use JSON Patch to fully replace labels/annotations on co-managed resources

Signed-off-by: chiragkyal <ckyal@redhat.com>

Author: chiragkyal

pkg/controller/external_secrets/configmap_test.go

@@ -104,50 +104,50 @@ func TestEnsureTrustedCABundleConfigMap(t *testing.T) {
 					if cm.Labels[trustedCABundleInjectLabel] != "true" {
 						t.Errorf("expected inject label in patch target, got %q", cm.Labels[trustedCABundleInjectLabel])
 					}
-					if patch.Type() != types.MergePatchType {
-						t.Errorf("expected MergePatch, got %s", patch.Type())
-					}
-					return nil
-				})
-			},
-			wantPatch: true,
+				if patch.Type() != types.JSONPatchType {
+					t.Errorf("expected JSONPatch, got %s", patch.Type())
+				}
+				return nil
+			})
 		},
-		{
-			// Regression test for: labels updating with app: external-secrets of cm
-			// external-secrets-trusted-ca-bundle will block the reconcile in the http_proxy env.
-			//
-			// When the managed label (app=external-secrets) is removed from the ConfigMap,
-			// the object falls out of the label-filtered cache. The cached Exists() returns
-			// false, Create() fails with AlreadyExists, and the controller must patch only
-			// the metadata (labels/annotations), leaving CNO-managed Data/BinaryData untouched.
-			name:             "Create returns AlreadyExists (label-filtered cache miss): patches metadata to restore labels",
-			resourceMetadata: testResourceMetadata(commontest.TestExternalSecretsConfig()),
-			preReq: func(_ *Reconciler, cached *fakes.FakeCtrlClient, _ *fakes.FakeCtrlClient) {
-				cached.ExistsCalls(func(_ context.Context, _ types.NamespacedName, _ client.Object) (bool, error) {
-					return false, nil
-				})
-				cached.CreateCalls(func(_ context.Context, _ client.Object, _ ...client.CreateOption) error {
-					return apierrors.NewAlreadyExists(schema.GroupResource{Resource: "configmaps"}, trustedCABundleConfigMapName)
-				})
-				cached.PatchCalls(func(_ context.Context, obj client.Object, patch client.Patch, _ ...client.PatchOption) error {
-					cm, ok := obj.(*corev1.ConfigMap)
-					if !ok {
-						t.Errorf("expected ConfigMap, got %T", obj)
-					}
-					if cm.Labels["app"] != "external-secrets" {
-						t.Errorf("expected app=external-secrets label in patch target, got %q", cm.Labels["app"])
-					}
-					if cm.Labels[trustedCABundleInjectLabel] != "true" {
-						t.Errorf("expected inject label in patch target, got %q", cm.Labels[trustedCABundleInjectLabel])
-					}
-					if patch.Type() != types.MergePatchType {
-						t.Errorf("expected MergePatch, got %s", patch.Type())
-					}
-					return nil
-				})
-			},
-			wantPatch: true,
+		wantPatch: true,
+	},
+	{
+		// Regression test for: labels updating with app: external-secrets of cm
+		// external-secrets-trusted-ca-bundle will block the reconcile in the http_proxy env.
+		//
+		// When the managed label (app=external-secrets) is removed from the ConfigMap,
+		// the object falls out of the label-filtered cache. The cached Exists() returns
+		// false, Create() fails with AlreadyExists, and the controller must patch only
+		// the metadata (labels/annotations), leaving CNO-managed Data/BinaryData untouched.
+		name:             "Create returns AlreadyExists (label-filtered cache miss): patches metadata to restore labels",
+		resourceMetadata: testResourceMetadata(commontest.TestExternalSecretsConfig()),
+		preReq: func(_ *Reconciler, cached *fakes.FakeCtrlClient, _ *fakes.FakeCtrlClient) {
+			cached.ExistsCalls(func(_ context.Context, _ types.NamespacedName, _ client.Object) (bool, error) {
+				return false, nil
+			})
+			cached.CreateCalls(func(_ context.Context, _ client.Object, _ ...client.CreateOption) error {
+				return apierrors.NewAlreadyExists(schema.GroupResource{Resource: "configmaps"}, trustedCABundleConfigMapName)
+			})
+			cached.PatchCalls(func(_ context.Context, obj client.Object, patch client.Patch, _ ...client.PatchOption) error {
+				cm, ok := obj.(*corev1.ConfigMap)
+				if !ok {
+					t.Errorf("expected ConfigMap, got %T", obj)
+				}
+				if cm.Labels["app"] != "external-secrets" {
+					t.Errorf("expected app=external-secrets label in patch target, got %q", cm.Labels["app"])
+				}
+				if cm.Labels[trustedCABundleInjectLabel] != "true" {
+					t.Errorf("expected inject label in patch target, got %q", cm.Labels[trustedCABundleInjectLabel])
+				}
+				if patch.Type() != types.JSONPatchType {
+					t.Errorf("expected JSONPatch, got %s", patch.Type())
+				}
+				return nil
+			})
 		},
+		wantPatch: true,
+	},
 		{
 			name:             "proxy not configured: ConfigMap reconcile skipped",
 			resourceMetadata: testResourceMetadata(commontest.TestExternalSecretsConfig()),

pkg/controller/external_secrets/utils.go

@@ -250,19 +250,42 @@ func (r *Reconciler) createWithFallback(desired client.Object, resourceMetadata
 	return nil
 }
 
-// patchResourceMetadata sends a MergePatch that sets only labels and annotations on the
-// object, leaving all other fields untouched. It also removes obsolete annotations before patching.
+// jsonPatchOp is a single JSON Patch operation.
+type jsonPatchOp struct {
+	Op    string      `json:"op"`
+	Path  string      `json:"path"`
+	Value interface{} `json:"value"`
+}
+
+// patchResourceMetadata fully replaces the labels and annotations on an object using a
+// JSON Patch, leaving all other fields untouched. This is safe for co-managed
+// resources where this operator owns all metadata but data fields are owned by an external
+// controller (e.g. CNO-managed ConfigMap data, cert-controller-managed TLS Secret data).
+//
+// JSON Patch "add" on an existing path replaces the entire value, so the resulting
+// labels/annotations on the server exactly match desired.
+//
+// RemoveObsoleteAnnotations is called defensively to strip any deleted annotation keys
+// from desired before building the patch, regardless of whether the caller already did so.
 func (r *Reconciler) patchResourceMetadata(desired client.Object, resourceMetadata common.ResourceMetadata) error {
 	common.RemoveObsoleteAnnotations(desired, resourceMetadata)
-	patch := map[string]interface{}{
-		"metadata": map[string]interface{}{
-			"labels":      desired.GetLabels(),
-			"annotations": desired.GetAnnotations(),
-		},
+
+	annotations := desired.GetAnnotations()
+	if annotations == nil {
+		annotations = map[string]string{}
+	}
+	labels := desired.GetLabels()
+	if labels == nil {
+		labels = map[string]string{}
+	}
+
+	ops := []jsonPatchOp{
+		{Op: "add", Path: "/metadata/labels", Value: labels},
+		{Op: "add", Path: "/metadata/annotations", Value: annotations},
 	}
-	patchBytes, err := json.Marshal(patch)
+	patchBytes, err := json.Marshal(ops)
 	if err != nil {
 		return fmt.Errorf("failed to marshal metadata patch: %w", err)
 	}
-	return r.CtrlClient.Patch(r.ctx, desired, client.RawPatch(types.MergePatchType, patchBytes))
+	return r.CtrlClient.Patch(r.ctx, desired, client.RawPatch(types.JSONPatchType, patchBytes))
 }