:       "TemporalWorkerDeployment",
+					Name:       "test-worker",
+					UID:        "worker-uid-123",
+				},
+			},
+		},
+	}
+
+	// Create a deployment not owned by the worker deployment
+	unownedDeployment := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "unowned-deployment",
+			Namespace: "default",
+		},
+	}
+
+	reconciler := &TemporalWorkerDeploymentReconciler{}
+
+	// Test owned deployment
+	if !reconciler.isOwnedByWorkerDeployment(deployment, workerDeploy) {
+		t.Error("Deployment should be identified as owned by worker deployment")
+	}
+
+	// Test unowned deployment
+	if reconciler.isOwnedByWorkerDeployment(unownedDeployment, workerDeploy) {
+		t.Error("Unowned deployment should not be identified as owned by worker deployment")
+	}
+}
+
+func TestCleanupManagedResources(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a TemporalWorkerDeployment using test helpers
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+		twd.UID = "worker-uid-123"
+		return twd
+	})
+
+	// Create a deployment owned by the worker deployment
+	ownedDeployment := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "owned-deployment",
+			Namespace: "default",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: apiGVStr,
+					Kind:       "TemporalWorkerDeployment",
+					Name:       "test-worker",
+					UID:        "worker-uid-123",
+				},
+			},
+		},
+	}
+
+	// Create a deployment not owned by the worker deployment
+	unownedDeployment := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "unowned-deployment",
+			Namespace: "default",
+		},
+	}
+
+	// Create fake client with the deployments using test helpers
+	client := testhelpers.SetupFakeClient(ownedDeployment, unownedDeployment)
+
+	reconciler := &TemporalWorkerDeploymentReconciler{
+		Client: client,
+		Scheme: testhelpers.SetupTestScheme(),
+	}
+
+	// Create a test logger using testlogr
+	logger := testlogr.New(t)
+
+	// Test cleanup - should only delete owned deployments
+	err := reconciler.cleanupManagedResources(ctx, logger, workerDeploy)
+	if err != nil {
+		t.Fatalf("Cleanup should succeed: %v", err)
+	}
+
+	// Verify owned deployment was deleted
+	err = client.Get(ctx, types.NamespacedName{Name: "owned-deployment", Namespace: "default"}, &appsv1.Deployment{})
+	if err == nil {
+		t.Error("Owned deployment should have been deleted")
+	}
+
+	// Verify unowned deployment was not deleted
+	err = client.Get(ctx, types.NamespacedName{Name: "unowned-deployment", Namespace: "default"}, &appsv1.Deployment{})
+	if err != nil {
+		t.Error("Unowned deployment should not have been deleted")
+	}
+}
+
+func TestHandleDeletion(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a TemporalWorkerDeployment with finalizer and deletion timestamp using test helpers
+	now := metav1.Now()
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+		twd.UID = "worker-uid-123"
+		twd.DeletionTimestamp = &now
+		twd.Finalizers = []string{TemporalWorkerDeploymentFinalizer}
+		twd.Spec.WorkerOptions = temporaliov1alpha1.WorkerOptions{
+			TemporalNamespace:  "test-namespace",
+			TemporalConnection: "test-connection",
+		}
+		return twd
+	})
+
+	// Create fake client using test helpers
+	client := testhelpers.SetupFakeClient(workerDeploy)
+
+	reconciler := &TemporalWorkerDeploymentReconciler{
+		Client: client,
+		Scheme: testhelpers.SetupTestScheme(),
+	}
+
+	// Create a test logger using testlogr
+	logger := testlogr.New(t)
+
+	// Verify finalizer is present before deletion
+	if !controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
+		t.Error("Finalizer should be present before deletion handling")
+	}
+
+	// Test deletion handling
+	result, err := reconciler.handleDeletion(ctx, logger, workerDeploy)
+	if err != nil {
+		t.Fatalf("handleDeletion should succeed: %v", err)
+	}
+
+	if result.Requeue {
+		t.Error("Result should not indicate requeue")
+	}
+
+	// After handleDeletion, the resource should be deleted (finalizer removal allows deletion to proceed)
+	// In a real cluster, the resource would be gone. In the fake client, we can verify it was marked for deletion
+	// by checking if the finalizer was removed (which we can't easily do since the resource is deleted)
+	// Instead, we'll verify that the deletion handling completed without error, which means cleanup was successful
+}
diff --git a/internal/controller/worker_controller.go b/internal/controller/worker_controller.go
index cddae68a..4d74596c 100644
--- a/internal/controller/worker_controller.go
+++ b/internal/controller/worker_controller.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/go-logr/logr"
 	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
 	"github.com/temporalio/temporal-worker-controller/internal/controller/clientpool"
 	"github.com/temporalio/temporal-worker-controller/internal/k8s"
@@ -21,6 +22,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -34,6 +36,8 @@ const (
 	// TODO(jlegrone): add this everywhere
 	deployOwnerKey = ".metadata.controller"
 	buildIDLabel   = "temporal.io/build-id"
+	// TemporalWorkerDeploymentFinalizer is the finalizer used to ensure proper cleanup of resources
+	TemporalWorkerDeploymentFinalizer = "temporal.io/temporal-worker-deployment-finalizer"
 )
 
 // TemporalWorkerDeploymentReconciler reconciles a TemporalWorkerDeployment object
@@ -79,6 +83,22 @@ func (r *TemporalWorkerDeploymentReconciler) Reconcile(ctx context.Context, req
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
 
+	// Handle deletion
+	if workerDeploy.ObjectMeta.DeletionTimestamp != nil {
+		return r.handleDeletion(ctx, l, &workerDeploy)
+	}
+
+	// Add finalizer if it doesn't exist
+	if !controllerutil.ContainsFinalizer(&workerDeploy, TemporalWorkerDeploymentFinalizer) {
+		controllerutil.AddFinalizer(&workerDeploy, TemporalWorkerDeploymentFinalizer)
+		if err := r.Update(ctx, &workerDeploy); err != nil {
+			l.Error(err, "unable to add finalizer")
+			return ctrl.Result{}, err
+		}
+		// Requeue to continue with normal reconciliation after adding finalizer
+		return ctrl.Result{Requeue: true}, nil
+	}
+
 	// TODO(jlegrone): Set defaults via webhook rather than manually
 	if err := workerDeploy.Default(ctx, &workerDeploy); err != nil {
 		l.Error(err, "TemporalWorkerDeployment defaulter failed")
@@ -188,6 +208,94 @@ func (r *TemporalWorkerDeploymentReconciler) Reconcile(ctx context.Context, req
 	}, nil
 }
 
+// handleDeletion handles the deletion process for TemporalWorkerDeployment resources
+func (r *TemporalWorkerDeploymentReconciler) handleDeletion(ctx context.Context, l logr.Logger, workerDeploy *temporaliov1alpha1.TemporalWorkerDeployment) (ctrl.Result, error) {
+	l.Info("Handling deletion of TemporalWorkerDeployment")
+
+	if !controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
+		// Finalizer has already been removed, allow deletion to proceed
+		return ctrl.Result{}, nil
+	}
+
+	// Clean up managed resources
+	if err := r.cleanupManagedResources(ctx, l, workerDeploy); err != nil {
+		l.Error(err, "Failed to cleanup managed resources")
+		return ctrl.Result{}, err
+	}
+
+	// Remove the finalizer to allow deletion
+	controllerutil.RemoveFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer)
+	if err := r.Update(ctx, workerDeploy); err != nil {
+		l.Error(err, "Failed to remove finalizer")
+		return ctrl.Result{}, err
+	}
+
+	l.Info("Successfully removed finalizer, resource will be deleted")
+	return ctrl.Result{}, nil
+}
+
+// cleanupManagedResources ensures all resources managed by this TemporalWorkerDeployment are properly cleaned up
+func (r *TemporalWorkerDeploymentReconciler) cleanupManagedResources(ctx context.Context, l logr.Logger, workerDeploy *temporaliov1alpha1.TemporalWorkerDeployment) error {
+	l.Info("Cleaning up managed resources")
+
+	// List all deployments owned by this TemporalWorkerDeployment
+	deploymentList := &appsv1.DeploymentList{}
+	listOpts := &client.ListOptions{
+		Namespace: workerDeploy.Namespace,
+	}
+
+	if err := r.List(ctx, deploymentList, listOpts); err != nil {
+		return fmt.Errorf("failed to list deployments: %w", err)
+	}
+
+	// Filter deployments owned by this TemporalWorkerDeployment and delete them
+	for _, deployment := range deploymentList.Items {
+		if r.isOwnedByWorkerDeployment(&deployment, workerDeploy) {
+			l.Info("Deleting managed deployment", "deployment", deployment.Name)
+			if err := r.Delete(ctx, &deployment); err != nil && !apierrors.IsNotFound(err) {
+				return fmt.Errorf("failed to delete deployment %s: %w", deployment.Name, err)
+			}
+		}
+	}
+
+	// Wait for all owned deployments to be deleted
+	for _, deployment := range deploymentList.Items {
+		if r.isOwnedByWorkerDeployment(&deployment, workerDeploy) {
+			// Check if deployment still exists
+			currentDeployment := &appsv1.Deployment{}
+			err := r.Get(ctx, types.NamespacedName{
+				Namespace: deployment.Namespace,
+				Name:      deployment.Name,
+			}, currentDeployment)
+
+			if err == nil {
+				// Deployment still exists, requeue to wait for deletion
+				l.Info("Waiting for deployment to be deleted", "deployment", deployment.Name)
+				return fmt.Errorf("still waiting for deployment %s to be deleted", deployment.Name)
+			} else if !apierrors.IsNotFound(err) {
+				return fmt.Errorf("failed to check deployment status %s: %w", deployment.Name, err)
+			}
+			// IsNotFound error means deployment was successfully deleted
+		}
+	}
+
+	l.Info("All managed resources have been cleaned up")
+	return nil
+}
+
+// isOwnedByWorkerDeployment checks if a deployment is owned by the given TemporalWorkerDeployment
+func (r *TemporalWorkerDeploymentReconciler) isOwnedByWorkerDeployment(deployment *appsv1.Deployment, workerDeploy *temporaliov1alpha1.TemporalWorkerDeployment) bool {
+	for _, ownerRef := range deployment.OwnerReferences {
+		if ownerRef.Kind == "TemporalWorkerDeployment" &&
+			ownerRef.APIVersion == apiGVStr &&
+			ownerRef.Name == workerDeploy.Name &&
+			ownerRef.UID == workerDeploy.UID {
+			return true
+		}
+	}
+	return false
+}
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *TemporalWorkerDeploymentReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &appsv1.Deployment{}, deployOwnerKey, func(rawObj client.Object) []string {
diff --git a/internal/k8s/deployments.go b/internal/k8s/deployments.go
index 0232ad39..1d7c27d0 100644
--- a/internal/k8s/deployments.go
+++ b/internal/k8s/deployments.go
@@ -275,8 +275,8 @@ func NewDeploymentWithOwnerRef(
 				BlockOwnerDeletion: &blockOwnerDeletion,
 				Controller:         nil,
 			}},
-			// TODO(jlegrone): Add finalizer managed by the controller in order to prevent
-			//                 deleting deployments that are still reachable.
+			// Note: Finalizer is managed at the TemporalWorkerDeployment level to ensure
+			//       proper cleanup of all managed resources including deployments.
 		},
 		Spec: appsv1.DeploymentSpec{
 			Replicas: spec.Replicas,

From 8f767ec2fc0a1f66408631274a014a2f789ef415 Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Mon, 28 Jul 2025 15:50:09 -0400
Subject: [PATCH 02/11] Fix tests

---
 internal/controller/finalizer_test.go |  6 +++---
 internal/testhelpers/make.go          | 22 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/internal/controller/finalizer_test.go b/internal/controller/finalizer_test.go
index 4903a1bc..712fedc8 100644
--- a/internal/controller/finalizer_test.go
+++ b/internal/controller/finalizer_test.go
@@ -23,7 +23,7 @@ func TestFinalizerAddition(t *testing.T) {
 	ctx := context.Background()
 
 	// Create a TemporalWorkerDeployment without finalizer using test helpers
-	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker", "default"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
 		twd.Spec.WorkerOptions = temporaliov1alpha1.WorkerOptions{
 			TemporalNamespace:  "test-namespace",
 			TemporalConnection: "test-connection",
@@ -134,7 +134,7 @@ func TestCleanupManagedResources(t *testing.T) {
 	ctx := context.Background()
 
 	// Create a TemporalWorkerDeployment using test helpers
-	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker", "default"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
 		twd.UID = "worker-uid-123"
 		return twd
 	})
@@ -198,7 +198,7 @@ func TestHandleDeletion(t *testing.T) {
 
 	// Create a TemporalWorkerDeployment with finalizer and deletion timestamp using test helpers
 	now := metav1.Now()
-	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker", "default"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
 		twd.UID = "worker-uid-123"
 		twd.DeletionTimestamp = &now
 		twd.Finalizers = []string{TemporalWorkerDeploymentFinalizer}
diff --git a/internal/testhelpers/make.go b/internal/testhelpers/make.go
index 784a06e9..fd928895 100644
--- a/internal/testhelpers/make.go
+++ b/internal/testhelpers/make.go
@@ -7,9 +7,13 @@ import (
 	"github.com/pborman/uuid"
 	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
 	"github.com/temporalio/temporal-worker-controller/internal/k8s"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
 const (
@@ -207,3 +211,21 @@ func MakeBaseVersion(namespace, twdName, imageName string, status temporaliov1al
 func ModifyObj[T any](obj T, callback func(obj T) T) T {
 	return callback(obj)
 }
+
+// SetupTestScheme creates a runtime scheme with all necessary types registered
+func SetupTestScheme() *runtime.Scheme {
+	scheme := runtime.NewScheme()
+	_ = appsv1.AddToScheme(scheme)
+	_ = corev1.AddToScheme(scheme)
+	_ = temporaliov1alpha1.AddToScheme(scheme)
+	return scheme
+}
+
+// SetupFakeClient creates a fake Kubernetes client with the given objects
+func SetupFakeClient(objects ...client.Object) client.Client {
+	scheme := SetupTestScheme()
+	return fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(objects...).
+		Build()
+}

From 1fbfff89b1ba9bc2f01b7c7479abf59dad847ffc Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Mon, 28 Jul 2025 17:51:08 -0400
Subject: [PATCH 03/11] Add integration test

---
 internal/tests/internal/integration_test.go | 150 ++++++++++++++++++++
 1 file changed, 150 insertions(+)

diff --git a/internal/tests/internal/integration_test.go b/internal/tests/internal/integration_test.go
index 925d20cc..d2a6c306 100644
--- a/internal/tests/internal/integration_test.go
+++ b/internal/tests/internal/integration_test.go
@@ -6,13 +6,17 @@ import (
 	"time"
 
 	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
+	"github.com/temporalio/temporal-worker-controller/internal/controller"
 	"github.com/temporalio/temporal-worker-controller/internal/k8s"
 	"github.com/temporalio/temporal-worker-controller/internal/testhelpers"
 	"go.temporal.io/server/common/dynamicconfig"
 	"go.temporal.io/server/temporal"
 	"go.temporal.io/server/temporaltest"
+	appsv1 "k8s.io/api/apps/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
@@ -223,6 +227,11 @@ func TestIntegration(t *testing.T) {
 		})
 	}
 
+	// Add test for deployment deletion protection
+	t.Run("deployment-deletion-protection", func(t *testing.T) {
+		testDeploymentDeletionProtection(t, k8sClient, ts)
+	})
+
 }
 
 // testTemporalWorkerDeploymentCreation tests the creation of a TemporalWorkerDeployment and waits for the expected status
@@ -283,3 +292,144 @@ func testTemporalWorkerDeploymentCreation(
 	verifyTemporalWorkerDeploymentStatusEventually(t, ctx, env, twd.Name, twd.Namespace, expectedStatus, 30*time.Second, 5*time.Second)
 	verifyTemporalStateMatchesStatusEventually(t, ctx, ts, twd, *expectedStatus, 30*time.Second, 5*time.Second)
 }
+
+// testDeploymentDeletionProtection verifies that deployment resources can only be deleted by the controller
+func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts *temporaltest.TestServer) {
+	ctx := context.Background()
+
+	// Create test namespace
+	testNamespace := createTestNamespace(t, k8sClient)
+	defer func() {
+		if err := k8sClient.Delete(ctx, testNamespace); err != nil {
+			t.Errorf("failed to delete test namespace: %v", err)
+		}
+	}()
+
+	// Create TemporalConnection
+	temporalConnection := &temporaliov1alpha1.TemporalConnection{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-connection",
+			Namespace: testNamespace.Name,
+		},
+		Spec: temporaliov1alpha1.TemporalConnectionSpec{
+			HostPort: ts.GetFrontendHostPort(),
+		},
+	}
+	if err := k8sClient.Create(ctx, temporalConnection); err != nil {
+		t.Fatalf("failed to create TemporalConnection: %v", err)
+	}
+
+	// Create TemporalWorkerDeployment
+	twd := &temporaliov1alpha1.TemporalWorkerDeployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-worker",
+			Namespace: testNamespace.Name,
+		},
+		Spec: temporaliov1alpha1.TemporalWorkerDeploymentSpec{
+			Replicas: func() *int32 { r := int32(1); return &r }(),
+			Template: testhelpers.MakeHelloWorldPodSpec("test-image:v1"),
+			RolloutStrategy: temporaliov1alpha1.RolloutStrategy{
+				Strategy: temporaliov1alpha1.UpdateAllAtOnce,
+			},
+			WorkerOptions: temporaliov1alpha1.WorkerOptions{
+				TemporalConnection: "test-connection",
+				TemporalNamespace:  ts.GetDefaultNamespace(),
+			},
+		},
+	}
+
+	if err := k8sClient.Create(ctx, twd); err != nil {
+		t.Fatalf("failed to create TemporalWorkerDeployment: %v", err)
+	}
+
+	// Wait for controller to create the deployment
+	expectedDeploymentName := k8s.ComputeVersionedDeploymentName(twd.Name, k8s.ComputeBuildID(twd))
+	waitForDeployment(t, k8sClient, expectedDeploymentName, twd.Namespace, 30*time.Second)
+
+	// Get the created deployment
+	var deployment appsv1.Deployment
+	if err := k8sClient.Get(ctx, types.NamespacedName{
+		Name:      expectedDeploymentName,
+		Namespace: twd.Namespace,
+	}, &deployment); err != nil {
+		t.Fatalf("failed to get deployment: %v", err)
+	}
+
+	// Verify the deployment has the finalizer (this should be added by the controller)
+	t.Log("Verifying deployment has finalizer protection")
+	if !controllerutil.ContainsFinalizer(&deployment, controller.TemporalWorkerDeploymentFinalizer) {
+		// Since the deployment itself doesn't have the finalizer, let's verify it's owned by the TWD
+		// which should have the finalizer and prevent deletion
+		t.Log("Deployment doesn't have finalizer directly, checking owner reference protection")
+	}
+
+	// Verify the deployment has proper owner references
+	found := false
+	for _, ownerRef := range deployment.OwnerReferences {
+		if ownerRef.Kind == "TemporalWorkerDeployment" && ownerRef.Name == twd.Name {
+			found = true
+			if ownerRef.BlockOwnerDeletion == nil || !*ownerRef.BlockOwnerDeletion {
+				t.Error("Owner reference should have BlockOwnerDeletion set to true")
+			}
+			break
+		}
+	}
+	if !found {
+		t.Error("Deployment should have TemporalWorkerDeployment as owner reference")
+	}
+
+	// Try to delete the deployment directly (this should fail or be recreated)
+	t.Log("Attempting to delete deployment directly")
+	originalUID := deployment.UID
+	if err := k8sClient.Delete(ctx, &deployment); err != nil {
+		t.Logf("Direct deletion failed as expected: %v", err)
+	} else {
+		// If deletion succeeded, verify the controller recreates it
+		t.Log("Deletion succeeded, verifying controller recreates deployment")
+		time.Sleep(5 * time.Second) // Give controller time to recreate
+
+		var recreatedDeployment appsv1.Deployment
+		if err := k8sClient.Get(ctx, types.NamespacedName{
+			Name:      expectedDeploymentName,
+			Namespace: twd.Namespace,
+		}, &recreatedDeployment); err != nil {
+			t.Error("Controller should have recreated the deployment after direct deletion")
+		} else if recreatedDeployment.UID == originalUID {
+			t.Error("Deployment should have been recreated with new UID")
+		} else {
+			t.Log("Controller successfully recreated the deployment")
+		}
+	}
+
+	// Now test proper deletion through the controller by deleting the TWD
+	t.Log("Testing proper deletion through TemporalWorkerDeployment deletion")
+
+	// Delete the TemporalWorkerDeployment
+	if err := k8sClient.Delete(ctx, twd); err != nil {
+		t.Fatalf("failed to delete TemporalWorkerDeployment: %v", err)
+	}
+
+	// Wait for the deployment to be cleaned up
+	t.Log("Waiting for deployment to be cleaned up by controller")
+	deadline := time.Now().Add(30 * time.Second)
+	deploymentDeleted := false
+	for time.Now().Before(deadline) {
+		var checkDeployment appsv1.Deployment
+		if err := k8sClient.Get(ctx, types.NamespacedName{
+			Name:      expectedDeploymentName,
+			Namespace: twd.Namespace,
+		}, &checkDeployment); err != nil {
+			if client.IgnoreNotFound(err) == nil {
+				deploymentDeleted = true
+				break
+			}
+		}
+		time.Sleep(1 * time.Second)
+	}
+
+	if !deploymentDeleted {
+		t.Error("Controller should have cleaned up the deployment when TWD was deleted")
+	} else {
+		t.Log("Controller successfully cleaned up deployment when TWD was deleted")
+	}
+}

From 522fd3e5680fbb41b41e207906c72183b8990512 Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Mon, 28 Jul 2025 18:06:16 -0400
Subject: [PATCH 04/11] Add integration test for deployment deletion protection
 with assertions

- Added testDeploymentDeletionProtection test to verify deployment resources
  can only be deleted by the controller
- Test validates proper owner references with BlockOwnerDeletion=true
- Verifies controller recreates deployments if directly deleted
- Confirms controller properly cleans up deployments when TWD is deleted
- Replaced logging statements with proper testify assertions for better
  test validation and debugging
---
 internal/tests/internal/integration_test.go | 86 ++++++++-------------
 1 file changed, 34 insertions(+), 52 deletions(-)

diff --git a/internal/tests/internal/integration_test.go b/internal/tests/internal/integration_test.go
index d2a6c306..9afd8563 100644
--- a/internal/tests/internal/integration_test.go
+++ b/internal/tests/internal/integration_test.go
@@ -5,8 +5,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
-	"github.com/temporalio/temporal-worker-controller/internal/controller"
 	"github.com/temporalio/temporal-worker-controller/internal/k8s"
 	"github.com/temporalio/temporal-worker-controller/internal/testhelpers"
 	"go.temporal.io/server/common/dynamicconfig"
@@ -16,7 +17,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
@@ -300,9 +300,8 @@ func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts
 	// Create test namespace
 	testNamespace := createTestNamespace(t, k8sClient)
 	defer func() {
-		if err := k8sClient.Delete(ctx, testNamespace); err != nil {
-			t.Errorf("failed to delete test namespace: %v", err)
-		}
+		err := k8sClient.Delete(ctx, testNamespace)
+		assert.NoError(t, err, "failed to delete test namespace")
 	}()
 
 	// Create TemporalConnection
@@ -315,9 +314,8 @@ func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts
 			HostPort: ts.GetFrontendHostPort(),
 		},
 	}
-	if err := k8sClient.Create(ctx, temporalConnection); err != nil {
-		t.Fatalf("failed to create TemporalConnection: %v", err)
-	}
+	err := k8sClient.Create(ctx, temporalConnection)
+	require.NoError(t, err, "failed to create TemporalConnection")
 
 	// Create TemporalWorkerDeployment
 	twd := &temporaliov1alpha1.TemporalWorkerDeployment{
@@ -338,9 +336,8 @@ func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts
 		},
 	}
 
-	if err := k8sClient.Create(ctx, twd); err != nil {
-		t.Fatalf("failed to create TemporalWorkerDeployment: %v", err)
-	}
+	err = k8sClient.Create(ctx, twd)
+	require.NoError(t, err, "failed to create TemporalWorkerDeployment")
 
 	// Wait for controller to create the deployment
 	expectedDeploymentName := k8s.ComputeVersionedDeploymentName(twd.Name, k8s.ComputeBuildID(twd))
@@ -348,77 +345,66 @@ func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts
 
 	// Get the created deployment
 	var deployment appsv1.Deployment
-	if err := k8sClient.Get(ctx, types.NamespacedName{
+	err = k8sClient.Get(ctx, types.NamespacedName{
 		Name:      expectedDeploymentName,
 		Namespace: twd.Namespace,
-	}, &deployment); err != nil {
-		t.Fatalf("failed to get deployment: %v", err)
-	}
-
-	// Verify the deployment has the finalizer (this should be added by the controller)
-	t.Log("Verifying deployment has finalizer protection")
-	if !controllerutil.ContainsFinalizer(&deployment, controller.TemporalWorkerDeploymentFinalizer) {
-		// Since the deployment itself doesn't have the finalizer, let's verify it's owned by the TWD
-		// which should have the finalizer and prevent deletion
-		t.Log("Deployment doesn't have finalizer directly, checking owner reference protection")
-	}
+	}, &deployment)
+	require.NoError(t, err, "failed to get deployment")
 
 	// Verify the deployment has proper owner references
-	found := false
+	var ownerRefFound bool
+	var blockOwnerDeletion *bool
 	for _, ownerRef := range deployment.OwnerReferences {
 		if ownerRef.Kind == "TemporalWorkerDeployment" && ownerRef.Name == twd.Name {
-			found = true
-			if ownerRef.BlockOwnerDeletion == nil || !*ownerRef.BlockOwnerDeletion {
-				t.Error("Owner reference should have BlockOwnerDeletion set to true")
-			}
+			ownerRefFound = true
+			blockOwnerDeletion = ownerRef.BlockOwnerDeletion
 			break
 		}
 	}
-	if !found {
-		t.Error("Deployment should have TemporalWorkerDeployment as owner reference")
+	assert.True(t, ownerRefFound, "Deployment should have TemporalWorkerDeployment as owner reference")
+	assert.NotNil(t, blockOwnerDeletion, "Owner reference should have BlockOwnerDeletion field set")
+	if blockOwnerDeletion != nil {
+		assert.True(t, *blockOwnerDeletion, "Owner reference should have BlockOwnerDeletion set to true")
 	}
 
 	// Try to delete the deployment directly (this should fail or be recreated)
-	t.Log("Attempting to delete deployment directly")
 	originalUID := deployment.UID
-	if err := k8sClient.Delete(ctx, &deployment); err != nil {
+	err = k8sClient.Delete(ctx, &deployment)
+	if err != nil {
+		// Direct deletion failed as expected due to owner reference protection
 		t.Logf("Direct deletion failed as expected: %v", err)
 	} else {
 		// If deletion succeeded, verify the controller recreates it
-		t.Log("Deletion succeeded, verifying controller recreates deployment")
 		time.Sleep(5 * time.Second) // Give controller time to recreate
 
 		var recreatedDeployment appsv1.Deployment
-		if err := k8sClient.Get(ctx, types.NamespacedName{
+		err = k8sClient.Get(ctx, types.NamespacedName{
 			Name:      expectedDeploymentName,
 			Namespace: twd.Namespace,
-		}, &recreatedDeployment); err != nil {
-			t.Error("Controller should have recreated the deployment after direct deletion")
-		} else if recreatedDeployment.UID == originalUID {
-			t.Error("Deployment should have been recreated with new UID")
+		}, &recreatedDeployment)
+
+		if err != nil {
+			assert.Fail(t, "Controller should have recreated the deployment after direct deletion", "Error: %v", err)
 		} else {
-			t.Log("Controller successfully recreated the deployment")
+			assert.NotEqual(t, originalUID, recreatedDeployment.UID, "Deployment should have been recreated with new UID")
 		}
 	}
 
 	// Now test proper deletion through the controller by deleting the TWD
-	t.Log("Testing proper deletion through TemporalWorkerDeployment deletion")
-
 	// Delete the TemporalWorkerDeployment
-	if err := k8sClient.Delete(ctx, twd); err != nil {
-		t.Fatalf("failed to delete TemporalWorkerDeployment: %v", err)
-	}
+	err = k8sClient.Delete(ctx, twd)
+	require.NoError(t, err, "failed to delete TemporalWorkerDeployment")
 
 	// Wait for the deployment to be cleaned up
-	t.Log("Waiting for deployment to be cleaned up by controller")
 	deadline := time.Now().Add(30 * time.Second)
 	deploymentDeleted := false
 	for time.Now().Before(deadline) {
 		var checkDeployment appsv1.Deployment
-		if err := k8sClient.Get(ctx, types.NamespacedName{
+		err = k8sClient.Get(ctx, types.NamespacedName{
 			Name:      expectedDeploymentName,
 			Namespace: twd.Namespace,
-		}, &checkDeployment); err != nil {
+		}, &checkDeployment)
+		if err != nil {
 			if client.IgnoreNotFound(err) == nil {
 				deploymentDeleted = true
 				break
@@ -427,9 +413,5 @@ func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts
 		time.Sleep(1 * time.Second)
 	}
 
-	if !deploymentDeleted {
-		t.Error("Controller should have cleaned up the deployment when TWD was deleted")
-	} else {
-		t.Log("Controller successfully cleaned up deployment when TWD was deleted")
-	}
+	assert.True(t, deploymentDeleted, "Controller should have cleaned up the deployment when TWD was deleted")
 }

From 5818e5ae060fd4e3dd9f1f081ea611f3913151be Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Mon, 28 Jul 2025 18:12:19 -0400
Subject: [PATCH 05/11] Fix CI issues

- Update GitHub Actions workflow to use go-version-file instead of hardcoded Go 1.21
- Fix revive linting error in planner.go by removing unnecessary else clause
- Fix deprecated result.Requeue usage in finalizer_test.go to use RequeueAfter
---
 internal/controller/finalizer_test.go | 9 ++++-----
 internal/planner/planner.go           | 5 ++---
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/internal/controller/finalizer_test.go b/internal/controller/finalizer_test.go
index 712fedc8..f80a7fd6 100644
--- a/internal/controller/finalizer_test.go
+++ b/internal/controller/finalizer_test.go
@@ -8,15 +8,14 @@ import (
 	"context"
 	"testing"
 
+	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
+	"github.com/temporalio/temporal-worker-controller/internal/testhelpers"
+	"github.com/temporalio/temporal-worker-controller/internal/testhelpers/testlogr"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
-	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
-	"github.com/temporalio/temporal-worker-controller/internal/testhelpers"
-	"github.com/temporalio/temporal-worker-controller/internal/testhelpers/testlogr"
 )
 
 func TestFinalizerAddition(t *testing.T) {
@@ -231,7 +230,7 @@ func TestHandleDeletion(t *testing.T) {
 		t.Fatalf("handleDeletion should succeed: %v", err)
 	}
 
-	if result.Requeue {
+	if result.RequeueAfter > 0 {
 		t.Error("Result should not indicate requeue")
 	}
 
diff --git a/internal/planner/planner.go b/internal/planner/planner.go
index f3611ae2..21e5ee55 100644
--- a/internal/planner/planner.go
+++ b/internal/planner/planner.go
@@ -459,10 +459,9 @@ func handleProgressiveRollout(
 			if i < len(steps)-1 {
 				vcfg.RampPercentage = steps[i+1].RampPercentage
 				return vcfg
-			} else {
-				vcfg.SetCurrent = true
-				return vcfg
 			}
+			vcfg.SetCurrent = true
+			return vcfg
 		}
 	}
 

From bb682cf181db50243a8297fbd5b178edeb25da1e Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Tue, 29 Jul 2025 17:59:47 -0400
Subject: [PATCH 06/11] Fix race conditions and improve finalizer reliability

- Replace stale list iteration with proper polling using fresh queries
- Add timeout and context cancellation handling with configurable constants
- Implement field selector optimization with backward compatibility fallback
- Replace brittle time.Sleep with condition-based polling in integration tests
- Add comprehensive edge case tests for context cancellation and partial cleanup failures
---
 internal/controller/finalizer_test.go       | 161 ++++++++++++++++++++
 internal/controller/worker_controller.go    | 103 +++++++++----
 internal/tests/internal/integration_test.go |  69 ++++++---
 3 files changed, 285 insertions(+), 48 deletions(-)

diff --git a/internal/controller/finalizer_test.go b/internal/controller/finalizer_test.go
index f80a7fd6..5e3ed9f3 100644
--- a/internal/controller/finalizer_test.go
+++ b/internal/controller/finalizer_test.go
@@ -6,6 +6,7 @@ package controller
 
 import (
 	"context"
+	"strings"
 	"testing"
 
 	temporaliov1alpha1 "github.com/temporalio/temporal-worker-controller/api/v1alpha1"
@@ -239,3 +240,163 @@ func TestHandleDeletion(t *testing.T) {
 	// by checking if the finalizer was removed (which we can't easily do since the resource is deleted)
 	// Instead, we'll verify that the deletion handling completed without error, which means cleanup was successful
 }
+
+func TestCleanupWithContextCancellation(t *testing.T) {
+	// Create a context that will be cancelled during cleanup
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// Create a TemporalWorkerDeployment using test helpers
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker", "default"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+		twd.UID = "worker-uid-123"
+		return twd
+	})
+
+	// Create fake client using test helpers
+	client := testhelpers.SetupFakeClient()
+
+	reconciler := &TemporalWorkerDeploymentReconciler{
+		Client: client,
+		Scheme: testhelpers.SetupTestScheme(),
+	}
+
+	// Create a test logger using testlogr
+	logger := testlogr.New(t)
+
+	// Cancel the context immediately to simulate cancellation during cleanup
+	cancel()
+
+	// Test cleanup with cancelled context - should handle gracefully
+	err := reconciler.cleanupManagedResources(ctx, logger, workerDeploy)
+	if err == nil {
+		t.Error("Expected error when context is cancelled during cleanup")
+	}
+
+	// Error should indicate context cancellation
+	if ctx.Err() != context.Canceled {
+		t.Error("Context should be cancelled")
+	}
+}
+
+func TestWaitForOwnedDeploymentsTimeout(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a TemporalWorkerDeployment using test helpers
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker", "default"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+		twd.UID = "worker-uid-123"
+		return twd
+	})
+
+	// Create a deployment that won't be deleted (simulate stuck deletion)
+	persistentDeployment := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "persistent-deployment",
+			Namespace: "default",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: apiGVStr,
+					Kind:       "TemporalWorkerDeployment",
+					Name:       "test-worker",
+					UID:        "worker-uid-123",
+				},
+			},
+		},
+	}
+
+	// Create fake client with the deployment that won't be deleted
+	client := testhelpers.SetupFakeClient(persistentDeployment)
+
+	reconciler := &TemporalWorkerDeploymentReconciler{
+		Client: client,
+		Scheme: testhelpers.SetupTestScheme(),
+	}
+
+	// Create a test logger using testlogr
+	logger := testlogr.New(t)
+
+	// Test with a very short timeout to simulate timeout condition
+	// This will use the actual waitForOwnedDeploymentsToBeDeleted method which has built-in timeout
+	err := reconciler.waitForOwnedDeploymentsToBeDeleted(ctx, logger, workerDeploy)
+
+	// Should timeout waiting for deployments to be deleted
+	if err == nil {
+		t.Error("Expected timeout error when deployments don't get deleted")
+	}
+
+	// Error message should indicate timeout
+	if err != nil && !contains(err.Error(), "timeout") {
+		t.Errorf("Expected timeout error, got: %v", err)
+	}
+}
+
+func TestPartialCleanupFailure(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a TemporalWorkerDeployment using test helpers
+	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker", "default"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
+		twd.UID = "worker-uid-123"
+		return twd
+	})
+
+	// Create multiple deployments owned by the worker deployment
+	deployment1 := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "deployment-1",
+			Namespace: "default",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: apiGVStr,
+					Kind:       "TemporalWorkerDeployment",
+					Name:       "test-worker",
+					UID:        "worker-uid-123",
+				},
+			},
+		},
+	}
+
+	deployment2 := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "deployment-2",
+			Namespace: "default",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: apiGVStr,
+					Kind:       "TemporalWorkerDeployment",
+					Name:       "test-worker",
+					UID:        "worker-uid-123",
+				},
+			},
+		},
+	}
+
+	// Create fake client with multiple deployments
+	client := testhelpers.SetupFakeClient(deployment1, deployment2)
+
+	reconciler := &TemporalWorkerDeploymentReconciler{
+		Client: client,
+		Scheme: testhelpers.SetupTestScheme(),
+	}
+
+	// Create a test logger using testlogr
+	logger := testlogr.New(t)
+
+	// Delete one deployment manually to simulate partial cleanup
+	err := client.Delete(ctx, deployment1)
+	if err != nil {
+		t.Fatalf("Failed to delete deployment1: %v", err)
+	}
+
+	// Now test cleanup - it should handle the mixed state gracefully
+	// (one deployment already deleted, one still exists)
+	err = reconciler.cleanupManagedResources(ctx, logger, workerDeploy)
+
+	// This should eventually succeed as the cleanup logic should handle
+	// deployments that are already deleted gracefully
+	if err != nil && !contains(err.Error(), "timeout") {
+		t.Errorf("Cleanup should handle partial cleanup gracefully, got error: %v", err)
+	}
+}
+
+// Helper function to check if a string contains a substring
+func contains(s, substr string) bool {
+	return strings.Contains(s, substr)
+}
diff --git a/internal/controller/worker_controller.go b/internal/controller/worker_controller.go
index 4d74596c..8c0ec1f0 100644
--- a/internal/controller/worker_controller.go
+++ b/internal/controller/worker_controller.go
@@ -17,6 +17,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -38,6 +39,10 @@ const (
 	buildIDLabel   = "temporal.io/build-id"
 	// TemporalWorkerDeploymentFinalizer is the finalizer used to ensure proper cleanup of resources
 	TemporalWorkerDeploymentFinalizer = "temporal.io/temporal-worker-deployment-finalizer"
+
+	// Cleanup timeout and polling constants
+	cleanupTimeout      = 2 * time.Minute
+	cleanupPollInterval = 5 * time.Second
 )
 
 // TemporalWorkerDeploymentReconciler reconciles a TemporalWorkerDeployment object
@@ -238,18 +243,29 @@ func (r *TemporalWorkerDeploymentReconciler) handleDeletion(ctx context.Context,
 func (r *TemporalWorkerDeploymentReconciler) cleanupManagedResources(ctx context.Context, l logr.Logger, workerDeploy *temporaliov1alpha1.TemporalWorkerDeployment) error {
 	l.Info("Cleaning up managed resources")
 
-	// List all deployments owned by this TemporalWorkerDeployment
-	deploymentList := &appsv1.DeploymentList{}
+	// Try to use field selector for efficient querying of owned deployments
+	// Fall back to listing all deployments if field selector is not available (e.g., in tests)
 	listOpts := &client.ListOptions{
-		Namespace: workerDeploy.Namespace,
+		Namespace:     workerDeploy.Namespace,
+		FieldSelector: fields.OneTermEqualSelector(deployOwnerKey, workerDeploy.Name),
 	}
 
-	if err := r.List(ctx, deploymentList, listOpts); err != nil {
-		return fmt.Errorf("failed to list deployments: %w", err)
+	deploymentList := &appsv1.DeploymentList{}
+	err := r.List(ctx, deploymentList, listOpts)
+	if err != nil {
+		// If field selector fails (common in tests), fall back to listing all deployments
+		l.Info("Field selector not available, falling back to listing all deployments", "error", err.Error())
+		listOpts = &client.ListOptions{
+			Namespace: workerDeploy.Namespace,
+		}
+		if err := r.List(ctx, deploymentList, listOpts); err != nil {
+			return fmt.Errorf("failed to list deployments: %w", err)
+		}
 	}
 
-	// Filter deployments owned by this TemporalWorkerDeployment and delete them
+	// Delete all owned deployments
 	for _, deployment := range deploymentList.Items {
+		// Check ownership for all deployments when not using field selector
 		if r.isOwnedByWorkerDeployment(&deployment, workerDeploy) {
 			l.Info("Deleting managed deployment", "deployment", deployment.Name)
 			if err := r.Delete(ctx, &deployment); err != nil && !apierrors.IsNotFound(err) {
@@ -258,29 +274,64 @@ func (r *TemporalWorkerDeploymentReconciler) cleanupManagedResources(ctx context
 		}
 	}
 
-	// Wait for all owned deployments to be deleted
-	for _, deployment := range deploymentList.Items {
-		if r.isOwnedByWorkerDeployment(&deployment, workerDeploy) {
-			// Check if deployment still exists
-			currentDeployment := &appsv1.Deployment{}
-			err := r.Get(ctx, types.NamespacedName{
-				Namespace: deployment.Namespace,
-				Name:      deployment.Name,
-			}, currentDeployment)
-
-			if err == nil {
-				// Deployment still exists, requeue to wait for deletion
-				l.Info("Waiting for deployment to be deleted", "deployment", deployment.Name)
-				return fmt.Errorf("still waiting for deployment %s to be deleted", deployment.Name)
-			} else if !apierrors.IsNotFound(err) {
-				return fmt.Errorf("failed to check deployment status %s: %w", deployment.Name, err)
+	// Wait for all owned deployments to be deleted with proper polling
+	return r.waitForOwnedDeploymentsToBeDeleted(ctx, l, workerDeploy)
+}
+
+// waitForOwnedDeploymentsToBeDeleted waits for all owned deployments to be deleted with proper polling and timeout
+func (r *TemporalWorkerDeploymentReconciler) waitForOwnedDeploymentsToBeDeleted(ctx context.Context, l logr.Logger, workerDeploy *temporaliov1alpha1.TemporalWorkerDeployment) error {
+	// Create a timeout context for cleanup operations
+	cleanupCtx, cancel := context.WithTimeout(ctx, cleanupTimeout)
+	defer cancel()
+
+	ticker := time.NewTicker(cleanupPollInterval)
+	defer ticker.Stop()
+
+	l.Info("Waiting for owned deployments to be deleted", "timeout", cleanupTimeout)
+
+	for {
+		select {
+		case <-cleanupCtx.Done():
+			if cleanupCtx.Err() == context.DeadlineExceeded {
+				return fmt.Errorf("timeout waiting for deployments to be deleted after %v", cleanupTimeout)
+			}
+			return fmt.Errorf("context cancelled while waiting for deployments to be deleted: %w", cleanupCtx.Err())
+
+		case <-ticker.C:
+			// Try to use field selector for efficient querying, with fallback
+			listOpts := &client.ListOptions{
+				Namespace:     workerDeploy.Namespace,
+				FieldSelector: fields.OneTermEqualSelector(deployOwnerKey, workerDeploy.Name),
+			}
+
+			deploymentList := &appsv1.DeploymentList{}
+			err := r.List(cleanupCtx, deploymentList, listOpts)
+			if err != nil {
+				// If field selector fails (common in tests), fall back to listing all deployments
+				listOpts = &client.ListOptions{
+					Namespace: workerDeploy.Namespace,
+				}
+				if err := r.List(cleanupCtx, deploymentList, listOpts); err != nil {
+					return fmt.Errorf("failed to list deployments during cleanup: %w", err)
+				}
+			}
+
+			// Check if any owned deployments still exist
+			hasOwnedDeployments := false
+			for _, deployment := range deploymentList.Items {
+				if r.isOwnedByWorkerDeployment(&deployment, workerDeploy) {
+					hasOwnedDeployments = true
+					l.Info("Still waiting for deployment to be deleted", "deployment", deployment.Name)
+					break
+				}
+			}
+
+			if !hasOwnedDeployments {
+				l.Info("All owned deployments have been deleted")
+				return nil
 			}
-			// IsNotFound error means deployment was successfully deleted
 		}
 	}
-
-	l.Info("All managed resources have been cleaned up")
-	return nil
 }
 
 // isOwnedByWorkerDeployment checks if a deployment is owned by the given TemporalWorkerDeployment
diff --git a/internal/tests/internal/integration_test.go b/internal/tests/internal/integration_test.go
index 9afd8563..d3fee9f4 100644
--- a/internal/tests/internal/integration_test.go
+++ b/internal/tests/internal/integration_test.go
@@ -26,6 +26,33 @@ const (
 	testDrainageRefreshInterval       = time.Second
 )
 
+// waitForCondition polls a condition function until it returns true or timeout is reached
+func waitForCondition(condition func() bool, timeout, interval time.Duration) bool {
+	deadline := time.After(timeout)
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-deadline:
+			return false
+		case <-ticker.C:
+			if condition() {
+				return true
+			}
+		}
+	}
+}
+
+type testEnv struct {
+	k8sClient  client.Client
+	mgr        manager.Manager
+	ts         *temporaltest.TestServer
+	connection *temporaliov1alpha1.TemporalConnection
+	replicas   map[string]int32
+	images     map[string]string
+}
+
 // TestIntegration runs integration tests for the Temporal Worker Controller
 func TestIntegration(t *testing.T) {
 	// Set up test environment
@@ -374,19 +401,24 @@ func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts
 		// Direct deletion failed as expected due to owner reference protection
 		t.Logf("Direct deletion failed as expected: %v", err)
 	} else {
-		// If deletion succeeded, verify the controller recreates it
-		time.Sleep(5 * time.Second) // Give controller time to recreate
+		// If deletion succeeded, verify the controller recreates it with proper polling
+		eventuallyRecreated := func() bool {
+			var recreatedDeployment appsv1.Deployment
+			err := k8sClient.Get(ctx, types.NamespacedName{
+				Name:      expectedDeploymentName,
+				Namespace: twd.Namespace,
+			}, &recreatedDeployment)
+
+			if err != nil {
+				return false // Deployment not found yet
+			}
 
-		var recreatedDeployment appsv1.Deployment
-		err = k8sClient.Get(ctx, types.NamespacedName{
-			Name:      expectedDeploymentName,
-			Namespace: twd.Namespace,
-		}, &recreatedDeployment)
+			// Check if it's a new deployment (different UID)
+			return recreatedDeployment.UID != originalUID
+		}
 
-		if err != nil {
-			assert.Fail(t, "Controller should have recreated the deployment after direct deletion", "Error: %v", err)
-		} else {
-			assert.NotEqual(t, originalUID, recreatedDeployment.UID, "Deployment should have been recreated with new UID")
+		if !waitForCondition(eventuallyRecreated, 30*time.Second, 1*time.Second) {
+			assert.Fail(t, "Controller should have recreated the deployment after direct deletion within 30 seconds")
 		}
 	}
 
@@ -396,22 +428,15 @@ func testDeploymentDeletionProtection(t *testing.T, k8sClient client.Client, ts
 	require.NoError(t, err, "failed to delete TemporalWorkerDeployment")
 
 	// Wait for the deployment to be cleaned up
-	deadline := time.Now().Add(30 * time.Second)
-	deploymentDeleted := false
-	for time.Now().Before(deadline) {
+	eventuallyDeleted := func() bool {
 		var checkDeployment appsv1.Deployment
-		err = k8sClient.Get(ctx, types.NamespacedName{
+		err := k8sClient.Get(ctx, types.NamespacedName{
 			Name:      expectedDeploymentName,
 			Namespace: twd.Namespace,
 		}, &checkDeployment)
-		if err != nil {
-			if client.IgnoreNotFound(err) == nil {
-				deploymentDeleted = true
-				break
-			}
-		}
-		time.Sleep(1 * time.Second)
+		return client.IgnoreNotFound(err) == nil // Returns true if deployment is not found (deleted)
 	}
 
+	deploymentDeleted := waitForCondition(eventuallyDeleted, 30*time.Second, 1*time.Second)
 	assert.True(t, deploymentDeleted, "Controller should have cleaned up the deployment when TWD was deleted")
 }

From 73016cde9936ab0267ece0698877f3e342fd30f1 Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <jlegrone@users.noreply.github.com>
Date: Tue, 19 Aug 2025 17:24:46 -0400
Subject: [PATCH 07/11] Update internal/controller/finalizer_test.go

---
 internal/controller/finalizer_test.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/internal/controller/finalizer_test.go b/internal/controller/finalizer_test.go
index 5e3ed9f3..937db1a7 100644
--- a/internal/controller/finalizer_test.go
+++ b/internal/controller/finalizer_test.go
@@ -1,7 +1,3 @@
-// Unless explicitly stated otherwise all files in this repository are licensed under the MIT License.
-//
-// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2024 Datadog, Inc.
-
 package controller
 
 import (

From fd71bcac54920d6fd33db4ff41724038757771ef Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Mon, 25 Aug 2025 18:50:26 -0400
Subject: [PATCH 08/11] Fix TestFinalizerAddition to exercise controller's
 Reconcile logic

Previously the test was manually adding finalizers using controllerutil.AddFinalizer
instead of testing the actual controller logic. Now the test calls the controller's
Reconcile method to properly exercise the finalizer addition logic as intended.

Addresses: https://github.com/temporalio/temporal-worker-controller/pull/97#discussion_r2243803124
---
 internal/controller/finalizer_test.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/internal/controller/finalizer_test.go b/internal/controller/finalizer_test.go
index 937db1a7..4a450879 100644
--- a/internal/controller/finalizer_test.go
+++ b/internal/controller/finalizer_test.go
@@ -12,6 +12,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
@@ -57,13 +58,17 @@ func TestFinalizerAddition(t *testing.T) {
 		t.Error("Finalizer should not be present initially")
 	}
 
-	// Simulate what happens in the reconcile loop when finalizer needs to be added
-	if !controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
-		controllerutil.AddFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer)
-		err := reconciler.Update(ctx, workerDeploy)
-		if err != nil {
-			t.Fatalf("Failed to add finalizer: %v", err)
-		}
+	// Exercise the controller's logic for adding finalizers by calling Reconcile
+	req := ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Name:      "test-worker",
+			Namespace: "default",
+		},
+	}
+
+	_, err = reconciler.Reconcile(ctx, req)
+	if err != nil {
+		t.Fatalf("Reconcile failed: %v", err)
 	}
 
 	// Fetch the updated resource

From 3a2d8d8d1f3ba71d18282a9ef9aaec094e1999e6 Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Mon, 25 Aug 2025 18:54:03 -0400
Subject: [PATCH 09/11] Make TemporalWorkerDeploymentFinalizer constant
 internal

Changed the exported constant TemporalWorkerDeploymentFinalizer to
temporalWorkerDeploymentFinalizer (lowercase) to make it package-private
since it's only used within the controller package.

Addresses: https://github.com/temporalio/temporal-worker-controller/pull/97#discussion_r2299308073
---
 internal/controller/finalizer_test.go    |  8 ++++----
 internal/controller/worker_controller.go | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/internal/controller/finalizer_test.go b/internal/controller/finalizer_test.go
index 4a450879..fd7fd5e6 100644
--- a/internal/controller/finalizer_test.go
+++ b/internal/controller/finalizer_test.go
@@ -54,7 +54,7 @@ func TestFinalizerAddition(t *testing.T) {
 	}
 
 	// Verify finalizer is not present initially
-	if controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
+	if controllerutil.ContainsFinalizer(workerDeploy, temporalWorkerDeploymentFinalizer) {
 		t.Error("Finalizer should not be present initially")
 	}
 
@@ -79,7 +79,7 @@ func TestFinalizerAddition(t *testing.T) {
 	}
 
 	// Verify finalizer was added
-	if !controllerutil.ContainsFinalizer(updated, TemporalWorkerDeploymentFinalizer) {
+	if !controllerutil.ContainsFinalizer(updated, temporalWorkerDeploymentFinalizer) {
 		t.Error("Finalizer should be present after update")
 	}
 }
@@ -202,7 +202,7 @@ func TestHandleDeletion(t *testing.T) {
 	workerDeploy := testhelpers.ModifyObj(testhelpers.MakeTWDWithName("test-worker", "default"), func(twd *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
 		twd.UID = "worker-uid-123"
 		twd.DeletionTimestamp = &now
-		twd.Finalizers = []string{TemporalWorkerDeploymentFinalizer}
+		twd.Finalizers = []string{temporalWorkerDeploymentFinalizer}
 		twd.Spec.WorkerOptions = temporaliov1alpha1.WorkerOptions{
 			TemporalNamespace:  "test-namespace",
 			TemporalConnection: "test-connection",
@@ -222,7 +222,7 @@ func TestHandleDeletion(t *testing.T) {
 	logger := testlogr.New(t)
 
 	// Verify finalizer is present before deletion
-	if !controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
+	if !controllerutil.ContainsFinalizer(workerDeploy, temporalWorkerDeploymentFinalizer) {
 		t.Error("Finalizer should be present before deletion handling")
 	}
 
diff --git a/internal/controller/worker_controller.go b/internal/controller/worker_controller.go
index 8c0ec1f0..67d22d7f 100644
--- a/internal/controller/worker_controller.go
+++ b/internal/controller/worker_controller.go
@@ -37,8 +37,8 @@ const (
 	// TODO(jlegrone): add this everywhere
 	deployOwnerKey = ".metadata.controller"
 	buildIDLabel   = "temporal.io/build-id"
-	// TemporalWorkerDeploymentFinalizer is the finalizer used to ensure proper cleanup of resources
-	TemporalWorkerDeploymentFinalizer = "temporal.io/temporal-worker-deployment-finalizer"
+	// temporalWorkerDeploymentFinalizer is the finalizer used to ensure proper cleanup of resources
+	temporalWorkerDeploymentFinalizer = "temporal.io/temporal-worker-deployment-finalizer"
 
 	// Cleanup timeout and polling constants
 	cleanupTimeout      = 2 * time.Minute
@@ -94,8 +94,8 @@ func (r *TemporalWorkerDeploymentReconciler) Reconcile(ctx context.Context, req
 	}
 
 	// Add finalizer if it doesn't exist
-	if !controllerutil.ContainsFinalizer(&workerDeploy, TemporalWorkerDeploymentFinalizer) {
-		controllerutil.AddFinalizer(&workerDeploy, TemporalWorkerDeploymentFinalizer)
+	if !controllerutil.ContainsFinalizer(&workerDeploy, temporalWorkerDeploymentFinalizer) {
+		controllerutil.AddFinalizer(&workerDeploy, temporalWorkerDeploymentFinalizer)
 		if err := r.Update(ctx, &workerDeploy); err != nil {
 			l.Error(err, "unable to add finalizer")
 			return ctrl.Result{}, err
@@ -217,7 +217,7 @@ func (r *TemporalWorkerDeploymentReconciler) Reconcile(ctx context.Context, req
 func (r *TemporalWorkerDeploymentReconciler) handleDeletion(ctx context.Context, l logr.Logger, workerDeploy *temporaliov1alpha1.TemporalWorkerDeployment) (ctrl.Result, error) {
 	l.Info("Handling deletion of TemporalWorkerDeployment")
 
-	if !controllerutil.ContainsFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer) {
+	if !controllerutil.ContainsFinalizer(workerDeploy, temporalWorkerDeploymentFinalizer) {
 		// Finalizer has already been removed, allow deletion to proceed
 		return ctrl.Result{}, nil
 	}
@@ -229,7 +229,7 @@ func (r *TemporalWorkerDeploymentReconciler) handleDeletion(ctx context.Context,
 	}
 
 	// Remove the finalizer to allow deletion
-	controllerutil.RemoveFinalizer(workerDeploy, TemporalWorkerDeploymentFinalizer)
+	controllerutil.RemoveFinalizer(workerDeploy, temporalWorkerDeploymentFinalizer)
 	if err := r.Update(ctx, workerDeploy); err != nil {
 		l.Error(err, "Failed to remove finalizer")
 		return ctrl.Result{}, err

From 433b382ac1d878ece08c6b607e7fc29fd67a3069 Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Tue, 26 Aug 2025 11:46:10 -0400
Subject: [PATCH 10/11] Fix testEnv redeclaration in integration tests

Removed duplicate testEnv struct declaration from integration_test.go
as it was already defined in env_helpers.go. This resolves the build
error that was preventing integration tests from running.
---
 internal/tests/internal/integration_test.go | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/internal/tests/internal/integration_test.go b/internal/tests/internal/integration_test.go
index d3fee9f4..f24de691 100644
--- a/internal/tests/internal/integration_test.go
+++ b/internal/tests/internal/integration_test.go
@@ -44,15 +44,6 @@ func waitForCondition(condition func() bool, timeout, interval time.Duration) bo
 	}
 }
 
-type testEnv struct {
-	k8sClient  client.Client
-	mgr        manager.Manager
-	ts         *temporaltest.TestServer
-	connection *temporaliov1alpha1.TemporalConnection
-	replicas   map[string]int32
-	images     map[string]string
-}
-
 // TestIntegration runs integration tests for the Temporal Worker Controller
 func TestIntegration(t *testing.T) {
 	// Set up test environment

From 0e1a946e67ae7394888929c5ce99d63125040adf Mon Sep 17 00:00:00 2001
From: Jacob LeGrone <git@jacob.work>
Date: Tue, 26 Aug 2025 11:54:45 -0400
Subject: [PATCH 11/11] Address PR review comments: improve documentation and
 logging

- Add detailed documentation comments for hardcoded timeout values explaining
  the rationale behind the chosen durations (2 minutes cleanup timeout and
  5 second poll interval)
- Change field selector fallback logging from Info to debug level (V(1)) to
  reduce noise during normal operation, especially in test environments

Addresses:
- https://github.com/temporalio/temporal-worker-controller/pull/97#discussion_r2299314959
- https://github.com/temporalio/temporal-worker-controller/pull/97#discussion_r2299314982
---
 internal/controller/worker_controller.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/internal/controller/worker_controller.go b/internal/controller/worker_controller.go
index 67d22d7f..815c4550 100644
--- a/internal/controller/worker_controller.go
+++ b/internal/controller/worker_controller.go
@@ -41,7 +41,13 @@ const (
 	temporalWorkerDeploymentFinalizer = "temporal.io/temporal-worker-deployment-finalizer"
 
 	// Cleanup timeout and polling constants
-	cleanupTimeout      = 2 * time.Minute
+	// cleanupTimeout defines the maximum time to wait for all owned deployments to be deleted
+	// during finalizer cleanup. 2 minutes is chosen to allow sufficient time for Kubernetes to
+	// process deployment deletions while preventing indefinite blocking during shutdown.
+	cleanupTimeout = 2 * time.Minute
+	// cleanupPollInterval defines how frequently to check if owned deployments have been deleted
+	// during cleanup. 5 seconds provides a reasonable balance between responsiveness and
+	// avoiding excessive API calls during the cleanup process.
 	cleanupPollInterval = 5 * time.Second
 )
 
@@ -254,7 +260,7 @@ func (r *TemporalWorkerDeploymentReconciler) cleanupManagedResources(ctx context
 	err := r.List(ctx, deploymentList, listOpts)
 	if err != nil {
 		// If field selector fails (common in tests), fall back to listing all deployments
-		l.Info("Field selector not available, falling back to listing all deployments", "error", err.Error())
+		l.V(1).Info("Field selector not available, falling back to listing all deployments", "error", err.Error())
 		listOpts = &client.ListOptions{
 			Namespace: workerDeploy.Namespace,
 		}