ESO-155: incorporate review comments

bharath-b-rh · bharath-b-rh · commit e8c8cc293641 · 2025-10-09T20:12:25.000+05:30
diff --git a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
@@ -218,9 +218,9 @@ metadata:
       ]
     capabilities: Basic Install
     categories: Security
-    console.openshift.io/disable-operand-delete: "false"
+    console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
-    createdAt: "2025-10-08T08:59:22Z"
+    createdAt: "2025-10-09T14:41:51Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
diff --git a/cmd/external-secrets-operator/main.go b/cmd/external-secrets-operator/main.go
@@ -156,8 +156,8 @@ func main() {
 		metricsTLSOpts = append(metricsTLSOpts, func(c *tls.Config) {
 			certPool, err := x509.SystemCertPool()
 			if err != nil {
-				setupLog.Error(err, "failed to load system certificate pool")
-				os.Exit(1)
+				setupLog.Info("unable to load system certificate pool", "error", err)
+				certPool = x509.NewCertPool()
 			}
 			openshiftCACert, err := os.ReadFile(openshiftCACertificateFile)
 			if err != nil {
diff --git a/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml b/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml
@@ -5,7 +5,7 @@ metadata:
     alm-examples: '[]'
     capabilities: Basic Install
     categories: Security
-    console.openshift.io/disable-operand-delete: "false"
+    console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
     createdAt: 2023-03-03T00:00:00
     features.operators.openshift.io/cnf: "false"
diff --git a/pkg/controller/common/utils.go b/pkg/controller/common/utils.go
@@ -212,11 +212,13 @@ func deploymentSpecModified(desired, fetched *appsv1.Deployment) bool {
 	for _, desiredVolume := range desired.Spec.Template.Spec.Volumes {
 		if desiredVolume.Secret != nil {
 			for _, fetchedVolume := range fetched.Spec.Template.Spec.Volumes {
-				if !reflect.DeepEqual(desiredVolume.Secret.Items, fetchedVolume.Secret.Items) {
-					return true
-				}
-				if desiredVolume.Secret.SecretName != fetchedVolume.Secret.SecretName {
-					return true
+				if desiredVolume.Name == fetchedVolume.Name {
+					if !reflect.DeepEqual(desiredVolume.Secret.Items, fetchedVolume.Secret.Items) {
+						return true
+					}
+					if !reflect.DeepEqual(desiredVolume.Secret.SecretName, fetchedVolume.Secret.SecretName) {
+						return true
+					}
 				}
 			}
 		}
diff --git a/pkg/controller/external_secrets/deployments.go b/pkg/controller/external_secrets/deployments.go
@@ -403,20 +403,32 @@ func updateBitwardenServerContainerSpec(deployment *appsv1.Deployment, image str
 }
 
 func updateWebhookVolumeConfig(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) {
-	if isCertManagerConfigEnabled(esc) {
-		const certsVolumeName = "certs"
-		if deployment.Spec.Template.Spec.Volumes == nil {
-			deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{
-				Name: certsVolumeName,
-			})
-		}
-		for i := range deployment.Spec.Template.Spec.Volumes {
-			if deployment.Spec.Template.Spec.Volumes[i].Name == certsVolumeName {
-				if deployment.Spec.Template.Spec.Volumes[i].Secret == nil {
-					deployment.Spec.Template.Spec.Volumes[i].Secret = &corev1.SecretVolumeSource{}
-				}
-				deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName = certmanagerTLSSecretWebhook
+	const certsVolumeName = "certs"
+
+	if !isCertManagerConfigEnabled(esc) {
+		return
+	}
+
+	certsVolumeExists := false
+	for i := range deployment.Spec.Template.Spec.Volumes {
+		if deployment.Spec.Template.Spec.Volumes[i].Name == certsVolumeName {
+			certsVolumeExists = true
+			if deployment.Spec.Template.Spec.Volumes[i].Secret == nil {
+				deployment.Spec.Template.Spec.Volumes[i].Secret = &corev1.SecretVolumeSource{}
 			}
+			deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName = certmanagerTLSSecretWebhook
+			break
 		}
 	}
+
+	if !certsVolumeExists {
+		deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: certsVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: certmanagerTLSSecretWebhook,
+				},
+			},
+		})
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -212,11 +212,13 @@ func deploymentSpecModified(desired, fetched *appsv1.Deployment) bool {`
`212`	`212`	`for _, desiredVolume := range desired.Spec.Template.Spec.Volumes {`
`213`	`213`	`if desiredVolume.Secret != nil {`
`214`	`214`	`for _, fetchedVolume := range fetched.Spec.Template.Spec.Volumes {`
`215`		`- if !reflect.DeepEqual(desiredVolume.Secret.Items, fetchedVolume.Secret.Items) {`
`216`		`- return true`
`217`		`- }`
`218`		`- if desiredVolume.Secret.SecretName != fetchedVolume.Secret.SecretName {`
`219`		`- return true`
	`215`	`+ if desiredVolume.Name == fetchedVolume.Name {`
	`216`	`+ if !reflect.DeepEqual(desiredVolume.Secret.Items, fetchedVolume.Secret.Items) {`
	`217`	`+ return true`
	`218`	`+ }`
	`219`	`+ if !reflect.DeepEqual(desiredVolume.Secret.SecretName, fetchedVolume.Secret.SecretName) {`
	`220`	`+ return true`
	`221`	`+ }`
`220`	`222`	`}`
`221`	`223`	`}`
`222`	`224`	`}`