Address review comments

chiragkyal · chiragkyal · commit 5525eafa161a · 2026-06-17T18:53:14.000+05:30
Signed-off-by: chiragkyal &lt;ckyal@redhat.com&gt;
diff --git a/pkg/controller/external_secrets/certificate.go b/pkg/controller/external_secrets/certificate.go
@@ -71,10 +71,9 @@ func (r *Reconciler) createOrApplyCertificate(esc *operatorv1alpha1.ExternalSecr
 		r.log.V(4).Info("certificate resource already exists and is in expected state", "name", certificateName)
 	}
 	if !exist {
-		if err := r.createWithFallback(desired, resourceMetadata, certificateName); err != nil {
+		if err := r.createWithFallback(desired, resourceMetadata, certificateName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "certificate resource %s created", certificateName)
 	}
 
 	return nil
diff --git a/pkg/controller/external_secrets/configmap.go b/pkg/controller/external_secrets/configmap.go
@@ -1,18 +1,15 @@
 package external_secrets
 
 import (
-	"encoding/json"
 	"fmt"
 	"maps"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
-	operatorclient "github.com/openshift/external-secrets-operator/pkg/controller/client"
 	"github.com/openshift/external-secrets-operator/pkg/controller/common"
 )
 
@@ -70,8 +67,7 @@ func (r *Reconciler) ensureTrustedCABundleConfigMap(esc *operatorv1alpha1.Extern
 				return common.FromClientError(err, "failed to create %s trusted CA bundle ConfigMap resource", configMapName)
 			}
 			r.log.V(1).Info("trusted CA bundle ConfigMap exists on API server but absent from label-filtered cache, patching metadata", "name", configMapName)
-			common.RemoveObsoleteAnnotations(desiredConfigMap, resourceMetadata)
-			if patchErr := r.patchConfigMapMetadata(desiredConfigMap, r.UncachedClient); patchErr != nil {
+			if patchErr := r.patchResourceMetadata(desiredConfigMap, resourceMetadata); patchErr != nil {
 				return common.FromClientError(patchErr, "failed to patch %s trusted CA bundle ConfigMap metadata", configMapName)
 			}
 			r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "trusted CA bundle ConfigMap resource %s restored to desired state", configMapName)
@@ -85,8 +81,7 @@ func (r *Reconciler) ensureTrustedCABundleConfigMap(esc *operatorv1alpha1.Extern
 	// Use a metadata-only patch so CNO-managed Data/BinaryData are never touched.
 	if exist && common.ObjectMetadataModified(desiredConfigMap, existingConfigMap, &resourceMetadata) {
 		r.log.V(1).Info("trusted CA bundle ConfigMap has been modified, patching metadata to desired state", "name", configMapName)
-		common.RemoveObsoleteAnnotations(desiredConfigMap, resourceMetadata)
-		if err := r.patchConfigMapMetadata(desiredConfigMap, r.CtrlClient); err != nil {
+		if err := r.patchResourceMetadata(desiredConfigMap, resourceMetadata); err != nil {
 			return common.FromClientError(err, "failed to patch %s trusted CA bundle ConfigMap metadata", configMapName)
 		}
 		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "trusted CA bundle ConfigMap resource %s reconciled back to desired state", configMapName)
@@ -97,25 +92,6 @@ func (r *Reconciler) ensureTrustedCABundleConfigMap(esc *operatorv1alpha1.Extern
 	return nil
 }
 
-// patchConfigMapMetadata sends a MergePatch that sets only labels and annotations
-// on the ConfigMap, leaving all other fields (especially Data/BinaryData managed
-// by CNO) untouched. The caller chooses the client: the cached client when the
-// object is visible in the informer cache, or the uncached client when it has
-// fallen out of the label-filtered cache.
-func (r *Reconciler) patchConfigMapMetadata(desired *corev1.ConfigMap, patchClient operatorclient.CtrlClient) error {
-	patch := map[string]interface{}{
-		"metadata": map[string]interface{}{
-			"labels":      desired.Labels,
-			"annotations": desired.Annotations,
-		},
-	}
-	patchBytes, err := json.Marshal(patch)
-	if err != nil {
-		return fmt.Errorf("failed to marshal metadata patch: %w", err)
-	}
-	return patchClient.Patch(r.ctx, desired, client.RawPatch(types.MergePatchType, patchBytes))
-}
-
 // getTrustedCABundleLabels merges resource labels with the injection label.
 func getTrustedCABundleLabels(resourceLabels map[string]string) map[string]string {
 	labels := make(map[string]string)
diff --git a/pkg/controller/external_secrets/configmap_test.go b/pkg/controller/external_secrets/configmap_test.go
@@ -119,18 +119,17 @@ func TestEnsureTrustedCABundleConfigMap(t *testing.T) {
 			// When the managed label (app=external-secrets) is removed from the ConfigMap,
 			// the object falls out of the label-filtered cache. The cached Exists() returns
 			// false, Create() fails with AlreadyExists, and the controller must patch only
-			// the metadata (labels/annotations) via the uncached client, leaving
-			// CNO-managed Data/BinaryData untouched.
-			name:             "Create returns AlreadyExists (label-filtered cache miss): uncached client patches metadata",
+			// the metadata (labels/annotations), leaving CNO-managed Data/BinaryData untouched.
+			name:             "Create returns AlreadyExists (label-filtered cache miss): patches metadata to restore labels",
 			resourceMetadata: testResourceMetadata(commontest.TestExternalSecretsConfig()),
-			preReq: func(_ *Reconciler, cached *fakes.FakeCtrlClient, uncached *fakes.FakeCtrlClient) {
+			preReq: func(_ *Reconciler, cached *fakes.FakeCtrlClient, _ *fakes.FakeCtrlClient) {
 				cached.ExistsCalls(func(_ context.Context, _ types.NamespacedName, _ client.Object) (bool, error) {
 					return false, nil
 				})
 				cached.CreateCalls(func(_ context.Context, _ client.Object, _ ...client.CreateOption) error {
 					return apierrors.NewAlreadyExists(schema.GroupResource{Resource: "configmaps"}, trustedCABundleConfigMapName)
 				})
-				uncached.PatchCalls(func(_ context.Context, obj client.Object, patch client.Patch, _ ...client.PatchOption) error {
+				cached.PatchCalls(func(_ context.Context, obj client.Object, patch client.Patch, _ ...client.PatchOption) error {
 					cm, ok := obj.(*corev1.ConfigMap)
 					if !ok {
 						t.Errorf("expected ConfigMap, got %T", obj)
@@ -178,16 +177,16 @@ func TestEnsureTrustedCABundleConfigMap(t *testing.T) {
 			wantErr: "failed to create external-secrets/external-secrets-trusted-ca-bundle trusted CA bundle ConfigMap resource: test client error",
 		},
 		{
-			name:             "uncached Patch fails after AlreadyExists from Create",
+			name:             "Patch fails after AlreadyExists from Create",
 			resourceMetadata: testResourceMetadata(commontest.TestExternalSecretsConfig()),
-			preReq: func(_ *Reconciler, cached *fakes.FakeCtrlClient, uncached *fakes.FakeCtrlClient) {
+			preReq: func(_ *Reconciler, cached *fakes.FakeCtrlClient, _ *fakes.FakeCtrlClient) {
 				cached.ExistsCalls(func(_ context.Context, _ types.NamespacedName, _ client.Object) (bool, error) {
 					return false, nil
 				})
 				cached.CreateCalls(func(_ context.Context, _ client.Object, _ ...client.CreateOption) error {
 					return apierrors.NewAlreadyExists(schema.GroupResource{Resource: "configmaps"}, trustedCABundleConfigMapName)
 				})
-				uncached.PatchCalls(func(_ context.Context, _ client.Object, _ client.Patch, _ ...client.PatchOption) error {
+				cached.PatchCalls(func(_ context.Context, _ client.Object, _ client.Patch, _ ...client.PatchOption) error {
 					return commontest.ErrTestClient
 				})
 			},
@@ -249,10 +248,10 @@ func TestEnsureTrustedCABundleConfigMap(t *testing.T) {
 			if tt.wantCreate && cached.CreateCallCount() == 0 {
 				t.Error("expected Create to be called, but it wasn't")
 			}
-			if tt.wantPatch && cached.PatchCallCount() == 0 && uncached.PatchCallCount() == 0 {
-				t.Error("expected Patch to be called (on cached or uncached client), but it wasn't")
+			if tt.wantPatch && cached.PatchCallCount() == 0 {
+				t.Error("expected Patch to be called, but it wasn't")
 			}
-			if !tt.wantPatch && (cached.PatchCallCount() > 0 || uncached.PatchCallCount() > 0) {
+			if !tt.wantPatch && cached.PatchCallCount() > 0 {
 				t.Error("expected no Patch call, but one was made")
 			}
 		})
diff --git a/pkg/controller/external_secrets/controller.go b/pkg/controller/external_secrets/controller.go
@@ -267,47 +267,33 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	}
 
 	isManagedResource := func(object client.Object) bool {
-		return object.GetLabels() != nil && object.GetLabels()[requestEnqueueLabelKey] == requestEnqueueLabelValue
-	}
-
-	logIgnored := func(obj client.Object) {
-		r.log.V(4).Info("object not of interest, ignoring reconcile event", "object", fmt.Sprintf("%T", obj), "name", obj.GetName(), "namespace", obj.GetNamespace())
+		labels := object.GetLabels()
+		matches := labels != nil && labels[requestEnqueueLabelKey] == requestEnqueueLabelValue
+		r.log.V(4).Info("predicate evaluation", "object", fmt.Sprintf("%T", object), "name", object.GetName(), "namespace", object.GetNamespace(), "labels", labels, "matches", matches)
+		return matches
 	}
 
 	// On updates, check both old and new objects so that events where the managed
 	// label is removed externally still trigger reconciliation and label restoration.
 	managedResources := predicate.Funcs{
 		CreateFunc: func(e event.CreateEvent) bool {
-			if !isManagedResource(e.Object) {
-				logIgnored(e.Object)
-				return false
-			}
-			return true
+			return isManagedResource(e.Object)
 		},
 		UpdateFunc: func(e event.UpdateEvent) bool {
-			if !isManagedResource(e.ObjectOld) && !isManagedResource(e.ObjectNew) {
-				logIgnored(e.ObjectNew)
-				return false
-			}
-			return true
+			return isManagedResource(e.ObjectOld) || isManagedResource(e.ObjectNew)
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
-			if !isManagedResource(e.Object) {
-				logIgnored(e.Object)
-				return false
-			}
-			return true
+			return isManagedResource(e.Object)
 		},
 		GenericFunc: func(e event.GenericEvent) bool {
-			if !isManagedResource(e.Object) {
-				logIgnored(e.Object)
-				return false
-			}
-			return true
+			return isManagedResource(e.Object)
 		},
 	}
 
-	withIgnoreStatusUpdatePredicates := builder.WithPredicates(predicate.GenerationChangedPredicate{}, managedResources)
+	withIgnoreStatusUpdatePredicates := builder.WithPredicates(
+		predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}),
+		managedResources,
+	)
 	managedResourcePredicate := builder.WithPredicates(managedResources)
 
 	mgrBuilder := ctrl.NewControllerManagedBy(mgr).
diff --git a/pkg/controller/external_secrets/deployments.go b/pkg/controller/external_secrets/deployments.go
@@ -88,10 +88,9 @@ func (r *Reconciler) createOrApplyDeploymentFromAsset(esc *operatorv1alpha1.Exte
 		}
 		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s updated", deploymentName)
 	case !exist:
-		if err := r.createWithFallback(deployment, resourceMetadata, deploymentName); err != nil {
+		if err := r.createWithFallback(deployment, resourceMetadata, deploymentName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s created", deploymentName)
 	default:
 		r.log.V(4).Info("deployment resource already exists and is in expected state", "name", deploymentName)
 	}
diff --git a/pkg/controller/external_secrets/networkpolicy.go b/pkg/controller/external_secrets/networkpolicy.go
@@ -144,10 +144,9 @@ func (r *Reconciler) createOrApplyCustomNetworkPolicy(esc *operatorv1alpha1.Exte
 		}
 		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s updated", networkPolicyName)
 	case !exists:
-		if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName); err != nil {
+		if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)
 	default:
 		r.log.V(4).Info("NetworkPolicy already up-to-date", "name", networkPolicyName)
 	}
@@ -183,10 +182,9 @@ func (r *Reconciler) createOrApplyNetworkPolicyFromAsset(esc *operatorv1alpha1.E
 		}
 		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s updated", networkPolicyName)
 	case !exists:
-		if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName); err != nil {
+		if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)
 	default:
 		r.log.V(4).Info("NetworkPolicy already up-to-date", "name", networkPolicyName)
 	}
@@ -288,10 +286,9 @@ func (r *Reconciler) reconcileProxyEgressPolicy(esc *operatorv1alpha1.ExternalSe
 		}
 		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "proxy egress NetworkPolicy %s updated", npName)
 	case !exists:
-		if err := r.createWithFallback(np, resourceMetadata, npName); err != nil {
+		if err := r.createWithFallback(np, resourceMetadata, npName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "proxy egress NetworkPolicy %s created", npName)
 		if recon {
 			r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "proxy egress NetworkPolicy %s already exists", npName)
 		}
diff --git a/pkg/controller/external_secrets/rbacs.go b/pkg/controller/external_secrets/rbacs.go
@@ -125,10 +125,9 @@ func (r *Reconciler) createOrApplyClusterRole(esc *operatorv1alpha1.ExternalSecr
 		r.log.V(4).Info("clusterrole resource already exists and is in expected state", "name", clusterRoleName)
 	}
 	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, clusterRoleName); err != nil {
+		if err := r.createWithFallback(obj, resourceMetadata, clusterRoleName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrole resource %s created", clusterRoleName)
 	}
 
 	return nil
@@ -171,10 +170,9 @@ func (r *Reconciler) createOrApplyClusterRoleBinding(esc *operatorv1alpha1.Exter
 		r.log.V(4).Info("clusterrolebinding resource already exists and is in expected state", "name", clusterRoleBindingName)
 	}
 	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, clusterRoleBindingName); err != nil {
+		if err := r.createWithFallback(obj, resourceMetadata, clusterRoleBindingName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrolebinding resource %s created", clusterRoleBindingName)
 	}
 
 	return nil
@@ -215,10 +213,9 @@ func (r *Reconciler) createOrApplyRole(esc *operatorv1alpha1.ExternalSecretsConf
 		r.log.V(4).Info("role resource already exists and is in expected state", "name", roleName)
 	}
 	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, roleName); err != nil {
+		if err := r.createWithFallback(obj, resourceMetadata, roleName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "role resource %s created", roleName)
 	}
 
 	return nil
@@ -258,10 +255,9 @@ func (r *Reconciler) createOrApplyRoleBinding(esc *operatorv1alpha1.ExternalSecr
 		r.log.V(4).Info("rolebinding resource already exists and is in expected state", "name", roleBindingName)
 	}
 	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, roleBindingName); err != nil {
+		if err := r.createWithFallback(obj, resourceMetadata, roleBindingName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "rolebinding resource %s created", roleBindingName)
 	}
 
 	return nil
diff --git a/pkg/controller/external_secrets/secret.go b/pkg/controller/external_secrets/secret.go
@@ -44,10 +44,9 @@ func (r *Reconciler) createOrApplySecret(esc *operatorv1alpha1.ExternalSecretsCo
 	}
 
 	if !exist {
-		if err := r.createWithFallback(desired, resourceMetadata, secretName); err != nil {
+		if err := r.createWithFallback(desired, resourceMetadata, secretName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "secret resource %s created", secretName)
 	}
 	return nil
 }
diff --git a/pkg/controller/external_secrets/serviceaccounts.go b/pkg/controller/external_secrets/serviceaccounts.go
@@ -69,10 +69,9 @@ func (r *Reconciler) createOrApplyServiceAccounts(esc *operatorv1alpha1.External
 		}
 
 		if !exist {
-			if err := r.createWithFallback(desired, resourceMetadata, serviceAccountName); err != nil {
+			if err := r.createWithFallback(desired, resourceMetadata, serviceAccountName, esc); err != nil {
 				return err
 			}
-			r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "Created serviceaccount %s", serviceAccountName)
 		}
 	}
 
diff --git a/pkg/controller/external_secrets/services.go b/pkg/controller/external_secrets/services.go
@@ -74,10 +74,9 @@ func (r *Reconciler) createOrApplyServiceFromAsset(esc *operatorv1alpha1.Externa
 		}
 		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "Service %s updated", serviceName)
 	case !exists:
-		if err := r.createWithFallback(service, resourceMetadata, serviceName); err != nil {
+		if err := r.createWithFallback(service, resourceMetadata, serviceName, esc); err != nil {
 			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "Service %s created", serviceName)
 	default:
 		r.log.V(4).Info("Service already up-to-date", "name", serviceName)
 	}
diff --git a/pkg/controller/external_secrets/utils.go b/pkg/controller/external_secrets/utils.go
@@ -2,11 +2,14 @@ package external_secrets
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/url"
 	"os"
 
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -213,11 +216,20 @@ func validateProxy(rawURL string) error {
 // When Create returns AlreadyExists, this method bypasses the stale cache by using the
 // uncached client to update the resource directly on the API server, restoring the managed
 // labels and annotations to the desired state.
-func (r *Reconciler) createWithFallback(desired client.Object, resourceMetadata common.ResourceMetadata, resourceName string) error {
-	gvk, gvkErr := apiutil.GVKForObject(desired, r.Scheme)
+//
+// It records a "created" event on success, or a "restored" event when the AlreadyExists
+// fallback path is taken.
+func (r *Reconciler) createWithFallback(desired client.Object, resourceMetadata common.ResourceMetadata, resourceName string, esc *operatorv1alpha1.ExternalSecretsConfig) error {
 	kind := desired.GetObjectKind().GroupVersionKind().Kind
-	if gvkErr == nil {
-		kind = gvk.Kind
+	if kind == "" {
+		gvk, gvkErr := apiutil.GVKForObject(desired, r.Scheme)
+		if gvkErr != nil {
+			r.log.V(5).Info("could not determine GVK, falling back to Go type name",
+				"type", fmt.Sprintf("%T", desired), "err", gvkErr)
+			kind = fmt.Sprintf("%T", desired)
+		} else {
+			kind = gvk.Kind
+		}
 	}
 
 	if err := r.Create(r.ctx, desired); err != nil {
@@ -231,6 +243,26 @@ func (r *Reconciler) createWithFallback(desired client.Object, resourceMetadata
 		if err := r.UncachedClient.UpdateWithRetry(r.ctx, desired); err != nil {
 			return common.FromClientError(err, "failed to restore %s %s to desired state", kind, resourceName)
 		}
+		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "%s resource %s restored to desired state", kind, resourceName)
+		return nil
 	}
+	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "%s resource %s created", kind, resourceName)
 	return nil
 }
+
+// patchResourceMetadata sends a MergePatch that sets only labels and annotations on the
+// object, leaving all other fields untouched. It also removes obsolete annotations before patching.
+func (r *Reconciler) patchResourceMetadata(desired client.Object, resourceMetadata common.ResourceMetadata) error {
+	common.RemoveObsoleteAnnotations(desired, resourceMetadata)
+	patch := map[string]interface{}{
+		"metadata": map[string]interface{}{
+			"labels":      desired.GetLabels(),
+			"annotations": desired.GetAnnotations(),
+		},
+	}
+	patchBytes, err := json.Marshal(patch)
+	if err != nil {
+		return fmt.Errorf("failed to marshal metadata patch: %w", err)
+	}
+	return r.CtrlClient.Patch(r.ctx, desired, client.RawPatch(types.MergePatchType, patchBytes))
+}
diff --git a/pkg/controller/external_secrets/utils_test.go b/pkg/controller/external_secrets/utils_test.go
diff --git a/pkg/controller/external_secrets/validatingwebhook.go b/pkg/controller/external_secrets/validatingwebhook.go
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go

Original file line number	Diff line number	Diff line change
`@@ -71,10 +71,9 @@ func (r Reconciler) createOrApplyCertificate(esc operatorv1alpha1.ExternalSecr`
`71`	`71`	`r.log.V(4).Info("certificate resource already exists and is in expected state", "name", certificateName)`
`72`	`72`	`}`
`73`	`73`	`if !exist {`
`74`		`- if err := r.createWithFallback(desired, resourceMetadata, certificateName); err != nil {`
	`74`	`+ if err := r.createWithFallback(desired, resourceMetadata, certificateName, esc); err != nil {`
`75`	`75`	`return err`
`76`	`76`	`}`
`77`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "certificate resource %s created", certificateName)`
`78`	`77`	`}`
`79`	`78`
`80`	`79`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -88,10 +88,9 @@ func (r Reconciler) createOrApplyDeploymentFromAsset(esc operatorv1alpha1.Exte`
`88`	`88`	`}`
`89`	`89`	`r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s updated", deploymentName)`
`90`	`90`	`case !exist:`
`91`		`- if err := r.createWithFallback(deployment, resourceMetadata, deploymentName); err != nil {`
	`91`	`+ if err := r.createWithFallback(deployment, resourceMetadata, deploymentName, esc); err != nil {`
`92`	`92`	`return err`
`93`	`93`	`}`
`94`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s created", deploymentName)`
`95`	`94`	`default:`
`96`	`95`	`r.log.V(4).Info("deployment resource already exists and is in expected state", "name", deploymentName)`
`97`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -144,10 +144,9 @@ func (r Reconciler) createOrApplyCustomNetworkPolicy(esc operatorv1alpha1.Exte`
`144`	`144`	`}`
`145`	`145`	`r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s updated", networkPolicyName)`
`146`	`146`	`case !exists:`
`147`		`- if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName); err != nil {`
	`147`	`+ if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc); err != nil {`
`148`	`148`	`return err`
`149`	`149`	`}`
`150`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)`
`151`	`150`	`default:`
`152`	`151`	`r.log.V(4).Info("NetworkPolicy already up-to-date", "name", networkPolicyName)`
`153`	`152`	`}`
`@@ -183,10 +182,9 @@ func (r Reconciler) createOrApplyNetworkPolicyFromAsset(esc operatorv1alpha1.E`
`183`	`182`	`}`
`184`	`183`	`r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s updated", networkPolicyName)`
`185`	`184`	`case !exists:`
`186`		`- if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName); err != nil {`
	`185`	`+ if err := r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc); err != nil {`
`187`	`186`	`return err`
`188`	`187`	`}`
`189`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)`
`190`	`188`	`default:`
`191`	`189`	`r.log.V(4).Info("NetworkPolicy already up-to-date", "name", networkPolicyName)`
`192`	`190`	`}`
`@@ -288,10 +286,9 @@ func (r Reconciler) reconcileProxyEgressPolicy(esc operatorv1alpha1.ExternalSe`
`288`	`286`	`}`
`289`	`287`	`r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "proxy egress NetworkPolicy %s updated", npName)`
`290`	`288`	`case !exists:`
`291`		`- if err := r.createWithFallback(np, resourceMetadata, npName); err != nil {`
	`289`	`+ if err := r.createWithFallback(np, resourceMetadata, npName, esc); err != nil {`
`292`	`290`	`return err`
`293`	`291`	`}`
`294`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "proxy egress NetworkPolicy %s created", npName)`
`295`	`292`	`if recon {`
`296`	`293`	`r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "proxy egress NetworkPolicy %s already exists", npName)`
`297`	`294`	`}`
Original file line number	Diff line number	Diff line change
`@@ -125,10 +125,9 @@ func (r Reconciler) createOrApplyClusterRole(esc operatorv1alpha1.ExternalSecr`
`125`	`125`	`r.log.V(4).Info("clusterrole resource already exists and is in expected state", "name", clusterRoleName)`
`126`	`126`	`}`
`127`	`127`	`if !exist {`
`128`		`- if err := r.createWithFallback(obj, resourceMetadata, clusterRoleName); err != nil {`
	`128`	`+ if err := r.createWithFallback(obj, resourceMetadata, clusterRoleName, esc); err != nil {`
`129`	`129`	`return err`
`130`	`130`	`}`
`131`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrole resource %s created", clusterRoleName)`
`132`	`131`	`}`
`133`	`132`
`134`	`133`	`return nil`
`@@ -171,10 +170,9 @@ func (r Reconciler) createOrApplyClusterRoleBinding(esc operatorv1alpha1.Exter`
`171`	`170`	`r.log.V(4).Info("clusterrolebinding resource already exists and is in expected state", "name", clusterRoleBindingName)`
`172`	`171`	`}`
`173`	`172`	`if !exist {`
`174`		`- if err := r.createWithFallback(obj, resourceMetadata, clusterRoleBindingName); err != nil {`
	`173`	`+ if err := r.createWithFallback(obj, resourceMetadata, clusterRoleBindingName, esc); err != nil {`
`175`	`174`	`return err`
`176`	`175`	`}`
`177`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrolebinding resource %s created", clusterRoleBindingName)`
`178`	`176`	`}`
`179`	`177`
`180`	`178`	`return nil`
`@@ -215,10 +213,9 @@ func (r Reconciler) createOrApplyRole(esc operatorv1alpha1.ExternalSecretsConf`
`215`	`213`	`r.log.V(4).Info("role resource already exists and is in expected state", "name", roleName)`
`216`	`214`	`}`
`217`	`215`	`if !exist {`
`218`		`- if err := r.createWithFallback(obj, resourceMetadata, roleName); err != nil {`
	`216`	`+ if err := r.createWithFallback(obj, resourceMetadata, roleName, esc); err != nil {`
`219`	`217`	`return err`
`220`	`218`	`}`
`221`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "role resource %s created", roleName)`
`222`	`219`	`}`
`223`	`220`
`224`	`221`	`return nil`
`@@ -258,10 +255,9 @@ func (r Reconciler) createOrApplyRoleBinding(esc operatorv1alpha1.ExternalSecr`
`258`	`255`	`r.log.V(4).Info("rolebinding resource already exists and is in expected state", "name", roleBindingName)`
`259`	`256`	`}`
`260`	`257`	`if !exist {`
`261`		`- if err := r.createWithFallback(obj, resourceMetadata, roleBindingName); err != nil {`
	`258`	`+ if err := r.createWithFallback(obj, resourceMetadata, roleBindingName, esc); err != nil {`
`262`	`259`	`return err`
`263`	`260`	`}`
`264`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "rolebinding resource %s created", roleBindingName)`
`265`	`261`	`}`
`266`	`262`
`267`	`263`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -44,10 +44,9 @@ func (r Reconciler) createOrApplySecret(esc operatorv1alpha1.ExternalSecretsCo`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`if !exist {`
`47`		`- if err := r.createWithFallback(desired, resourceMetadata, secretName); err != nil {`
	`47`	`+ if err := r.createWithFallback(desired, resourceMetadata, secretName, esc); err != nil {`
`48`	`48`	`return err`
`49`	`49`	`}`
`50`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "secret resource %s created", secretName)`
`51`	`50`	`}`
`52`	`51`	`return nil`
`53`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,10 +69,9 @@ func (r Reconciler) createOrApplyServiceAccounts(esc operatorv1alpha1.External`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`if !exist {`
`72`		`- if err := r.createWithFallback(desired, resourceMetadata, serviceAccountName); err != nil {`
	`72`	`+ if err := r.createWithFallback(desired, resourceMetadata, serviceAccountName, esc); err != nil {`
`73`	`73`	`return err`
`74`	`74`	`}`
`75`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "Created serviceaccount %s", serviceAccountName)`
`76`	`75`	`}`
`77`	`76`	`}`
`78`	`77`
Original file line number	Diff line number	Diff line change
`@@ -74,10 +74,9 @@ func (r Reconciler) createOrApplyServiceFromAsset(esc operatorv1alpha1.Externa`
`74`	`74`	`}`
`75`	`75`	`r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "Service %s updated", serviceName)`
`76`	`76`	`case !exists:`
`77`		`- if err := r.createWithFallback(service, resourceMetadata, serviceName); err != nil {`
	`77`	`+ if err := r.createWithFallback(service, resourceMetadata, serviceName, esc); err != nil {`
`78`	`78`	`return err`
`79`	`79`	`}`
`80`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "Service %s created", serviceName)`
`81`	`80`	`default:`
`82`	`81`	`r.log.V(4).Info("Service already up-to-date", "name", serviceName)`
`83`	`82`	`}`