CM-830: Add TrustManager controller for trust-manager operand management#422
Conversation
Introduces the TrustManager CRD (trustmanagers.operator.openshift.io/v1alpha1) as specified in the enhancement proposal (EP-1914). This cluster-scoped singleton resource enables day-2 installation and configuration of the trust-manager operand. Key additions: - TrustManager types with spec fields: logLevel, logFormat, trustNamespace, secretTargets, filterExpiredCertificates, defaultCAPackage, resources, affinity, tolerations, nodeSelector - SecretTargetsConfig with Custom/Disabled policy and authorizedSecrets - DefaultCAPackageConfig for OpenShift trusted CA bundle integration - FeatureTrustManager feature gate (Alpha, default disabled) - CRD manifest, deepcopy, client/lister/informer generation - Integration tests for CRD validation (status defaults, singleton, scope, immutability) - YAML test suite covering create/update validation scenarios Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements the controller-runtime based reconciler for the TrustManager CRD. The controller watches trustmanagers.operator.openshift.io resources and reconciles the trust-manager operand deployment in the cert-manager namespace, including ServiceAccount, RBAC, Certificates, Services, DefaultCAPackage ConfigMap, and Deployment resources. The controller follows the same patterns as the IstioCSR controller: - Feature-gated via FeatureTrustManager (Alpha, default disabled) - Separate controller-runtime manager with its own cache builder - Non-destructive cleanup on CR deletion per EP non-goals - Dynamic RBAC for SecretTargets policy - DefaultCAPackage integration with CNO trusted CA bundle injection Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
openshift-ci-robot
added
the
jira/valid-reference
|
@openshift-app-platform-shift[bot]: This pull request references CM-830 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: openshift-app-platform-shift[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
needs-ok-to-test
|
Hi @openshift-app-platform-shift[bot]. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/close |
|
@swghosh: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
2 participants
Summary
TrustManagerCRD (trustmanagers.operator.openshift.io/v1alpha1)FeatureTrustManagerfeature gate (Alpha, default disabled)Related
Test plan
go build ./...succeedsgo vet ./...passesTrustManagerfeature gate and verify controller startsTrustManagerCR namedclusterand verify all dependent resources are createdEnabledCustom🤖 Generated with Claude Code