diff --git a/go.mod b/go.mod
index 6ed62d8a41..1d2d6d638a 100644
--- a/go.mod
+++ b/go.mod
@@ -128,3 +128,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20250513140712-855d77f4d526
diff --git a/go.sum b/go.sum
index 633e0c6455..77ece40149 100644
--- a/go.sum
+++ b/go.sum
@@ -166,8 +166,6 @@ github.com/openshift/build-machinery-go v0.0.0-20250102153059-e85a1a7ecb5c h1:6X
 github.com/openshift/build-machinery-go v0.0.0-20250102153059-e85a1a7ecb5c/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7 h1:4iliLcvr1P9EUMZgIaSNEKNQQzBn+L6PSequlFOuB6Q=
 github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7/go.mod h1:2tcufBE4Cu6RNgDCxcUJepa530kGo5GFVfR9BSnndhI=
-github.com/openshift/library-go v0.0.0-20250505141135-5184403e7ead h1:ZphMPDBoxhm7/4+5M2gO9h+TTDRcJpQ2Xa5P0Pn2JpA=
-github.com/openshift/library-go v0.0.0-20250505141135-5184403e7ead/go.mod h1:DAa3BGl0CFtkfJn/g5rU8kDDTErfMVA/QlFm4cvU+MI=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
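Review bot: The new `replace` in go.mod redirects github.com/openshift/library-go to a personal fork pinned only by a pseudo-version, so the operator now builds against code that has not passed upstream review; the go.sum entry pins the bytes but says nothing about their provenance. Add a comment on the directive naming the upstream change it tracks, e.g. `// TODO: drop once <upstream library-go PR> merges`, and treat the replace as a merge blocker rather than a permanent state. The vendored additions pulled in from the fork show why this matters: ReadNetworkPolicyV1OrDie in resourceread/networking.go declares `netCodecs` for the networking scheme but decodes with `coreCodecs`, which looks like a copy-paste slip that upstream review would be expected to catch.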
@@ -213,6 +211,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
+github.com/vrutkovs/library-go v0.0.0-20250513140712-855d77f4d526 h1:5CN5TPvYH5g0ouP7mkGC8eAwA+GXn+FzRu5gOAoGA58=
+github.com/vrutkovs/library-go v0.0.0-20250513140712-855d77f4d526/go.mod h1:DAa3BGl0CFtkfJn/g5rU8kDDTErfMVA/QlFm4cvU+MI=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk=
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
index 3ac9a42dd1..29b3aec92d 100644
--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -13,7 +13,6 @@ import (
 	"github.com/ghodss/yaml"
-	"github.com/openshift/api/annotations"
 	kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/cluster-kube-apiserver-operator/bindata"
@@ -24,6 +23,7 @@ import (
 	"github.com/openshift/library-go/pkg/operator/certrotation"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+	"github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
 	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
@@ -38,6 +38,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/klog/v2"
 )
 const (
@@ -347,12 +348,33 @@ func generateOptionalStartupMonitorPod(isStartupMonitorEnabledFn func() (bool, e
 }
 
 func ManageClientCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-	requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "client-ca"},
+
+	additionalAnnotations := certrotation.AdditionalAnnotations{
+		JiraComponent: "kube-apiserver",
+	}
+	caBundleConfigMapName := "client-ca"
+
+	caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get(caBundleConfigMapName)
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, false, err
+	}
+
+	creationRequired := false
+	updateRequired := false
+	if apierrors.IsNotFound(err) {
+		creationRequired = true
+		caBundleConfigMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      caBundleConfigMapName,
+				Namespace: operatorclient.TargetNamespace,
+			},
+		}
+	}
+
+	requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMapsOptimistically(
+		caBundleConfigMap,
 		lister,
-		certrotation.AdditionalAnnotations{
-			JiraComponent: "kube-apiserver",
-		},
+		additionalAnnotations,
 		// this is from the installer and contains the value to verify the admin.kubeconfig user
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "admin-kubeconfig-client-ca"},
 		// this is from the installer and contains the value to verify the node bootstrapping cert that is baked into images
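Review bot: `updateRequired := false` in ManageClientCABundle is overwritten by the `:=` on the CombineCABundleConfigMapsOptimistically call before it is ever read; drop the line (staticcheck reports this as SA4006), and the same dead initializer appears in the manageKubeAPIServerCABundle hunk below. Because `requiredConfigMap` is a DeepCopy of the lister's object, the later Update carries the cached resourceVersion, so a stale informer cache should surface as a conflict error on the next sync rather than silently overwriting a newer bundle; a one-line comment such as `// requiredConfigMap keeps the lister copy's resourceVersion, so a stale cache fails the Update with a conflict instead of clobbering a newer bundle` would make the "optimistically" in the helper's name explicit to the next reader. The function body continues past the end of this hunk.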
@@ -372,21 +394,59 @@ func ManageClientCABundle(ctx context.Context, lister corev1listers.ConfigMapLis
 	if err != nil {
 		return nil, false, err
 	}
-	if requiredConfigMap.Annotations == nil {
-		requiredConfigMap.Annotations = map[string]string{}
+
+
+	if creationRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+		resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Created client CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
+	} else if updateRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+		resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Updated client CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
 	}
-	requiredConfigMap.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
-	return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+	return caBundleConfigMap, false, nil
 }
 
 func manageKubeAPIServerCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-	requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-apiserver-server-ca"},
+
+	additionalAnnotations := certrotation.AdditionalAnnotations{
+		JiraComponent: "kube-apiserver",
+	}
+	caBundleConfigMapName := "kube-apiserver-server-ca"
+
+	caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get(caBundleConfigMapName)
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, false, err
+	}
+
+	creationRequired := false
+	updateRequired := false
+	if apierrors.IsNotFound(err) {
+		creationRequired = true
+	}
+	if apierrors.IsNotFound(err) {
+		creationRequired = true
+		caBundleConfigMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      caBundleConfigMapName,
+				Namespace: operatorclient.TargetNamespace,
+			},
+		}
+	}
+	requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMapsOptimistically(
+		caBundleConfigMap,
 		lister,
-		certrotation.AdditionalAnnotations{
-			JiraComponent: "kube-apiserver",
-		},
+		additionalAnnotations,
 		// this bundle is what this operator uses to mint loadbalancers certs
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "loadbalancer-serving-ca"},
 		// this bundle is what this operator uses to mint localhost certs
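Review bot: manageKubeAPIServerCABundle carries two consecutive `if apierrors.IsNotFound(err) { creationRequired = true ... }` blocks; the first one is redundant and should be removed so the function mirrors ManageClientCABundle above it. On the no-change path both functions hand back the lister's object, `return caBundleConfigMap, false, nil`, which is the shared informer cache entry rather than a private copy — return `requiredConfigMap` (already a DeepCopy produced by CombineCABundleConfigMapsOptimistically) or `caBundleConfigMap.DeepCopy()` if any caller may mutate the result. The create and update branches pass the API response to `resourcehelper.ReportCreateEvent`/`ReportUpdateEvent`, an object whose name and namespace are not populated when the call fails, so the warning event would not identify the configmap; the library's own ApplyNetworkPolicy in this diff passes the required object, and `resourcehelper.ReportCreateEvent(recorder, requiredConfigMap, err)` is the safer form here and in the manageKubeAPIServerCABundle hunk that follows. `} else if updateRequired {` after a branch that always returns can be a plain `if`, and the two added blank lines before `if creationRequired` are not gofmt-clean. The manageKubeAPIServerCABundle body continues past the end of this hunk.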
@@ -399,12 +459,27 @@ func manageKubeAPIServerCABundle(ctx context.Context, lister corev1listers.Confi
 	if err != nil {
 		return nil, false, err
 	}
-	if requiredConfigMap.Annotations == nil {
-		requiredConfigMap.Annotations = map[string]string{}
+
+
+	if creationRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+		resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Created kube apiserver CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
+	} else if updateRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+		resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Updated kube apiserver CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
 	}
-	requiredConfigMap.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
-	return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+	return caBundleConfigMap, false, nil
 }
 
 func ensureKubeAPIServerTrustedCA(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
index 80f5efc2c0..33a09ae16e 100644
--- a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
+++ b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
@@ -629,7 +629,7 @@ func MakeSelfSignedCAConfig(name string, lifetime time.Duration) (*TLSCertificat
 func MakeSelfSignedCAConfigForSubject(subject pkix.Name, lifetime time.Duration) (*TLSCertificateConfig, error) {
 	if lifetime <= 0 {
 		lifetime = DefaultCACertificateLifetimeDuration
-		fmt.Fprintf(os.Stderr, "Validity period of the certificate for %q is unset, resetting to %d years!\n", subject.CommonName, lifetime)
+		fmt.Fprintf(os.Stderr, "Validity period of the certificate for %q is unset, resetting to %s!\n", subject.CommonName, lifetime.String())
 	}
 	if lifetime > DefaultCACertificateLifetimeDuration {
@@ -1018,7 +1018,7 @@ func newSigningCertificateTemplateForDuration(subject pkix.Name, caLifetime time
 func newServerCertificateTemplate(subject pkix.Name, hosts []string, lifetime time.Duration, currentTime func() time.Time, authorityKeyId, subjectKeyId []byte) *x509.Certificate {
 	if lifetime <= 0 {
 		lifetime = DefaultCertificateLifetimeDuration
-		fmt.Fprintf(os.Stderr, "Validity period of the certificate for %q is unset, resetting to %d years!\n", subject.CommonName, lifetime)
+		fmt.Fprintf(os.Stderr, "Validity period of the certificate for %q is unset, resetting to %s!\n", subject.CommonName, lifetime.String())
 	}
 	if lifetime > DefaultCertificateLifetimeDuration {
@@ -1105,7 +1105,7 @@ func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error) {
 func NewClientCertificateTemplate(subject pkix.Name, lifetime time.Duration, currentTime func() time.Time) *x509.Certificate {
 	if lifetime <= 0 {
 		lifetime = DefaultCertificateLifetimeDuration
-		fmt.Fprintf(os.Stderr, "Validity period of the certificate for %q is unset, resetting to %d years!\n", subject.CommonName, lifetime)
+		fmt.Fprintf(os.Stderr, "Validity period of the certificate for %q is unset, resetting to %s!\n", subject.CommonName, lifetime.String())
 	}
 	if lifetime > DefaultCertificateLifetimeDuration {
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go
index fa9709ec06..7fcd4a9aa9 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go
@@ -28,19 +28,19 @@ func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta)
 	}
 	if len(a.JiraComponent) > 0 && meta.Annotations[annotations.OpenShiftComponent] != a.JiraComponent {
 		diff := cmp.Diff(meta.Annotations[annotations.OpenShiftComponent], a.JiraComponent)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftComponent, meta.Name, meta.Namespace, diff)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftComponent, meta.Namespace, meta.Name, diff)
 		meta.Annotations[annotations.OpenShiftComponent] = a.JiraComponent
 		modified = true
 	}
 	if len(a.Description) > 0 && meta.Annotations[annotations.OpenShiftDescription] != a.Description {
 		diff := cmp.Diff(meta.Annotations[annotations.OpenShiftDescription], a.Description)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftDescription, meta.Name, meta.Namespace, diff)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftDescription, meta.Namespace, meta.Name, diff)
 		meta.Annotations[annotations.OpenShiftDescription] = a.Description
 		modified = true
 	}
 	if len(a.AutoRegenerateAfterOfflineExpiry) > 0 && meta.Annotations[AutoRegenerateAfterOfflineExpiryAnnotation] != a.AutoRegenerateAfterOfflineExpiry {
 		diff := cmp.Diff(meta.Annotations[AutoRegenerateAfterOfflineExpiryAnnotation], a.AutoRegenerateAfterOfflineExpiry)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", AutoRegenerateAfterOfflineExpiryAnnotation, meta.Name, meta.Namespace, diff)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", AutoRegenerateAfterOfflineExpiryAnnotation, meta.Namespace, meta.Name, diff)
 		meta.Annotations[AutoRegenerateAfterOfflineExpiryAnnotation] = a.AutoRegenerateAfterOfflineExpiry
 		modified = true
 	}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go
index 357efad619..6a32071e38 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go
@@ -9,6 +9,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	policyv1 "k8s.io/api/policy/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -142,6 +143,12 @@ func ApplyDirectly(ctx context.Context, clients *ClientHolder, recorder events.R
 			} else {
 				result.Result, result.Changed, result.Error = ApplySecretImproved(ctx, client, recorder, t, cache)
 			}
+		case *networkingv1.NetworkPolicy:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				result.Result, result.Changed, result.Error = ApplyNetworkPolicy(ctx, clients.kubeClient.NetworkingV1(), recorder, t)
+			}
 		case *rbacv1.ClusterRole:
 			if clients.kubeClient == nil {
 				result.Error = fmt.Errorf("missing kubeClient")
@@ -295,6 +302,12 @@ func DeleteAll(ctx context.Context, clients *ClientHolder, recorder events.Recor
 			} else {
 				_, result.Changed, result.Error = DeleteSecret(ctx, client, recorder, t)
 			}
+		case *networkingv1.NetworkPolicy:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				_, result.Changed, result.Error = DeleteNetworkPolicy(ctx, clients.kubeClient.NetworkingV1(), recorder, t)
+			}
 		case *rbacv1.ClusterRole:
 			if clients.kubeClient == nil {
 				result.Error = fmt.Errorf("missing kubeClient")
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/networking.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/networking.go
new file mode 100644
index 0000000000..0a3df326e4
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/networking.go 
@@ -0,0 +1,59 @@
+package resourceapply
+
+import (
+	"context"
+
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	networkingclientv1 "k8s.io/client-go/kubernetes/typed/networking/v1"
+	"k8s.io/klog/v2"
+
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
+	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
+)
+
+// ApplyClusterRole merges objectmeta, does not worry about anything else
+func ApplyNetworkPolicy(ctx context.Context, client networkingclientv1.NetworkPoliciesGetter, recorder events.Recorder, required *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, bool, error) {
+	existing, err := client.NetworkPolicies(required.Namespace).Get(ctx, required.Name, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		requiredCopy := required.DeepCopy()
+		actual, err := client.NetworkPolicies(required.Namespace).Create(
+			ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*networkingv1.NetworkPolicy), metav1.CreateOptions{})
+		resourcehelper.ReportCreateEvent(recorder, required, err)
+		return actual, true, err
+	}
+	if err != nil {
+		return nil, false, err
+	}
+
+	modified := false
+	existingCopy := existing.DeepCopy()
+
+	resourcemerge.EnsureObjectMeta(&modified, &existingCopy.ObjectMeta, required.ObjectMeta)
+	if equality.Semantic.DeepEqual(existingCopy.Spec, required.Spec) && !modified {
+		return existingCopy, false, nil
+	}
+
+	if klog.V(2).Enabled() {
+		klog.Infof("NetworkPolicy %q changes: %v", required.Name, JSONPatchNoError(existing, existingCopy))
+	}
+
+	actual, err := client.NetworkPolicies(existingCopy.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
+	resourcehelper.ReportUpdateEvent(recorder, required, err)
+	return actual, true, err
+}
+
+func DeleteNetworkPolicy(ctx context.Context, client networkingclientv1.NetworkPoliciesGetter, recorder events.Recorder, required *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, bool, error) {
+	err := client.NetworkPolicies(required.Namespace).Delete(ctx, required.Name, metav1.DeleteOptions{})
+	if err != nil && apierrors.IsNotFound(err) {
+		return nil, false, nil
+	}
+	if err != nil {
+		return nil, false, err
+	}
+	resourcehelper.ReportDeleteEvent(recorder, required, err)
+	return nil, true, nil
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/networking.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/networking.go
new file mode 100644
index 0000000000..9832ede719
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/networking.go
@@ -0,0 +1,26 @@
+package resourceread
+
+import (
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+var (
+	netScheme = runtime.NewScheme()
+	netCodecs = serializer.NewCodecFactory(netScheme)
+)
+
+func init() {
+	if err := networkingv1.AddToScheme(netScheme); err != nil {
+		panic(err)
+	}
+}
+
+func ReadNetworkPolicyV1OrDie(objBytes []byte) *networkingv1.NetworkPolicy {
+	requiredObj, err := runtime.Decode(coreCodecs.UniversalDecoder(networkingv1.SchemeGroupVersion), objBytes)
+	if err != nil {
+		panic(err)
+	}
+	return requiredObj.(*networkingv1.NetworkPolicy)
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go
index 9711348b33..bbd2ab58fb 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/core.go
@@ -70,3 +70,64 @@ func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister cor
 	}
 	return cm, nil
 }
+
+func CombineCABundleConfigMapsOptimistically(destinationConfigMap *corev1.ConfigMap, lister corev1listers.ConfigMapLister, additionalAnnotations certrotation.AdditionalAnnotations, inputConfigMaps ...ResourceLocation) (*corev1.ConfigMap, bool, error) {
+	var cm *corev1.ConfigMap
+	if destinationConfigMap == nil {
+		cm = &corev1.ConfigMap{}
+	} else {
+		cm = destinationConfigMap.DeepCopy()
+	}
+	certificates := []*x509.Certificate{}
+	for _, input := range inputConfigMaps {
+		inputConfigMap, err := lister.ConfigMaps(input.Namespace).Get(input.Name)
+		if apierrors.IsNotFound(err) {
+			continue
+		}
+		if err != nil {
+			return nil, false, err
+		}
+
+		// configmaps must conform to this
+		inputContent := inputConfigMap.Data["ca-bundle.crt"]
+		if len(inputContent) == 0 {
+			continue
+		}
+		inputCerts, err := cert.ParseCertsPEM([]byte(inputContent))
+		if err != nil {
+			return nil, false, fmt.Errorf("configmap/%s in %q is malformed: %v", input.Name, input.Namespace, err)
+		}
+		certificates = append(certificates, inputCerts...)
+	}
+
+	certificates = crypto.FilterExpiredCerts(certificates...)
+	finalCertificates := []*x509.Certificate{}
+	// now check for duplicates. n^2, but super simple
+	for i := range certificates {
+		found := false
+		for j := range finalCertificates {
+			if reflect.DeepEqual(certificates[i].Raw, finalCertificates[j].Raw) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			finalCertificates = append(finalCertificates, certificates[i])
+		}
+	}
+
+	caBytes, err := crypto.EncodeCertificates(finalCertificates...)
+	if err != nil {
+		return nil, false, err
+	}
+
+	modified := additionalAnnotations.EnsureTLSMetadataUpdate(&cm.ObjectMeta)
+	newCMData := map[string]string{
+		"ca-bundle.crt": string(caBytes),
+	}
+	if !reflect.DeepEqual(cm.Data, newCMData) {
+		cm.Data = newCMData
+		modified = true
+	}
+	return cm, modified, nil
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go
index 234cc08eba..22a377a7c4 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticresourcecontroller/static_resource_controller.go
@@ -17,6 +17,7 @@ import (
 	"k8s.io/client-go/restmapper"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	policyv1 "k8s.io/api/policy/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -236,6 +237,8 @@ func (c *StaticResourceController) AddKubeInformers(kubeInformersByNamespace v1h
 			ret = ret.AddInformer(informer.Core().V1().ConfigMaps().Informer())
 		case *corev1.Secret:
 			ret = ret.AddInformer(informer.Core().V1().Secrets().Informer())
+		case *networkingv1.NetworkPolicy:
+			ret = ret.AddInformer(informer.Networking().V1().NetworkPolicies().Informer())
 		case *rbacv1.ClusterRole:
 			ret = ret.AddInformer(informer.Rbac().V1().ClusterRoles().Informer())
 		case *rbacv1.ClusterRoleBinding:
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 937e801168..c467eacf1f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -349,7 +349,7 @@ github.com/openshift/client-go/security/informers/externalversions/internalinter
 github.com/openshift/client-go/security/informers/externalversions/security
 github.com/openshift/client-go/security/informers/externalversions/security/v1
 github.com/openshift/client-go/security/listers/security/v1
-# github.com/openshift/library-go v0.0.0-20250505141135-5184403e7ead
+# github.com/openshift/library-go v0.0.0-20250505141135-5184403e7ead => github.com/vrutkovs/library-go v0.0.0-20250513140712-855d77f4d526
 ## explicit; go 1.23.0
 github.com/openshift/library-go/pkg/apiserver/jsonpatch
 github.com/openshift/library-go/pkg/assets
@@ -1556,3 +1556,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 ## explicit; go 1.12
 sigs.k8s.io/yaml
 sigs.k8s.io/yaml/goyaml.v2
+# github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20250513140712-855d77f4d526