Skip to content

Add self-healing for CA bundle configmaps in user namespaces#3247

Merged
tekton-robot merged 1 commit intotektoncd:mainfrom
ab-ghosh:self-healing-ca-bundle-configmaps
Mar 4, 2026
Merged

Add self-healing for CA bundle configmaps in user namespaces#3247
tekton-robot merged 1 commit intotektoncd:mainfrom
ab-ghosh:self-healing-ca-bundle-configmaps

Conversation

@ab-ghosh
Copy link
Copy Markdown
Member

@ab-ghosh ab-ghosh commented Feb 26, 2026
edited
Loading

Changes

  • Added self healing check in getNamespacesToBeReconciled() to verify CA bundle configmaps (config-trusted-cabundle, config-service-cabundle) exist even when the namespace label indicates reconciliation is complete
  • Follows the same pattern as existing RBAC self-healing (RoleBinding existence check)
  • Logs a warning when missing configmaps are detected despite the label being present
  • Added unit tests

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

Add self-healing for CA bundle configmaps in user namespaces

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Feb 26, 2026
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 26, 2026
@ab-ghosh
Copy link
Copy Markdown
Member Author

ab-ghosh commented Feb 26, 2026
edited
Loading

Tested the upgrade scenario and it's working as expected

pramodbindal
pramodbindal reviewed Feb 26, 2026
View reviewed changes
Comment thread pkg/reconciler/openshift/tektonconfig/rbac.go Outdated
needsCABundle = true
} else {
// Self-healing: verify configmaps exist even when label matches
_, err1 := r.kubeClientSet.CoreV1().ConfigMaps(ns.Name).Get(ctx, trustedCABundleConfigMap, metav1.GetOptions{})
Copy link
Copy Markdown
Member

@pramodbindal pramodbindal Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can reuse the r.kubeClientSet.CoreV1().ConfigMaps(ns.Name) part.

@ab-ghosh ab-ghosh force-pushed the self-healing-ca-bundle-configmaps branch from ccaa779 to 16ef4a8 Compare February 26, 2026 10:41
@pramodbindal
Copy link
Copy Markdown
Member

pramodbindal commented Feb 26, 2026

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 26, 2026
@mathur07
Copy link
Copy Markdown

mathur07 commented Feb 26, 2026

/lgtm

@tekton-robot
Copy link
Copy Markdown
Contributor

tekton-robot commented Feb 26, 2026

@mathur07: changing LGTM is restricted to collaborators

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ab-ghosh
Copy link
Copy Markdown
Member Author

ab-ghosh commented Feb 27, 2026

/cc @jkhelil

@tekton-robot tekton-robot requested a review from jkhelil February 27, 2026 06:01
jkhelil
jkhelil reviewed Feb 27, 2026
View reviewed changes
Comment thread pkg/reconciler/openshift/tektonconfig/rbac.go Outdated
}

// Check if namespace needs CA bundle reconciliation
needsCABundle := false
Copy link
Copy Markdown
Member

@jkhelil jkhelil Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ab-ghosh can you extract cabundle process in its own function for readbility
same for rbac
We wold have
for _, ns := range ... {
if shouldIgnore(ns) {
continue
}

if r.needsRBAC(ns) {
    result.RBACNamespaces = append(...)
}

if r.needsCABundle(ns) {
    result.CANamespaces = append(...)
}

}

@ab-ghosh ab-ghosh force-pushed the self-healing-ca-bundle-configmaps branch from 16ef4a8 to c0a2a1d Compare February 27, 2026 17:33
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Feb 27, 2026
@ab-ghosh
Add self-healing for CA bundle configmaps in user namespaces
305ba62 
Previously, the operator used the namespace label
namespace-trusted-configmaps-version to determine if CA bundle
configmaps were reconciled. Once the label matched the current
version, the namespace was permanently skipped even if the
configmaps were deleted externally.

This adds a self-healing check in getNamespacesToBeReconciled(),
matching the existing RBAC self-healing pattern that verifies
RoleBinding existence. When the label matches but either
config-trusted-cabundle or config-service-cabundle configmap is
missing, the namespace is marked for re-reconciliation and a
warning is logged.

Signed-off-by: ab-ghosh <abghosh@redhat.com>
@ab-ghosh ab-ghosh force-pushed the self-healing-ca-bundle-configmaps branch from c0a2a1d to 305ba62 Compare February 28, 2026 08:47
@jkhelil
Copy link
Copy Markdown
Member

jkhelil commented Mar 2, 2026

@ab-ghosh have you done a test on openshift ? (please create a couple of namespaces)
Please do an upgrade test also

@ab-ghosh
Copy link
Copy Markdown
Member Author

ab-ghosh commented Mar 2, 2026

@jkhelil I have already tested on openshift, including the upgrade test, before the code refactor.
will do the tests again to reconfirm after the refactor changes.

@ab-ghosh
Copy link
Copy Markdown
Member Author

ab-ghosh commented Mar 2, 2026

re-tested the changes on openshift and upgrade test, works as expected

@jkhelil
Copy link
Copy Markdown
Member

jkhelil commented Mar 2, 2026

/approve

@tekton-robot
Copy link
Copy Markdown
Contributor

tekton-robot commented Mar 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkhelil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 2, 2026
@jkhelil
Copy link
Copy Markdown
Member

jkhelil commented Mar 2, 2026

@anithapriyanatarajan @mbpavan PTAL

@mbpavan
Copy link
Copy Markdown
Contributor

mbpavan commented Mar 4, 2026

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 4, 2026
@tekton-robot tekton-robot merged commit cc10d0d into tektoncd:main Mar 4, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkhelil jkhelil jkhelil left review comments

@piyush-garg piyush-garg Awaiting requested review from piyush-garg

@pramodbindal pramodbindal Awaiting requested review from pramodbindal

Assignees

@pramodbindal pramodbindal

@mbpavan mbpavan

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ab-ghosh @pramodbindal @mathur07 @tekton-robot @jkhelil @mbpavan