Fix a reconciliation issue with mount_ca_trust

[noissue]

Author: git-hyagi

apis/repo-manager.pulpproject.org/v1/pulp_types.go

@@ -328,7 +328,7 @@ type PulpSpec struct {
 	// Required on vanilla Kubernetes when mount_trusted_ca is true. Optional on OpenShift.
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Trusted CA ConfigMap Key",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced","urn:alm:descriptor:com.tectonic.ui:fieldDependency:mount_trusted_ca:true"}
-	TrustedCaConfigMapKey string `json:"mount_trusted_ca_configmap_key,omitempty"`
+	TrustedCaConfigMapKey *string `json:"mount_trusted_ca_configmap_key,omitempty"`
 
 	// Job to reset pulp admin password
 	AdminPasswordJob PulpJob `json:"admin_password_job,omitempty"`

apis/repo-manager.pulpproject.org/v1/zz_generated.deepcopy.go

@@ -554,6 +554,10 @@ func (d *CommonDeployment) setVolumes(resources any, pulpcoreType settings.Pulpc
 		}
 		volumes = append(volumes, containerTokenSecretVolume)
 	}
+
+	// append the CA configmap to the volumes
+	volumes = SetCAVolumes(&pulp, volumes)
+
 	d.volumes = append([]corev1.Volume(nil), volumes...)
 }
 
@@ -724,6 +728,10 @@ func (d *CommonDeployment) setVolumeMounts(pulp pulpv1.Pulp, pulpcoreType settin
 		}
 		volumeMounts = append(volumeMounts, containerTokenSecretMount...)
 	}
+
+	// append the CA configmap to the volumeMounts
+	volumeMounts = SetCAVolumeMounts(&pulp, volumeMounts)
+
 	d.volumeMounts = append([]corev1.VolumeMount(nil), volumeMounts...)
 }
 

controllers/deployment.go

@@ -28,15 +28,6 @@ import (
 func defaultsForOCPDeployment(deployment *appsv1.Deployment, pulp *pulpv1.Pulp) {
 	// in OCP we use SCC so there is no need to define PodSecurityContext
 	deployment.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{}
-
-	// get the current volume mount points
-	volumes := deployment.Spec.Template.Spec.Volumes
-	volumeMounts := deployment.Spec.Template.Spec.Containers[0].VolumeMounts
-
-	// append the CA configmap to the volumes/volumemounts slice
-	volumes, volumeMounts = MountCASpec(pulp, volumes, volumeMounts)
-	deployment.Spec.Template.Spec.Volumes = volumes
-	deployment.Spec.Template.Spec.Containers[0].VolumeMounts = volumeMounts
 }
 
 // DeploymentAPIOCP is the pulpcore-api Deployment definition for common OCP clusters

controllers/ocp/deployment.go

@@ -18,7 +18,6 @@ package ocp
 
 import (
 	"context"
-	"strings"
 
 	"github.com/go-logr/logr"
 	pulpv1 "github.com/pulp/pulp-operator/apis/repo-manager.pulpproject.org/v1"
@@ -102,72 +101,6 @@ func CreateEmptyConfigMap(r client.Client, scheme *runtime.Scheme, ctx context.C
 	return ctrl.Result{}, nil
 }
 
-// MountCASpec adds the trusted-ca bundle into []volume and []volumeMount if pulp.Spec.TrustedCA is true
-// On OpenShift: uses the operator-created ConfigMap with CNO injection
-// On vanilla K8s: uses a user-specified ConfigMap (which can be managed manually or by trust-manager)
-func MountCASpec(pulp *pulpv1.Pulp, volumes []corev1.Volume, volumeMounts []corev1.VolumeMount) ([]corev1.Volume, []corev1.VolumeMount) {
-
-	if pulp.Spec.TrustedCa {
-		var configMapName string
-		var configMapKey string
-
-		// Determine ConfigMap name and key based on configuration
-		if len(pulp.Spec.TrustedCaConfigMapKey) > 0 {
-			// Vanilla K8s mode: parse "configmap-name:key" format
-			// If no separator, assume it's just the ConfigMap name and use the first key in the map
-			parts := strings.Split(pulp.Spec.TrustedCaConfigMapKey, ":")
-			if len(parts) == 2 {
-				configMapName = parts[0]
-				configMapKey = parts[1]
-			} else {
-				// Just ConfigMap name provided, use empty key to get first key in map
-				configMapName = parts[0]
-				configMapKey = ""
-			}
-		} else {
-			// OpenShift mode: use the operator-created ConfigMap with CNO injection
-			configMapName = settings.EmptyCAConfigMapName(pulp.Name)
-			configMapKey = "ca-bundle.crt"
-		}
-
-		// trustedCAVolume contains the configmap with the custom ca bundle
-		defaultMode := int32(420)
-		configMapVolumeSource := &corev1.ConfigMapVolumeSource{
-			LocalObjectReference: corev1.LocalObjectReference{
-				Name: configMapName,
-			},
-			DefaultMode: &defaultMode,
-		}
-
-		// If a specific key is provided, map it to the expected path
-		// Otherwise, mount all keys from the ConfigMap (first key will be used)
-		if configMapKey != "" {
-			configMapVolumeSource.Items = []corev1.KeyToPath{
-				{Key: configMapKey, Path: "tls-ca-bundle.pem"},
-			}
-		}
-
-		trustedCAVolume := corev1.Volume{
-			Name: "trusted-ca",
-			VolumeSource: corev1.VolumeSource{
-				ConfigMap: configMapVolumeSource,
-			},
-		}
-		volumes = append(volumes, trustedCAVolume)
-
-		// trustedCAMount defines the mount point of the configmap
-		// with the custom ca bundle
-		trustedCAMount := corev1.VolumeMount{
-			Name:      "trusted-ca",
-			MountPath: "/etc/pki/ca-trust/extracted/pem",
-			ReadOnly:  true,
-		}
-		volumeMounts = append(volumeMounts, trustedCAMount)
-	}
-
-	return volumes, volumeMounts
-}
-
 // GetRouteHost defines route host based on ingress default cluster domain if no .spec.route_host defined
 func GetRouteHost(pulp *pulpv1.Pulp) string {
 	if len(pulp.Spec.RouteHost) == 0 {

controllers/ocp/utils.go

@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	pulpv1 "github.com/pulp/pulp-operator/apis/repo-manager.pulpproject.org/v1"
+	"github.com/pulp/pulp-operator/controllers"
 	"github.com/pulp/pulp-operator/controllers/settings"
 	corev1 "k8s.io/api/core/v1"
 )
@@ -35,7 +36,8 @@ func TestMountCASpec_Disabled(t *testing.T) {
 	volumes := []corev1.Volume{}
 	volumeMounts := []corev1.VolumeMount{}
 
-	resultVolumes, resultVolumeMounts := MountCASpec(pulp, volumes, volumeMounts)
+	resultVolumes := controllers.SetCAVolumes(pulp, volumes)
+	resultVolumeMounts := controllers.SetCAVolumeMounts(pulp, volumeMounts)
 
 	if len(resultVolumes) != 0 {
 		t.Errorf("Expected 0 volumes when TrustedCa is false, got %d", len(resultVolumes))
@@ -52,15 +54,16 @@ func TestMountCASpec_OpenShiftMode(t *testing.T) {
 	pulp := &pulpv1.Pulp{
 		Spec: pulpv1.PulpSpec{
 			TrustedCa:             true,
-			TrustedCaConfigMapKey: "", // Empty means OpenShift mode
+			TrustedCaConfigMapKey: nil, // Empty means OpenShift mode
 		},
 	}
 	pulp.Name = pulpName
 
 	volumes := []corev1.Volume{}
 	volumeMounts := []corev1.VolumeMount{}
 
-	resultVolumes, resultVolumeMounts := MountCASpec(pulp, volumes, volumeMounts)
+	resultVolumes := controllers.SetCAVolumes(pulp, volumes)
+	resultVolumeMounts := controllers.SetCAVolumeMounts(pulp, volumeMounts)
 
 	// Verify we got exactly one volume and one mount
 	if len(resultVolumes) != 1 {
@@ -117,15 +120,16 @@ func TestMountCASpec_TrustManagerMode(t *testing.T) {
 	pulp := &pulpv1.Pulp{
 		Spec: pulpv1.PulpSpec{
 			TrustedCa:             true,
-			TrustedCaConfigMapKey: configMapName, // Just ConfigMap name, no ":"
+			TrustedCaConfigMapKey: &configMapName, // Just ConfigMap name, no ":"
 		},
 	}
 	pulp.Name = pulpName
 
 	volumes := []corev1.Volume{}
 	volumeMounts := []corev1.VolumeMount{}
 
-	resultVolumes, resultVolumeMounts := MountCASpec(pulp, volumes, volumeMounts)
+	resultVolumes := controllers.SetCAVolumes(pulp, volumes)
+	resultVolumeMounts := controllers.SetCAVolumeMounts(pulp, volumeMounts)
 
 	// Verify we got exactly one volume and one mount
 	if len(resultVolumes) != 1 {
@@ -176,15 +180,13 @@ func TestMountCASpec_CustomKey(t *testing.T) {
 	pulp := &pulpv1.Pulp{
 		Spec: pulpv1.PulpSpec{
 			TrustedCa:             true,
-			TrustedCaConfigMapKey: separatorFormat,
+			TrustedCaConfigMapKey: &separatorFormat,
 		},
 	}
 	pulp.Name = pulpName
 
 	volumes := []corev1.Volume{}
-	volumeMounts := []corev1.VolumeMount{}
-
-	resultVolumes, _ := MountCASpec(pulp, volumes, volumeMounts)
+	resultVolumes := controllers.SetCAVolumes(pulp, volumes)
 
 	if len(resultVolumes) != 1 {
 		t.Fatalf("Expected 1 volume, got %d", len(resultVolumes))
@@ -206,10 +208,11 @@ func TestMountCASpec_CustomKey(t *testing.T) {
 
 // TestMountCASpec_PreservesExistingVolumes verifies that existing volumes are preserved
 func TestMountCASpec_PreservesExistingVolumes(t *testing.T) {
+	configMapName := "my-bund:ca-bundle.crt"
 	pulp := &pulpv1.Pulp{
 		Spec: pulpv1.PulpSpec{
 			TrustedCa:             true,
-			TrustedCaConfigMapKey: "my-bundle:ca-bundle.crt",
+			TrustedCaConfigMapKey: &configMapName,
 		},
 	}
 	pulp.Name = "test-pulp"
@@ -224,7 +227,8 @@ func TestMountCASpec_PreservesExistingVolumes(t *testing.T) {
 		{Name: "existing-mount-2"},
 	}
 
-	resultVolumes, resultVolumeMounts := MountCASpec(pulp, existingVolumes, existingVolumeMounts)
+	resultVolumes := controllers.SetCAVolumes(pulp, existingVolumes)
+	resultVolumeMounts := controllers.SetCAVolumeMounts(pulp, existingVolumeMounts)
 
 	// Should have 3 volumes (2 existing + 1 new)
 	if len(resultVolumes) != 3 {
@@ -269,15 +273,16 @@ func TestMountCASpec_SeparatorFormat(t *testing.T) {
 	pulp := &pulpv1.Pulp{
 		Spec: pulpv1.PulpSpec{
 			TrustedCa:             true,
-			TrustedCaConfigMapKey: separatorFormat,
+			TrustedCaConfigMapKey: &separatorFormat,
 		},
 	}
 	pulp.Name = pulpName
 
 	volumes := []corev1.Volume{}
 	volumeMounts := []corev1.VolumeMount{}
 
-	resultVolumes, resultVolumeMounts := MountCASpec(pulp, volumes, volumeMounts)
+	resultVolumes := controllers.SetCAVolumes(pulp, volumes)
+	resultVolumeMounts := controllers.SetCAVolumeMounts(pulp, volumeMounts)
 
 	// Verify we got exactly one volume and one mount
 	if len(resultVolumes) != 1 {
@@ -361,12 +366,12 @@ func TestMountCASpec_MountPathConsistency(t *testing.T) {
 			pulp := &pulpv1.Pulp{
 				Spec: pulpv1.PulpSpec{
 					TrustedCa:             tc.trustedCa,
-					TrustedCaConfigMapKey: tc.trustedCaConfigMapKey,
+					TrustedCaConfigMapKey: &tc.trustedCaConfigMapKey,
 				},
 			}
 			pulp.Name = pulpName
 
-			_, resultVolumeMounts := MountCASpec(pulp, []corev1.Volume{}, []corev1.VolumeMount{})
+			resultVolumeMounts := controllers.SetCAVolumeMounts(pulp, []corev1.VolumeMount{})
 
 			if len(resultVolumeMounts) != 1 {
 				t.Fatalf("Expected 1 volumeMount, got %d", len(resultVolumeMounts))

controllers/ocp/utils_test.go

@@ -251,7 +251,7 @@ PulpSpec defines the desired state of Pulp
 | sa_labels | ServiceAccount.metadata.labels that will be used in Pulp pods. | map[string]string | false |
 | sso_secret | Secret where Single Sign-on configuration can be found | string | false |
 | mount_trusted_ca | Enable mounting of custom CA certificates. On OpenShift, mounts CA certificates added to the cluster via cluster-wide proxy config. On vanilla Kubernetes with cert-manager's trust-manager, requires mount_trusted_ca_configmap_key to specify the ConfigMap and key containing the CA bundle. Default: false | bool | false |
-| mount_trusted_ca_configmap_key | Specifies the ConfigMap and key containing the CA bundle for vanilla Kubernetes clusters. The ConfigMap can be managed manually or kept up to date using cert-manager's trust-manager. Format: \"configmap-name:key\" (e.g., \"vault-ca-defaults-bundle:ca.crt\") Required on vanilla Kubernetes when mount_trusted_ca is true. Optional on OpenShift. | string | false |
+| mount_trusted_ca_configmap_key | Specifies the ConfigMap and key containing the CA bundle for vanilla Kubernetes clusters. The ConfigMap can be managed manually or kept up to date using cert-manager's trust-manager. Format: \"configmap-name:key\" (e.g., \"vault-ca-defaults-bundle:ca.crt\") Required on vanilla Kubernetes when mount_trusted_ca is true. Optional on OpenShift. | *string | false |
 | admin_password_job | Job to reset pulp admin password | [PulpJob](#pulpjob) | false |
 | migration_job | Job to run django migrations | [PulpJob](#pulpjob) | false |
 | signing_job | Job to store signing metadata scripts | [PulpJob](#pulpjob) | false |

controllers/repo_manager/README.md

@@ -0,0 +1,51 @@
+package repo_manager
+
+import (
+	"context"
+
+	pulpv1 "github.com/pulp/pulp-operator/apis/repo-manager.pulpproject.org/v1"
+	"github.com/pulp/pulp-operator/controllers"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (r *RepoManagerReconciler) configMapTasks(ctx context.Context, pulp *pulpv1.Pulp) (*ctrl.Result, error) {
+
+	needsPulpcoreRestart := false
+
+	// if mount_trusted_ca_configmap_key is defined, check if it was modified
+	if pulp.Spec.TrustedCaConfigMapKey != nil {
+		trustedCAConfigMap := &corev1.ConfigMap{}
+		caConfigMapName, _ := controllers.SplitCAConfigMapNameKey(*pulp)
+
+		r.Get(ctx, types.NamespacedName{Name: caConfigMapName, Namespace: pulp.Namespace}, trustedCAConfigMap)
+		if r.caConfigMapChanged(ctx, trustedCAConfigMap) {
+			needsPulpcoreRestart = true
+		}
+	}
+
+	// TODO: check pulp-web configmap change
+
+	// restart pulpcore pods if any of the configmaps changed
+	if needsPulpcoreRestart {
+		r.restartPulpCorePods(ctx, pulp)
+		return &ctrl.Result{Requeue: true}, nil
+	}
+	return nil, nil
+}
+
+func (r *RepoManagerReconciler) caConfigMapChanged(ctx context.Context, cm *corev1.ConfigMap) bool {
+	currentHash := controllers.GetCurrentHash(cm)
+	calculatedHash := controllers.CalculateHash(cm.Data)
+
+	if currentHash == calculatedHash {
+		return false
+	}
+
+	controllers.SetHashLabel(calculatedHash, cm)
+	if err := r.Update(ctx, cm); err != nil {
+		r.RawLogger.Error(err, "Failed to update "+cm.Name+" ConfigMap label!")
+	}
+	return true
+}

controllers/repo_manager/configmap.go

@@ -194,6 +194,11 @@ func pulpCoreTasks(ctx context.Context, pulp *pulpv1.Pulp, r RepoManagerReconcil
 		return pulpController, err
 	}
 
+	log.V(1).Info("Running configMap tasks ...")
+	if pulpController, err := r.configMapTasks(ctx, pulp); pulpController != nil || err != nil {
+		return pulpController, err
+	}
+
 	log.V(1).Info("Running API tasks")
 	if pulpController, err := r.pulpApiController(ctx, pulp, log); needsRequeue(err, pulpController) {
 		return &pulpController, err
@@ -329,6 +334,10 @@ func indexerFunc(obj client.Object) []string {
 	if customSettings := pulp.Spec.CustomPulpSettings; customSettings != "" {
 		keys = append(keys, customSettings)
 	}
+	if pulp.Spec.TrustedCaConfigMapKey != nil {
+		caConfigMap, _ := controllers.SplitCAConfigMapNameKey(*pulp)
+		keys = append(keys, caConfigMap)
+	}
 
 	return keys
 }