Skip to content

Add self-healing for CA bundle configmaps in user namespaces#3247

Open
ab-ghosh wants to merge 1 commit intotektoncd:mainfrom
ab-ghosh:self-healing-ca-bundle-configmaps
Open

Add self-healing for CA bundle configmaps in user namespaces#3247
ab-ghosh wants to merge 1 commit intotektoncd:mainfrom
ab-ghosh:self-healing-ca-bundle-configmaps

Conversation

@ab-ghosh
Copy link
Member

@ab-ghosh ab-ghosh commented Feb 26, 2026
edited
Loading

Changes

  • Added self healing check in getNamespacesToBeReconciled() to verify CA bundle configmaps (config-trusted-cabundle, config-service-cabundle) exist even when the namespace label indicates reconciliation is complete
  • Follows the same pattern as existing RBAC self-healing (RoleBinding existence check)
  • Logs a warning when missing configmaps are detected despite the label being present
  • Added unit tests

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

Add self-healing for CA bundle configmaps in user namespaces

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Feb 26, 2026
@tekton-robot
Copy link
Contributor

tekton-robot commented Feb 26, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign mbpavan after the PR has been reviewed.
You can assign the PR to them by writing /assign @mbpavan in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 26, 2026
@ab-ghosh
Copy link
Member Author

ab-ghosh commented Feb 26, 2026
edited
Loading

Tested the upgrade scenario and it's working as expected

pramodbindal
pramodbindal reviewed Feb 26, 2026
View reviewed changes
pkg/reconciler/openshift/tektonconfig/rbac.go Outdated
needsCABundle = true
} else {
// Self-healing: verify configmaps exist even when label matches
_, err1 := r.kubeClientSet.CoreV1().ConfigMaps(ns.Name).Get(ctx, trustedCABundleConfigMap, metav1.GetOptions{})
Copy link
Member

@pramodbindal pramodbindal Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can reuse the r.kubeClientSet.CoreV1().ConfigMaps(ns.Name) part.

@ab-ghosh ab-ghosh force-pushed the self-healing-ca-bundle-configmaps branch from ccaa779 to 16ef4a8 Compare February 26, 2026 10:41
@pramodbindal
Copy link
Member

pramodbindal commented Feb 26, 2026

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 26, 2026
@mathur07
Copy link

mathur07 commented Feb 26, 2026

/lgtm

@tekton-robot
Copy link
Contributor

tekton-robot commented Feb 26, 2026

@mathur07: changing LGTM is restricted to collaborators

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ab-ghosh
Copy link
Member Author

ab-ghosh commented Feb 27, 2026

/cc @jkhelil

@tekton-robot tekton-robot requested a review from jkhelil February 27, 2026 06:01
jkhelil
jkhelil reviewed Feb 27, 2026
View reviewed changes
pkg/reconciler/openshift/tektonconfig/rbac.go Outdated
}

// Check if namespace needs CA bundle reconciliation
needsCABundle := false
Copy link
Member

@jkhelil jkhelil Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ab-ghosh can you extract cabundle process in its own function for readbility
same for rbac
We wold have
for _, ns := range ... {
if shouldIgnore(ns) {
continue
}

if r.needsRBAC(ns) {
    result.RBACNamespaces = append(...)
}

if r.needsCABundle(ns) {
    result.CANamespaces = append(...)
}

}

@ab-ghosh
Add self-healing for CA bundle configmaps in user namespaces
c0a2a1d 
Previously, the operator used the namespace label
namespace-trusted-configmaps-version to determine if CA bundle
configmaps were reconciled. Once the label matched the current
version, the namespace was permanently skipped even if the
configmaps were deleted externally.

This adds a self-healing check in getNamespacesToBeReconciled(),
matching the existing RBAC self-healing pattern that verifies
RoleBinding existence. When the label matches but either
config-trusted-cabundle or config-service-cabundle configmap is
missing, the namespace is marked for re-reconciliation and a
warning is logged.

Signed-off-by: ab-ghosh <abghosh@redhat.com>
@ab-ghosh ab-ghosh force-pushed the self-healing-ca-bundle-configmaps branch from 16ef4a8 to c0a2a1d Compare February 27, 2026 17:33
@tekton-robot
Copy link
Contributor

tekton-robot commented Feb 27, 2026

New changes are detected. LGTM label has been removed.

@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Feb 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkhelil jkhelil jkhelil left review comments

@piyush-garg piyush-garg Awaiting requested review from piyush-garg

@pramodbindal pramodbindal Awaiting requested review from pramodbindal

Assignees

@pramodbindal pramodbindal

Labels

release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ab-ghosh @tekton-robot @pramodbindal @mathur07 @jkhelil