CM-1040: Extract shared ApplyResource helper and migrate istiocsr to SSA

[sebrandon1]

Summary

• Adds a generic common.ApplyResource[T]() helper for SSA-based reconciliation with pluggable drift detection callbacks
• Migrates trustmanager's 11 createOrApply methods to use the shared helper
• Migrates istiocsr's 8 simple createOrApply methods from Create/UpdateWithRetry to SSA via the shared helper
• Keeps istiocsr's complex ClusterRole/ClusterRoleBinding methods unchanged (they use GenerateName + List fallback + Delete for immutable RoleRef)
• Drops istioCSRCreateRecon warning events from migrated methods (SSA is inherently idempotent)
• Net -501 lines of duplicated boilerplate

Test plan

• go test ./pkg/controller/common/... passes
• go test ./pkg/controller/istiocsr/... passes
• go test ./pkg/controller/trustmanager/... passes
• go build ./... succeeds
• make lint shows only pre-existing issues (9 total, none introduced)

Summary by CodeRabbit

• Refactoring
  • Unified resource reconciliation to use server-side apply across controllers for more consistent, reliable deployments.
  • Simplified and standardized reconciliation flows, reducing duplicate logic and improving idempotency.
  • Error messages standardized and clarified for resource apply/check failures, making troubleshooting clearer.

[openshift-ci-robot]

@sebrandon1: This pull request references CM-1040 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Adds a generic common.ApplyResource[T]() helper for SSA-based reconciliation with pluggable drift detection callbacks
• Migrates trustmanager's 11 createOrApply methods to use the shared helper
• Migrates istiocsr's 8 simple createOrApply methods from Create/UpdateWithRetry to SSA via the shared helper
• Keeps istiocsr's complex ClusterRole/ClusterRoleBinding methods unchanged (they use GenerateName + List fallback + Delete for immutable RoleRef)
• Drops istioCSRCreateRecon warning events from migrated methods (SSA is inherently idempotent)
• Net -501 lines of duplicated boilerplate

Test plan

• go test ./pkg/controller/common/... passes
• go test ./pkg/controller/istiocsr/... passes
• go test ./pkg/controller/trustmanager/... passes
• go build ./... succeeds
• make lint shows only pre-existing issues (9 total, none introduced)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds a generic Server-Side Apply utility ApplyResource[T client.Object] and migrates many controller reconciliation paths (IstioCSR, TrustManager) to use it. Per-resource manual exists/patch/create logic and an istioCSRCreateRecon flag are removed; resource label/namespace handling and tests updated for SSA/patch semantics and messaging.

Changes

Generic Resource Applier and Controller Refactor

Layer / File(s)	Summary
Generic Applier Foundation pkg/controller/common/applier.go	New generic ApplyResource[T client.Object] implementing existence check, drift detection via a hasChanged callback, Server-Side Apply (SSA) patch with forced ownership and field owner, structured logging, event recording, and client error propagation.
Constants / Ownership pkg/controller/istiocsr/constants.go	Added unexported fieldOwner = "istio-csr-controller" constant used as SSA field owner.
Controller Entrypoints / Labeling pkg/controller/istiocsr/install_istiocsr.go	Introduced centralized resourceLabels assembly; removed istioCSRCreateRecon parameter from networkpolicies/services/serviceaccounts/certificates reconciliation calls.
IstioCSR Resource Migration pkg/controller/istiocsr/networkpolicies.go, .../services.go, .../serviceaccounts.go, .../certificates.go	Replaced manual exists/patch/create flows with ApplyResource calls; asset decoding now enforces target namespace and merges resourceLabels (uses maps.Copy), and per-resource functions drop the istioCSRCreateRecon flag.
IstioCSR RBAC Expansion pkg/controller/istiocsr/rbacs.go	Added apply-based reconciliation helpers for Roles, RoleBindings, and lease-related Role/RoleBinding resources; all are reconciled through ApplyResource with appropriate drift predicates.
TrustManager Migration pkg/controller/trustmanager/certificates.go, .../deployments.go, .../serviceaccounts.go, .../services.go, .../rbacs.go, .../webhooks.go	Reconciler functions replaced manual existence/patch logic with ApplyResource calls; preserved per-resource *Modified predicates and consolidated annotation/ClientConfig handling (webhooks). Imports trimmed to match new implementation.
Tests / Messaging pkg/controller/istiocsr/*_test.go, pkg/controller/trustmanager/*_test.go	Updated tests to the SSA/patch apply path: replaced create/update expectations with Patch/PatchReturns, removed istioCSRCreateRecon test parameters, and adjusted expected error messages to resource-level phrasing (capitalized resource names and "failed to check if ", "failed to apply ").

sequenceDiagram
  participant Reconciler as Reconciler
  participant ApplyUtil as ApplyResource
  participant API as Kubernetes API Server
  participant Recorder as EventRecorder
  participant Logger as Logger

  Reconciler->>ApplyUtil: Call ApplyResource(ctx, client, logger, recorder, owner, desired, existing, fieldOwner, hasChanged)
  ApplyUtil->>API: Get resource (exists check)
  API-->>ApplyUtil: Exists / NotFound / Error
  alt exists & hasChanged==false
    ApplyUtil->>Logger: emit debug "no drift, skipping"
    ApplyUtil-->>Reconciler: return nil
  else not exists or hasChanged==true
    ApplyUtil->>API: Server-Side Apply (Patch, Force=true, FieldManager=fieldOwner)
    API-->>ApplyUtil: Success / Error
    alt success
      ApplyUtil->>Recorder: Event(fmt.Sprintf("Applied %s/%s", ns, name))
      ApplyUtil->>Logger: emit info "applied resource"
      ApplyUtil-->>Reconciler: return nil
    else error
      ApplyUtil->>Logger: emit error
      ApplyUtil-->>Reconciler: return propagated error
    end
  end

Loading

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: extracting a shared ApplyResource helper and migrating istiocsr to Server-Side Apply (SSA), which aligns with the changeset's primary objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Custom check is not applicable. This PR does not use Ginkgo test framework. All tests use Go's standard testing.T with table-driven patterns. All test names are static strings with no dynamic content.
Test Structure And Quality	✅ Passed	Tests meet all quality requirements: single responsibility via table-driven tests, proper setup/cleanup, appropriate timeouts for unit tests, meaningful assertion messages, and consistent Go patterns.
Microshift Test Compatibility	✅ Passed	This PR adds no Ginkgo e2e tests. All changes are to controller production code and existing unit tests using the standard Go testing package. No MicroShift compatibility assessment required.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests. All changes are to unit tests in pkg/controller/ using standard Go testing.T. Custom check for SNO compatibility of e2e tests is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only refactors controller reconciliation methods to use a shared ApplyResource helper. No deployment manifests are added or modified, and no scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains no OTE Binary Stdout Contract violations. All new code uses structured logr.Logger logging, no fmt.Print/klog writes at process level, and no suite setup modifications.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. All test files use Go's standard testing package (testing.T), not Ginkgo framework. The custom check only applies to Ginkgo e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign mytreya-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/controller/istiocsr/install_instiocsr_test.go (1)

68-84: ⚡ Quick win

Preserve generated-name simulation for ClusterRole in these fakes.

createOrApplyClusterRoles() still depends on Create mutating the object with a generated name before status is written and before the ClusterRoleBinding gets its RoleRef.Name. These stubs only backfill ClusterRoleBinding, so the test can still pass even if the role name is left empty. I'd add a *rbacv1.ClusterRole branch in each CreateCalls block as well.

Representative tweak

m.CreateCalls(func(ctx context.Context, obj client.Object, option ...client.CreateOption) error {
	switch o := obj.(type) {
+	case *rbacv1.ClusterRole:
+		role := testClusterRole()
+		role.DeepCopyInto(o)
 	case *appsv1.Deployment:
 		if !reflect.DeepEqual(o.GetLabels(), labels) {
 			return fmt.Errorf("labels mismatch in %v resource; got: %v, want: %v", o, o.GetLabels(), labels)
 		}

Also applies to: 110-117, 131-138

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/istiocsr/install_instiocsr_test.go` around lines 68 - 84, The
CreateCalls test stubs need to simulate Create mutating a ClusterRole with a
generated name so createOrApplyClusterRoles() sees a non-empty Role.Name; update
the CreateCalls handlers (the ones that currently switch over *appsv1.Deployment
and *rbacv1.ClusterRoleBinding) to also include a case for *rbacv1.ClusterRole
that sets o.Name to a generated value (e.g., append "-generated" or a
deterministic string) and preserves labels so subsequent logic that reads the
ClusterRole's name (and the ClusterRoleBinding RoleRef.Name) behaves as in real
Create; apply this same addition to the other CreateCalls blocks mentioned.

pkg/controller/trustmanager/webhooks_test.go (1)

207-221: ⚡ Quick win

Keep the error assertion specific to the webhook config.

ApplyResource still includes the resource name in the returned error, so shortening these expectations to just failed to ... resource makes this table much less discriminating. A wrong object name or an extra apply call in this path would still satisfy the assertion. I'd keep the expected substring specific to trustManagerWebhookConfigName here, and mirror that in the other migrated reconciliation tests.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/trustmanager/webhooks_test.go` around lines 207 - 221, The
test's error expectation is too generic; update the table entries (the case with
name "patch error propagates" and similar migrated reconciliation tests) to
assert the error message includes the specific webhook resource name by matching
the substring that contains trustManagerWebhookConfigName (the Reconciler's
ApplyResource error includes the resource name), e.g. expect the returned error
to contain trustManagerWebhookConfigName along with "failed to apply resource",
and adjust other tests that assert "failed to check if resource" / "failed to
apply resource" to similarly include trustManagerWebhookConfigName so the
assertions target the specific webhook config rather than any resource.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/common/applier.go`:
- Around line 33-36: The resourceName construction in applier.go currently uses
fmt.Sprintf("%s/%s", desired.GetNamespace(), desired.GetName()) which yields
"/name" for cluster-scoped objects; change the logic to detect an empty
namespace (desired.GetNamespace() == "") and build resourceName as just
desired.GetName(), otherwise build it as namespace + "/" + name so
cluster-scoped resources do not get a leading slash; update any use of the
existing resourceName variable accordingly.

---

Nitpick comments:
In `@pkg/controller/istiocsr/install_instiocsr_test.go`:
- Around line 68-84: The CreateCalls test stubs need to simulate Create mutating
a ClusterRole with a generated name so createOrApplyClusterRoles() sees a
non-empty Role.Name; update the CreateCalls handlers (the ones that currently
switch over *appsv1.Deployment and *rbacv1.ClusterRoleBinding) to also include a
case for *rbacv1.ClusterRole that sets o.Name to a generated value (e.g., append
"-generated" or a deterministic string) and preserves labels so subsequent logic
that reads the ClusterRole's name (and the ClusterRoleBinding RoleRef.Name)
behaves as in real Create; apply this same addition to the other CreateCalls
blocks mentioned.

In `@pkg/controller/trustmanager/webhooks_test.go`:
- Around line 207-221: The test's error expectation is too generic; update the
table entries (the case with name "patch error propagates" and similar migrated
reconciliation tests) to assert the error message includes the specific webhook
resource name by matching the substring that contains
trustManagerWebhookConfigName (the Reconciler's ApplyResource error includes the
resource name), e.g. expect the returned error to contain
trustManagerWebhookConfigName along with "failed to apply resource", and adjust
other tests that assert "failed to check if resource" / "failed to apply
resource" to similarly include trustManagerWebhookConfigName so the assertions
target the specific webhook config rather than any resource.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 683e1b36-07c6-463b-8cd3-d29a46add8d5

📥 Commits

Reviewing files that changed from the base of the PR and between a2e7514 and f8b7c81.

📒 Files selected for processing (26)

• pkg/controller/common/applier.go
• pkg/controller/istiocsr/certificates.go
• pkg/controller/istiocsr/certificates_test.go
• pkg/controller/istiocsr/constants.go
• pkg/controller/istiocsr/install_instiocsr_test.go
• pkg/controller/istiocsr/install_istiocsr.go
• pkg/controller/istiocsr/networkpolicies.go
• pkg/controller/istiocsr/rbacs.go
• pkg/controller/istiocsr/rbacs_test.go
• pkg/controller/istiocsr/serviceaccounts.go
• pkg/controller/istiocsr/serviceaccounts_test.go
• pkg/controller/istiocsr/services.go
• pkg/controller/istiocsr/services_test.go
• pkg/controller/trustmanager/certificates.go
• pkg/controller/trustmanager/certificates_test.go
• pkg/controller/trustmanager/controller_test.go
• pkg/controller/trustmanager/deployments.go
• pkg/controller/trustmanager/deployments_test.go
• pkg/controller/trustmanager/rbacs.go
• pkg/controller/trustmanager/rbacs_test.go
• pkg/controller/trustmanager/serviceaccounts.go
• pkg/controller/trustmanager/serviceaccounts_test.go
• pkg/controller/trustmanager/services.go
• pkg/controller/trustmanager/services_test.go
• pkg/controller/trustmanager/webhooks.go
• pkg/controller/trustmanager/webhooks_test.go

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/controller/istiocsr/serviceaccounts_test.go (1)

22-25: ⚡ Quick win

Cover the no-op branch explicitly.

Now that this table has assertCalls, the "serviceaccount reconciliation successful" case should also assert PatchCallCount() == 0. Right now that case still passes if ApplyResource starts patching unchanged ServiceAccounts on every reconcile, which is one of the main regression risks in this SSA migration.

Suggested assertion

 		{
 			name: "serviceaccount reconciliation successful",
 			preReq: func(r *Reconciler, m *fakes.FakeCtrlClient) {
 				m.ExistsCalls(func(ctx context.Context, ns types.NamespacedName, obj client.Object) (bool, error) {
 					switch o := obj.(type) {
 					case *corev1.ServiceAccount:
 						serviceaccount := testServiceAccount()
 						serviceaccount.DeepCopyInto(o)
 					}
 					return true, nil
 				})
 			},
+			assertCalls: func(t *testing.T, mock *fakes.FakeCtrlClient) {
+				if mock.PatchCallCount() != 0 {
+					t.Errorf("createOrApplyServiceAccounts() Patch call count: %d, want 0", mock.PatchCallCount())
+				}
+			},
 		},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/istiocsr/serviceaccounts_test.go` around lines 22 - 25, Update
the "serviceaccount reconciliation successful" testcase in the table-driven test
in serviceaccounts_test.go to explicitly assert that no patch operations
occurred: inside its assertCalls function, call mock.PatchCallCount() and
require it equals 0 (on the provided *fakes.FakeCtrlClient) to ensure
ApplyResource did not issue patches for unchanged ServiceAccounts; keep other
existing assertions and reference the Reconciler and ApplyResource behavior as
context.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/istiocsr/rbacs.go`:
- Around line 265-269: createOrApplyRoleBindings and
createOrApplyRoleBindingForLeases currently always call common.ApplyResource
(Server-Side Apply) but RoleBinding.roleRef is immutable—mirror the
ClusterRoleBinding handler's pattern: after calling common.ApplyResource (with
hasObjectChanged from getRoleBindingObject/hasObjectChanged), detect when the
failure or diff indicates only a roleRef drift (compare desired.RoleRef to the
live object.RoleRef), then delete the existing rbacv1.RoleBinding and recreate
the desired object (preserving owner refs/events/fieldOwner) as a fallback;
implement this delete-then-create flow in both createOrApplyRoleBindings and
createOrApplyRoleBindingForLeases using the same logic used in the
ClusterRoleBinding handler to avoid permanent SSA validation errors.

---

Nitpick comments:
In `@pkg/controller/istiocsr/serviceaccounts_test.go`:
- Around line 22-25: Update the "serviceaccount reconciliation successful"
testcase in the table-driven test in serviceaccounts_test.go to explicitly
assert that no patch operations occurred: inside its assertCalls function, call
mock.PatchCallCount() and require it equals 0 (on the provided
*fakes.FakeCtrlClient) to ensure ApplyResource did not issue patches for
unchanged ServiceAccounts; keep other existing assertions and reference the
Reconciler and ApplyResource behavior as context.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3367fe15-60ea-4966-a17e-6222e23128a6

📥 Commits

Reviewing files that changed from the base of the PR and between f8b7c81 and fdd735e.

📒 Files selected for processing (26)

• pkg/controller/common/applier.go
• pkg/controller/istiocsr/certificates.go
• pkg/controller/istiocsr/certificates_test.go
• pkg/controller/istiocsr/constants.go
• pkg/controller/istiocsr/install_instiocsr_test.go
• pkg/controller/istiocsr/install_istiocsr.go
• pkg/controller/istiocsr/networkpolicies.go
• pkg/controller/istiocsr/rbacs.go
• pkg/controller/istiocsr/rbacs_test.go
• pkg/controller/istiocsr/serviceaccounts.go
• pkg/controller/istiocsr/serviceaccounts_test.go
• pkg/controller/istiocsr/services.go
• pkg/controller/istiocsr/services_test.go
• pkg/controller/trustmanager/certificates.go
• pkg/controller/trustmanager/certificates_test.go
• pkg/controller/trustmanager/controller_test.go
• pkg/controller/trustmanager/deployments.go
• pkg/controller/trustmanager/deployments_test.go
• pkg/controller/trustmanager/rbacs.go
• pkg/controller/trustmanager/rbacs_test.go
• pkg/controller/trustmanager/serviceaccounts.go
• pkg/controller/trustmanager/serviceaccounts_test.go
• pkg/controller/trustmanager/services.go
• pkg/controller/trustmanager/services_test.go
• pkg/controller/trustmanager/webhooks.go
• pkg/controller/trustmanager/webhooks_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/controller/trustmanager/certificates.go
• pkg/controller/trustmanager/certificates_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Is roleRefimmutable on KubernetesRoleBinding resources, and does changing it require deleting and recreating the binding instead of patching/applying it?

💡 Result:

Yes, roleRef is immutable on Kubernetes RoleBinding resources. Changing it requires deleting and recreating the binding, as patching or applying an update to roleRef will result in a validation error.[1][2] The official Kubernetes API documentation explicitly states: "This field is immutable."[1] The RBAC documentation confirms: "After you create a binding, you cannot change the Role or ClusterRole that it refers to. If you try to change a binding's roleRef, you get a validation error. If you do want to change the roleRef for a binding, you need to remove the binding object and create a replacement."[2] This behavior is enforced in the validation code and recently formalized with the +k8s:immutable tag in Kubernetes source code (as of early 2026).[3] Multiple sources, including Stack Overflow discussions citing the docs and code, report the exact error: "cannot change roleRef".[4][5]

Citations:

• 1: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-binding-v1
• 2: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
• 3: Migrate RoleBinding.RoleRef to +k8s:immutable declarative validation kubernetes/kubernetes#137094
• 4: https://stackoverflow.com/questions/69069078/why-kubernetes-doesnt-allow-roleref-of-rolebinding-to-be-updated
• 5: https://stackoverflow.com/questions/59825777/rbac-kubectl-add-patch-to-existing-rolebinding

---

🏁 Script executed:

# First, let's locate and examine the file mentioned in the review
fd -t f "rbacs.go" --exec wc -l {} \;

Repository: openshift/cert-manager-operator

Length of output: 157

---

🏁 Script executed:

# Now let's read the relevant sections of the file
cat -n pkg/controller/istiocsr/rbacs.go | sed -n '260,300p'

Repository: openshift/cert-manager-operator

Length of output: 2800

---

🏁 Script executed:

# Check the ClusterRoleBinding section mentioned (lines 329-350)
cat -n pkg/controller/istiocsr/rbacs.go | sed -n '320,360p'

Repository: openshift/cert-manager-operator

Length of output: 2181

---

🏁 Script executed:

# Let's also check the common.ApplyResource function to understand its behavior
fd -t f -name "*.go" | xargs grep -l "func.*ApplyResource" | head -5

Repository: openshift/cert-manager-operator

Length of output: 306

---

🏁 Script executed:

# Search for ApplyResource implementation
grep -r "func.*ApplyResource" --include="*.go" | head -10

Repository: openshift/cert-manager-operator

Length of output: 281

---

🏁 Script executed:

# Alternative search with rg
rg "func.*ApplyResource" --type go -A 5

Repository: openshift/cert-manager-operator

Length of output: 929

---

🏁 Script executed:

# Read the ApplyResource implementation
cat -n pkg/controller/common/applier.go | head -150

Repository: openshift/cert-manager-operator

Length of output: 2180

---

🏁 Script executed:

# Check file size first
wc -l pkg/controller/common/applier.go

Repository: openshift/cert-manager-operator

Length of output: 111

---

Preserve the delete/recreate path for RoleBinding.RoleRef drift.

Both createOrApplyRoleBindings (265–269) and createOrApplyRoleBindingForLeases (294–298) use ApplyResource, which patches via Server-Side Apply. Kubernetes treats RoleBinding.roleRef as immutable, so attempting to patch a changed roleRef will fail with a validation error and permanently break reconciliation. The ClusterRoleBinding handler (329–350) already implements the required delete/recreate fallback when roleRef changes; apply the same pattern here.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/istiocsr/rbacs.go` around lines 265 - 269,
createOrApplyRoleBindings and createOrApplyRoleBindingForLeases currently always
call common.ApplyResource (Server-Side Apply) but RoleBinding.roleRef is
immutable—mirror the ClusterRoleBinding handler's pattern: after calling
common.ApplyResource (with hasObjectChanged from
getRoleBindingObject/hasObjectChanged), detect when the failure or diff
indicates only a roleRef drift (compare desired.RoleRef to the live
object.RoleRef), then delete the existing rbacv1.RoleBinding and recreate the
desired object (preserving owner refs/events/fieldOwner) as a fallback;
implement this delete-then-create flow in both createOrApplyRoleBindings and
createOrApplyRoleBindingForLeases using the same logic used in the
ClusterRoleBinding handler to avoid permanent SSA validation errors.

[openshift-ci]

@sebrandon1: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator-tech-preview	fdd735e	link	false	/test e2e-operator-tech-preview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.