CM-716: Address review feedback - RBAC, predicate, and label fixes

sebrandon1 · sebrandon1 · commit 3510c2bcb94b · 2026-05-06T10:17:04.000-05:00
- Remove unused MachineConfig/MachineConfiguration RBAC rules from
  the HTTP01Proxy ClusterRole (the controller never touches MCO APIs)
- Remove GenerationChangedPredicate from the primary HTTP01Proxy watch
  so deletion/finalizer events are not filtered out
- Merge resource labels into DaemonSet pod template instead of
  overwriting to preserve asset-defined labels like app.kubernetes.io/*
diff --git a/bindata/http01-proxy/cert-manager-http01-proxy-clusterrole.yaml b/bindata/http01-proxy/cert-manager-http01-proxy-clusterrole.yaml
@@ -17,18 +17,3 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - operator.openshift.io
-    resources:
-      - machineconfigurations
-    verbs:
-      - update
-  - apiGroups:
-      - machineconfiguration.openshift.io
-    resources:
-      - machineconfigs
-    verbs:
-      - get
-      - list
-      - create
-      - update
diff --git a/pkg/controller/http01proxy/controller.go b/pkg/controller/http01proxy/controller.go
@@ -102,7 +102,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	withIgnoreStatusUpdatePredicates := builder.WithPredicates(predicate.GenerationChangedPredicate{}, controllerManagedResources)
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&v1alpha1.HTTP01Proxy{}, builder.WithPredicates(predicate.GenerationChangedPredicate{})).
+		For(&v1alpha1.HTTP01Proxy{}).
 		Named(ControllerName).
 		Watches(&appsv1.DaemonSet{}, handler.EnqueueRequestsFromMapFunc(mapFunc), withIgnoreStatusUpdatePredicates).
 		Watches(&rbacv1.ClusterRole{}, handler.EnqueueRequestsFromMapFunc(mapFunc), controllerManagedResourcePredicates).
diff --git a/pkg/controller/http01proxy/daemonsets.go b/pkg/controller/http01proxy/daemonsets.go
@@ -33,7 +33,12 @@ func (r *Reconciler) getDaemonSetObject(proxy *v1alpha1.HTTP01Proxy, resourceLab
 
 	ds.SetNamespace(proxy.GetNamespace())
 	common.UpdateResourceLabels(ds, resourceLabels)
-	ds.Spec.Template.Labels = resourceLabels
+	if ds.Spec.Template.Labels == nil {
+		ds.Spec.Template.Labels = map[string]string{}
+	}
+	for k, v := range resourceLabels {
+		ds.Spec.Template.Labels[k] = v
+	}
 
 	// Update image
 	image := os.Getenv(http01proxyImageNameEnvVarName)
diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go
