From 63944dba25c2b125a0c9cf215678100277451482 Mon Sep 17 00:00:00 2001
From: Enrique Llorente Pastora
Date: Thu, 2 Dec 2021 12:37:25 +0100
Subject: [PATCH] certificate: Reconcile only created secrets (#60)

If two cert-managers are running at a cluster they will each other secrets since the kube-admission-webhook annotation is there. This change filter the secrets and only reconcile the ones with the CA cert name from webhook config and the services owned by them.

Signed-off-by: Quique Llorente
---
 pkg/certificate/controller.go | 37 +++++++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/pkg/certificate/controller.go b/pkg/certificate/controller.go
index 9f7d9256..218a6663 100644
--- a/pkg/certificate/controller.go
+++ b/pkg/certificate/controller.go
@@ -43,19 +43,48 @@ func (m *Manager) add(mgr manager.Manager, r reconcile.Reconciler) error {
 		return object.GetName() == m.webhookName
 	}
 
+	isCASecret := func(object client.Object) bool {
+		return object.GetName() == m.caSecretKey().Name
+	}
+
+	isServiceSecret := func(object client.Object) bool {
+		webhookConf, err := m.readyWebhookConfiguration()
+		if err != nil {
+			m.log.Info(fmt.Sprintf("failed checking if it's a generated secret: failed getting webhook configuration: %v", err))
+			return false
+		}
+
+		services, err := m.getServicesFromConfiguration(webhookConf)
+		if err != nil {
+			m.log.Info(fmt.Sprintf("failed checking if it's a generated secret: failed getting webhook configuration services: %v", err))
+			return false
+		}
+
+		for service, _ := range services {
+			if object.GetName() == service.Name {
+				return true
+			}
+		}
+		return false
+	}
+
+	isGeneratedSecret := func(object client.Object) bool {
+		return isCASecret(object) || isServiceSecret(object)
+	}
+
 	// Watch only events for selected m.webhookName
 	onEventForThisWebhook := predicate.Funcs{
 		CreateFunc: func(createEvent event.CreateEvent) bool {
-			return isWebhookConfig(createEvent.Object) || isAnnotatedResource(createEvent.Object)
+			return isWebhookConfig(createEvent.Object) || (isAnnotatedResource(createEvent.Object) && isGeneratedSecret(createEvent.Object))
 		},
 		DeleteFunc: func(deleteEvent event.DeleteEvent) bool {
-			return isAnnotatedResource(deleteEvent.Object)
+			return isAnnotatedResource(deleteEvent.Object) && isGeneratedSecret(deleteEvent.Object)
 		},
 		UpdateFunc: func(updateEvent event.UpdateEvent) bool {
-			return isWebhookConfig(updateEvent.ObjectOld) || isAnnotatedResource(updateEvent.ObjectOld)
+			return isWebhookConfig(updateEvent.ObjectOld) || (isAnnotatedResource(updateEvent.ObjectOld) && isGeneratedSecret(updateEvent.ObjectOld))
 		},
 		GenericFunc: func(genericEvent event.GenericEvent) bool {
-			return isWebhookConfig(genericEvent.Object) || isAnnotatedResource(genericEvent.Object)
+			return isWebhookConfig(genericEvent.Object) || (isAnnotatedResource(genericEvent.Object) && isGeneratedSecret(genericEvent.Object))
 		},
 	}
 
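Review bot: The new isCASecret and isServiceSecret predicates compare only the object name, so a secret with the same name in another namespace still passes the filter and two managers deployed in different namespaces could keep reconciling each other's secrets unless the manager cache is namespace-scoped; if `m.caSecretKey()` and the `services` map keys are `types.NamespacedName` values, as the `.Name` accesses suggest, the check should also include the namespace, e.g. `return object.GetName() == m.caSecretKey().Name && object.GetNamespace() == m.caSecretKey().Namespace`. isServiceSecret also issues two client reads on every annotated-resource event because it runs inside the watch predicate; that is only cheap if those reads are served from the informer cache, otherwise the webhook services should be resolved once and reused. `for service, _ := range services` should be `for service := range services`, and if `m.log` is a logr.Logger the two `m.log.Info(fmt.Sprintf(...))` calls would be clearer as `m.log.Error(err, "failed checking if it's a generated secret: failed getting webhook configuration")` so the error is a structured field rather than interpolated text. The enclosing add() continues past the hunk.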