[CD] Filter Secret caching

controllers/common/utils.go

@@ -264,6 +264,21 @@ func MergeMap(in map[string]string, mergeMap map[string]string) map[string]strin
 	return mergeMap
 }
 
+func MergeMaps(dst map[string]string, srcs ...map[string]string) map[string]string {
+	if dst == nil {
+		dst = make(map[string]string)
+	}
+	if len(srcs) < 1 {
+		return dst
+	}
+	for _, src := range srcs {
+		for k, v := range src {
+			dst[k] = v
+		}
+	}
+	return dst
+}
+
 func GetBindInfoRefreshMap() map[string]string {
 	return map[string]string{
 		"bindinfoRefresh/configmap": DatastoreEDBCMName,
@@ -297,3 +312,12 @@ func ReduceSubreconcilerResultsAndErrors(results []*ctrl.Result, errs []error) (
 
 	return
 }
+
+// GetCommonLabels sets Kubernetes' recommended labels for the given object.  It
+// returns true if any labels were changed, false otherwise.
+func GetCommonLabels() (l map[string]string) {
+	return map[string]string{
+		"app.kubernetes.io/part-of":    "im",
+		"app.kubernetes.io/managed-by": "ibm-iam-operator",
+	}
+}

controllers/oidc.security/client_controller.go

@@ -18,6 +18,7 @@ package oidcsecurity
 
 import (
 	"context"
+	"maps"
 	"net/http"
 	"strconv"
 	"strings"
@@ -286,6 +287,16 @@ func (r *ClientReconciler) ensureSecretAndClientIdSet(ctx context.Context, req c
 		return subreconciler.Requeue()
 	}
 
+	labels := common.MergeMaps(nil, secret.Labels, common.GetCommonLabels())
+	if !maps.Equal(secret.Labels, labels) {
+		secret.Labels = labels
+		if err = r.Update(ctx, secret); err != nil {
+			reqLogger.Error(err, "Failed to add missing labels")
+			return subreconciler.RequeueWithError(err)
+		}
+		return subreconciler.Requeue()
+	}
+
 	secretClientId := string(secret.Data["CLIENT_ID"])
 	if clientCR.Spec.ClientId != secretClientId {
 		clientCR.Spec.ClientId = string(secret.Data["CLIENT_ID"])
@@ -748,10 +759,10 @@ func getClientCredsFromSecret(secret *corev1.Secret) (clientCreds *ClientCredent
 
 func (r *ClientReconciler) createNewSecretForClient(ctx context.Context, client *oidcsecurityv1.Client) (*corev1.Secret, error) {
 	reqLogger := logf.FromContext(ctx, "Request.Namespace", client.Namespace, "client.Name", client.Name)
-	labels := map[string]string{
+	labels := common.MergeMaps(nil, map[string]string{
 		"app.kubernetes.io/managed-by":          "OIDCClientRegistration.oidc.security.ibm.com",
 		"client.oidc.security.ibm.com/owned-by": client.Name,
-	}
+	}, common.GetCommonLabels())
 
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{

controllers/oidc.security/errors.go

@@ -56,6 +56,7 @@ func NewOIDCClientRegistrationError(clientID, requestMethod, origErrMsg string,
 		return
 	}
 	if response == nil || response.Body == nil {
+		oidcErr.Description = "no response received"
 		return
 	}
 	defer response.Body.Close()

controllers/oidc.security/zen_registration.go

@@ -56,7 +56,7 @@ func (r *ClientReconciler) getZenInstanceRegistration(ctx context.Context, clien
 	switch v := err.(type) {
 	case *OIDCClientRegistrationError:
 		// Return no response or error if the OIDC client isn't found given a token couldn't be retrieved
-		if v.response.StatusCode == 404 {
+		if v.response != nil && v.response.StatusCode == 404 {
 			return nil, nil
 		}
 		return
@@ -181,7 +181,7 @@ func (r *ClientReconciler) registerZenInstance(ctx context.Context, clientCR *oi
 	switch v := err.(type) {
 	case *OIDCClientRegistrationError:
 		// Return no response or error if the OIDC client isn't found given a token couldn't be retrieved
-		if v.response.StatusCode == 404 {
+		if v.response != nil && v.response.StatusCode == 404 {
 			return nil
 		}
 		return

controllers/operator/deployment.go

@@ -147,8 +147,11 @@ func (r *AuthenticationReconciler) handleDeployment(instance *operatorv1alpha1.A
 		if val, ok := currentDeployment.Spec.Template.ObjectMeta.Annotations[bindInfoAnnotation]; ok {
 			authDep.Spec.Template.ObjectMeta.Annotations[bindInfoAnnotation] = val
 		}
-		metaLabels := ctrlCommon.MergeMap(map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"}, currentDeployment.Labels)
-		metaAnnotations := ctrlCommon.MergeMap(ctrlCommon.GetBindInfoRefreshMap(), currentDeployment.Annotations)
+		metaLabels := ctrlCommon.MergeMaps(nil,
+			currentDeployment.Labels,
+			map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"},
+			ctrlCommon.GetCommonLabels())
+		metaAnnotations := ctrlCommon.MergeMaps(nil, currentDeployment.Annotations, ctrlCommon.GetBindInfoRefreshMap())
 		currentDeployment.Labels = metaLabels
 		currentDeployment.Annotations = metaAnnotations
 		currentDeployment.Spec = authDep.Spec
@@ -207,8 +210,12 @@ func (r *AuthenticationReconciler) handleDeployment(instance *operatorv1alpha1.A
 		if val, ok := currentManagerDeployment.Spec.Template.ObjectMeta.Annotations[bindInfoAnnotation]; ok {
 			ocwDep.Spec.Template.ObjectMeta.Annotations[bindInfoAnnotation] = val
 		}
-		metaLabels := ctrlCommon.MergeMap(map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"}, currentManagerDeployment.Labels)
-		metaAnnotations := ctrlCommon.MergeMap(ctrlCommon.GetBindInfoRefreshMap(), currentManagerDeployment.Annotations)
+		metaLabels := ctrlCommon.MergeMaps(nil,
+			currentManagerDeployment.Labels,
+			map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"},
+			ctrlCommon.GetCommonLabels(),
+		)
+		metaAnnotations := ctrlCommon.MergeMaps(nil, currentManagerDeployment.Annotations, ctrlCommon.GetBindInfoRefreshMap())
 		currentManagerDeployment.Labels = metaLabels
 		currentManagerDeployment.Annotations = metaAnnotations
 		currentManagerDeployment.Spec = ocwDep.Spec
@@ -270,8 +277,11 @@ func (r *AuthenticationReconciler) handleDeployment(instance *operatorv1alpha1.A
 		if val, ok := currentProviderDeployment.Spec.Template.ObjectMeta.Annotations[bindInfoAnnotation]; ok {
 			provDep.Spec.Template.ObjectMeta.Annotations[bindInfoAnnotation] = val
 		}
-		metaLabels := ctrlCommon.MergeMap(map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"}, currentProviderDeployment.Labels)
-		metaAnnotations := ctrlCommon.MergeMap(ctrlCommon.GetBindInfoRefreshMap(), currentProviderDeployment.Annotations)
+		metaLabels := ctrlCommon.MergeMaps(nil,
+			currentProviderDeployment.Labels,
+			map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"},
+			ctrlCommon.GetCommonLabels())
+		metaAnnotations := ctrlCommon.MergeMaps(nil, currentProviderDeployment.Annotations, ctrlCommon.GetBindInfoRefreshMap())
 		currentProviderDeployment.Labels = metaLabels
 		currentProviderDeployment.Annotations = metaAnnotations
 		currentProviderDeployment.Spec = provDep.Spec
@@ -333,16 +343,22 @@ func generateDeploymentObject(instance *operatorv1alpha1.Authentication, scheme
 	ldapCACert := instance.Spec.AuthService.LdapsCACert
 	routerCertSecret := instance.Spec.AuthService.RouterCertSecret
 
-	metaLabels := common.MergeMap(map[string]string{"app": deployment}, instance.Spec.Labels)
-	metaLabels = common.MergeMap(map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"}, metaLabels)
+	metaLabels := common.MergeMaps(nil,
+		instance.Spec.Labels,
+		map[string]string{"app": deployment},
+		ctrlCommon.GetCommonLabels(),
+		map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"})
 	podMetadataLabels := map[string]string{
 		"app":                        deployment,
 		"k8s-app":                    deployment,
 		"component":                  deployment,
 		"app.kubernetes.io/instance": "platform-auth-service",
 		"intent":                     "projected",
 	}
-	podLabels := common.MergeMap(podMetadataLabels, instance.Spec.Labels)
+	podLabels := common.MergeMaps(nil,
+		instance.Spec.Labels,
+		podMetadataLabels,
+		ctrlCommon.GetCommonLabels())
 
 	idpDeployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
@@ -493,16 +509,19 @@ func generateProviderDeploymentObject(instance *operatorv1alpha1.Authentication,
 	ldapCACert := instance.Spec.AuthService.LdapsCACert
 	routerCertSecret := instance.Spec.AuthService.RouterCertSecret
 
-	metaLabels := common.MergeMap(map[string]string{"app": deployment}, instance.Spec.Labels)
-	metaLabels = common.MergeMap(map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"}, metaLabels)
+	metaLabels := common.MergeMaps(nil,
+		instance.Spec.Labels,
+		map[string]string{"app": deployment},
+		map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"},
+		ctrlCommon.GetCommonLabels())
 	podMetadataLabels := map[string]string{
 		"app":                        deployment,
 		"k8s-app":                    deployment,
 		"component":                  deployment,
 		"app.kubernetes.io/instance": "platform-identity-provider",
 		"intent":                     "projected",
 	}
-	podLabels := common.MergeMap(podMetadataLabels, instance.Spec.Labels)
+	podLabels := common.MergeMaps(nil, instance.Spec.Labels, podMetadataLabels, ctrlCommon.GetCommonLabels())
 
 	idpDeployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
@@ -653,16 +672,19 @@ func generateManagerDeploymentObject(instance *operatorv1alpha1.Authentication,
 	ldapCACert := instance.Spec.AuthService.LdapsCACert
 	routerCertSecret := instance.Spec.AuthService.RouterCertSecret
 
-	metaLabels := common.MergeMap(map[string]string{"app": deployment}, instance.Spec.Labels)
-	metaLabels = common.MergeMap(map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"}, metaLabels)
+	metaLabels := common.MergeMaps(nil,
+		instance.Spec.Labels,
+		map[string]string{"app": deployment},
+		map[string]string{"operator.ibm.com/bindinfoRefresh": "enabled"},
+		ctrlCommon.GetCommonLabels())
 	podMetadataLabels := map[string]string{
 		"app":                        deployment,
 		"k8s-app":                    deployment,
 		"component":                  deployment,
 		"app.kubernetes.io/instance": "platform-identity-management",
 		"intent":                     "projected",
 	}
-	podLabels := common.MergeMap(podMetadataLabels, instance.Spec.Labels)
+	podLabels := common.MergeMaps(nil, instance.Spec.Labels, podMetadataLabels, ctrlCommon.GetCommonLabels())
 
 	idpDeployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{

controllers/operator/job.go

@@ -21,6 +21,7 @@ import (
 
 	operatorv1alpha1 "github.com/IBM/ibm-iam-operator/apis/operator/v1alpha1"
 	"github.com/IBM/ibm-iam-operator/controllers/common"
+	ctrlcommon "github.com/IBM/ibm-iam-operator/controllers/common"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -92,12 +93,15 @@ func generateJobObject(instance *operatorv1alpha1.Authentication, scheme *runtim
 	image := common.GetImageRef("IM_INITCONTAINER_IMAGE")
 	resources := instance.Spec.ClientRegistration.Resources
 
-	metaLabels := common.MergeMap(map[string]string{"app": jobName}, instance.Spec.Labels)
+	metaLabels := common.MergeMaps(nil,
+		instance.Spec.Labels,
+		map[string]string{"app": jobName},
+		ctrlcommon.GetCommonLabels())
 	podMetaLabels := map[string]string{
 		"app":                        jobName,
 		"app.kubernetes.io/instance": "oidc-client-registration",
 	}
-	podLabels := common.MergeMap(podMetaLabels, instance.Spec.Labels)
+	podLabels := common.MergeMaps(nil, instance.Spec.Labels, podMetaLabels, ctrlcommon.GetCommonLabels())
 	if resources == nil {
 		resources = &corev1.ResourceRequirements{
 			Limits: map[corev1.ResourceName]resource.Quantity{

controllers/operator/routes.go

@@ -490,7 +490,7 @@ func (r *AuthenticationReconciler) newRoute(authCR *operatorv1alpha1.Authenticat
 	weight := int32(100)
 
 	commonLabel := map[string]string{"app": "im"}
-	routeLabels := ctrlcommon.MergeMap(commonLabel, authCR.Spec.Labels)
+	routeLabels := ctrlcommon.MergeMaps(nil, authCR.Spec.Labels, commonLabel, ctrlcommon.GetCommonLabels())
 
 	route := &routev1.Route{
 		TypeMeta: metav1.TypeMeta{

controllers/operator/secret.go

@@ -18,6 +18,7 @@ package operator
 
 import (
 	"context"
+	"maps"
 	"reflect"
 	"time"
 
@@ -111,6 +112,11 @@ func (r *AuthenticationReconciler) handleSecret(instance *operatorv1alpha1.Authe
 			}
 		} else {
 			secretUpdateRequired := false
+			generatedLabels := ctrlCommon.MergeMaps(nil, currentSecret.Labels, ctrlCommon.GetCommonLabels())
+			if !maps.Equal(generatedLabels, currentSecret.Labels) {
+				currentSecret.Labels = generatedLabels
+				secretUpdateRequired = true
+			}
 			if secret == "platform-auth-idp-encryption" {
 				if _, keyExists := currentSecret.Data["ENCRYPTION_IV"]; !keyExists {
 					reqLogger.Info("Updating an existing Secret", "Secret.Namespace", currentSecret.Namespace, "Secret.Name", currentSecret.Name)
@@ -154,10 +160,12 @@ func (r *AuthenticationReconciler) handleSecret(instance *operatorv1alpha1.Authe
 
 func generateSecretObject(instance *operatorv1alpha1.Authentication, scheme *runtime.Scheme, secretName string, secretData map[string][]byte) *corev1.Secret {
 	reqLogger := log.WithValues("Instance.Namespace", instance.Namespace, "Instance.Name", instance.Name, "Secret.Name", secretName)
+	labels := ctrlCommon.MergeMaps(nil, ctrlCommon.GetCommonLabels())
 	newSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretName,
 			Namespace: instance.Namespace,
+			Labels:    labels,
 		},
 		Type: corev1.SecretTypeOpaque,
 		Data: secretData,
@@ -195,14 +203,16 @@ func (r *AuthenticationReconciler) createClusterCACert(i *operatorv1alpha1.Authe
 	reqLogger := log.WithValues("Instance.Namespace", i.Namespace, "Instance.Name", i.Name, "Secret.Name", secretName)
 
 	// create ibmcloud-cluster-ca-cert
-	labels := map[string]string{
-		"app":                          "platform-auth-service",
-		"component":                    "platform-auth-service",
-		"app.kubernetes.io/component":  "platform-auth-service",
-		"app.kubernetes.io/name":       "platform-auth-service",
-		"app.kubernetes.io/instance":   "platform-auth-service",
-		"app.kubernetes.io/managed-by": "",
-	}
+	labels := ctrlCommon.MergeMaps(nil,
+		map[string]string{
+			"app":                          "platform-auth-service",
+			"component":                    "platform-auth-service",
+			"app.kubernetes.io/component":  "platform-auth-service",
+			"app.kubernetes.io/name":       "platform-auth-service",
+			"app.kubernetes.io/instance":   "platform-auth-service",
+			"app.kubernetes.io/managed-by": "",
+		},
+		ctrlCommon.GetCommonLabels())
 	clusterSecret := &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "Secret",

go.mod

@@ -22,6 +22,7 @@ require (
 )
 
 require (
+	github.com/IBM/controller-filtered-cache v0.3.6 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -34,6 +35,7 @@ require (
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
@@ -86,6 +88,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.28.1 // indirect
 	k8s.io/component-base v0.28.1 // indirect
+	k8s.io/klog v1.0.0 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect

go.sum

@@ -1,3 +1,5 @@
+github.com/IBM/controller-filtered-cache v0.3.6 h1:ubY+/6eUYWNVtixxfASAH6Vl6Ip8+4uLgTJRI9A3BuI=
+github.com/IBM/controller-filtered-cache v0.3.6/go.mod h1:mlxnsjbBam62wAdh3w5vu+mewZbOszFAQs8KMo9oGC0=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -21,6 +23,7 @@ github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJ
 github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -34,6 +37,8 @@ github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA=
+github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -265,6 +270,8 @@ k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8=
 k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE=
 k8s.io/component-base v0.28.1 h1:LA4AujMlK2mr0tZbQDZkjWbdhTV5bRyEyAFe0TJxlWg=
 k8s.io/component-base v0.28.1/go.mod h1:jI11OyhbX21Qtbav7JkhehyBsIRfnO8oEgoAR12ArIU=
+k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
+k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f h1:eeEUOoGYWhOz7EyXqhlR2zHKNw2mNJ9vzJmub6YN6kk=