Skip to content

ESO-186: Make the operator HTTP(s) proxy aware #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

ESO-186: Make the operator HTTP(s) proxy aware #62

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3289cf5
Make the operator http(s) proxy aware
chiragkyal Oct 7, 2025
53e42e4
Create operator trusted-ca-configmap through OLM
chiragkyal Oct 7, 2025
87fee5f
Address review comments
chiragkyal Oct 7, 2025
b72aa19
Update predicate function
chiragkyal Oct 9, 2025
3386a27
Add ProxyConfig removal scenario
chiragkyal Oct 9, 2025
661b156
Update deployment spec comparison logic
chiragkyal Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions bundle/manifests/external-secrets-operator-trusted-ca-bundle_v1_configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: external-secrets-operator
config.openshift.io/inject-trusted-cabundle: "true"
control-plane: controller-manager
name: external-secrets-operator-trusted-ca-bundle
10 changes: 8 additions & 2 deletions bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,13 +220,13 @@ metadata:
categories: Security
console.openshift.io/disable-operand-delete: "true"
containerImage: openshift.io/external-secrets-operator:latest
createdAt: "2025-10-07T03:20:14Z"
createdAt: "2025-10-07T09:42:32Z"
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
features.operators.openshift.io/csi: "false"
features.operators.openshift.io/disconnected: "false"
features.operators.openshift.io/fips-compliant: "true"
features.operators.openshift.io/proxy-aware: "false"
features.operators.openshift.io/proxy-aware: "true"
features.operators.openshift.io/tls-profiles: "false"
features.operators.openshift.io/token-auth-aws: "false"
features.operators.openshift.io/token-auth-azure: "false"
Expand Down Expand Up @@ -763,6 +763,9 @@ spec:
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /etc/pki/tls/certs
name: trusted-ca-bundle
readOnly: true
- mountPath: /etc/metrics-certs
name: metrics-serving-cert
readOnly: true
Expand All @@ -773,6 +776,9 @@ spec:
serviceAccountName: external-secrets-operator-controller-manager
terminationGracePeriodSeconds: 10
volumes:
- configMap:
name: external-secrets-operator-trusted-ca-bundle
name: trusted-ca-bundle
- name: metrics-serving-cert
secret:
secretName: metrics-serving-cert
Expand Down
6 changes: 0 additions & 6 deletions config/default/manager_metrics_patch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,12 @@
- op: add
path: /spec/template/spec/containers/0/args/-
value: --metrics-cert-dir=/etc/metrics-certs
- op: add
path: /spec/template/spec/containers/0/volumeMounts
value: []
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value:
name: metrics-serving-cert
mountPath: /etc/metrics-certs
readOnly: true
- op: add
path: /spec/template/spec/volumes
value: []
- op: add
path: /spec/template/spec/volumes/-
value:
Expand Down
15 changes: 15 additions & 0 deletions config/manager/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,18 @@ images:
- name: controller
newName: openshift.io/external-secrets-operator
newTag: latest
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: trusted-ca-bundle
options:
labels:
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: external-secrets-operator
config.openshift.io/inject-trusted-cabundle: "true"
control-plane: controller-manager
patches:
- path: trusted-ca-patch.yaml
target:
kind: Deployment
name: controller-manager
18 changes: 18 additions & 0 deletions config/manager/trusted-ca-patch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
volumeMounts:
- name: trusted-ca-bundle
mountPath: /etc/pki/tls/certs
readOnly: true
volumes:
- name: trusted-ca-bundle
configMap:
name: trusted-ca-bundle
2 changes: 1 addition & 1 deletion config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ metadata:
features.operators.openshift.io/csi: "false"
features.operators.openshift.io/disconnected: "false"
features.operators.openshift.io/fips-compliant: "true"
features.operators.openshift.io/proxy-aware: "false"
features.operators.openshift.io/proxy-aware: "true"
features.operators.openshift.io/tls-profiles: "false"
features.operators.openshift.io/token-auth-aws: "false"
features.operators.openshift.io/token-auth-azure: "false"
Expand Down
91 changes: 91 additions & 0 deletions pkg/controller/external_secrets/configmap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
package external_secrets

import (
"fmt"

corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"

operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
"github.com/openshift/external-secrets-operator/pkg/controller/common"
)

// ensureTrustedCABundleConfigMap creates or ensures the trusted CA bundle ConfigMap exists
// in the operand namespace when proxy configuration is present. The ConfigMap is labeled
// with the injection label required by the Cluster Network Operator (CNO), which watches
// for this label and injects the cluster's trusted CA bundle into the ConfigMap's data.
// This function ensures the correct labels are present so that CNO can manage the CA bundle
// content as expected.
func (r *Reconciler) ensureTrustedCABundleConfigMap(esc *operatorv1alpha1.ExternalSecretsConfig, resourceLabels map[string]string) error {
proxyConfig := r.getProxyConfiguration(esc)

// Only create ConfigMap if proxy is configured
if proxyConfig == nil {
// TODO: ConfigMap removal when proxy configuration is removed
// will be revisited in a follow-up implementation.
r.log.V(4).Info("no proxy configuration found, skipping trusted CA bundle ConfigMap creation")
return nil
}

namespace := getNamespace(esc)
expectedLabels := getTrustedCABundleLabels(resourceLabels)

desiredConfigMap := &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: trustedCABundleConfigMapName,
Namespace: namespace,
Labels: expectedLabels,
},
}

configMapName := fmt.Sprintf("%s/%s", desiredConfigMap.GetNamespace(), desiredConfigMap.GetName())
r.log.V(4).Info("reconciling trusted CA bundle ConfigMap resource", "name", configMapName)

// Check if the ConfigMap already exists
existingConfigMap := &corev1.ConfigMap{}
exist, err := r.Exists(r.ctx, client.ObjectKeyFromObject(desiredConfigMap), existingConfigMap)
if err != nil {
return common.FromClientError(err, "failed to check %s trusted CA bundle ConfigMap resource already exists", configMapName)
}

if !exist {
// Create the ConfigMap
if err := r.Create(r.ctx, desiredConfigMap); err != nil {
return common.FromClientError(err, "failed to create %s trusted CA bundle ConfigMap resource", configMapName)
}
r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "trusted CA bundle ConfigMap resource %s created", configMapName)
return nil
}

// ConfigMap exists, ensure it has the correct labels
// Do not update the data of the ConfigMap since it is managed by CNO
// Check if metadata (labels) has been modified.
// NOTE: Currently ObjectMetadataModified only checks labels, but if it's extended
// in the future to check annotations as well, CNO may race with this update since
// CNO adds `openshift.io/owning-component: Networking / cluster-network-operator` annotations on this ConfigMap.
if exist && common.ObjectMetadataModified(desiredConfigMap, existingConfigMap) {
r.log.V(1).Info("trusted CA bundle ConfigMap has been modified, updating to desired state", "name", configMapName)
// Update the labels since
existingConfigMap.Labels = desiredConfigMap.Labels

Comment on lines +31 to +71
Copy link

@coderabbitai coderabbitai bot Oct 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Use the CA-bundle injection annotation, not a label

CNO injects trust bundles only when the ConfigMap carries the annotation config.openshift.io/inject-trusted-cabundle: "true". Populating it under metadata.labels (as done here via getTrustedCABundleLabels) means the operand ConfigMap will never be patched with the cluster CA, so every proxy/TLS flow that relies on this bundle will fail. Please move the injection marker to metadata.annotations (and ensure the reconcile path preserves any annotations CNO adds) so the bundle actually gets injected.

Apply the following diff:

-	expectedLabels := getTrustedCABundleLabels(resourceLabels)
+	expectedLabels := maps.Clone(resourceLabels)
+	expectedAnnotations := map[string]string{
+		trustedCABundleInjectAnnotation: "true",
+	}
 
 	desiredConfigMap := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      trustedCABundleConfigMapName,
 			Namespace: namespace,
-			Labels:    expectedLabels,
+			Labels:    expectedLabels,
+			Annotations: expectedAnnotations,
 		},
 	}

Then, when the ConfigMap already exists, make sure you merge the annotation without dropping any others before calling UpdateWithRetry:

-	if exist && common.ObjectMetadataModified(desiredConfigMap, existingConfigMap) {
+	needsUpdate := common.ObjectMetadataModified(desiredConfigMap, existingConfigMap)
+
+	if existingConfigMap.Annotations == nil {
+		existingConfigMap.Annotations = map[string]string{}
+	}
+	if existingConfigMap.Annotations[trustedCABundleInjectAnnotation] != "true" {
+		existingConfigMap.Annotations[trustedCABundleInjectAnnotation] = "true"
+		needsUpdate = true
+	}
+
+	if needsUpdate {
 		r.log.V(1).Info("trusted CA bundle ConfigMap has been modified, updating to desired state", "name", configMapName)
-		// Update the labels since
+		// Update the labels
 		existingConfigMap.Labels = desiredConfigMap.Labels

(You'll need to import maps from the standard library and define trustedCABundleInjectAnnotation alongside the existing constants.)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
namespace := getNamespace(esc)
expectedLabels := getTrustedCABundleLabels(resourceLabels)
desiredConfigMap := &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: trustedCABundleConfigMapName,
Namespace: namespace,
Labels: expectedLabels,
},
}
configMapName := fmt.Sprintf("%s/%s", desiredConfigMap.GetNamespace(), desiredConfigMap.GetName())
r.log.V(4).Info("reconciling trusted CA bundle ConfigMap resource", "name", configMapName)
// Check if the ConfigMap already exists
existingConfigMap := &corev1.ConfigMap{}
exist, err := r.Exists(r.ctx, client.ObjectKeyFromObject(desiredConfigMap), existingConfigMap)
if err != nil {
return common.FromClientError(err, "failed to check %s trusted CA bundle ConfigMap resource already exists", configMapName)
}
if !exist {
// Create the ConfigMap
if err := r.Create(r.ctx, desiredConfigMap); err != nil {
return common.FromClientError(err, "failed to create %s trusted CA bundle ConfigMap resource", configMapName)
}
r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "trusted CA bundle ConfigMap resource %s created", configMapName)
return nil
}
// ConfigMap exists, ensure it has the correct labels
// Do not update the data of the ConfigMap since it is managed by CNO
// Check if metadata (labels) has been modified.
// NOTE: Currently ObjectMetadataModified only checks labels, but if it's extended
// in the future to check annotations as well, CNO may race with this update since
// CNO adds `openshift.io/owning-component: Networking / cluster-network-operator` annotations on this ConfigMap.
if exist && common.ObjectMetadataModified(desiredConfigMap, existingConfigMap) {
r.log.V(1).Info("trusted CA bundle ConfigMap has been modified, updating to desired state", "name", configMapName)
// Update the labels since
existingConfigMap.Labels = desiredConfigMap.Labels
namespace := getNamespace(esc)
// Use the base resourceLabels as labels, and set the injection annotation
expectedLabels := maps.Clone(resourceLabels)
expectedAnnotations := map[string]string{
trustedCABundleInjectAnnotation: "true",
}
desiredConfigMap := &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: trustedCABundleConfigMapName,
Namespace: namespace,
Labels: expectedLabels,
Annotations: expectedAnnotations,
},
}
configMapName := fmt.Sprintf("%s/%s", desiredConfigMap.GetNamespace(), desiredConfigMap.GetName())
r.log.V(4).Info("reconciling trusted CA bundle ConfigMap resource", "name", configMapName)
// Check if the ConfigMap already exists
existingConfigMap := &corev1.ConfigMap{}
exist, err := r.Exists(r.ctx, client.ObjectKeyFromObject(desiredConfigMap), existingConfigMap)
if err != nil {
return common.FromClientError(err, "failed to check %s trusted CA bundle ConfigMap resource already exists", configMapName)
}
if !exist {
// Create the ConfigMap
if err := r.Create(r.ctx, desiredConfigMap); err != nil {
return common.FromClientError(err, "failed to create %s trusted CA bundle ConfigMap resource", configMapName)
}
r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "trusted CA bundle ConfigMap resource %s created", configMapName)
return nil
}
// Determine if labels drifted, then ensure the inject annotation is present
needsUpdate := common.ObjectMetadataModified(desiredConfigMap, existingConfigMap)
if existingConfigMap.Annotations == nil {
existingConfigMap.Annotations = map[string]string{}
}
if existingConfigMap.Annotations[trustedCABundleInjectAnnotation] != "true" {
existingConfigMap.Annotations[trustedCABundleInjectAnnotation] = "true"
needsUpdate = true
}
if needsUpdate {
r.log.V(1).Info("trusted CA bundle ConfigMap has been modified, updating to desired state", "name", configMapName)
// Update the labels
existingConfigMap.Labels = desiredConfigMap.Labels
// (the update call goes here)
}
🤖 Prompt for AI Agents 
In pkg/controller/external_secrets/configmap.go around lines 31 to 71, the code
currently puts the CNO CA-bundle injection marker into metadata.labels which
prevents CNO from injecting the trust bundle; change the implementation to place
the marker key "config.openshift.io/inject-trusted-cabundle" with value "true"
under desiredConfigMap.ObjectMeta.Annotations (define a constant
trustedCABundleInjectAnnotation), not Labels, and ensure you still set the
expected labels on ObjectMeta.Labels; when reconciling an existing ConfigMap
merge annotations rather than overwriting them (preserve any annotations CNO
added) — use the standard library maps helpers to clone/merge annotation maps so
existingConfigMap.Annotations = merged(existingConfigMap.Annotations,
desiredConfigMap.Annotations) before calling UpdateWithRetry, and keep updating
labels as before.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not true, label is expected and not annotation.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🌐 Web query:

OpenShift Cluster Network Operator CNO CA bundle injection config.openshift.io/inject-trusted-cabundle label or annotation

💡 Result:

Use a label. The CNO (and other operators) request trusted-CA injection by creating an empty ConfigMap with the label
config.openshift.io/inject-trusted-cabundle="true". (Do not combine that label with the service.beta.openshift.io/inject-cabundle annotation — the latter is a different mechanism for service CA injection.) [1][2]

@bharath-b-rh You're absolutely right, and I apologize for the incorrect review comment.

The CNO does indeed use a label (config.openshift.io/inject-trusted-cabundle: "true"), not an annotation, to trigger CA bundle injection. The current implementation in the PR is correct. [1][2]

The suggestion to move it to annotations was incorrect and should be disregarded. Thank you for catching that!

if err := r.UpdateWithRetry(r.ctx, existingConfigMap); err != nil {
return common.FromClientError(err, "failed to update %s trusted CA bundle ConfigMap resource", configMapName)
}
r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "trusted CA bundle ConfigMap resource %s reconciled back to desired state", configMapName)
} else {
r.log.V(4).Info("trusted CA bundle ConfigMap resource already exists and is in expected state", "name", configMapName)
}

return nil
}

// getTrustedCABundleLabels merges resource labels with the injection label
func getTrustedCABundleLabels(resourceLabels map[string]string) map[string]string {
labels := make(map[string]string)
for k, v := range resourceLabels {
labels[k] = v
}
labels[trustedCABundleInjectLabel] = "true"
return labels
}
19 changes: 19 additions & 0 deletions pkg/controller/external_secrets/constants.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,25 @@ const (
// externalsecretsDefaultNamespace is the namespace where the `external-secrets` operand required resources
// will be created, when ExternalSecretsConfig.Spec.Namespace is not set.
externalsecretsDefaultNamespace = "external-secrets"

// trustedCABundleConfigMapName is the name of the ConfigMap containing the trusted CA bundle
trustedCABundleConfigMapName = externalsecretsCommonName + "-trusted-ca-bundle"

// trustedCABundleInjectLabel is the label that triggers OpenShift CNO to inject cluster-wide CA certificates
trustedCABundleInjectLabel = "config.openshift.io/inject-trusted-cabundle"

// trustedCABundleVolumeName is the name of the volume for mounting the CA bundle
trustedCABundleVolumeName = "trusted-ca-bundle"

// trustedCABundleMountPath is the path where the CA bundle should be mounted in containers
// Default certificate path is taken from the golang source:
// https://cs.opensource.google/go/go/+/refs/tags/go1.24.4:src/crypto/x509/root_linux.go;l=22
trustedCABundleMountPath = "/etc/pki/tls/certs"

// Proxy environment variable names
httpProxyEnvVar = "HTTP_PROXY"
httpsProxyEnvVar = "HTTPS_PROXY"
noProxyEnvVar = "NO_PROXY"
)

var (
Expand Down
26 changes: 11 additions & 15 deletions pkg/controller/external_secrets/controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ var (
&corev1.Secret{},
&corev1.Service{},
&corev1.ServiceAccount{},
&corev1.ConfigMap{},
&webhook.ValidatingWebhookConfiguration{},
}
)
Expand Down Expand Up @@ -251,26 +252,21 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
mapFunc := func(ctx context.Context, obj client.Object) []reconcile.Request {
r.log.V(4).Info("received reconcile event", "object", fmt.Sprintf("%T", obj), "name", obj.GetName(), "namespace", obj.GetNamespace())

objLabels := obj.GetLabels()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is required for Secret resource filtering scenario.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we modify the predicate for Secret resource from builder.WithPredicates(predicate.LabelChangedPredicate{}) to managedResourcePredicate, then this won't be required, right?

Moreover, there is a dedicated check for the label change; so I think the above predicate can be modified.

external-secrets-operator/pkg/controller/external_secrets/secret.go

Lines 39 to 47 in e3fe1cf

if exist && common.ObjectMetadataModified(desired, fetched) {
r.log.V(1).Info("secret has been modified, updating to desired state", "name", secretName)
if err := r.UpdateWithRetry(r.ctx, desired); err != nil {
return common.FromClientError(err, "failed to update %s secret resource", secretName)
}
r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "secret resource %s reconciled back to desired state", secretName)
} else {
r.log.V(4).Info("secret resource already exists and is in expected state", "name", secretName)
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason for using predicate.LabelChangedPredicate{} is because we are not interested in the data. If both predicates can be combined then no issues.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Combined both the predicates and modified to use

case &corev1.Secret{}, &corev1.ConfigMap{}:
			mgrBuilder.WatchesMetadata(res, handler.EnqueueRequestsFromMapFunc(mapFunc), builder.WithPredicates(predicate.LabelChangedPredicate{}, managedResources))

if objLabels != nil {
if objLabels[requestEnqueueLabelKey] == requestEnqueueLabelValue {
return []reconcile.Request{
{
NamespacedName: types.NamespacedName{
Name: common.ExternalSecretsConfigObjectName,
},
},
}
}
// Since predicate already filtered, all objects that reach here should trigger reconciliation
return []reconcile.Request{
{
NamespacedName: types.NamespacedName{
Name: common.ExternalSecretsConfigObjectName,
},
},
}
r.log.V(4).Info("object not of interest, ignoring reconcile event", "object", fmt.Sprintf("%T", obj), "name", obj.GetName(), "namespace", obj.GetNamespace())
return []reconcile.Request{}
}

// predicate function to ignore events for objects not managed by controller.
managedResources := predicate.NewPredicateFuncs(func(object client.Object) bool {
return object.GetLabels() != nil && object.GetLabels()[requestEnqueueLabelKey] == requestEnqueueLabelValue
})

withIgnoreStatusUpdatePredicates := builder.WithPredicates(predicate.GenerationChangedPredicate{}, managedResources)
managedResourcePredicate := builder.WithPredicates(managedResources)

Expand All @@ -286,8 +282,8 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
if _, ok := r.optionalResourcesList[certificateCRDGKV]; ok {
mgrBuilder.Watches(res, handler.EnqueueRequestsFromMapFunc(mapFunc), managedResourcePredicate)
}
case &corev1.Secret{}:
mgrBuilder.WatchesMetadata(res, handler.EnqueueRequestsFromMapFunc(mapFunc), builder.WithPredicates(predicate.LabelChangedPredicate{}))
case &corev1.Secret{}, &corev1.ConfigMap{}:
mgrBuilder.WatchesMetadata(res, handler.EnqueueRequestsFromMapFunc(mapFunc), builder.WithPredicates(predicate.LabelChangedPredicate{}, managedResources))
default:
mgrBuilder.Watches(res, handler.EnqueueRequestsFromMapFunc(mapFunc), managedResourcePredicate)
}
Expand Down
Loading