add ownership for unshared secrets and configmaps

bindata/v4.0.0/controller/signing-cabundle.yaml

@@ -3,5 +3,7 @@ kind: ConfigMap
 metadata:
   namespace: openshift-service-ca
   name: signing-cabundle
+  annotations:
+    openshift.io/owning-component: service-ca
 data:
   ca-bundle.crt:

bindata/v4.0.0/controller/signing-secret.yaml

@@ -3,6 +3,8 @@ kind: Secret
 metadata:
   namespace: openshift-service-ca
   name: signing-key
+  annotations:
+    openshift.io/owning-component: service-ca
 type: kubernetes.io/tls
 data:
   tls.crt:

pkg/controller/api/api.go

@@ -13,6 +13,9 @@ const (
 	// IntermediateDataKey is the key used to identify the post-rotation
 	// trust-bridging certificate in the signing secret.
 	IntermediateDataKey = "intermediate-ca.crt"
+
+	// OwningJiraComponent is the name of the jira component owns the operator, operand, and the resource its creating
+	OwningJiraComponent = "service-ca"
 )
 
 // Constants for CA bundle injection

pkg/controller/cabundleinjector/configmap.go

@@ -10,6 +10,7 @@ import (
 	listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/klog/v2"
 
+	apiannotations "github.com/openshift/api/annotations"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/service-ca-operator/pkg/controller/api"
 )
@@ -109,6 +110,11 @@ func (bi *configMapCABundleInjector) Sync(ctx context.Context, syncCtx factory.S
 	// make a copy to avoid mutating cache state
 	configMapCopy := configMap.DeepCopy()
 	configMapCopy.Data = map[string]string{api.InjectionDataKey: bi.caBundle}
+	// set the owning-component unless someone else has claimed it.
+	if len(configMapCopy.Annotations[apiannotations.OpenShiftComponent]) == 0 {
+		configMapCopy.Annotations[apiannotations.OpenShiftComponent] = api.OwningJiraComponent
+	}
+
 	_, err = bi.client.ConfigMaps(configMapCopy.Namespace).Update(ctx, configMapCopy, metav1.UpdateOptions{})
 	return err
 }

pkg/controller/servingcert/controller/secret_creating_controller.go

@@ -22,6 +22,7 @@ import (
 	"k8s.io/client-go/util/cert"
 	"k8s.io/klog/v2"
 
+	apiannotations "github.com/openshift/api/annotations"
 	"github.com/openshift/library-go/pkg/controller"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/crypto"
@@ -327,8 +328,9 @@ func toBaseSecret(service *corev1.Service) *corev1.Secret {
 				Name:      service.Annotations[api.ServingCertSecretAnnotation],
 				Namespace: service.Namespace,
 				Annotations: map[string]string{
-					api.ServiceUIDAnnotation:  string(service.UID),
-					api.ServiceNameAnnotation: service.Name,
+					api.ServiceUIDAnnotation:          string(service.UID),
+					api.ServiceNameAnnotation:         service.Name,
+					apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 				},
 			},
 			Type: corev1.SecretTypeTLS,
@@ -340,8 +342,9 @@ func toBaseSecret(service *corev1.Service) *corev1.Secret {
 			Name:      service.Annotations[api.AlphaServingCertSecretAnnotation],
 			Namespace: service.Namespace,
 			Annotations: map[string]string{
-				api.AlphaServiceUIDAnnotation:  string(service.UID),
-				api.AlphaServiceNameAnnotation: service.Name,
+				api.AlphaServiceUIDAnnotation:     string(service.UID),
+				api.AlphaServiceNameAnnotation:    service.Name,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 		},
 		Type: corev1.SecretTypeTLS,
@@ -407,6 +410,7 @@ func toRequiredSecret(dnsSuffix string, ca *crypto.CA, intermediateCACert *x509.
 
 	secretCopy.Annotations[api.AlphaServingCertExpiryAnnotation] = servingCert.Certs[0].NotAfter.Format(time.RFC3339)
 	secretCopy.Annotations[api.ServingCertExpiryAnnotation] = servingCert.Certs[0].NotAfter.Format(time.RFC3339)
+	secretCopy.Annotations[apiannotations.OpenShiftComponent] = api.OwningJiraComponent
 
 	controller.EnsureOwnerRef(secretCopy, ownerRef(service))
 

pkg/controller/servingcert/controller/secret_creating_controller_test.go

@@ -23,6 +23,7 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	kubediff "k8s.io/utils/diff"
 
+	apiannotations "github.com/openshift/api/annotations"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/crypto"
 	"github.com/openshift/library-go/pkg/operator/events"
@@ -145,8 +146,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.AlphaServiceUIDAnnotation:  testServiceUID,
-				api.AlphaServiceNameAnnotation: testServiceName,
+				api.AlphaServiceUIDAnnotation:     testServiceUID,
+				api.AlphaServiceNameAnnotation:    testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -162,8 +164,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:  testServiceUID,
-				api.ServiceNameAnnotation: testServiceName,
+				api.ServiceUIDAnnotation:          testServiceUID,
+				api.ServiceNameAnnotation:         testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -180,8 +183,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:  testServiceUID,
-				api.ServiceNameAnnotation: testServiceName,
+				api.ServiceUIDAnnotation:          testServiceUID,
+				api.ServiceNameAnnotation:         testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -201,8 +205,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.AlphaServiceUIDAnnotation:  testServiceUID,
-				api.AlphaServiceNameAnnotation: testServiceName,
+				api.AlphaServiceUIDAnnotation:     testServiceUID,
+				api.AlphaServiceNameAnnotation:    testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -222,8 +227,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:  testServiceUID,
-				api.ServiceNameAnnotation: testServiceName,
+				api.ServiceUIDAnnotation:          testServiceUID,
+				api.ServiceNameAnnotation:         testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -312,8 +318,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 			},
 			secretData: generateServerCertPemForCA(t, ca, false),
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:  testServiceUID,
-				api.ServiceNameAnnotation: testServiceName,
+				api.ServiceUIDAnnotation:          testServiceUID,
+				api.ServiceNameAnnotation:         testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			expectedServiceAnnotations: map[string]string{
 				api.ServingCertSecretAnnotation: testSecretName,
@@ -331,8 +338,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 			},
 			secretData: generateServerCertPemForCA(t, ca, true),
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:  testServiceUID,
-				api.ServiceNameAnnotation: testServiceName,
+				api.ServiceUIDAnnotation:          testServiceUID,
+				api.ServiceNameAnnotation:         testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			expectedServiceAnnotations: map[string]string{
 				api.ServingCertSecretAnnotation: testSecretName,
@@ -354,8 +362,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:  testServiceUID,
-				api.ServiceNameAnnotation: testServiceName,
+				api.ServiceUIDAnnotation:          testServiceUID,
+				api.ServiceNameAnnotation:         testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			updateService: true,
 			updateSecret:  true,
@@ -377,8 +386,9 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:  testServiceUID,
-				api.ServiceNameAnnotation: testServiceName,
+				api.ServiceUIDAnnotation:          testServiceUID,
+				api.ServiceNameAnnotation:         testServiceName,
+				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
 			},
 			updateService: true,
 			updateSecret:  true,

pkg/controller/servingcert/controller/secret_updating_controller.go

@@ -16,6 +16,7 @@ import (
 	listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/klog/v2"
 
+	apiannotations "github.com/openshift/api/annotations"
 	ocontroller "github.com/openshift/library-go/pkg/controller"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/crypto"
@@ -207,7 +208,14 @@ func (sc *serviceServingCertUpdateController) ensureSecretData(service *v1.Servi
 		}
 		return true, nil
 	}
-	return update, nil
+
+	// set the owning-component unless someone else has claimed it.
+	if !update && len(secretCopy.Annotations[apiannotations.OpenShiftComponent]) == 0 {
+		secretCopy.Annotations[apiannotations.OpenShiftComponent] = api.OwningJiraComponent
+		update = true
+	}
+
+	return false, nil
 }
 
 func toServiceName(secret *v1.Secret) (string, bool) {