ESO-155: Updates to use different TLS Secret name when cert-manager enabled

Signed-off-by: Bharath B <[email protected]>

Author: bharath-b-rh

pkg/controller/common/utils.go

@@ -210,16 +210,17 @@ func deploymentSpecModified(desired, fetched *appsv1.Deployment) bool {
 		return true
 	}
 	for _, desiredVolume := range desired.Spec.Template.Spec.Volumes {
-		if desiredVolume.Secret != nil && desiredVolume.Secret.Items != nil {
+		if desiredVolume.Secret != nil {
 			for _, fetchedVolume := range fetched.Spec.Template.Spec.Volumes {
-				if !reflect.DeepEqual(desiredVolume.Secret.Items, fetchedVolume.Secret.Items) {
-					return true
-				}
-				if desiredVolume.Secret.SecretName != fetchedVolume.Secret.SecretName {
-					return true
+				if desiredVolume.Name == fetchedVolume.Name {
+					if !reflect.DeepEqual(desiredVolume.Secret.Items, fetchedVolume.Secret.Items) {
+						return true
+					}
+					if !reflect.DeepEqual(desiredVolume.Secret.SecretName, fetchedVolume.Secret.SecretName) {
+						return true
+					}
 				}
 			}
-
 		}
 	}
 

pkg/controller/external_secrets/certificate.go

@@ -82,6 +82,11 @@ func (r *Reconciler) createOrApplyCertificate(esc *operatorv1alpha1.ExternalSecr
 func (r *Reconciler) getCertificateObject(esc *operatorv1alpha1.ExternalSecretsConfig, resourceLabels map[string]string, fileName string) (*certmanagerv1.Certificate, error) {
 	certificate := common.DecodeCertificateObjBytes(assets.MustAsset(fileName))
 
+	// update the secret name in the Certificate resource of the webhook component.
+	if fileName == webhookCertificateAssetName {
+		certificate.Spec.SecretName = certmanagerTLSSecretWebhook
+	}
+
 	updateNamespace(certificate, esc)
 	common.UpdateResourceLabels(certificate, resourceLabels)
 

pkg/controller/external_secrets/constants.go

@@ -48,6 +48,10 @@ const (
 	// externalsecretsDefaultNamespace is the namespace where the `external-secrets` operand required resources
 	// will be created, when ExternalSecretsConfig.Spec.Namespace is not set.
 	externalsecretsDefaultNamespace = "external-secrets"
+
+	// certmanagerTLSSecretWebhook is the TLS secret created by cert-manager for the webhook component. A different
+	// name is used to avoiding clash with the secret created by the inbuilt cert-controller component.
+	certmanagerTLSSecretWebhook = "external-secrets-webhook-cm"
 )
 
 var (

pkg/controller/external_secrets/deployments.go

@@ -123,6 +123,7 @@ func (r *Reconciler) getDeploymentObject(assetName string, esc *operatorv1alpha1
 			checkInterval = esc.Spec.ApplicationConfig.WebhookConfig.CertificateCheckInterval.Duration.String()
 		}
 		updateWebhookContainerSpec(deployment, image, logLevel, checkInterval)
+		updateWebhookVolumeConfig(deployment, esc)
 	case certControllerDeploymentAssetName:
 		updateCertControllerContainerSpec(deployment, image, logLevel)
 	case bitwardenDeploymentAssetName:
@@ -400,3 +401,34 @@ func updateBitwardenServerContainerSpec(deployment *appsv1.Deployment, image str
 		}
 	}
 }
+
+func updateWebhookVolumeConfig(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) {
+	if isCertManagerConfigEnabled(esc) {
+		updateSecretVolumeConfig(deployment, "certs", certmanagerTLSSecretWebhook)
+	}
+}
+
+func updateSecretVolumeConfig(deployment *appsv1.Deployment, volumeName, secretName string) {
+	volumeExists := false
+	for i := range deployment.Spec.Template.Spec.Volumes {
+		if deployment.Spec.Template.Spec.Volumes[i].Name == volumeName {
+			volumeExists = true
+		}
+		if deployment.Spec.Template.Spec.Volumes[i].Secret == nil {
+			deployment.Spec.Template.Spec.Volumes[i].Secret = &corev1.SecretVolumeSource{}
+		}
+		deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName = secretName
+		break
+	}
+
+	if !volumeExists {
+		deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: volumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: secretName,
+				},
+			},
+		})
+	}
+}