fix(domainCA): lookup in kcpsetup regardless if oidc patch is enabled (#141)

* fix(domainCA): lookup in kcpsetup regardless if oidc patch is enabled

On-behalf-of: @SAP [email protected]
Signed-off-by: Angel Kafazov <[email protected]>

* fix(controller): pin ocm-controller image version

On-behalf-of: @SAP [email protected]
Signed-off-by: Angel Kafazov <[email protected]>

---------

Signed-off-by: Angel Kafazov <[email protected]>

Author: akafazov

pkg/subroutines/kcpsetup.go

@@ -244,22 +244,20 @@ func (r *KcpsetupSubroutine) getCABundleInventory(
 	validatingB64Data := base64.StdEncoding.EncodeToString(validatingCaData)
 	caBundles[validatingKey] = validatingB64Data
 
-	if r.cfg.Subroutines.PatchOIDC.DomainCALookup {
-		domainCA, err := r.getCaBundle(ctx, &corev1alpha1.WebhookConfiguration{
-			SecretData: "tls.crt",
-			SecretRef: corev1alpha1.SecretReference{
-				Name:      "domain-certificate-ca",
-				Namespace: "platform-mesh-system",
-			},
-		})
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to get Domain CA bundle")
-			return nil, errors.Wrap(err, "Failed to get Domain CA bundle")
-		}
-
-		caBundles["domainCA"] = base64.StdEncoding.EncodeToString(domainCA)
+	domainCA, err := r.getCaBundle(ctx, &corev1alpha1.WebhookConfiguration{
+		SecretData: "tls.crt",
+		SecretRef: corev1alpha1.SecretReference{
+			Name:      "domain-certificate-ca",
+			Namespace: "platform-mesh-system",
+		},
+	})
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to get Domain CA bundle")
+		return nil, errors.Wrap(err, "Failed to get Domain CA bundle")
 	}
 
+	caBundles["domainCA"] = base64.StdEncoding.EncodeToString(domainCA)
+
 	// Cache the results
 	r.caBundleCache = caBundles
 

pkg/subroutines/kcpsetup_test.go

@@ -148,6 +148,21 @@ func (s *KcpsetupTestSuite) Test_getCABundleInventory() {
 		}).
 		Once() // Only called once due to caching
 
+	s.clientMock.EXPECT().
+		Get(mock.Anything, types.NamespacedName{
+			Name:      "domain-certificate-ca",
+			Namespace: "platform-mesh-system",
+		}, mock.Anything).
+		RunAndReturn(func(ctx context.Context, nn types.NamespacedName, obj client.Object, opts ...client.GetOption) error {
+			secret := obj.(*corev1.Secret)
+			secret.Data = map[string][]byte{
+				"ca.crt":  []byte("test-ca-data"),
+				"tls.crt": []byte("test-tls-crt"),
+				"tls.key": []byte("test-tls-key"),
+			}
+			return nil
+		})
+
 	// First call should fetch from secrets
 	inventory, err := s.testObj.GetCABundleInventory(ctx)
 	s.Assert().NoError(err)
@@ -323,6 +338,20 @@ func (s *KcpsetupTestSuite) TestProcess() {
 			}
 			return nil
 		})
+	s.clientMock.EXPECT().
+		Get(mock.Anything, types.NamespacedName{
+			Name:      "domain-certificate-ca",
+			Namespace: "platform-mesh-system",
+		}, mock.Anything).
+		RunAndReturn(func(ctx context.Context, nn types.NamespacedName, obj client.Object, opts ...client.GetOption) error {
+			secret := obj.(*corev1.Secret)
+			secret.Data = map[string][]byte{
+				"ca.crt":  []byte("test-ca-data"),
+				"tls.crt": []byte("test-tls-crt"),
+				"tls.key": []byte("test-tls-key"),
+			}
+			return nil
+		})
 
 	// Mock the webhook server cert lookup (called once since we cache results)
 	s.clientMock.EXPECT().
@@ -572,6 +601,21 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 		Return(nil).
 		Once()
 
+		// Mock the mutating webhook secret lookup (called once due to caching)
+	mockedK8sClient.EXPECT().Get(mock.Anything, types.NamespacedName{
+		Name:      "domain-certificate-ca",
+		Namespace: webhookConfig.SecretRef.Namespace,
+	}, mock.AnythingOfType("*v1.Secret")).
+		Run(func(ctx context.Context, key types.NamespacedName, obj client.Object, opts ...client.GetOption) {
+			sec := obj.(*corev1.Secret)
+			sec.Data = map[string][]byte{
+				"ca.crt":  []byte("test-ca-data"),
+				"tls.crt": []byte("test-tls-crt"),
+				"tls.key": []byte("test-tls-key"),
+			}
+		}).
+		Return(nil)
+
 	// Mock the validating webhook secret lookup (called once due to caching)
 	mockedK8sClient.EXPECT().Get(mock.Anything, types.NamespacedName{
 		Name:      validatingWebhookConfig.SecretRef.Name,