Merge pull request #312 from chiragkyal/istio-ca-config

CM-679: Implements user-configurable CA certificate support for Istio CSR

Author: openshift-merge-bot[bot]

pkg/controller/istiocsr/constants.go

@@ -65,21 +65,21 @@ const (
 	// created in other namespaces by the controller.
 	istiocsrNamespaceMappingLabelName = "cert-manager-istio-csr-namespace"
 
-	// istiocsrResourceWatchLabelName is the label name for identifying the resources of interest for the
+	// IstiocsrResourceWatchLabelName is the label name for identifying the resources of interest for the
 	// controller but does not create or manage the resource.
-	istiocsrResourceWatchLabelName = "istiocsr.openshift.operator.io/watched-by"
+	IstiocsrResourceWatchLabelName = "istiocsr.openshift.operator.io/watched-by"
 
 	// istiocsrResourceWatchLabelName is the value format assigned to istiocsrResourceWatchLabelName label, which
 	// will be of the form <istiocsr_namespace>/<istiocsr_instance-Name>
 	istiocsrResourceWatchLabelValueFmt = "%s_%s"
 
-	// istiocsrCAConfigMapName is the name o the configmap which is mounted in istiocsr container, containing the
+	// IstiocsrCAConfigMapName is the name o the configmap which is mounted in istiocsr container, containing the
 	// CA certificate configured in the secret referenced in the issuer.
-	istiocsrCAConfigMapName = istiocsrCommonName + "-issuer-ca-copy"
+	IstiocsrCAConfigMapName = istiocsrCommonName + "-issuer-ca-copy"
 
-	// istiocsrCAKeyName is the key name holding the CA certificate in the issuer secret or the controller
+	// IstiocsrCAKeyName is the key name holding the CA certificate in the issuer secret or the controller
 	// CA configmap.
-	istiocsrCAKeyName = "ca.crt"
+	IstiocsrCAKeyName = "ca.crt"
 )
 
 var (

pkg/controller/istiocsr/controller.go

@@ -135,13 +135,13 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 				if objLabels[requestEnqueueLabelKey] == requestEnqueueLabelValue {
 					return true
 				}
-				value := objLabels[istiocsrResourceWatchLabelName]
+				value := objLabels[IstiocsrResourceWatchLabelName]
 				if value == "" {
 					return false
 				}
 				key := strings.Split(value, "_")
 				if len(key) != 2 {
-					r.log.Error(fmt.Errorf("invalid label format"), "%s label value(%s) not in expected format on %s resource", istiocsrResourceWatchLabelName, value, obj.GetName())
+					r.log.Error(fmt.Errorf("invalid label format"), "%s label value(%s) not in expected format on %s resource", IstiocsrResourceWatchLabelName, value, obj.GetName())
 					return false
 				}
 				namespace = key[0]
@@ -172,12 +172,22 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	// predicate function to filter events for objects which controller is interested in, but
 	// not managed or created by controller.
 	controllerWatchResources := predicate.NewPredicateFuncs(func(object client.Object) bool {
-		return object.GetLabels() != nil && object.GetLabels()[istiocsrResourceWatchLabelName] != ""
+		return object.GetLabels() != nil && object.GetLabels()[IstiocsrResourceWatchLabelName] != ""
+	})
+
+	controllerConfigMapPredicates := predicate.NewPredicateFuncs(func(object client.Object) bool {
+		if object.GetLabels() == nil {
+			return false
+		}
+		// Accept if it's a managed ConfigMap OR a watched ConfigMap
+		return object.GetLabels()[requestEnqueueLabelKey] == requestEnqueueLabelValue ||
+			object.GetLabels()[IstiocsrResourceWatchLabelName] != ""
 	})
 
 	withIgnoreStatusUpdatePredicates := builder.WithPredicates(predicate.GenerationChangedPredicate{}, controllerManagedResources)
 	controllerWatchResourcePredicates := builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}, controllerWatchResources)
 	controllerManagedResourcePredicates := builder.WithPredicates(controllerManagedResources)
+	controllerConfigMapWatchPredicates := builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}, controllerConfigMapPredicates)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1alpha1.IstioCSR{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
@@ -190,6 +200,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Watches(&rbacv1.RoleBinding{}, handler.EnqueueRequestsFromMapFunc(mapFunc), controllerManagedResourcePredicates).
 		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(mapFunc), controllerManagedResourcePredicates).
 		Watches(&corev1.ServiceAccount{}, handler.EnqueueRequestsFromMapFunc(mapFunc), controllerManagedResourcePredicates).
+		Watches(&corev1.ConfigMap{}, handler.EnqueueRequestsFromMapFunc(mapFunc), controllerConfigMapWatchPredicates).
 		WatchesMetadata(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(mapFunc), controllerWatchResourcePredicates).
 		Complete(r)
 }

pkg/controller/istiocsr/controller_test.go

@@ -44,6 +44,12 @@ func TestReconcile(t *testing.T) {
 					case *appsv1.Deployment:
 						deployment := testDeployment()
 						deployment.DeepCopyInto(o)
+					case *certmanagerv1.Issuer:
+						issuer := testIssuer()
+						issuer.DeepCopyInto(o)
+					case *corev1.Secret:
+						secret := testSecret()
+						secret.DeepCopyInto(o)
 					}
 					return nil
 				})
@@ -52,6 +58,9 @@ func TestReconcile(t *testing.T) {
 					case *appsv1.Deployment:
 						deployment := testDeployment()
 						deployment.DeepCopyInto(o)
+					case *corev1.ConfigMap:
+						configmap := testConfigMap()
+						configmap.DeepCopyInto(o)
 					}
 					return true, nil
 				})
@@ -121,6 +130,12 @@ func TestReconcile(t *testing.T) {
 					case *corev1.ServiceAccount:
 						serviceAccount := testServiceAccount()
 						serviceAccount.DeepCopyInto(o)
+					case *certmanagerv1.Issuer:
+						issuer := testIssuer()
+						issuer.DeepCopyInto(o)
+					case *corev1.Secret:
+						secret := testSecret()
+						secret.DeepCopyInto(o)
 					}
 					return nil
 				})
@@ -139,6 +154,9 @@ func TestReconcile(t *testing.T) {
 					case *appsv1.Deployment:
 						deployment := testDeployment()
 						deployment.DeepCopyInto(o)
+					case *corev1.ConfigMap:
+						configmap := testConfigMap()
+						configmap.DeepCopyInto(o)
 					}
 					return true, nil
 				})
@@ -208,13 +226,21 @@ func TestReconcile(t *testing.T) {
 					case *corev1.ServiceAccount:
 						serviceAccount := testServiceAccount()
 						serviceAccount.DeepCopyInto(o)
+					case *certmanagerv1.Issuer:
+						issuer := testIssuer()
+						issuer.DeepCopyInto(o)
+					case *corev1.Secret:
+						secret := testSecret()
+						secret.DeepCopyInto(o)
 					}
 					return nil
 				})
 				m.ExistsCalls(func(ctx context.Context, ns types.NamespacedName, obj client.Object) (bool, error) {
 					switch obj.(type) {
 					case *appsv1.Deployment:
 						return false, nil
+					case *corev1.ConfigMap:
+						return true, nil
 					}
 					return true, nil
 				})
@@ -438,6 +464,12 @@ func TestProcessReconcileRequest(t *testing.T) {
 					case *appsv1.Deployment:
 						deployment := testDeployment()
 						deployment.DeepCopyInto(o)
+					case *certmanagerv1.Issuer:
+						issuer := testIssuer()
+						issuer.DeepCopyInto(o)
+					case *corev1.Secret:
+						secret := testSecret()
+						secret.DeepCopyInto(o)
 					}
 					return nil
 				})
@@ -446,6 +478,9 @@ func TestProcessReconcileRequest(t *testing.T) {
 					case *appsv1.Deployment:
 						deployment := testDeployment()
 						deployment.DeepCopyInto(o)
+					case *corev1.ConfigMap:
+						configmap := testConfigMap()
+						configmap.DeepCopyInto(o)
 					}
 					return true, nil
 				})
@@ -490,6 +525,12 @@ func TestProcessReconcileRequest(t *testing.T) {
 					case *appsv1.Deployment:
 						deployment := testDeployment()
 						deployment.DeepCopyInto(o)
+					case *certmanagerv1.Issuer:
+						issuer := testIssuer()
+						issuer.DeepCopyInto(o)
+					case *corev1.Secret:
+						secret := testSecret()
+						secret.DeepCopyInto(o)
 					}
 					return nil
 				})
@@ -498,6 +539,9 @@ func TestProcessReconcileRequest(t *testing.T) {
 					case *appsv1.Deployment:
 						deployment := testDeployment()
 						deployment.DeepCopyInto(o)
+					case *corev1.ConfigMap:
+						configmap := testConfigMap()
+						configmap.DeepCopyInto(o)
 					}
 					return true, nil
 				})