Merge pull request #16 from erikgb/refactor-controllers

Refactor package structure

Author: cert-manager-prow[bot]

.gitignore

@@ -13,3 +13,4 @@ _bin/
 *.bak
 /go.work.sum
 **/go.work
+*.test

pkg/authority/authority.go

@@ -22,44 +22,26 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/cert-manager/webhook-cert-lib/pkg/authority/api"
-	"github.com/cert-manager/webhook-cert-lib/pkg/authority/cert"
-	leadercontrollers "github.com/cert-manager/webhook-cert-lib/pkg/authority/leader_controllers"
-	"github.com/cert-manager/webhook-cert-lib/pkg/authority/leader_controllers/injectable"
+	"github.com/cert-manager/webhook-cert-lib/pkg/authority/certificate"
+	"github.com/cert-manager/webhook-cert-lib/pkg/authority/injectable"
 )
 
-type LeafOptions struct {
-	DNSNames []string
-
-	// The amount of time leaf certificates signed by this authority will be
-	// valid for.
-	// This must be less than CADuration.
-	Duration time.Duration
-}
-
-type Options struct {
-	CAOptions   leadercontrollers.CAOptions
-	LeafOptions LeafOptions
-
-	Injectables []injectable.Injectable
-}
-
 type Authority struct {
 	Options Options
 
-	certificateHolder *cert.CertificateHolder
+	certificateHolder *certificate.Holder
 }
 
 func (o *Authority) ServingCertificate() func(config *tls.Config) {
 	if o.certificateHolder == nil {
-		o.certificateHolder = &cert.CertificateHolder{}
+		o.certificateHolder = &certificate.Holder{}
 	}
 	return func(config *tls.Config) {
 		config.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -99,8 +81,8 @@ func (o *Authority) SetupWithManager(mgr ctrl.Manager) error {
 			}),
 		},
 	}
-	for _, injectable := range o.Options.Injectables {
-		cacheByObject[newUnstructured(injectable)] = cache.ByObject{
+	for _, i := range o.Options.Injectables {
+		cacheByObject[injectable.NewUnstructured(i)] = cache.ByObject{
 			Label: labels.SelectorFromSet(labels.Set{
 				api.WantInjectFromSecretNameLabel:      o.Options.CAOptions.Name,
 				api.WantInjectFromSecretNamespaceLabel: o.Options.CAOptions.Namespace,
@@ -131,17 +113,17 @@ func (o *Authority) SetupWithManager(mgr ctrl.Manager) error {
 		return err
 	}
 
-	r := leadercontrollers.Reconciler{
+	r := Reconciler{
 		Patcher: controllerClient,
 		Cache:   controllerCache,
-		Opts:    o.Options.CAOptions,
+		Options: o.Options,
 	}
 	controllers := []dynamicAuthorityController{
-		&leadercontrollers.CASecretReconciler{Reconciler: r},
-		&LeafCertReconciler{Options: o.Options, Cache: controllerCache, CertificateHolder: o.certificateHolder},
+		&CASecretReconciler{Reconciler: r},
+		&LeafCertReconciler{Reconciler: r, CertificateHolder: o.certificateHolder},
 	}
-	for _, injectable := range o.Options.Injectables {
-		controllers = append(controllers, &leadercontrollers.InjectableReconciler{Reconciler: r, Injectable: injectable})
+	for _, i := range o.Options.Injectables {
+		controllers = append(controllers, &InjectableReconciler{Reconciler: r, Injectable: i})
 	}
 	for _, c := range controllers {
 		if err := c.SetupWithManager(mgr); err != nil {
@@ -155,9 +137,3 @@ func (o *Authority) SetupWithManager(mgr ctrl.Manager) error {
 type dynamicAuthorityController interface {
 	SetupWithManager(ctrl.Manager) error
 }
-
-func newUnstructured(injectable injectable.Injectable) *unstructured.Unstructured {
-	obj := &unstructured.Unstructured{}
-	obj.SetGroupVersionKind(injectable.GroupVersionKind())
-	return obj
-}

pkg/authority/leader_controllers/ca_secret_controller.go renamed to pkg/authority/ca_secret_controller.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package leadercontrollers
+package authority
 
 import (
 	"context"
@@ -35,7 +35,8 @@ import (
 
 	"github.com/cert-manager/webhook-cert-lib/internal/pki"
 	"github.com/cert-manager/webhook-cert-lib/pkg/authority/api"
-	"github.com/cert-manager/webhook-cert-lib/pkg/authority/cert"
+	"github.com/cert-manager/webhook-cert-lib/pkg/authority/certificate"
+	"github.com/cert-manager/webhook-cert-lib/pkg/authority/internal/ssa"
 )
 
 // CASecretReconciler reconciles a CA Secret object
@@ -49,8 +50,8 @@ func (r *CASecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	r.events = make(chan event.TypedGenericEvent[*corev1.Secret], 1)
 	r.events <- event.TypedGenericEvent[*corev1.Secret]{Object: &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      r.Opts.Name,
-			Namespace: r.Opts.Namespace,
+			Namespace: r.CAOptions.Namespace,
+			Name:      r.CAOptions.Name,
 		},
 	}}
 
@@ -80,7 +81,7 @@ func (r *CASecretReconciler) reconcileSecret(ctx context.Context, req ctrl.Reque
 
 	if generate || secret.Annotations[api.RenewCertificateSecretAnnotation] != secret.Annotations[api.RenewHandledCertificateSecretAnnotation] {
 		var err error
-		caCert, caPk, err = cert.GenerateCA(r.Opts.Duration)
+		caCert, caPk, err = certificate.GenerateCA(r.CAOptions.Duration)
 		if err != nil {
 			return err
 		}
@@ -114,7 +115,7 @@ func (r *CASecretReconciler) reconcileSecret(ctx context.Context, req ctrl.Reque
 		})
 	}
 
-	return r.Patcher.Patch(ctx, secret, newApplyPatch(ac), client.ForceOwnership, fieldOwner)
+	return r.Patcher.Patch(ctx, secret, ssa.NewApplyPatch(ac), client.ForceOwnership, ssa.FieldOwner)
 }
 
 func addCertToCABundle(logger logr.Logger, caBundleBytes []byte, caCert *x509.Certificate) []byte {

pkg/authority/cert/tls.go renamed to pkg/authority/certificate/tls.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package cert
+package certificate
 
 import (
 	"crypto"
@@ -102,18 +102,18 @@ var (
 	ErrCertNotAvailable = errors.New("no tls.Certificate available")
 )
 
-type CertificateHolder struct {
+type Holder struct {
 	certP atomic.Pointer[tls.Certificate]
 }
 
-func (h *CertificateHolder) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+func (h *Holder) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	cert := h.certP.Load()
 	if cert == nil {
 		return nil, ErrCertNotAvailable
 	}
 	return cert, nil
 }
 
-func (h *CertificateHolder) SetCertificate(cert *tls.Certificate) {
+func (h *Holder) SetCertificate(cert *tls.Certificate) {
 	h.certP.Store(cert)
 }

pkg/authority/injectable/injectable.go

@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package injectable
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/cert-manager/webhook-cert-lib/pkg/runtime"
+)
+
+type Injectable interface {
+	GroupVersionKind() schema.GroupVersionKind
+	InjectCA(obj *unstructured.Unstructured, caBundle []byte) (runtime.ApplyConfiguration, error)
+}
+
+func NewUnstructured(injectable Injectable) *unstructured.Unstructured {
+	obj := &unstructured.Unstructured{}
+	obj.SetGroupVersionKind(injectable.GroupVersionKind())
+	return obj
+}
+
+func NewUnstructuredList(injectable Injectable) *unstructured.UnstructuredList {
+	obj := &unstructured.UnstructuredList{}
+	obj.SetGroupVersionKind(injectable.GroupVersionKind())
+	return obj
+}

pkg/authority/leader_controllers/injectable/validating_webhook.go renamed to pkg/authority/injectable/validating_webhook.go

@@ -20,6 +20,8 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	admissionregistrationv1ac "k8s.io/client-go/applyconfigurations/admissionregistration/v1"
+
+	"github.com/cert-manager/webhook-cert-lib/pkg/runtime"
 )
 
 type ValidatingWebhookCaBundleInject struct {
@@ -35,7 +37,7 @@ func (i *ValidatingWebhookCaBundleInject) GroupVersionKind() schema.GroupVersion
 	}
 }
 
-func (i *ValidatingWebhookCaBundleInject) InjectCA(obj *unstructured.Unstructured, caBundle []byte) (ApplyConfiguration, error) {
+func (i *ValidatingWebhookCaBundleInject) InjectCA(obj *unstructured.Unstructured, caBundle []byte) (runtime.ApplyConfiguration, error) {
 	// TODO: Can we generalize this function for any resource based on a JSON path?
 
 	ac := admissionregistrationv1ac.ValidatingWebhookConfiguration(obj.GetName())

pkg/authority/leader_controllers/injectable_controller.go renamed to pkg/authority/injectable_controller.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package leadercontrollers
+package authority
 
 import (
 	"context"
@@ -23,7 +23,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -33,7 +32,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	"github.com/cert-manager/webhook-cert-lib/pkg/authority/api"
-	"github.com/cert-manager/webhook-cert-lib/pkg/authority/leader_controllers/injectable"
+	"github.com/cert-manager/webhook-cert-lib/pkg/authority/injectable"
+	"github.com/cert-manager/webhook-cert-lib/pkg/authority/internal/ssa"
 )
 
 // InjectableReconciler injects CA bundle into resources
@@ -49,21 +49,21 @@ func (r *InjectableReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		WatchesRawSource(
 			source.Kind(
 				r.Cache,
-				newUnstructured(r.Injectable),
+				injectable.NewUnstructured(r.Injectable),
 				&handler.TypedEnqueueRequestForObject[*unstructured.Unstructured]{},
 				predicate.NewTypedPredicateFuncs(func(obj *unstructured.Unstructured) bool {
-					return obj.GetLabels()[api.WantInjectFromSecretNamespaceLabel] == r.Opts.Namespace &&
-						obj.GetLabels()[api.WantInjectFromSecretNameLabel] == r.Opts.Name
+					return obj.GetLabels()[api.WantInjectFromSecretNamespaceLabel] == r.CAOptions.Namespace &&
+						obj.GetLabels()[api.WantInjectFromSecretNameLabel] == r.CAOptions.Name
 				}),
 			),
 		).
 		WatchesRawSource(
 			r.caSecretSource(
 				handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, _ *corev1.Secret) []reconcile.Request {
-					objList := newUnstructuredList(r.Injectable)
+					objList := injectable.NewUnstructuredList(r.Injectable)
 					if err := r.Cache.List(ctx, objList, client.MatchingLabels(map[string]string{
-						api.WantInjectFromSecretNamespaceLabel: r.Opts.Namespace,
-						api.WantInjectFromSecretNameLabel:      r.Opts.Name,
+						api.WantInjectFromSecretNamespaceLabel: r.CAOptions.Namespace,
+						api.WantInjectFromSecretNameLabel:      r.CAOptions.Name,
 					})); err != nil {
 						log.FromContext(ctx).Error(err, "when listing injectables")
 						return nil
@@ -83,23 +83,11 @@ func (r *InjectableReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(r)
 }
 
-func newUnstructured(injectable injectable.Injectable) *unstructured.Unstructured {
-	obj := &unstructured.Unstructured{}
-	obj.SetGroupVersionKind(injectable.GroupVersionKind())
-	return obj
-}
-
-func newUnstructuredList(injectable injectable.Injectable) *unstructured.UnstructuredList {
-	obj := &unstructured.UnstructuredList{}
-	obj.SetGroupVersionKind(injectable.GroupVersionKind())
-	return obj
-}
-
 func (r *InjectableReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	_ = log.FromContext(ctx)
 
 	secret := &corev1.Secret{}
-	if err := r.Cache.Get(ctx, types.NamespacedName{Namespace: r.Opts.Namespace, Name: r.Opts.Name}, secret); err != nil {
+	if err := r.Cache.Get(ctx, r.CAOptions.NamespacedName, secret); err != nil {
 		if errors.IsNotFound(err) {
 			log.FromContext(ctx).V(1).Info("CA secret not yet found, requeueing request...")
 			return ctrl.Result{Requeue: true}, nil
@@ -111,7 +99,7 @@ func (r *InjectableReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 }
 
 func (r *InjectableReconciler) reconcileInjectable(ctx context.Context, req ctrl.Request, caBundle []byte) error {
-	obj := newUnstructured(r.Injectable)
+	obj := injectable.NewUnstructured(r.Injectable)
 	if err := r.Cache.Get(ctx, req.NamespacedName, obj); err != nil {
 		return err
 	}
@@ -121,7 +109,7 @@ func (r *InjectableReconciler) reconcileInjectable(ctx context.Context, req ctrl
 		return err
 	}
 
-	if err := r.Patcher.Patch(ctx, obj, newApplyPatch(ac), client.ForceOwnership, fieldOwner); err != nil {
+	if err := r.Patcher.Patch(ctx, obj, ssa.NewApplyPatch(ac), client.ForceOwnership, ssa.FieldOwner); err != nil {
 		return err
 	}
 

pkg/authority/leader_controllers/ssa_client.go renamed to pkg/authority/internal/ssa/client.go

@@ -14,32 +14,32 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package leadercontrollers
+package ssa
 
 import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/json"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/cert-manager/webhook-cert-lib/pkg/authority/leader_controllers/injectable"
+	"github.com/cert-manager/webhook-cert-lib/pkg/runtime"
 )
 
 const (
-	fieldOwner = client.FieldOwner("cert-manager-dynamic-authority")
+	FieldOwner = client.FieldOwner("cert-manager-dynamic-authority")
 )
 
-func newApplyPatch(ac injectable.ApplyConfiguration) applyPatch {
-	return applyPatch{ac: ac}
+func NewApplyPatch(ac runtime.ApplyConfiguration) ApplyPatch {
+	return ApplyPatch{ac: ac}
 }
 
-type applyPatch struct {
-	ac injectable.ApplyConfiguration
+type ApplyPatch struct {
+	ac runtime.ApplyConfiguration
 }
 
-func (p applyPatch) Type() types.PatchType {
+func (p ApplyPatch) Type() types.PatchType {
 	return types.ApplyPatchType
 }
 
-func (p applyPatch) Data(_ client.Object) ([]byte, error) {
+func (p ApplyPatch) Data(_ client.Object) ([]byte, error) {
 	return json.Marshal(p.ac)
 }