ESO-155: Fixes bitwarden deployment to use custom certificates

[bharath-b-rh]

PR has following changes

• Updates bitwarden deployment to use the user configured secret for certificates.
• Updates tests to validate the deployment object is updated as per user configuration.

[openshift-ci-robot]

@bharath-b-rh: This pull request references ESO-155 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.21.0" version, but no target version was set.

In response to this:

PR has following changes

• Updates bitwarden deployment to use the user configured secret for certificates.
• Updates tests to validate the deployment object is updated as per user configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [bharath-b-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mytreya-rh]

[claude generated] Good improvement for Bitwarden certificate management! The changes properly address user-configured secrets for certificates. However, there are areas for improvement in error handling, validation, and test completeness.

[mytreya-rh]

[claude generated] Good architectural improvement: Adding the volume config update here ensures Bitwarden deployments get the proper certificate configuration. However, consider adding error handling for cases where the deployment structure is unexpected.

[mytreya-rh]

[claude generated] Security consideration: The code assumes volume.Secret is not nil, but this could cause a nil pointer dereference panic if the volume is configured as a different type (ConfigMap, EmptyDir, etc.). Consider adding a nil check: if volume.Secret != nil before accessing SecretName.

[mytreya-rh]

[claude generated] Test improvement: Good addition of deployment capture mechanism. This allows proper validation of the reconciler's behavior. Consider adding validation for the case where capturedDeployment is nil.

[mytreya-rh]

[claude generated] Excellent test coverage: The new Bitwarden test case thoroughly validates both volume secret name updates and container image updates. This provides good regression protection for the certificate configuration feature.

[mytreya-rh]

/lgtm

Added few suggestions but not too particular about addressing as part of this PR.

[mytreya-rh]

The validation logic is a bit too verbose.
Please consider a declarative approach now or in future.
Like a list of paths/hierarchies in the deployment struct, the expected value, and the assertion text.

[mytreya-rh]

Initially we are creating a list of various deployments, and feeding it to createOrApplyDeploymentFromAsset.
createOrApplyDeploymentFromAsset is calling the current function, and then we are again having conditional logic based on the specific kind of deployment we are working with.

i feel we can refactor it by supplementing the "deployments" struct:

deployments := []struct {
		assetName string
		condition bool
	}

with more fields so that the code that works on it further need not differentiate on the actual kind.

Attaching an example implementation (it excludes the current PR changes):
restructure.patch

[bharath-b-rh]

Agree, will create a follow up PR to refactor the code.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Walkthrough

Adds a helper that sets the Bitwarden TLS certs volume SecretName from BitwardenSecretManagerProvider.SecretRef and calls it when building the Bitwarden Deployment. Tests were expanded to capture the reconciled Deployment, assert the volume secret name, verify container image, and validate pod spec fields in a new Bitwarden-with-secretRef test.

Changes

Cohort / File(s)	Change summary
Controller logic: Bitwarden volume config pkg/controller/external_secrets/deployments.go	Adds updateBitwardenVolumeConfig(deployment, esc) which ensures a bitwarden-tls-certs volume exists, creates or updates a SecretVolumeSource, and sets its SecretName from BitwardenSecretManagerProvider.SecretRef.Name; invoked from getDeploymentObject for the Bitwarden deployment asset.
Tests: Deployment capture and validation pkg/controller/external_secrets/deployments_test.go	Extends test harness to pass a captured Deployment pointer into preReq, capture Create/Update calls via DeepCopy, introduces validateDeployment callback and a new test case "bitwarden is enabled with secretRef for certificates" that asserts the volume secret name, checks the bitwarden-sdk-server container image (uses commontest.TestExternalSecretsImageName), and validates pod spec fields (affinity, pod/node affinity, tolerations, nodeSelector, resources).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title “ESO-155: Fixes bitwarden deployment to use custom certificates” directly conveys that the change enables the Bitwarden deployment to utilize custom certificate secrets and references the associated Jira issue, making it specific and aligned with the core code modifications.
Description Check	✅ Passed	The pull request description clearly states that the Bitwarden deployment is updated to use a user-configured certificate secret and that tests have been updated to validate this behavior, which accurately reflects the underlying code and test changes.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between abab87b and 5e3364d.

📒 Files selected for processing (2)

• pkg/controller/external_secrets/deployments.go (2 hunks)
• pkg/controller/external_secrets/deployments_test.go (16 hunks)

🔇 Additional comments (4)

pkg/controller/external_secrets/deployments.go (1)

134-134: LGTM!

The call to updateBitwardenVolumeConfig is appropriately placed in the Bitwarden deployment path to configure custom certificates.

pkg/controller/external_secrets/deployments_test.go (3)

24-26: Good test infrastructure enhancement.

The addition of capturedDeployment parameter and validateDeployment callback enables thorough validation of reconciler behavior. This pattern provides excellent test coverage for deployment mutations.

---

526-616: Excellent test coverage for Bitwarden certificate configuration.

The new test case thoroughly validates the Bitwarden deployment update behavior:

• Verifies the bitwarden-tls-certs volume secret name is correctly updated from user configuration
• Validates the bitwarden-sdk-server container image is properly set
• Confirms basic deployment structure integrity

The test properly addresses previous feedback by using bitwardenDeploymentAssetName and validating against the expected image constant.

---

649-651: Clean validation pattern.

The conditional invocation of validateDeployment only when a deployment is captured is a clean approach that avoids test failures when deployments aren't expected to be modified.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 5f07a1e and faa64e8.

📒 Files selected for processing (2)

• pkg/controller/external_secrets/deployments.go (2 hunks)
• pkg/controller/external_secrets/deployments_test.go (16 hunks)

🔇 Additional comments (4)

pkg/controller/external_secrets/deployments.go (1)

134-134: LGTM!

The integration of the Bitwarden volume configuration update is properly placed within the bitwarden deployment case.

pkg/controller/external_secrets/deployments_test.go (3)

24-47: LGTM!

The deployment capture mechanism is well implemented and enables proper validation of the reconciler's behavior. The use of a pointer-to-pointer pattern allows the preReq function to populate the captured deployment for later validation.

Also applies to: 630-633

---

52-312: Comprehensive validation with room for future refactoring.

The validation functions provide thorough coverage of deployment configurations including images, labels, affinity rules, tolerations, node selectors, and resource requirements. While the validation logic is verbose, it ensures proper behavior.

As per a past review comment: Consider a declarative approach in future refactoring—a list of paths/hierarchies in the deployment struct with expected values and assertion text could reduce verbosity.

---

651-658: LGTM!

The validation ensures that the status image is correctly updated after successful deployment reconciliation and that the validateDeployment callback is invoked when provided. This completes the end-to-end validation flow.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Add nil checks to prevent potential panics.

The function has two nil pointer dereference risks:

1. Line 398: esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef - No nil check for BitwardenSecretManagerProvider before accessing SecretRef
2. Line 402: deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName - No nil check for Secret before accessing SecretName. If the volume is configured as a different type (ConfigMap, EmptyDir, etc.), this will panic.

Apply this diff to add defensive checks and optimize the loop:

 func updateBitwardenVolumeConfig(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) {
-	if esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef != nil &&
-		esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name != "" {
+	if esc.Spec.Plugins.BitwardenSecretManagerProvider != nil &&
+		esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef != nil &&
+		esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name != "" {
 		for i := range deployment.Spec.Template.Spec.Volumes {
 			if deployment.Spec.Template.Spec.Volumes[i].Name == "bitwarden-tls-certs" {
+				if deployment.Spec.Template.Spec.Volumes[i].Secret == nil {
+					continue
+				}
 				deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName = esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name
+				break
 			}
 		}
 	}
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func updateBitwardenVolumeConfig(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) {
	if esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef != nil &&
	esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name != "" {
	for i := range deployment.Spec.Template.Spec.Volumes {
	if deployment.Spec.Template.Spec.Volumes[i].Name == "bitwarden-tls-certs" {
	deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName = esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name
	}
	}
	}
	}
	func updateBitwardenVolumeConfig(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) {
	if esc.Spec.Plugins.BitwardenSecretManagerProvider != nil &&
	esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef != nil &&
	esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name != "" {
	for i := range deployment.Spec.Template.Spec.Volumes {
	if deployment.Spec.Template.Spec.Volumes[i].Name == "bitwarden-tls-certs" {
	if deployment.Spec.Template.Spec.Volumes[i].Secret == nil {
	continue
	}
	deployment.Spec.Template.Spec.Volumes[i].Secret.SecretName = esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name
	break
	}
	}
	}
	}

🤖 Prompt for AI Agents

In pkg/controller/external_secrets/deployments.go around lines 397 to 406, guard
against nil dereferences by first checking
esc.Spec.Plugins.BitwardenSecretManagerProvider is not nil before accessing its
SecretRef, then check SecretRef is non-nil and has a non-empty Name; iterate the
deployment.Spec.Template.Spec.Volumes and for each volume only update
Secret.SecretName if volume.Secret is non-nil (skip other volume types), assign
the SecretName from
esc.Spec.Plugins.BitwardenSecretManagerProvider.SecretRef.Name and break the
loop once the "bitwarden-tls-certs" volume is found and updated.

[openshift-ci-robot]

@bharath-b-rh: This pull request references ESO-155 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.21.0" version, but no target version was set.

In response to this:

PR has following changes

• Updates bitwarden deployment to use the user configured secret for certificates.
• Updates tests to validate the deployment object is updated as per user configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bharath-b-rh]

/label px-approved
/label docs-approved

[bharath-b-rh]

/remove qe-approved

[bharath-b-rh]

/remove-qe-approved

[bharath-b-rh]

/hold for verification

[openshift-ci]

@bharath-b-rh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator	5e3364d	link	true	/test e2e-operator

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.