From 1f54e93195ac1e8559e69a61a6962fe8b59652e9 Mon Sep 17 00:00:00 2001
From: Yuedong Wu
Date: Thu, 30 Oct 2025 14:37:23 +0800
Subject: [PATCH] Fix unconditional update in user-defined network policy to eliminate unnecessary reconciliation loops

---
 .../deployment/cert_manager_networkpolicy.go | 34 +++++++------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/pkg/controller/deployment/cert_manager_networkpolicy.go b/pkg/controller/deployment/cert_manager_networkpolicy.go
index e3d17ea18..6b1cadbf7 100644
--- a/pkg/controller/deployment/cert_manager_networkpolicy.go
+++ b/pkg/controller/deployment/cert_manager_networkpolicy.go
@@ -84,6 +84,7 @@ type CertManagerNetworkPolicyUserDefinedController struct {
 certManagerOperatorInformers certmanoperatorinformers.SharedInformerFactory
 kubeClient kubernetes.Interface
 eventRecorder events.Recorder
+ resourceCache resourceapply.ResourceCache
 }
 
 func NewCertManagerNetworkPolicyUserDefinedController(
@@ -97,6 +98,7 @@ func NewCertManagerNetworkPolicyUserDefinedController(
 certManagerOperatorInformers: certManagerOperatorInformers,
 kubeClient: kubeClient,
 eventRecorder: eventRecorder.WithComponentSuffix("cert-manager-networkpolicy-user-defined"),
+ resourceCache: resourceapply.NewResourceCache(),
 }
 
 return factory.New().
@@ -138,7 +140,8 @@ func (c *CertManagerNetworkPolicyUserDefinedController) sync(ctx context.Context
 return fmt.Errorf("failed to reconcile user network policies: %w", err)
 }
 
- c.eventRecorder.Event("UserNetworkPolicyReconcileSuccess", "Successfully reconciled user-defined network policies")
+ // Success is indicated by not returning an error and not setting Degraded condition
+ // Events are only fired for actual resource changes (via ApplyNetworkPolicy)
 return nil
 }
 
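Review bot: The new `resourceCache` field in the struct carries no comment, and nothing in the hunk says why a controller that previously ran without a cache now needs one. Since the field only makes sense together with the ApplyNetworkPolicy call elsewhere in this patch, a one-line comment on the field would tell the next reader what it buys: `// resourceCache lets resourceapply skip the Update when neither the desired policy nor the live object's resourceVersion has changed since the last apply.` If I read library-go's ResourceCache correctly, an out-of-band edit to the live policy bumps its resourceVersion and therefore still forces a re-apply, which is worth stating explicitly because it is the property that keeps a tampered policy from staying drifted; please confirm that against the library before committing to the wording. The struct definition starts outside the hunk.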
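Review bot: The two replacement comment lines at the end of sync read as a fragment — neither is a sentence, and "not setting Degraded condition" points at code the hunk does not show. The point to record is only why the per-sync success event was dropped, so I would shorten it to `// No success event here: one per sync would fire on every resync. ApplyNetworkPolicy records an event only when it actually creates or updates a policy.` The sync method begins outside the hunk, so I cannot see where the Degraded condition is managed and cannot check the claim the current comment makes about it.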
@@ -228,29 +231,16 @@ func (c *CertManagerNetworkPolicyUserDefinedController) getPodSelectorForCompone
 }
 
 func (c *CertManagerNetworkPolicyUserDefinedController) createOrUpdateNetworkPolicy(ctx context.Context, policy *networkingv1.NetworkPolicy) error {
- existing, err := c.kubeClient.NetworkingV1().NetworkPolicies(policy.Namespace).Get(ctx, policy.Name, metav1.GetOptions{})
- if err != nil {
- if errors.IsNotFound(err) {
- // Create new policy
- _, err := c.kubeClient.NetworkingV1().NetworkPolicies(policy.Namespace).Create(ctx, policy, metav1.CreateOptions{})
- if err != nil {
- return fmt.Errorf("failed to create network policy: %w", err)
- }
- c.eventRecorder.Eventf("NetworkPolicyCreated", "Created user-defined network policy %s", policy.Name)
- return nil
- }
- return fmt.Errorf("failed to get existing network policy: %w", err)
- }
-
- // Update existing policy
- existing.Spec = policy.Spec
- existing.Labels = policy.Labels
- _, err = c.kubeClient.NetworkingV1().NetworkPolicies(policy.Namespace).Update(ctx, existing, metav1.UpdateOptions{})
+ _, _, err := resourceapply.ApplyNetworkPolicy(
+ ctx,
+ c.kubeClient.NetworkingV1(),
+ c.eventRecorder,
+ policy,
+ c.resourceCache,
+ )
 if err != nil {
- return fmt.Errorf("failed to update network policy: %w", err)
+ return fmt.Errorf("failed to apply network policy: %w", err)
 }
- c.eventRecorder.Eventf("NetworkPolicyUpdated", "Updated user-defined network policy %s", policy.Name)
- return nil
 }