Merge pull request #1518 from JoaoFula/reenable-proxy-test

openshift-merge-bot[bot] · web-flow · commit d8aafce3eb5e · 2026-04-16T23:18:44.000Z
OLS-2893 - reenabling proxy test and fixing configmap issue
diff --git a/internal/controller/appserver/deployment.go b/internal/controller/appserver/deployment.go
@@ -376,9 +376,9 @@ func GenerateOLSDeployment(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig) (
 	if err != nil && !apierrors.IsNotFound(err) {
 		return nil, fmt.Errorf("failed to get MCP Server ConfigMap resource version: %w", err)
 	}
-	proxyCACMResourceVersion, err := utils.GetProxyCACertResourceVersion(r, ctx, cr)
+	proxyCACMResourceVersion, err := utils.GetProxyCACertHash(r, ctx, cr)
 	if err != nil && !apierrors.IsNotFound(err) {
-		return nil, fmt.Errorf("failed to get Proxy CA ConfigMap resource version: %w", err)
+		return nil, fmt.Errorf("failed to get Proxy CA certificate hash: %w", err)
 	}
 
 	deployment := appsv1.Deployment{
@@ -389,7 +389,7 @@ func GenerateOLSDeployment(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig) (
 			Annotations: map[string]string{
 				utils.OLSConfigMapResourceVersionAnnotation:                configMapResourceVersion,
 				utils.OpenShiftMCPServerConfigMapResourceVersionAnnotation: mcpConfigMapResourceVersion,
-				utils.ProxyCACertResourceVersionAnnotation:                 proxyCACMResourceVersion,
+				utils.ProxyCACertHashAnnotation:                            proxyCACMResourceVersion,
 			},
 		},
 		Spec: appsv1.DeploymentSpec{
@@ -559,14 +559,15 @@ func updateOLSDeployment(r reconciler.Reconciler, ctx context.Context, cr *olsv1
 		}
 	}
 
-	// Step 4: Check if Proxy CA ConfigMap ResourceVersion has changed
-	currentProxyCACMVersion, err := utils.GetProxyCACertResourceVersion(r, ctx, cr)
+	// Step 4: Check if Proxy CA certificate content has changed
+	currentProxyCACMHash, err := utils.GetProxyCACertHash(r, ctx, cr)
 	if err != nil && !apierrors.IsNotFound(err) {
-		r.GetLogger().Info("failed to get Proxy CA ConfigMap ResourceVersion", "error", err)
+		r.GetLogger().Info("failed to get Proxy CA certificate hash", "error", err)
 		changed = true
 	} else {
-		storedProxyCACMVersion := existingDeployment.Annotations[utils.ProxyCACertResourceVersionAnnotation]
-		if storedProxyCACMVersion != currentProxyCACMVersion {
+		storedProxyCACMHash := existingDeployment.Annotations[utils.ProxyCACertHashAnnotation]
+		if storedProxyCACMHash != currentProxyCACMHash {
+			r.GetLogger().Info("Proxy CA certificate content changed, updating deployment")
 			changed = true
 		}
 	}
@@ -586,7 +587,7 @@ func updateOLSDeployment(r reconciler.Reconciler, ctx context.Context, cr *olsv1
 
 	existingDeployment.Annotations[utils.OLSConfigMapResourceVersionAnnotation] = desiredDeployment.Annotations[utils.OLSConfigMapResourceVersionAnnotation]
 	existingDeployment.Annotations[utils.OpenShiftMCPServerConfigMapResourceVersionAnnotation] = desiredDeployment.Annotations[utils.OpenShiftMCPServerConfigMapResourceVersionAnnotation]
-	existingDeployment.Annotations[utils.ProxyCACertResourceVersionAnnotation] = currentProxyCACMVersion
+	existingDeployment.Annotations[utils.ProxyCACertHashAnnotation] = currentProxyCACMHash
 
 	r.GetLogger().Info("updating OLS deployment", "name", existingDeployment.Name)
 
diff --git a/internal/controller/lcore/deployment.go b/internal/controller/lcore/deployment.go
@@ -793,9 +793,9 @@ func generateLCoreServerDeployment(r reconciler.Reconciler, ctx context.Context,
 	if err != nil && !apierrors.IsNotFound(err) {
 		return nil, fmt.Errorf("failed to get MCP Server ConfigMap resource version: %w", err)
 	}
-	proxyCACMResourceVersion, err := utils.GetProxyCACertResourceVersion(r, ctx, cr)
+	proxyCACMResourceVersion, err := utils.GetProxyCACertHash(r, ctx, cr)
 	if err != nil && !apierrors.IsNotFound(err) {
-		return nil, fmt.Errorf("failed to get Proxy CA ConfigMap resource version: %w", err)
+		return nil, fmt.Errorf("failed to get Proxy CA certificate hash: %w", err)
 	}
 
 	// Use helper functions to build common components
@@ -997,7 +997,7 @@ func generateLCoreServerDeployment(r reconciler.Reconciler, ctx context.Context,
 				utils.LCoreConfigMapResourceVersionAnnotation:              lcoreConfigMapResourceVersion,
 				utils.LlamaStackConfigMapResourceVersionAnnotation:         llamaStackConfigMapResourceVersion,
 				utils.OpenShiftMCPServerConfigMapResourceVersionAnnotation: mcpConfigMapResourceVersion,
-				utils.ProxyCACertResourceVersionAnnotation:                 proxyCACMResourceVersion,
+				utils.ProxyCACertHashAnnotation:                            proxyCACMResourceVersion,
 			},
 		},
 		Spec: appsv1.DeploymentSpec{
@@ -1130,14 +1130,15 @@ func updateLCoreDeployment(r reconciler.Reconciler, ctx context.Context, cr *ols
 		}
 	}
 
-	// Check if Proxy CA ConfigMap ResourceVersion has changed
-	currentProxyCACMVersion, err := utils.GetProxyCACertResourceVersion(r, ctx, cr)
+	// Check if Proxy CA certificate content has changed
+	currentProxyCACMHash, err := utils.GetProxyCACertHash(r, ctx, cr)
 	if err != nil && !apierrors.IsNotFound(err) {
-		r.GetLogger().Info("failed to get Proxy CA ConfigMap ResourceVersion", "error", err)
+		r.GetLogger().Info("failed to get Proxy CA certificate hash", "error", err)
 		changed = true
 	} else {
-		storedProxyCACMVersion := existingDeployment.Annotations[utils.ProxyCACertResourceVersionAnnotation]
-		if storedProxyCACMVersion != currentProxyCACMVersion {
+		storedProxyCACMHash := existingDeployment.Annotations[utils.ProxyCACertHashAnnotation]
+		if storedProxyCACMHash != currentProxyCACMHash {
+			r.GetLogger().Info("Proxy CA certificate content changed, updating deployment")
 			changed = true
 		}
 	}
@@ -1158,7 +1159,7 @@ func updateLCoreDeployment(r reconciler.Reconciler, ctx context.Context, cr *ols
 	existingDeployment.Annotations[utils.LCoreConfigMapResourceVersionAnnotation] = desiredDeployment.Annotations[utils.LCoreConfigMapResourceVersionAnnotation]
 	existingDeployment.Annotations[utils.LlamaStackConfigMapResourceVersionAnnotation] = desiredDeployment.Annotations[utils.LlamaStackConfigMapResourceVersionAnnotation]
 	existingDeployment.Annotations[utils.OpenShiftMCPServerConfigMapResourceVersionAnnotation] = desiredDeployment.Annotations[utils.OpenShiftMCPServerConfigMapResourceVersionAnnotation]
-	existingDeployment.Annotations[utils.ProxyCACertResourceVersionAnnotation] = currentProxyCACMVersion
+	existingDeployment.Annotations[utils.ProxyCACertHashAnnotation] = currentProxyCACMHash
 
 	r.GetLogger().Info("updating LCore deployment", "name", existingDeployment.Name)
 
@@ -1195,9 +1196,9 @@ func generateLCoreLibraryDeployment(r reconciler.Reconciler, ctx context.Context
 	if err != nil && !apierrors.IsNotFound(err) {
 		return nil, fmt.Errorf("failed to get MCP Server ConfigMap resource version: %w", err)
 	}
-	proxyCACMResourceVersion, err := utils.GetProxyCACertResourceVersion(r, ctx, cr)
+	proxyCACMResourceVersion, err := utils.GetProxyCACertHash(r, ctx, cr)
 	if err != nil && !apierrors.IsNotFound(err) {
-		return nil, fmt.Errorf("failed to get Proxy CA ConfigMap resource version: %w", err)
+		return nil, fmt.Errorf("failed to get Proxy CA certificate hash: %w", err)
 	}
 
 	// Use helper functions to build common components
@@ -1275,7 +1276,7 @@ func generateLCoreLibraryDeployment(r reconciler.Reconciler, ctx context.Context
 				utils.LCoreConfigMapResourceVersionAnnotation:              lcoreConfigMapResourceVersion,
 				utils.LlamaStackConfigMapResourceVersionAnnotation:         llamaStackConfigMapResourceVersion,
 				utils.OpenShiftMCPServerConfigMapResourceVersionAnnotation: mcpConfigMapResourceVersion,
-				utils.ProxyCACertResourceVersionAnnotation:                 proxyCACMResourceVersion,
+				utils.ProxyCACertHashAnnotation:                            proxyCACMResourceVersion,
 			},
 		},
 		Spec: appsv1.DeploymentSpec{
diff --git a/internal/controller/lcore/reconciler_test.go b/internal/controller/lcore/reconciler_test.go
@@ -229,7 +229,7 @@ var _ = Describe("LCore reconciliator", Ordered, func() {
 			cm.Name = proxyCACMName
 			cm.Namespace = utils.OLSNamespaceDefault
 			cm.Data = map[string]string{
-				"ca-bundle.crt": "test-proxy-ca-cert-content",
+				utils.ProxyCACertFileName: "test-proxy-ca-cert-content",
 			}
 			err = k8sClient.Create(ctx, cm)
 			Expect(err).NotTo(HaveOccurred())
diff --git a/internal/controller/utils/constants.go b/internal/controller/utils/constants.go
@@ -107,8 +107,8 @@ const (
 	OLSConsoleTLSHashKey = "hash/olsconsoletls"
 	// AdditionalCAHashKey is the key of the hash value of the additional CA certificates in the deployment annotations
 	AdditionalCAHashKey = "hash/additionalca"
-	// ProxyCACertResourceVersionAnnotation is the annotation key for tracking Proxy CA ConfigMap ResourceVersion
-	ProxyCACertResourceVersionAnnotation = "ols.openshift.io/proxy-ca-configmap-version"
+	// ProxyCACertHashAnnotation is the annotation key for tracking Proxy CA certificate content hash.
+	ProxyCACertHashAnnotation = "ols.openshift.io/proxy-ca-configmap-hash"
 	// OLSAppServerContainerPort is the port number of the lightspeed-service-api container exposes
 	OLSAppServerContainerPort = 8443
 	// OLSAppServerServicePort is the port number for OLS application server service.
diff --git a/internal/controller/utils/utils.go b/internal/controller/utils/utils.go
@@ -18,6 +18,7 @@ package utils
 import (
 	"context"
 	"crypto/sha1" //nolint:gosec
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/json"
@@ -798,17 +799,34 @@ func GetConfigMapResourceVersion(r reconciler.Reconciler, ctx context.Context, c
 	return configMap.ResourceVersion, nil
 }
 
-// GetProxyCACertResourceVersion returns the ResourceVersion of the proxy CA ConfigMap
-// if proxy CA is configured. Returns empty string and nil error if proxy is not configured.
-func GetProxyCACertResourceVersion(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) (string, error) {
+// GetProxyCACertHash returns a SHA256 hash of the proxy CA certificate content
+// if proxy CA is configured. This ensures deployments only restart when the certificate
+// content actually changes, not just when the ConfigMap ResourceVersion changes
+// (which can happen frequently for service-ca managed ConfigMaps).
+// Returns empty string and nil error if proxy is not configured.
+func GetProxyCACertHash(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) (string, error) {
 	if cr.Spec.OLSConfig.ProxyConfig == nil {
 		return "", nil
 	}
 	cmName := GetProxyCACertConfigMapName(cr.Spec.OLSConfig.ProxyConfig.ProxyCACertificateRef)
 	if cmName == "" {
 		return "", nil
 	}
-	return GetConfigMapResourceVersion(r, ctx, cmName)
+
+	cm := &corev1.ConfigMap{}
+	err := r.Get(ctx, client.ObjectKey{Name: cmName, Namespace: r.GetNamespace()}, cm)
+	if err != nil {
+		return "", err
+	}
+
+	certKey := GetProxyCACertKey(cr.Spec.OLSConfig.ProxyConfig.ProxyCACertificateRef)
+	certData, ok := cm.Data[certKey]
+	if !ok {
+		return "", fmt.Errorf("proxy CA certificate key %s not found in ConfigMap %s", certKey, cmName)
+	}
+
+	hash := sha256.Sum256([]byte(certData))
+	return hex.EncodeToString(hash[:]), nil
 }
 
 // GetSecretResourceVersion returns the ResourceVersion of a Secret.
diff --git a/internal/controller/utils/utils_proxy_ca_test.go b/internal/controller/utils/utils_proxy_ca_test.go
diff --git a/test/e2e/proxy_test.go b/test/e2e/proxy_test.go

Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,7 @@ var _ = Describe("LCore reconciliator", Ordered, func() {`
`229`	`229`	`cm.Name = proxyCACMName`
`230`	`230`	`cm.Namespace = utils.OLSNamespaceDefault`
`231`	`231`	`cm.Data = map[string]string{`
`232`		`- "ca-bundle.crt": "test-proxy-ca-cert-content",`
	`232`	`+ utils.ProxyCACertFileName: "test-proxy-ca-cert-content",`
`233`	`233`	`}`
`234`	`234`	`err = k8sClient.Create(ctx, cm)`
`235`	`235`	`Expect(err).NotTo(HaveOccurred())`