ai-eval: DNM, feat(EP-1914): API types, controller implementation, e2e#423
Conversation
Introduces the TrustManager CRD (trustmanagers.operator.openshift.io/v1alpha1) as specified in the enhancement proposal (EP-1914). This cluster-scoped singleton resource enables day-2 installation and configuration of the trust-manager operand. Key additions: - TrustManager types with spec fields: logLevel, logFormat, trustNamespace, secretTargets, filterExpiredCertificates, defaultCAPackage, resources, affinity, tolerations, nodeSelector - SecretTargetsConfig with Custom/Disabled policy and authorizedSecrets - DefaultCAPackageConfig for OpenShift trusted CA bundle integration - FeatureTrustManager feature gate (Alpha, default disabled) - CRD manifest, deepcopy, client/lister/informer generation - Integration tests for CRD validation (status defaults, singleton, scope, immutability) - YAML test suite covering create/update validation scenarios Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements the controller-runtime based reconciler for the TrustManager CRD. The controller watches trustmanagers.operator.openshift.io resources and reconciles the trust-manager operand deployment in the cert-manager namespace, including ServiceAccount, RBAC, Certificates, Services, DefaultCAPackage ConfigMap, and Deployment resources. The controller follows the same patterns as the IstioCSR controller: - Feature-gated via FeatureTrustManager (Alpha, default disabled) - Separate controller-runtime manager with its own cache builder - Non-destructive cleanup on CR deletion per EP non-goals - Dynamic RBAC for SecretTargets policy - DefaultCAPackage integration with CNO trusted CA bundle injection Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds end-to-end tests for the TrustManager controller covering: - Basic trust-manager deployment with default configuration - Status field verification (Ready/Degraded conditions, observed state) - SecretTargets Custom policy with dynamic RBAC verification - DefaultCAPackage ConfigMap creation when policy is Enabled - Non-destructive cleanup on TrustManager CR deletion Tests follow the existing IstioCSR E2E test patterns using Ginkgo v2, polling helpers, and the dynamic resource loader. Test data YAML manifests are provided in testdata/trustmanager/. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
openshift-ci-robot
added
the
jira/valid-reference
|
@openshift-app-platform-shift[bot]: This pull request references CM-830 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: openshift-app-platform-shift[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
needs-ok-to-test
|
Hi @openshift-app-platform-shift[bot]. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/retitle ai-eval: DNM, feat(EP-1914): API types, controller implementation, e2e |
openshift-ci
Bot
changed the title
openshift-ci-robot
removed
the
jira/valid-reference
|
@openshift-app-platform-shift[bot]: No Jira issue is referenced in the title of this pull request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
This PR was authored/developed as a result of openshift/release#79009 rehearsal workflow because of input.Dockerfile trigger. |
|
/ok-to-test |
1 similar comment
|
/ok-to-test |
openshift-ci
Bot
added
ok-to-test
|
@openshift-app-platform-shift[bot]: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
2 participants
Summary
Related
Test plan
go build -tags e2e ./test/e2e/...succeedsgo vet -tags e2e ./test/e2e/...passesmake test-e2e E2E_GINKGO_LABEL_FILTER="Feature:TrustManager"🤖 Generated with Claude Code