copy secret in each namespace

internal/controllers/certmanager.go

@@ -56,7 +56,7 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
 	}
 
 	// Create CA certificate for Cryostat using the self-signed issuer
-	caCert := resources.NewCryostatCACert(cr)
+	caCert := resources.NewCryostatCACert(cr, cr.InstallNamespace)
 	err = r.createOrUpdateCertificate(ctx, caCert, cr.Object)
 	if err != nil {
 		return nil, err
@@ -122,6 +122,33 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
 		return nil, err
 	}
 
+	// Copy Cryostat CA secret in each target namespace
+	for _, ns := range cr.TargetNamespaces {
+		secret, err := r.GetCertificateSecret(ctx, caCert)
+		if err != nil {
+			return nil, err
+		}
+		namespaceSecret := secret.DeepCopy()
+		namespaceSecret.Namespace = ns
+	}
+	// Delete any Cryostat CA secrets in target namespaces that are no longer requested
+	for _, ns := range toDelete(cr) {
+		secret, err := r.GetCertificateSecret(ctx, caCert)
+		if err != nil {
+			return nil, err
+		}
+		namespaceSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secret.Name,
+				Namespace: ns,
+			},
+		}
+		err = r.deleteSecret(ctx, namespaceSecret)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// Get the Cryostat CA certificate bytes from certificate secret
 	caBytes, err := r.getCertficateBytes(ctx, caCert)
 	if err != nil {

internal/controllers/clustercryostat_controller_test.go

@@ -66,6 +66,10 @@ var _ = Describe("ClusterCryostatController", func() {
 			t.expectRBAC()
 		})
 
+		It("should create Cryostat CA Certificate in each namespace", func() {
+			t.expectCertificates()
+		})
+
 		It("should update the target namespaces in Status", func() {
 			t.expectTargetNamespaces()
 		})
@@ -94,6 +98,15 @@ var _ = Describe("ClusterCryostatController", func() {
 				Expect(err).ToNot(BeNil())
 				Expect(errors.IsNotFound(err)).To(BeTrue())
 			})
+			It("leave Cryostat CA Certificate for the first namespace", func() {
+				t.expectCertificates()
+			})
+			It("should remove Cryostat CA Certificate from the second namespace", func() {
+				certificate := t.NewCACert(targetNamespaces[1])
+				err := t.Client.Get(context.Background(), types.NamespacedName{Name: certificate.Name, Namespace: certificate.Namespace}, certificate)
+				Expect(err).ToNot(BeNil())
+				Expect(errors.IsNotFound(err)).To(BeTrue())
+			})
 			It("should update the target namespaces in Status", func() {
 				t.expectTargetNamespaces()
 			})

internal/controllers/common/resource_definitions/certificates.go

@@ -54,11 +54,11 @@ func NewCryostatCAIssuer(cr *model.CryostatInstance) *certv1.Issuer {
 	}
 }
 
-func NewCryostatCACert(cr *model.CryostatInstance) *certv1.Certificate {
+func NewCryostatCACert(cr *model.CryostatInstance, namespace string) *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      cr.Name + "-ca",
-			Namespace: cr.InstallNamespace,
+			Namespace: namespace,
 		},
 		Spec: certv1.CertificateSpec{
 			CommonName: fmt.Sprintf("ca.%s.cert-manager", cr.Name),

internal/controllers/reconciler_test.go

@@ -1838,7 +1838,7 @@ func (c *controllerTest) commonTests() {
 				})
 
 				It("should fail to reconcile", func() {
-					t.expectAlreadyOwnedError(reconcileErr, "RoleBinding", t.NewRoleBinding(nsInput.Namespace), otherInput)
+					t.expectAlreadyOwnedError(reconcileErr, "Certificate", t.NewCACert(nsInput.Namespace), otherInput)
 				})
 
 				It("should emit a CryostatNameConflict event", func() {
@@ -2267,7 +2267,7 @@ func (t *cryostatTestInput) expectWaitingForCertificate() {
 
 func (t *cryostatTestInput) expectCertificates() {
 	// Check certificates
-	certs := []*certv1.Certificate{t.NewCryostatCert(), t.NewCACert(), t.NewReportsCert()}
+	certs := []*certv1.Certificate{t.NewCryostatCert(), t.NewCACert(t.Namespace), t.NewReportsCert()}
 	if !t.Minimal {
 		certs = append(certs, t.NewGrafanaCert())
 	} else {
@@ -2284,6 +2284,16 @@ func (t *cryostatTestInput) expectCertificates() {
 		t.checkMetadata(actual, expected)
 		Expect(actual.Spec).To(Equal(expected.Spec))
 	}
+	// Check for Cryostat CA Certificate in each target namespace
+	Expect(t.TargetNamespaces).ToNot(BeEmpty()) // Sanity check for tests
+	for _, ns := range t.TargetNamespaces {
+		actual := &certv1.Certificate{}
+		expected := t.NewCACert(ns)
+		err := t.Client.Get(context.Background(), types.NamespacedName{Name: expected.Name, Namespace: expected.Namespace}, actual)
+		Expect(err).ToNot(HaveOccurred())
+		t.checkMetadata(actual, expected)
+		Expect(actual.Spec).To(Equal(expected.Spec))
+	}
 	// Check issuers as well
 	issuers := []*certv1.Issuer{t.NewSelfSignedIssuer(), t.NewCryostatCAIssuer()}
 	for _, expected := range issuers {

internal/test/clients.go

@@ -70,7 +70,7 @@ func (c *testClient) makeCertificatesReady(ctx context.Context, obj runtime.Obje
 	// If this object is one of the operator-managed certificates, mock the behaviour
 	// of cert-manager processing those certificates
 	cert, ok := obj.(*certv1.Certificate)
-	if ok && c.matchesName(cert, c.NewCryostatCert(), c.NewCACert(), c.NewGrafanaCert(), c.NewReportsCert()) &&
+	if ok && c.matchesName(cert, c.NewCryostatCert(), c.NewCACert(c.Namespace), c.NewGrafanaCert(), c.NewReportsCert()) &&
 		len(cert.Status.Conditions) == 0 {
 		// Create certificate secret
 		c.createCertSecret(ctx, cert)

internal/test/resources.go

@@ -1063,11 +1063,11 @@ func (r *TestResources) NewReportsCert() *certv1.Certificate {
 	}
 }
 
-func (r *TestResources) NewCACert() *certv1.Certificate {
+func (r *TestResources) NewCACert(ns string) *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      r.Name + "-ca",
-			Namespace: r.Namespace,
+			Namespace: ns,
 		},
 		Spec: certv1.CertificateSpec{
 			CommonName: fmt.Sprintf("ca.%s.cert-manager", r.Name),