From b5fea3e6841e7d8aaefbd9b83f636fab13532884 Mon Sep 17 00:00:00 2001
From: Joe Rocklin <124265+joerocklin@users.noreply.github.com>
Date: Wed, 29 Oct 2025 09:46:34 -0400
Subject: [PATCH] Ensure root CA certificate secret inherits cluster metadata

Add support for propagating PostgresCluster metadata (labels and annotations) to the root CA certificate secret. This allows users to apply custom labels and annotations defined in the cluster spec to the shared root certificate secret.

Changes:
- Updated reconcileRootCertificate to merge cluster metadata into the root certificate secret's labels and annotations
- Updated testCluster helper to include metadata for testing purposes
- Added tests to verify labels and annotations are properly set on the root CA secret
---
 .../postgrescluster/helpers_test.go | 6 +++++-
 internal/controller/postgrescluster/pki.go | 2 ++
 .../controller/postgrescluster/pki_test.go | 20 +++++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/internal/controller/postgrescluster/helpers_test.go b/internal/controller/postgrescluster/helpers_test.go
index 9f7d177627..5677e439e5 100644
--- a/internal/controller/postgrescluster/helpers_test.go
+++ b/internal/controller/postgrescluster/helpers_test.go
@@ -117,7 +117,11 @@ func testCluster() *v1beta1.PostgresCluster {
 },
 Spec: v1beta1.PostgresClusterSpec{
 PostgresVersion: 13,
- Image: CrunchyPostgresHAImage,
+ Metadata: &v1beta1.Metadata{
+ Labels: map[string]string{"env-label": "test-label-value"},
+ Annotations: map[string]string{"env-annotation": "test-annotation-value"},
+ },
+ Image: CrunchyPostgresHAImage,
 ImagePullSecrets: []corev1.LocalObjectReference{{
 Name: "myImagePullSecret"},
 },
diff --git a/internal/controller/postgrescluster/pki.go b/internal/controller/postgrescluster/pki.go
index 0e686d4f72..1ca2369511 100644
--- a/internal/controller/postgrescluster/pki.go
+++ b/internal/controller/postgrescluster/pki.go
@@ -64,6 +64,8 @@ func (r *Reconciler) reconcileRootCertificate(
 intent.Namespace, intent.Name = cluster.Namespace, naming.RootCertSecret
 intent.Data = make(map[string][]byte)
 intent.OwnerReferences = existing.OwnerReferences
+ intent.Annotations = naming.Merge(cluster.Spec.Metadata.GetAnnotationsOrNil())
+ intent.Labels = naming.Merge(cluster.Spec.Metadata.GetLabelsOrNil())
 
 // A root secret is scoped to the namespace where postgrescluster(s)
 // are deployed. For operator deployments with postgresclusters in more than
diff --git a/internal/controller/postgrescluster/pki_test.go b/internal/controller/postgrescluster/pki_test.go
index b61e983258..cfe5d77354 100644
--- a/internal/controller/postgrescluster/pki_test.go
+++ b/internal/controller/postgrescluster/pki_test.go
@@ -137,6 +137,26 @@ func TestReconcileCerts(t *testing.T) {
 assert.DeepEqual(t, *fromSecret, initialRoot.Certificate)
 })
 
+ t.Run("check root CA secret labels", func(t *testing.T) {
+ err := tClient.Get(ctx, client.ObjectKeyFromObject(rootSecret), rootSecret)
+ assert.NilError(t, err)
+
+ assert.Check(t, len(rootSecret.Labels) == 1, "root CA secret labels not set")
+
+ expectedLabel := map[string]string{"env-label": "test-label-value"}
+ assert.DeepEqual(t, rootSecret.Labels, expectedLabel)
+ })
+
+ t.Run("check root CA secret annotations", func(t *testing.T) {
+ err := tClient.Get(ctx, client.ObjectKeyFromObject(rootSecret), rootSecret)
+ assert.NilError(t, err)
+
+ assert.Check(t, len(rootSecret.Annotations) == 1, "root CA secret annotations not set")
+
+ expectedAnnotation := map[string]string{"env-annotation": "test-annotation-value"}
+ assert.DeepEqual(t, rootSecret.Annotations, expectedAnnotation)
+ })
+
 t.Run("root certificate changes", func(t *testing.T) {
 // force the generation of a new root cert
 // create an empty secret and apply the change
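Review bot: The two added assignments replace the shared root secret's labels and annotations with one cluster's metadata on every reconcile, yet the comment directly below says this secret is namespace-scoped and shared by all PostgresClusters in it, and `intent.OwnerReferences = existing.OwnerReferences` already treats it as jointly owned. With two clusters in one namespace each reconcile overwrites the other's entries (last writer wins, so the object changes on every pass) and a label one cluster relies on can silently disappear. Consider folding in what is already on the secret — `intent.Labels = naming.Merge(existing.Labels, cluster.Spec.Metadata.GetLabelsOrNil())` and likewise for annotations, if `naming.Merge` accepts several maps — and add a comment stating that entries are never removed from the shared secret, or document the last-writer-wins semantics explicitly if that is intended. Because this secret carries the root CA private key, it is also worth a comment that any annotation-driven tooling in the namespace (secret replication or sync controllers, where present) would now act on it according to user-supplied metadata. reconcileRootCertificate begins before this hunk.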
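Review bot: The new subtests cover only the single-cluster case, so the property that makes this secret special — it is shared by every PostgresCluster in the namespace — is not exercised; a subtest that reconciles a second cluster with different `Spec.Metadata` against the same root secret would pin down whether the first cluster's labels and annotations survive. In each subtest the `assert.Check(t, len(rootSecret.Labels) == 1, ...)` line is redundant with the `assert.DeepEqual` that follows, since the exact-map comparison already fails on any extra or missing key, so keeping only the DeepEqual makes the intent clearer. TestReconcileCerts begins before this hunk and the "root certificate changes" subtest continues past it.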