ESO-155: Updates to use different TLS Secret name when cert-manager enabled

Signed-off-by: Bharath B <[email protected]>

Author: bharath-b-rh

pkg/controller/common/utils.go

@@ -210,7 +210,7 @@ func deploymentSpecModified(desired, fetched *appsv1.Deployment) bool {
 		return true
 	}
 	for _, desiredVolume := range desired.Spec.Template.Spec.Volumes {
-		if desiredVolume.Secret != nil && desiredVolume.Secret.Items != nil {
+		if desiredVolume.Secret != nil {
 			for _, fetchedVolume := range fetched.Spec.Template.Spec.Volumes {
 				if !reflect.DeepEqual(desiredVolume.Secret.Items, fetchedVolume.Secret.Items) {
 					return true
@@ -219,7 +219,6 @@ func deploymentSpecModified(desired, fetched *appsv1.Deployment) bool {
 					return true
 				}
 			}
-
 		}
 	}
 

pkg/controller/external_secrets/certificate.go

@@ -82,6 +82,11 @@ func (r *Reconciler) createOrApplyCertificate(esc *operatorv1alpha1.ExternalSecr
 func (r *Reconciler) getCertificateObject(esc *operatorv1alpha1.ExternalSecretsConfig, resourceLabels map[string]string, fileName string) (*certmanagerv1.Certificate, error) {
 	certificate := common.DecodeCertificateObjBytes(assets.MustAsset(fileName))
 
+	// update the secret name in the Certificate resource of the webhook component.
+	if fileName == webhookCertificateAssetName {
+		certificate.Spec.SecretName = certmanagerTLSSecretWebhook
+	}
+
 	updateNamespace(certificate, esc)
 	common.UpdateResourceLabels(certificate, resourceLabels)
 

pkg/controller/external_secrets/constants.go

@@ -48,6 +48,10 @@ const (
 	// externalsecretsDefaultNamespace is the namespace where the `external-secrets` operand required resources
 	// will be created, when ExternalSecretsConfig.Spec.Namespace is not set.
 	externalsecretsDefaultNamespace = "external-secrets"
+
+	// certmanagerTLSSecretWebhook is the TLS secret created by cert-manager for the webhook component. A different
+	// name is used to avoiding clash with the secret created by the inbuilt cert-controller component.
+	certmanagerTLSSecretWebhook = "external-secrets-webhook-cm"
 )
 
 var (

pkg/controller/external_secrets/deployments.go

@@ -123,6 +123,7 @@ func (r *Reconciler) getDeploymentObject(assetName string, esc *operatorv1alpha1
 			checkInterval = esc.Spec.ApplicationConfig.WebhookConfig.CertificateCheckInterval.Duration.String()
 		}
 		updateWebhookContainerSpec(deployment, image, logLevel, checkInterval)
+		updateWebhookVolumeConfig(deployment, esc)
 	case certControllerDeploymentAssetName:
 		updateCertControllerContainerSpec(deployment, image, logLevel)
 	case bitwardenDeploymentAssetName:
@@ -389,3 +390,22 @@ func updateBitwardenServerContainerSpec(deployment *appsv1.Deployment, image str
 		}
 	}
 }
+
+func updateWebhookVolumeConfig(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) {
+	if isCertManagerConfigEnabled(esc) {
+		const certsVolumeName = "certs"
+		if deployment.Spec.Template.Spec.Volumes == nil {
+			deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{
+				Name: certsVolumeName,
+			})
+		}
+		for i := range deployment.Spec.Template.Spec.Volumes {
+			if deployment.Spec.Template.Spec.Volumes[i].Name == certsVolumeName {
+				if deployment.Spec.Template.Spec.Volumes[i].Secret == nil {
+					deployment.Spec.Template.Spec.Volumes[i].Secret = &corev1.SecretVolumeSource{}
+				}
+				deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName = certmanagerTLSSecretWebhook
+			}
+		}
+	}
+}