
User-facing migration to ClusterBundle #702

Open

erikgb wants to merge 1 commit into cert-manager:main from erikgb:migrate-to-clusterbundle


Conversation

@erikgb (Member) commented Aug 25, 2025

This PR introduces the new ClusterBundle CRD and enables the migration controller according to the accepted design.

The main controller is changed to reconcile ClusterBundle instead of Bundle.

I've tried to keep this PR as small as possible to make it easier to review. We will likely need to add additional tests for the new features in the ClusterBundle API (e.g., multiple keys) and consolidate the existing tests due to the more generic API. However, I suggest handling this in follow-up PRs. Let me know what you think!

cert-manager-prow added the labels do-not-merge/work-in-progress (indicates that a PR should not merge because it is a work in progress), dco-signoff: yes (all commits in the pull request have a valid DCO sign-off message) and size/M (30-99 lines changed, ignoring generated files), replacing size/S (10-29 lines), on Aug 25, 2025.
cert-manager-prow added needs-rebase (the PR cannot be merged because it has merge conflicts with HEAD) on Sep 19, 2025.
erikgb force-pushed migrate-to-clusterbundle from ec6c107 to 551e847 on Sep 19, 2025 16:46.
cert-manager-prow added size/L (100-499 lines) and removed needs-rebase and size/M on Sep 19, 2025.
erikgb force-pushed from 551e847 to d9dd750 on Sep 21, 2025 16:49.
cert-manager-prow added size/XL (500-999 lines) and removed size/L on Sep 25, 2025.
erikgb force-pushed from 0b8b584 to 9dac46d on Oct 7, 2025 20:43.
cert-manager-prow added size/XXL (1000+ lines) and removed size/XL on Oct 7, 2025.
erikgb force-pushed from 2da597b to f9e3118 on Oct 11, 2025 21:06.
cert-manager-prow added needs-rebase on Nov 9, 2025.
erikgb force-pushed from 2062dd2 to f114776 on Nov 9, 2025 11:27.
cert-manager-prow removed needs-rebase on Nov 9, 2025.
erikgb force-pushed from f114776 to b87a514 on Dec 28, 2025 16:36.
cert-manager-prow added needs-rebase on Jan 7, 2026.
erikgb force-pushed from b87a514 to 688c870 on Jan 17, 2026 10:23.
cert-manager-prow removed needs-rebase on Jan 17, 2026.
erikgb force-pushed from 9947942 to b456e1d on Jan 18, 2026 19:29.
cert-manager-prow added needs-rebase on Jan 20, 2026.
erikgb force-pushed from b456e1d to b87b744 on Jan 20, 2026 10:06.

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 31 out of 31 changed files in this pull request and generated 13 comments.

Comment thread pkg/bundle/internal/target/target.go Outdated
Comment thread pkg/bundle/internal/source/source.go Outdated
Comment thread deploy/charts/trust-manager/templates/crd-trust-manager.io_clusterbundles.yaml Outdated
Comment thread deploy/charts/trust-manager/templates/crd-trust-manager.io_clusterbundles.yaml Outdated
Comment thread test/smoke/suite_test.go Outdated
Comment thread test/env/data.go Outdated
Comment thread pkg/webhook/webhook.go Outdated
Comment thread pkg/webhook/validation.go Outdated
Comment thread pkg/webhook/validation_test.go Outdated
Comment thread pkg/bundle/controller/bundle_controller.go Outdated
erikgb force-pushed migrate-to-clusterbundle 2 times, most recently from 255e0ab to 83d044c on Apr 5, 2026 13:29.
erikgb force-pushed from 83d044c to b18814e on Apr 7, 2026 09:06.
erikgb requested a review from Copilot on Apr 7, 2026 09:06.

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 31 out of 31 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

pkg/bundle/internal/target/target.go:423

  • TrustBundleHash iterates over target.GetAnnotations() and target.GetLabels() maps directly. Go map iteration order is randomized, so this makes the computed hash nondeterministic when there are 2+ labels/annotations, potentially causing perpetual “needs update” churn. Consider hashing these maps in a deterministic order (e.g., sort keys first) before writing to the hasher.
	// Add Target annotations and labels to the hash so it becomes aware of changes and triggers an update.
	for k, v := range target.GetAnnotations() {
		_, _ = hash.Write([]byte(k + v))
	}
	for k, v := range target.GetLabels() {
		_, _ = hash.Write([]byte(k + v))
	}


Comment thread pkg/bundle/internal/target/target.go
Comment thread pkg/bundle/internal/target/target.go
Comment thread pkg/bundle/bundle.go Outdated
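The nondeterministic-hash finding above, worked through as an added Go example. This is not trust-manager's code: TargetMetaHash hashes a target's annotations and labels with sorted keys and length-prefixed fields, NaiveMetaHash reproduces the flagged k+v pattern for contrast, and Stable is a small helper that calls a hash function repeatedly. All three names, and the sample metadata in main, are chosen here.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
	"sort"
)

// writeMapCanonical feeds m into h in a canonical form: keys are visited in
// sorted order (Go map iteration order is randomised), and every key and value
// is length-prefixed so entry boundaries are unambiguous. Plain k+v
// concatenation would let {"ab":"c"} and {"a":"bc"} produce identical input.
func writeMapCanonical(h hash.Hash, m map[string]string) {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var lenBuf [8]byte
	writeField := func(s string) {
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(s)))
		_, _ = h.Write(lenBuf[:])
		_, _ = h.Write([]byte(s))
	}
	for _, k := range keys {
		writeField(k)
		writeField(m[k])
	}
}

// TargetMetaHash returns a hex-encoded SHA-256 over a target's annotations and
// labels. The digest depends only on the map contents, never on iteration order,
// so a controller comparing it against a stored value does not see spurious drift.
func TargetMetaHash(annotations, labels map[string]string) string {
	h := sha256.New()
	// A fixed tag per section keeps {"a":"1"} as an annotation distinct from
	// the same pair as a label.
	_, _ = h.Write([]byte("annotations\x00"))
	writeMapCanonical(h, annotations)
	_, _ = h.Write([]byte("labels\x00"))
	writeMapCanonical(h, labels)
	return hex.EncodeToString(h.Sum(nil))
}

// NaiveMetaHash reproduces the pattern flagged in review, for contrast only:
// iterate the maps directly and write k+v with no delimiter.
func NaiveMetaHash(annotations, labels map[string]string) string {
	h := sha256.New()
	for k, v := range annotations {
		_, _ = h.Write([]byte(k + v))
	}
	for k, v := range labels {
		_, _ = h.Write([]byte(k + v))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Stable reports whether fn yields the same digest across n calls.
func Stable(n int, fn func() string) bool {
	first := fn()
	for i := 1; i < n; i++ {
		if fn() != first {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample metadata; several entries so map ordering varies between calls.
	ann := map[string]string{"trust-manager.io/hash": "abc", "a": "1", "b": "2", "c": "3"}
	lab := map[string]string{"app.kubernetes.io/name": "trust-manager", "tier": "ca"}

	fmt.Println("canonical stable over 200 calls:", Stable(200, func() string { return TargetMetaHash(ann, lab) }))
	fmt.Println("naive stable over 200 calls:    ", Stable(200, func() string { return NaiveMetaHash(ann, lab) }))
	fmt.Println("canonical digest:", TargetMetaHash(ann, lab))
}
```

The section tags and length prefixes are the parts a sort-keys-only fix would miss: without them two different metadata sets can still feed the hasher the same byte stream, which matters if the digest is ever used to decide that a target is already up to date.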
erikgb force-pushed migrate-to-clusterbundle from b18814e to 4a15924 on Apr 7, 2026 09:38.
erikgb requested a review from Copilot on Apr 7, 2026 09:39.

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 31 out of 31 changed files in this pull request and generated 1 comment.

Comment thread pkg/bundle/bundle_test.go
erikgb force-pushed migrate-to-clusterbundle from 4a15924 to 29415dc on Apr 18, 2026 10:23.
cert-manager-prow added needs-rebase on May 1, 2026.
erikgb force-pushed from 29415dc to 0b406bb on May 1, 2026 09:44.
cert-manager-prow removed needs-rebase on May 1, 2026.
cert-manager-prow added needs-rebase on Jun 28, 2026.
erikgb force-pushed from 0b406bb to ab4112f on Jun 28, 2026 09:43.
cert-manager-prow removed needs-rebase on Jun 28, 2026.
erikgb force-pushed from ab4112f to 307c211 on Jun 28, 2026 09:54.
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
erikgb force-pushed from c9982cf to 203f248 on Jun 28, 2026 10:09.
erikgb requested a review from Copilot on Jun 28, 2026 10:18.

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 32 out of 33 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • pkg/applyconfigurations/trust/v1alpha1/bundle.go: Generated file

Comment on lines +257 to +261
// This is done to prevent mistakes. TLS Secrets should never include keys
// matching the private-key entry, including via wildcard patterns.
if secret.Type == corev1.SecretTypeTLS {
matchesPrivateKey, err := path.Match(b.ref.Key, corev1.TLSPrivateKeyKey)
if err != nil {
Comment thread test/gen/bundle.go

@SgtCoDFish (Member) left a comment

/lgtm
/approve
/hold

I think the test comment from AI is a legitimate find but if you tell me it's fine I'm willing to roll with it.

As such, LGTM with a hold. If you agree the test comment is legit, then you can fix it and ping me for a re-review. If you disagree, just unhold and merge.

🚀


found := false
for k, v := range data {
ok, err := path.Match(b.ref.Key, k)

Review comment (Member):

note: This will mean that Bundle resources could now set a key of *.crt and it would start matching, right?

I guess that's fine - probably worth calling out in the release notes.
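The two key-matching points raised above, the TLS private-key guard quoted from the source at lines 257 to 261 and the observation that path.Match lets a key such as *.crt act as a glob, combined in one added Go example. This is not trust-manager's code: it uses a minimal secret struct in place of corev1.Secret, copies the two corev1 string constants it needs (assumed values "kubernetes.io/tls" and "tls.key") so it runs without the k8s.io/api module, and the names MatchSecretKeys and errNoMatch, the choice to return every matching key in sorted order, and the sample Secrets in main are all chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"sort"
)

// Values of corev1.SecretTypeTLS and corev1.TLSPrivateKeyKey, copied here so the
// example does not need the k8s.io/api module (assumption: same string values).
const (
	secretTypeTLS    = "kubernetes.io/tls"
	tlsPrivateKeyKey = "tls.key"
)

// secret is a minimal stand-in for corev1.Secret: only the fields consulted here.
type secret struct {
	Name string
	Type string
	Data map[string][]byte
}

var errNoMatch = errors.New("no data key matches the requested key")

// MatchSecretKeys returns the data keys of s selected by keyPattern using
// path.Match semantics: a literal key such as "ca.crt" matches itself, while
// "*.crt" or "ca-?.pem" act as globs. For kubernetes.io/tls Secrets the pattern
// is rejected up front if it could ever select the private-key entry, so that a
// wildcard cannot pull tls.key into a trust bundle.
func MatchSecretKeys(s secret, keyPattern string) ([]string, error) {
	if s.Type == secretTypeTLS {
		hitsKey, err := path.Match(keyPattern, tlsPrivateKeyKey)
		if err != nil {
			return nil, fmt.Errorf("secret %q: invalid key pattern %q: %w", s.Name, keyPattern, err)
		}
		if hitsKey {
			return nil, fmt.Errorf("secret %q: key pattern %q would match %q in a TLS Secret", s.Name, keyPattern, tlsPrivateKeyKey)
		}
	}

	var matched []string
	for k := range s.Data {
		ok, err := path.Match(keyPattern, k)
		if err != nil {
			return nil, fmt.Errorf("secret %q: invalid key pattern %q: %w", s.Name, keyPattern, err)
		}
		if ok {
			matched = append(matched, k)
		}
	}
	if len(matched) == 0 {
		return nil, fmt.Errorf("secret %q: %w %q", s.Name, errNoMatch, keyPattern)
	}
	// Sort so callers concatenating the selected PEM blocks get a stable order.
	sort.Strings(matched)
	return matched, nil
}

func main() {
	// Constructed sample Secrets; the PEM contents are placeholders.
	opaque := secret{Name: "corporate-cas", Type: "Opaque", Data: map[string][]byte{
		"root.crt": []byte("-----BEGIN CERTIFICATE-----\n..."),
		"int.crt":  []byte("-----BEGIN CERTIFICATE-----\n..."),
		"README":   []byte("not a certificate"),
	}}
	tlsSecret := secret{Name: "serving-cert", Type: secretTypeTLS, Data: map[string][]byte{
		"tls.crt": []byte("..."), "tls.key": []byte("..."), "ca.crt": []byte("..."),
	}}

	cases := []struct {
		s   secret
		key string
	}{
		{opaque, "root.crt"}, {opaque, "*.crt"}, {tlsSecret, "ca.crt"},
		{tlsSecret, "*"}, {tlsSecret, "tls.*"}, {opaque, "["},
	}
	for _, c := range cases {
		keys, err := MatchSecretKeys(c.s, c.key)
		fmt.Printf("%-14s key=%-10q -> %v err=%v\n", c.s.Name, c.key, keys, err)
	}
}
```

Note that "*" and "tls.*" are rejected for the TLS Secret even though they also match tls.crt and ca.crt: the guard is evaluated against the pattern, not against the keys that happen to be present, so adding the private key later cannot silently change what a previously valid pattern selects.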

Comment thread pkg/bundle/controller.go
var bundleList trustmanagerapi.ClusterBundleList
if err := b.client.List(ctx, &bundleList); err != nil {
logf.FromContext(ctx).Error(err, "failed to list all Bundles, exiting error")
os.Exit(-1)

Review comment (Member):

suggestion (non-blocking): For a different PR but seeing os.Exit here spooks me so much. Obviously not changed here, but I can't believe this is the best way to handle this.

},
expNeedsUpdate: true,
},
"if object exists with owner but no data, expect update": {

Review comment (Member):

suggestion(AI): target_test.go test fixtures still assert with old Kind: "Bundle" owner references

E.g. pkg/bundle/internal/target/target_test.go:130-138. The tests pass because metav1.IsControlledBy(obj, clusterBundle) returns false (mismatched kind), forcing needsUpdate=true — i.e. these tests pass "for the right outcome, the wrong reason." They're effectively also testing the migration-path side (old Bundle-owned target needs an update), which is useful, but a couple of explicit "object already owned by ClusterBundle" test cases would help guard the steady-state path.


I reckon this looks like a legit finding so I'm raising it as a comment!

@cert-manager-prow cert-manager-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 29, 2026
cert-manager-prow (Contributor) commented:
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish


@cert-manager-prow cert-manager-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 29, 2026

Labels

approved, dco-signoff: yes, do-not-merge/hold (indicates that a PR should not merge because someone has issued a /hold command), lgtm, size/XXL


3 participants