Fix conversion Bundle->ClusterBundle #844

Merged
cert-manager-prow[bot] merged 1 commit into cert-manager:main from erikgb:fix-conversion
Jan 20, 2026

@erikgb erikgb commented Jan 18, 2026

Member

This change is extracted from #702 to make that PR smaller and easier to review.

While working on the user-facing migration, I struggled to get some of the tests to pass. After investigation, I detected some bugs that need to be fixed:

  1. We allow multiple source elements with in-line CA certificates in the Bundle sources array, while ClusterBundle only provides a single field for this. This mismatch (many-to-one) is a bit problematic; I considered several ways to fix this, but ended up with the simplest solution: concatenate all in-line source CA certificates into the ClusterBundle inLineCAs field when converting. This breaks round-trip conversion, but we only need conversion from Bundle to ClusterBundle.
  2. One of our integration tests is asserting that we can produce the legacy JKS format. And this test breaks if using the PKCS#12 encoder to encode the JKS. To ensure we don't break any users, it is required to keep the legacy JKS encoder until we remove JKS support completely. To choose the correct encoder to use, we need an annotation to support the migrated bundle controller in User-facing migration to ClusterBundle #702
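
The many-to-one concatenation described in item 1, as an added example that is not part of the PR or of trust-manager's code: it generalizes the trim-then-separate rule to a list of inline sources and counts the PEM blocks a parser recovers, compared with appending the sources directly. The helper names `joinInline`, `countPEMBlocks` and `samplePEM` are hypothetical, and the PEM payloads are constructed, not real certificates.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strings"
)

// joinInline drops one trailing newline from the accumulated text and adds
// exactly one separator before each further source. Hypothetical helper.
func joinInline(sources []string) string {
	out := ""
	for i, s := range sources {
		if i > 0 {
			out = strings.TrimSuffix(out, "\n") + "\n"
		}
		out += s
	}
	return out
}

// countPEMBlocks reports how many CERTIFICATE blocks a PEM parser recovers.
func countPEMBlocks(bundle string) int {
	n, rest := 0, []byte(bundle)
	for {
		var b *pem.Block
		if b, rest = pem.Decode(rest); b == nil {
			return n
		}
		if b.Type == "CERTIFICATE" {
			n++
		}
	}
}

// samplePEM builds a constructed PEM block; the payload is not a real certificate.
func samplePEM(payload string, trailingNewline bool) string {
	s := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(payload)}))
	if !trailingNewline {
		s = strings.TrimSuffix(s, "\n")
	}
	return s
}

func main() {
	srcs := []string{samplePEM("constructed-ca-1", false), samplePEM("constructed-ca-2", true), samplePEM("constructed-ca-3", false)}
	fmt.Println("blocks after plain append:", countPEMBlocks(strings.Join(srcs, "")))
	fmt.Println("blocks after joinInline:  ", countPEMBlocks(joinInline(srcs)))
}
```

A source that lacks a trailing newline is the case that matters: appended directly, its END line runs into the next BEGIN line and the parser no longer sees every CA.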

@cert-manager-prow cert-manager-prow Bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Jan 18, 2026
@erikgb erikgb requested a review from Copilot January 18, 2026 21:48
@cert-manager-prow cert-manager-prow Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 18, 2026
@erikgb erikgb force-pushed the fix-conversion branch 2 times, most recently from ebd4aed to cb975d7 Compare January 18, 2026 21:51

Copilot AI left a comment

Contributor


Pull request overview

This PR fixes the conversion logic from Bundle to ClusterBundle to support user-facing migration. The changes address two main issues: handling multiple inline CA certificate sources and preserving the JKS encoder annotation for legacy support.

Changes:

  • Concatenates multiple inline CA sources in Bundle into a single inLineCAs field in ClusterBundle
  • Exports the JKS annotation constant and ensures it's copied during conversion
  • Adds test coverage for multi-source inline CA concatenation and JKS format annotation

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| pkg/apis/trust/v1alpha1/conversion.go | Exports AnnotationKeyJKSKey constant and implements inline CA concatenation logic with newline handling |
| pkg/bundle/controller/bundle_controller.go | Moves APIVersion/Kind assignment after conversion and adds annotation copying logic |
| pkg/apis/trust/v1alpha1/conversion_test.go | Adds unit test for multiple inline source concatenation and updates import aliases |
| test/integration/clusterbundle/migration_test.go | Adds integration test for JKS target conversion with annotation verification |

Comment on lines 148 to 154
clusterBundle := &trustmanagerapi.ClusterBundle{}
clusterBundle.APIVersion = "trust-manager.io/v1alpha2"
clusterBundle.Kind = "ClusterBundle"
clusterBundle.Name = bundle.Name
clusterBundle.Name = cb.Name
if jksKey, ok := cb.Annotations[trustapi.AnnotationKeyJKSKey]; ok {
clusterBundle.Annotations = map[string]string{trustapi.AnnotationKeyJKSKey: jksKey}
}
clusterBundle.Spec = cb.Spec
return clusterBundle, nil
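
Review bot: the assignments to `clusterBundle.APIVersion` and `clusterBundle.Kind` repeat the string literals "trust-manager.io/v1alpha2" and "ClusterBundle", which will go stale without a compile error if the target version or kind ever changes. Consider deriving both from the group/version definition of the `trustmanagerapi` package rather than spelling them out at this call site.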

Copilot AI Jan 18, 2026


The variable 'clusterBundle' is being created unnecessarily here, and then all fields are manually copied from 'cb'. This creates redundant code and potentially wastes resources. Instead, you should directly use and modify 'cb', then return it. The current implementation creates two ClusterBundle objects when only one is needed.

Member Author


Well, that's not entirely true, Copilot. I am NOT copying ALL fields, and I don't want most of the metadata converted from Bundle.

erikgb commented Jan 18, 2026

Member Author

/cc @SgtCoDFish @inteon

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.


Comment on lines 148 to 154
clusterBundle := &trustmanagerapi.ClusterBundle{}
clusterBundle.APIVersion = "trust-manager.io/v1alpha2"
clusterBundle.Kind = "ClusterBundle"
clusterBundle.Name = bundle.Name
clusterBundle.Name = cb.Name
if jksKey, ok := cb.Annotations[trustapi.AnnotationKeyJKSKey]; ok {
clusterBundle.Annotations = map[string]string{trustapi.AnnotationKeyJKSKey: jksKey}
}
clusterBundle.Spec = cb.Spec
return clusterBundle, nil
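
Review bot: `clusterBundle.Spec = cb.Spec` is a shallow struct copy, so any pointer fields in the spec remain shared between `cb` and the returned object. That is harmless while `cb` is discarded right after this block; a one-line comment saying so, or a deep copy of the spec, would stop a later change that reuses `cb` from mutating the returned ClusterBundle.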

Copilot AI Jan 18, 2026


The conversion result from bundle.ConvertTo(cb) includes complete ObjectMeta (all annotations, labels, etc.), but then a new ClusterBundle object is created with only selective fields copied (Name, JKS annotation, and Spec). This means any user-added labels or annotations on the Bundle (other than the JKS annotation) will not be present on the ClusterBundle. If this is intentional for Server-Side Apply semantics (to only manage specific fields), it should be documented with a comment. If user metadata should be preserved during migration, consider copying the full ObjectMeta or at least all annotations and labels from cb.

@SgtCoDFish SgtCoDFish left a comment

Member


Few suggestions and comments - what do you think?

Comment thread pkg/apis/trust/v1alpha1/conversion.go
Comment thread pkg/apis/trust/v1alpha1/conversion.go Outdated
Comment on lines +88 to +93
// The following logic is not pretty, but is required as we allow multiple inline sources
// in the Bundle sources array.
// It breaks the round-trippable conversion Bundle->ClusterBundle->Bundle,
// but works for converting Bundle->ClusterBundle, and that's what we need for the migration.
cas := strings.TrimSuffix(*obj.Spec.InLineCAs, "\n") + "\n" + *in.InLine
obj.Spec.InLineCAs = &cas
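
Review bot: on the concatenation line, `strings.TrimSuffix(..., "\n")` removes at most one trailing newline, so an earlier inline value ending in "\r\n" or in several newlines leaves a stray carriage return or blank lines between the PEM blocks. If the resulting `inLineCAs` value is meant to be tidy, trim all trailing "\r" and "\n" before adding the separator; otherwise extend the comment to say that extra whitespace between blocks is accepted. Both dereferences (`*obj.Spec.InLineCAs` and `*in.InLine`) also rely on nil checks that sit outside the lines shown here.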

Member


note: I'm not massively against breaking strict round-trippability here (this should probably be a pretty rare case). Plus, I can't really see a way for this to lead to actual data loss, just a change of format. This seems OK to me!

Comment thread pkg/apis/trust/v1alpha1/conversion_test.go
Signed-off-by: Erik Godding Boye <egboye@gmail.com>

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.


@SgtCoDFish SgtCoDFish left a comment

Member


/lgtm
/approve

Thank you for this 😁

@cert-manager-prow cert-manager-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Jan 20, 2026
@cert-manager-prow

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 20, 2026
@cert-manager-prow cert-manager-prow Bot merged commit 7539727 into cert-manager:main Jan 20, 2026
12 checks passed