feat: inject bundle data into configmap

erikgb · erikgb · commit 70abe6839f39 · 2025-07-27T21:02:56.000+02:00
Signed-off-by: Erik Godding Boye &lt;egboye@gmail.com&gt;
diff --git a/pkg/bundle/inject/controller.go b/pkg/bundle/inject/controller.go
@@ -0,0 +1,174 @@
+/*
+Copyright 2021 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inject
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/core/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	"github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
+	"github.com/cert-manager/trust-manager/pkg/bundle/controller"
+	"github.com/cert-manager/trust-manager/pkg/bundle/internal/source"
+	"github.com/cert-manager/trust-manager/pkg/bundle/internal/ssa_client"
+)
+
+const (
+	// BundleInjectBundleNameLabelKey is the key of the label that will trigger the injection of bundle data into the resource.
+	// The label value should be the name of the bundle to inject data from.
+	BundleInjectBundleNameLabelKey = "inject.trust-manager.io/bundle-name"
+	// BundleInjectKeyLabelKey is the key for an optional label to specify the key to inject the bundle data into the resource.
+	// The bundle data will be injected into the 'ca-bundle.crt' key if this label is not found in resource.
+	BundleInjectKeyLabelKey = "inject.trust-manager.io/key"
+)
+
+type Injector struct {
+	client.Client
+	bundleBuilder *source.BundleBuilder
+}
+
+func (i *Injector) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
+	i.bundleBuilder = &source.BundleBuilder{
+		Reader:  mgr.GetClient(),
+		Options: opts,
+	}
+
+	return ctrl.NewControllerManagedBy(mgr).
+		Named("configmap-injector").
+		For(&metav1.PartialObjectMetadata{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "ConfigMap"}},
+			builder.WithPredicates(
+				hasLabelPredicate(BundleInjectBundleNameLabelKey),
+			)).
+		Complete(i)
+}
+
+func (i *Injector) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+	target := &metav1.PartialObjectMetadata{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+	}
+
+	if err := i.Get(ctx, request.NamespacedName, target); err != nil {
+		if apierrors.IsNotFound(err) {
+			return reconcile.Result{}, nil
+		}
+		return reconcile.Result{}, err
+	}
+
+	bundleName := target.GetLabels()[BundleInjectBundleNameLabelKey]
+	if bundleName == "" {
+		return reconcile.Result{}, nil
+	}
+
+	bundle := &v1alpha1.Bundle{}
+	if err := i.Get(ctx, types.NamespacedName{Name: bundleName}, bundle); err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to look up bundle %q: %w", bundleName, err)
+	}
+
+	// TODO: Add support for additional formats
+	bundleData, err := i.bundleBuilder.BuildBundle(ctx, bundle.Spec.Sources, nil)
+	if err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to build bundle %q: %w", bundleName, err)
+	}
+	key := target.GetLabels()[BundleInjectKeyLabelKey]
+	if key == "" {
+		key = "ca-bundle.crt"
+	}
+
+	applyConfig := v1.ConfigMap(request.Name, request.Namespace).
+		WithAnnotations(map[string]string{
+			v1alpha1.BundleHashAnnotationKey: trustBundleHash([]byte(bundleData.Data)),
+		}).
+		WithData(map[string]string{key: bundleData.Data})
+
+	return reconcile.Result{}, patchConfigMap(ctx, i.Client, applyConfig)
+}
+
+func trustBundleHash(data []byte) string {
+	hash := sha256.New()
+	_, _ = hash.Write(data)
+	hashValue := [32]byte{}
+	hash.Sum(hashValue[:0])
+	dataHash := hex.EncodeToString(hashValue[:])
+	return dataHash
+}
+
+type Cleaner struct {
+	client.Client
+}
+
+func (c *Cleaner) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		Named("configmap-injector-cleaner").
+		For(&metav1.PartialObjectMetadata{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "ConfigMap"}},
+			builder.WithPredicates(
+				hasAnnotationPredicate(v1alpha1.BundleHashAnnotationKey),
+				predicate.Not(hasLabelPredicate(BundleInjectBundleNameLabelKey)),
+			)).
+		Complete(c)
+}
+
+func (c *Cleaner) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+	applyConfig := v1.ConfigMap(request.Name, request.Namespace)
+
+	return reconcile.Result{}, patchConfigMap(ctx, c.Client, applyConfig)
+}
+
+func patchConfigMap(ctx context.Context, c client.Client, applyConfig *v1.ConfigMapApplyConfiguration) error {
+	obj := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      *applyConfig.Name,
+			Namespace: *applyConfig.Namespace,
+		},
+	}
+
+	encodedPatch, err := json.Marshal(applyConfig)
+	if err != nil {
+		return err
+	}
+
+	return c.Patch(ctx, obj, ssa_client.ApplyPatch{Patch: encodedPatch}, ssa_client.FieldManager, client.ForceOwnership)
+}
+
+func hasLabelPredicate(key string) predicate.Predicate {
+	return predicate.NewPredicateFuncs(func(obj client.Object) bool {
+		_, ok := obj.GetLabels()[key]
+		return ok
+	})
+}
+
+func hasAnnotationPredicate(key string) predicate.Predicate {
+	return predicate.NewPredicateFuncs(func(obj client.Object) bool {
+		_, ok := obj.GetAnnotations()[key]
+		return ok
+	})
+}
diff --git a/test/integration/bundle/inject/controller_test.go b/test/integration/bundle/inject/controller_test.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2021 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inject
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/envtest/komega"
+
+	"github.com/cert-manager/trust-manager/pkg/bundle/inject"
+	"github.com/cert-manager/trust-manager/test/dummy"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Injector", func() {
+	var namespace string
+
+	BeforeEach(func() {
+		ns := &corev1.Namespace{}
+		ns.GenerateName = "inject-"
+		Expect(k8sClient.Create(ctx, ns)).To(Succeed())
+		namespace = ns.Name
+	})
+
+	It("should inject bundle data when ConfigMap labeled", func() {
+		cm := &corev1.ConfigMap{}
+		cm.GenerateName = "cm-"
+		cm.Namespace = namespace
+		cm.Labels = map[string]string{
+			inject.BundleInjectBundleNameLabelKey: bundleName,
+			"app":                                 "my-app",
+		}
+		cm.Data = map[string]string{
+			"tls.crt": "bar",
+			"tls.key": "baz",
+		}
+		Expect(k8sClient.Create(ctx, cm)).To(Succeed())
+
+		// Wait for ConfigMap to be processed by controller
+		Eventually(komega.Object(cm)).Should(
+			HaveField("Data",
+				HaveKeyWithValue("ca-bundle.crt", dummy.TestCertificate1),
+			),
+		)
+		Expect(cm.Labels).To(HaveKeyWithValue("app", "my-app"))
+
+		By("changing key label on ConfigMap, it should switch key", func() {
+			Expect(komega.Update(cm, func() {
+				cm.Labels[inject.BundleInjectKeyLabelKey] = "ca.crt"
+			})()).To(Succeed())
+
+			// Wait for ConfigMap to be processed by controller
+			Eventually(komega.Object(cm)).Should(
+				HaveField("Data", SatisfyAll(
+					HaveKeyWithValue("ca.crt", dummy.TestCertificate1),
+					Not(HaveKey("ca-bundle.crt")),
+				)),
+			)
+		})
+
+		By("removing label from ConfigMap, it should remove bundle data", func() {
+			Expect(komega.Update(cm, func() {
+				delete(cm.Labels, inject.BundleInjectBundleNameLabelKey)
+			})()).To(Succeed())
+
+			// Wait for ConfigMap to be processed by controller
+			Eventually(komega.Object(cm)).Should(
+				HaveField("Data",
+					Not(HaveKey("ca.crt")),
+				),
+			)
+			Expect(cm.Labels).To(HaveKeyWithValue("app", "my-app"))
+			Expect(cm.Data).To(Equal(map[string]string{
+				"tls.crt": "bar",
+				"tls.key": "baz",
+			}))
+		})
+	})
+})
diff --git a/test/integration/bundle/inject/suite_test.go b/test/integration/bundle/inject/suite_test.go
