platform-mesh · OlegErshov · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -29,7 +29,8 @@
 )
 
 const (
-	apiBindingFinalizer = "core.platform-mesh.io/apibinding-finalizer"
+	apiBindingFinalizer       = "core.platform-mesh.io/apibinding-finalizer"
+	corePlatformMeshApiExport = "core.platform-mesh.io"
 )
 
 // toK8sName creates a valid Kubernetes metadata.name from the given parts.
@@ -201,10 +202,10 @@
 	return subroutines.OK(), nil
 }
 
-// Finalizers implements subroutines.Finalizer.
-func (a *AuthorizationModelGenerationSubroutine) Finalizers(obj client.Object) []string {
-	binding := obj.(*kcpapisv1alpha2.APIBinding)
-	if strings.Contains(binding.Name, "platform-mesh.io") || strings.Contains(binding.Name, "kcp.io") {
+// Finalizers implements lifecycle.Subroutine.
+func (a *AuthorizationModelGenerationSubroutine) Finalizers(instance lifecyclecontrollerruntime.RuntimeObject) []string {
+	binding := instance.(*kcpapisv1alpha2.APIBinding)
+	if strings.HasSuffix(binding.Spec.Reference.Export.Name, "kcp.io") {
 		return []string{}
 	}
 	return []string{apiBindingFinalizer}
@@ -237,7 +238,12 @@
 		return subroutines.OK(), fmt.Errorf("getting AccountInfo: %w", err)
 	}
 
-	apiExportCluster, err := a.mgr.GetCluster(ctx, multicluster.ClusterName(binding.Status.APIExportClusterName))
+	if binding.Spec.Reference.Export.Name == corePlatformMeshApiExport || strings.HasSuffix(binding.Spec.Reference.Export.Name, "kcp.io") {
+		// If the APIExport is the core.platform-mesh.io, we can skip the model generation.
+		return ctrl.Result{}, nil
+	}
+
+	apiExportCluster, err := a.mgr.GetCluster(ctx, binding.Status.APIExportClusterName)
 	if err != nil {
 		return subroutines.OK(), fmt.Errorf("getting APIExport cluster: %w", err)
 	}

@@ -927,39 +927,38 @@ func TestAuthorizationModelGeneration_Finalizers(t *testing.T) {
 
 	tests := []struct {
 		name            string
-		bindingName     string
+		exportName      string
 		expectFinalizer bool
 	}{
 		{
-			name:            "returns finalizer when name has neither platform-mesh.io nor kcp.io",
-			bindingName:     "my-binding",
+			name:            "returns finalizer when export name is core.platform-mesh.io",
+			exportName:      "core.platform-mesh.io",
 			expectFinalizer: true,
 		},
 		{
-			name:            "returns no finalizer when name contains platform-mesh.io",
-			bindingName:     "core.platform-mesh.io-awuzd",
+			name:            "returns no finalizer when export name has suffix kcp.io",
+			exportName:      "tenancy.kcp.io",
 			expectFinalizer: false,
 		},
 		{
-			name:            "returns no finalizer when name contains kcp.io",
-			bindingName:     "tenancy.kcp.io-dr0q1",
+			name:            "returns no finalizer when export name is topology.kcp.io",
+			exportName:      "topology.kcp.io",
 			expectFinalizer: false,
 		},
 		{
-			name:            "returns no finalizer when name contains topology.kcp.io",
-			bindingName:     "topology.kcp.io-5oxoy",
+			name:            "returns no finalizer when export name is apis.kcp.io",
+			exportName:      "apis.kcp.io",
 			expectFinalizer: false,
 		},
 		{
-			name:            "returns no finalizer when name contains platform-mesh.io in the middle",
-			bindingName:     "something.platform-mesh.io-suffix",
-			expectFinalizer: false,
+			name:            "returns finalizer when export name has suffix platform-mesh.io but not kcp.io",
+			exportName:      "something.platform-mesh.io",
+			expectFinalizer: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			binding := newApiBinding("foo", "bar")
-			binding.Name = tt.bindingName
+			binding := newApiBinding(tt.exportName, "root:orgs:test")
 			got := sub.Finalizers(binding)
 			if tt.expectFinalizer {
 				assert.Equal(t, []string{"core.platform-mesh.io/apibinding-finalizer"}, got)