Skip to content

CM-871: TrustManager: cluster FeatureGate discovery, fail-closed gating, and certmanager package rename #383

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 5 commits into from
Apr 6, 2026
Merged

CM-871: TrustManager: cluster FeatureGate discovery, fail-closed gating, and certmanager package rename #383

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e5f6de7
CM-871: Renames cert-manager controller package to certmanager
bharath-b-rh Mar 31, 2026
b91eb48
CM-871: Adds vendor code required for feature gate tests
bharath-b-rh Mar 31, 2026
efa0994
CM-871: Add TrustManager featureSet gating via FeatureGate resource d…
bharath-b-rh Mar 31, 2026
b11a063
CM-871: Adds RBAC to read featuregate resource
bharath-b-rh Mar 31, 2026
3d63af2
CM-871: incorporate review suggestions
bharath-b-rh Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions api/operator/v1alpha1/features.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (
)

var (
// IstioCSR enables the controller for istiocsr.operator.openshift.io resource,
// FeatureIstioCSR enables the controller for istiocsr.operator.openshift.io resource,
// which extends cert-manager-operator to deploy and manage the istio-csr agent.
// OpenShift Service Mesh facilitates the integration and istio-csr is an agent that
// allows Istio workload and control plane components to be secured using cert-manager.
Expand All @@ -14,7 +14,7 @@ var (
// https://github.com/openshift/enhancements/blob/master/enhancements/cert-manager/istio-csr-controller.md
FeatureIstioCSR featuregate.Feature = "IstioCSR"

// TrustManager enables the controller for trustmanagers.operator.openshift.io resource,
// FeatureTrustManager enables the controller for trustmanagers.operator.openshift.io resource,
// which extends cert-manager-operator to deploy and manage the trust-manager operand.
// trust-manager provides a way to manage trust bundles in OpenShift clusters.
//
Expand Down
6 changes: 6 additions & 0 deletions bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -407,6 +407,12 @@ spec:
spec:
clusterPermissions:
- rules:
- apiGroups:
- config.openshift.io
resources:
- featuregates
verbs:
- get
- apiGroups:
- ""
resources:
Expand Down
17 changes: 17 additions & 0 deletions config/rbac/featuregate_clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: featuregate-reader
app.kubernetes.io/instance: featuregate-reader
app.kubernetes.io/created-by: cert-manager-operator
app.kubernetes.io/part-of: cert-manager-operator
app.kubernetes.io/managed-by: kustomize
name: featuregate-reader
rules:
- apiGroups:
- config.openshift.io
resources:
- featuregates
verbs:
- get
18 changes: 18 additions & 0 deletions config/rbac/featuregate_clusterrole_binding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: featuregate-reader
app.kubernetes.io/instance: featuregate-reader
app.kubernetes.io/created-by: cert-manager-operator
app.kubernetes.io/part-of: cert-manager-operator
app.kubernetes.io/managed-by: kustomize
name: featuregate-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: featuregate-reader
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
4 changes: 4 additions & 0 deletions config/rbac/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,7 @@ resources:
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
# RBAC for reading featuregates.config.openshift.io resource to determine
# feature enabling.
- featuregate_clusterrole.yaml
- featuregate_clusterrole_binding.yaml
6 changes: 3 additions & 3 deletions ...ent/cert_manager_cainjector_deployment.go → ...ger/cert_manager_cainjector_deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"k8s.io/client-go/informers"
Expand All @@ -14,7 +14,7 @@ import (

"github.com/openshift/cert-manager-operator/pkg/operator/assets"
certmanoperatorinformers "github.com/openshift/cert-manager-operator/pkg/operator/informers/externalversions"
"github.com/openshift/cert-manager-operator/pkg/operator/optionalinformer"
"github.com/openshift/cert-manager-operator/pkg/operator/utils"
)

const (
Expand Down Expand Up @@ -51,7 +51,7 @@ func NewCertManagerCAInjectorStaticResourcesController(operatorClient v1helpers.

func NewCertManagerCAInjectorDeploymentController(operatorClient v1helpers.OperatorClientWithFinalizers,
certManagerOperatorInformers certmanoperatorinformers.SharedInformerFactory,
infraInformers optionalinformer.OptionalInformer[configinformers.SharedInformerFactory],
infraInformers utils.OptionalInformer[configinformers.SharedInformerFactory],
kubeClient kubernetes.Interface,
kubeInformersForTargetNamespace informers.SharedInformerFactory,
eventsRecorder events.Recorder, targetVersion string, versionRecorder status.VersionGetter,
Expand Down
7 changes: 4 additions & 3 deletions ...ent/cert_manager_controller_deployment.go → ...ger/cert_manager_controller_deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"k8s.io/client-go/informers"
Expand All @@ -14,7 +14,7 @@ import (

"github.com/openshift/cert-manager-operator/pkg/operator/assets"
certmanoperatorinformers "github.com/openshift/cert-manager-operator/pkg/operator/informers/externalversions"
"github.com/openshift/cert-manager-operator/pkg/operator/optionalinformer"
"github.com/openshift/cert-manager-operator/pkg/operator/utils"
)

const (
Expand Down Expand Up @@ -70,11 +70,12 @@ func NewCertManagerControllerStaticResourcesController(operatorClient v1helpers.

func NewCertManagerControllerDeploymentController(operatorClient v1helpers.OperatorClientWithFinalizers,
certManagerOperatorInformers certmanoperatorinformers.SharedInformerFactory,
infraInformers optionalinformer.OptionalInformer[configinformers.SharedInformerFactory],
infraInformers utils.OptionalInformer[configinformers.SharedInformerFactory],
kubeClient kubernetes.Interface,
kubeInformersForTargetNamespace informers.SharedInformerFactory,
eventsRecorder events.Recorder, targetVersion string, versionRecorder status.VersionGetter, trustedCAConfigmapName, cloudCredentialsSecretName string) factory.Controller {
return newGenericDeploymentController(

certManagerControllerDeploymentControllerName,
targetVersion,
certManagerControllerDeploymentFile,
Expand Down
6 changes: 3 additions & 3 deletions ...deployment/cert_manager_controller_set.go → ...ertmanager/cert_manager_controller_set.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"k8s.io/client-go/informers"
Expand All @@ -12,7 +12,7 @@ import (
"github.com/openshift/library-go/pkg/operator/v1helpers"

certmanoperatorinformers "github.com/openshift/cert-manager-operator/pkg/operator/informers/externalversions"
"github.com/openshift/cert-manager-operator/pkg/operator/optionalinformer"
"github.com/openshift/cert-manager-operator/pkg/operator/utils"
)

type CertManagerControllerSet struct {
Expand All @@ -30,7 +30,7 @@ func NewCertManagerControllerSet(
kubeClient kubernetes.Interface,
kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
kubeInformersForTargetNamespace informers.SharedInformerFactory,
infraInformers optionalinformer.OptionalInformer[configinformers.SharedInformerFactory],
infraInformers utils.OptionalInformer[configinformers.SharedInformerFactory],
operatorClient v1helpers.OperatorClientWithFinalizers,
certManagerOperatorInformers certmanoperatorinformers.SharedInformerFactory,
kubeClientContainer *resourceapply.ClientHolder,
Expand Down
2 changes: 1 addition & 1 deletion .../deployment/cert_manager_networkpolicy.go → ...certmanager/cert_manager_networkpolicy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"context"
Expand Down
6 changes: 3 additions & 3 deletions ...oyment/cert_manager_webhook_deployment.go → ...anager/cert_manager_webhook_deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"k8s.io/client-go/informers"
Expand All @@ -14,7 +14,7 @@ import (

"github.com/openshift/cert-manager-operator/pkg/operator/assets"
certmanoperatorinformers "github.com/openshift/cert-manager-operator/pkg/operator/informers/externalversions"
"github.com/openshift/cert-manager-operator/pkg/operator/optionalinformer"
"github.com/openshift/cert-manager-operator/pkg/operator/utils"
)

const (
Expand Down Expand Up @@ -52,7 +52,7 @@ func NewCertManagerWebhookStaticResourcesController(operatorClient v1helpers.Ope

func NewCertManagerWebhookDeploymentController(operatorClient v1helpers.OperatorClientWithFinalizers,
certManagerOperatorInformers certmanoperatorinformers.SharedInformerFactory,
infraInformers optionalinformer.OptionalInformer[configinformers.SharedInformerFactory],
infraInformers utils.OptionalInformer[configinformers.SharedInformerFactory],
kubeclient kubernetes.Interface,
kubeInformersForTargetNamespace informers.SharedInformerFactory,
eventsRecorder events.Recorder, targetVersion string, versionRecorder status.VersionGetter, trustedCAConfigmapName, cloudCredentialsSecretName string) factory.Controller {
Expand Down
2 changes: 1 addition & 1 deletion ...ller/deployment/certmanager_controller.go → ...ler/certmanager/certmanager_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

package deployment
package certmanager

import (
"context"
Expand Down
2 changes: 1 addition & 1 deletion pkg/controller/deployment/common.go → pkg/controller/certmanager/common.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

const (
operatorName = "cert-manager"
Expand Down
2 changes: 1 addition & 1 deletion ...troller/deployment/credentials_request.go → ...roller/certmanager/credentials_request.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"fmt"
Expand Down
2 changes: 1 addition & 1 deletion ...oyment/default_cert_manager_controller.go → ...anager/default_cert_manager_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"context"
Expand Down
2 changes: 1 addition & 1 deletion ...ontroller/deployment/deployment_helper.go → ...ntroller/certmanager/deployment_helper.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"fmt"
Expand Down
2 changes: 1 addition & 1 deletion ...ller/deployment/deployment_helper_test.go → ...ler/certmanager/deployment_helper_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"testing"
Expand Down
2 changes: 1 addition & 1 deletion ...roller/deployment/deployment_log_level.go → ...oller/certmanager/deployment_log_level.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
appsv1 "k8s.io/api/apps/v1"
Expand Down
2 changes: 1 addition & 1 deletion ...roller/deployment/deployment_overrides.go → ...oller/certmanager/deployment_overrides.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"fmt"
Expand Down
2 changes: 1 addition & 1 deletion ...r/deployment/deployment_overrides_test.go → .../certmanager/deployment_overrides_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"reflect"
Expand Down
2 changes: 1 addition & 1 deletion ...oyment/deployment_overrides_validation.go → ...anager/deployment_overrides_validation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"fmt"
Expand Down
2 changes: 1 addition & 1 deletion ...t/deployment_overrides_validation_test.go → ...r/deployment_overrides_validation_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"testing"
Expand Down
2 changes: 1 addition & 1 deletion ...yment/deployment_unsupported_overrides.go → ...nager/deployment_unsupported_overrides.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"encoding/json"
Expand Down
6 changes: 3 additions & 3 deletions ...ployment/generic_deployment_controller.go → ...tmanager/generic_deployment_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"k8s.io/client-go/informers"
Expand All @@ -14,14 +14,14 @@ import (

"github.com/openshift/cert-manager-operator/pkg/operator/assets"
certmanoperatorinformers "github.com/openshift/cert-manager-operator/pkg/operator/informers/externalversions"
"github.com/openshift/cert-manager-operator/pkg/operator/optionalinformer"
"github.com/openshift/cert-manager-operator/pkg/operator/utils"
)

func newGenericDeploymentController(
controllerName, targetVersion, deploymentFile string,
operatorClient v1helpers.OperatorClientWithFinalizers,
certManagerOperatorInformers certmanoperatorinformers.SharedInformerFactory,
infraInformers optionalinformer.OptionalInformer[configinformers.SharedInformerFactory],
infraInformers utils.OptionalInformer[configinformers.SharedInformerFactory],
kubeClient kubernetes.Interface,
kubeInformersForTargetNamespace informers.SharedInformerFactory,
eventsRecorder events.Recorder,
Expand Down
2 changes: 1 addition & 1 deletion pkg/controller/deployment/related_images.go → pkg/controller/certmanager/related_images.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"os"
Expand Down
2 changes: 1 addition & 1 deletion ...troller/deployment/related_images_test.go → ...roller/certmanager/related_images_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package deployment
package certmanager

import (
"os"
Expand Down
Loading