[b/r] Move custom Issuer labeling to ControlPlane controller, fix error handling

Move custom Issuer backup labeling from BackupConfig controller to ca.go
where the ControlPlane controller already processes custom issuers. This
is more explicit — labels what it knows about from spec.tls.*.ca.customIssuer
rather than inferring from ownerRef absence.

Remove Issuers from BackupConfig spec, status, conditions, RBAC, watches,
and tests. Add error return to GetCertSecretBackupLabels and fix all
callers to propagate errors for retry. Rename GetConfig parameter from
gvk to crdName.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: stuggi

api/backup/v1beta1/conditions.go

@@ -15,9 +15,6 @@ const (
 	// OpenStackBackupConfigNADsReadyCondition - NetworkAttachmentDefinitions labeling status
 	OpenStackBackupConfigNADsReadyCondition condition.Type = "NADsReady"
 
-	// OpenStackBackupConfigIssuersReadyCondition - cert-manager Issuers labeling status
-	OpenStackBackupConfigIssuersReadyCondition condition.Type = "IssuersReady"
-
 	// OpenStackBackupConfigCRsReadyCondition - CR instances labeling status
 	OpenStackBackupConfigCRsReadyCondition condition.Type = "CRsReady"
 )

api/backup/v1beta1/openstackbackupconfig_types.go

@@ -55,15 +55,6 @@ type OpenStackBackupConfigSpec struct {
 	// +kubebuilder:default={labeling:enabled}
 	NetworkAttachmentDefinitions ResourceBackupConfig `json:"networkAttachmentDefinitions"`
 
-	// Issuers configuration for backup labeling of cert-manager Issuers.
-	// Only custom (user-provided) Issuers without ownerReferences are labeled.
-	// Operator-created Issuers (rootca-*, selfsigned-issuer) have ownerRefs
-	// and are recreated by the operator during reconciliation.
-	// Custom Issuers default to restore order 20 (after secrets at order 10,
-	// since Issuers reference CA secrets).
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={labeling:enabled,restoreOrder:"20"}
-	Issuers ResourceBackupConfig `json:"issuers"`
 }
 
 // ResourceBackupConfig defines backup labeling rules for a resource type
@@ -118,9 +109,6 @@ type ResourceCounts struct {
 	// +kubebuilder:validation:Optional
 	NetworkAttachmentDefinitions int `json:"networkAttachmentDefinitions,omitempty"`
 
-	// Issuers is the number of cert-manager Issuers labeled for backup
-	// +kubebuilder:validation:Optional
-	Issuers int `json:"issuers,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -129,7 +117,6 @@ type ResourceCounts struct {
 // +kubebuilder:printcolumn:name="Secrets",type="integer",JSONPath=".status.labeledResources.secrets",description="Labeled Secrets"
 // +kubebuilder:printcolumn:name="ConfigMaps",type="integer",JSONPath=".status.labeledResources.configMaps",description="Labeled ConfigMaps"
 // +kubebuilder:printcolumn:name="NADs",type="integer",JSONPath=".status.labeledResources.networkAttachmentDefinitions",description="Labeled NADs"
-// +kubebuilder:printcolumn:name="Custom Issuers",type="integer",JSONPath=".status.labeledResources.issuers",description="Labeled custom cert-manager Issuers (without ownerReferences)"
 // +kubebuilder:metadata:labels=backup.openstack.org/restore=true
 // +kubebuilder:metadata:labels=backup.openstack.org/category=controlplane
 // +kubebuilder:metadata:labels=backup.openstack.org/restore-order=20

api/backup/v1beta1/zz_generated.deepcopy.go

@@ -33,10 +33,6 @@ spec:
       jsonPath: .status.labeledResources.networkAttachmentDefinitions
       name: NADs
       type: integer
-    - description: Labeled custom cert-manager Issuers (without ownerReferences)
-      jsonPath: .status.labeledResources.issuers
-      name: Custom Issuers
-      type: integer
     name: v1beta1
     schema:
       openAPIV3Schema:
@@ -113,52 +109,6 @@ spec:
                 description: DefaultRestoreOrder is the restore order assigned to
                   user-provided resources
                 type: string
-              issuers:
-                default:
-                  labeling: enabled
-                  restoreOrder: "20"
-                description: |-
-                  Issuers configuration for backup labeling of cert-manager Issuers.
-                  Only custom (user-provided) Issuers without ownerReferences are labeled.
-                  Operator-created Issuers (rootca-*, selfsigned-issuer) have ownerRefs
-                  and are recreated by the operator during reconciliation.
-                  Custom Issuers default to restore order 20 (after secrets at order 10,
-                  since Issuers reference CA secrets).
-                properties:
-                  excludeLabelKeys:
-                    description: |-
-                      ExcludeLabelKeys is a list of label keys - resources with any of these labels are excluded
-                      Example: ["service-cert", "osdp-service"] excludes service-cert and dataplane service secrets
-                    items:
-                      type: string
-                    type: array
-                  excludeNames:
-                    description: |-
-                      ExcludeNames is a list of resource names to exclude from backup labeling
-                      Example: ["kube-root-ca.crt", "openshift-service-ca.crt"] for system ConfigMaps
-                    items:
-                      type: string
-                    type: array
-                  includeLabelSelector:
-                    additionalProperties:
-                      type: string
-                    description: |-
-                      IncludeLabelSelector allows filtering resources by label selector
-                      Only resources matching this selector will be labeled (in addition to ownerRef check)
-                    type: object
-                  labeling:
-                    description: Labeling controls whether to label this resource
-                      type for backup
-                    enum:
-                    - enabled
-                    - disabled
-                    type: string
-                  restoreOrder:
-                    description: |-
-                      RestoreOrder overrides the default restore order for this resource type.
-                      If empty, the global DefaultRestoreOrder is used.
-                    type: string
-                type: object
               networkAttachmentDefinitions:
                 default:
                   labeling: enabled
@@ -294,10 +244,6 @@ spec:
                     description: ConfigMaps is the number of configmaps labeled for
                       backup
                     type: integer
-                  issuers:
-                    description: Issuers is the number of cert-manager Issuers labeled
-                      for backup
-                    type: integer
                   networkAttachmentDefinitions:
                     description: NetworkAttachmentDefinitions is the number of NADs
                       labeled for backup

api/bases/backup.openstack.org_openstackbackupconfigs.yaml

@@ -33,10 +33,6 @@ spec:
       jsonPath: .status.labeledResources.networkAttachmentDefinitions
       name: NADs
       type: integer
-    - description: Labeled custom cert-manager Issuers (without ownerReferences)
-      jsonPath: .status.labeledResources.issuers
-      name: Custom Issuers
-      type: integer
     name: v1beta1
     schema:
       openAPIV3Schema:
@@ -113,52 +109,6 @@ spec:
                 description: DefaultRestoreOrder is the restore order assigned to
                   user-provided resources
                 type: string
-              issuers:
-                default:
-                  labeling: enabled
-                  restoreOrder: "20"
-                description: |-
-                  Issuers configuration for backup labeling of cert-manager Issuers.
-                  Only custom (user-provided) Issuers without ownerReferences are labeled.
-                  Operator-created Issuers (rootca-*, selfsigned-issuer) have ownerRefs
-                  and are recreated by the operator during reconciliation.
-                  Custom Issuers default to restore order 20 (after secrets at order 10,
-                  since Issuers reference CA secrets).
-                properties:
-                  excludeLabelKeys:
-                    description: |-
-                      ExcludeLabelKeys is a list of label keys - resources with any of these labels are excluded
-                      Example: ["service-cert", "osdp-service"] excludes service-cert and dataplane service secrets
-                    items:
-                      type: string
-                    type: array
-                  excludeNames:
-                    description: |-
-                      ExcludeNames is a list of resource names to exclude from backup labeling
-                      Example: ["kube-root-ca.crt", "openshift-service-ca.crt"] for system ConfigMaps
-                    items:
-                      type: string
-                    type: array
-                  includeLabelSelector:
-                    additionalProperties:
-                      type: string
-                    description: |-
-                      IncludeLabelSelector allows filtering resources by label selector
-                      Only resources matching this selector will be labeled (in addition to ownerRef check)
-                    type: object
-                  labeling:
-                    description: Labeling controls whether to label this resource
-                      type for backup
-                    enum:
-                    - enabled
-                    - disabled
-                    type: string
-                  restoreOrder:
-                    description: |-
-                      RestoreOrder overrides the default restore order for this resource type.
-                      If empty, the global DefaultRestoreOrder is used.
-                    type: string
-                type: object
               networkAttachmentDefinitions:
                 default:
                   labeling: enabled
@@ -294,10 +244,6 @@ spec:
                     description: ConfigMaps is the number of configmaps labeled for
                       backup
                     type: integer
-                  issuers:
-                    description: Issuers is the number of cert-manager Issuers labeled
-                      for backup
-                    type: integer
                   networkAttachmentDefinitions:
                     description: NetworkAttachmentDefinitions is the number of NADs
                       labeled for backup

config/crd/bases/backup.openstack.org_openstackbackupconfigs.yaml

@@ -25,8 +25,6 @@ import (
 	"github.com/go-logr/logr"
 	backupv1beta1 "github.com/openstack-k8s-operators/openstack-operator/api/backup/v1beta1"
 
-	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
-
 	"github.com/openstack-k8s-operators/lib-common/modules/common/backup"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -229,20 +227,6 @@ func (r *OpenStackBackupConfigReconciler) labelNetworkAttachmentDefinitions(ctx
 	return r.labelResourceItems(ctx, log, items, instance.Spec.NetworkAttachmentDefinitions, defaultLabels)
 }
 
-// labelIssuers labels cert-manager Issuers in the target namespace
-func (r *OpenStackBackupConfigReconciler) labelIssuers(ctx context.Context, log logr.Logger, instance *backupv1beta1.OpenStackBackupConfig) (int, error) {
-	list := &certmgrv1.IssuerList{}
-	if err := r.List(ctx, list, client.InNamespace(instance.Namespace)); err != nil {
-		return 0, err
-	}
-	items := make([]client.Object, len(list.Items))
-	for i := range list.Items {
-		items[i] = &list.Items[i]
-	}
-	defaultLabels := backup.GetRestoreLabels(getRestoreOrder(instance.Spec.Issuers, instance.Spec.DefaultRestoreOrder), "")
-	return r.labelResourceItems(ctx, log, items, instance.Spec.Issuers, defaultLabels)
-}
-
 // labelCRInstances labels CR instances based on CRD backup-restore labels
 // This labels CRs like OpenStackControlPlane, OpenStackVersion, NetConfig, etc.
 // based on their CRD's backup/restore configuration.
@@ -307,8 +291,6 @@ func (r *OpenStackBackupConfigReconciler) labelCRInstances(ctx context.Context,
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
 // RBAC for labeling CR instances across all openstack.org API groups.
 // Kubernetes RBAC does not support wildcard group patterns (*.openstack.org),
@@ -376,7 +358,6 @@ func (r *OpenStackBackupConfigReconciler) Reconcile(ctx context.Context, req ctr
 		condition.UnknownCondition(backupv1beta1.OpenStackBackupConfigSecretsReadyCondition, condition.InitReason, condition.InitReason),
 		condition.UnknownCondition(backupv1beta1.OpenStackBackupConfigConfigMapsReadyCondition, condition.InitReason, condition.InitReason),
 		condition.UnknownCondition(backupv1beta1.OpenStackBackupConfigNADsReadyCondition, condition.InitReason, condition.InitReason),
-		condition.UnknownCondition(backupv1beta1.OpenStackBackupConfigIssuersReadyCondition, condition.InitReason, condition.InitReason),
 		condition.UnknownCondition(backupv1beta1.OpenStackBackupConfigCRsReadyCondition, condition.InitReason, condition.InitReason),
 	)
 	instance.Status.Conditions.Init(&cl)
@@ -454,21 +435,6 @@ func (r *OpenStackBackupConfigReconciler) Reconcile(ctx context.Context, req ctr
 			"Labeled %d NADs", nadCount))
 	}
 
-	issuerCount, err := r.labelIssuers(ctx, log, instance)
-	if err != nil {
-		log.Error(err, "Failed to label issuers")
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			backupv1beta1.OpenStackBackupConfigIssuersReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			"Failed to label issuers: %v", err))
-		reconcileErrs = append(reconcileErrs, err)
-	} else {
-		instance.Status.Conditions.Set(condition.TrueCondition(
-			backupv1beta1.OpenStackBackupConfigIssuersReadyCondition,
-			"Labeled %d issuers", issuerCount))
-	}
-
 	// Label CR instances based on CRD backup-restore labels
 	crCount, err := r.labelCRInstances(ctx, log, instance)
 	if err != nil {
@@ -489,13 +455,11 @@ func (r *OpenStackBackupConfigReconciler) Reconcile(ctx context.Context, req ctr
 	instance.Status.LabeledResources.Secrets = secretCount
 	instance.Status.LabeledResources.ConfigMaps = configMapCount
 	instance.Status.LabeledResources.NetworkAttachmentDefinitions = nadCount
-	instance.Status.LabeledResources.Issuers = issuerCount
-
 	if len(reconcileErrs) > 0 {
 		return ctrl.Result{}, stderrors.Join(reconcileErrs...)
 	}
 
-	log.Info("Successfully labeled resources", "secrets", secretCount, "configmaps", configMapCount, "nads", nadCount, "issuers", issuerCount, "crs", crCount)
+	log.Info("Successfully labeled resources", "secrets", secretCount, "configmaps", configMapCount, "nads", nadCount, "crs", crCount)
 	return ctrl.Result{}, nil
 }
 
@@ -585,8 +549,7 @@ func (r *OpenStackBackupConfigReconciler) SetupWithManager(mgr ctrl.Manager) err
 		For(&backupv1beta1.OpenStackBackupConfig{}).
 		Watches(&corev1.Secret{}, handler.EnqueueRequestsFromMapFunc(findBackupConfigForSrc), builder.WithPredicates(backupResourcePredicate)).
 		Watches(&corev1.ConfigMap{}, handler.EnqueueRequestsFromMapFunc(findBackupConfigForSrc), builder.WithPredicates(backupResourcePredicate)).
-		Watches(&k8s_networkingv1.NetworkAttachmentDefinition{}, handler.EnqueueRequestsFromMapFunc(findBackupConfigForSrc), builder.WithPredicates(backupResourcePredicate)).
-		Watches(&certmgrv1.Issuer{}, handler.EnqueueRequestsFromMapFunc(findBackupConfigForSrc), builder.WithPredicates(backupResourcePredicate))
+		Watches(&k8s_networkingv1.NetworkAttachmentDefinition{}, handler.EnqueueRequestsFromMapFunc(findBackupConfigForSrc), builder.WithPredicates(backupResourcePredicate))
 
 	// Build CRD label cache and add watches for CRD instance types.
 	// Uses the API reader since the manager's cache is not started yet.

internal/controller/backup/openstackbackupconfig_controller.go

@@ -80,13 +80,6 @@ func ReconcileBackupConfig(ctx context.Context, instance *corev1beta1.OpenStackC
 		if backupConfig.Spec.NetworkAttachmentDefinitions.Labeling == nil {
 			backupConfig.Spec.NetworkAttachmentDefinitions.Labeling = &defaultLabeling
 		}
-		if backupConfig.Spec.Issuers.Labeling == nil {
-			backupConfig.Spec.Issuers.Labeling = &defaultLabeling
-		}
-		if backupConfig.Spec.Issuers.RestoreOrder == "" {
-			backupConfig.Spec.Issuers.RestoreOrder = "20"
-		}
-
 		return nil
 	})
 

internal/openstack/backup.go

@@ -134,8 +134,10 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	} else {
 		customIssuer := *instance.Spec.TLS.Ingress.Ca.CustomIssuer
 
-		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
+		// add CA labelselector and backup/restore labels to custom issuer
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace,
+			util.MergeMaps(issuerLabels, backup.GetRestoreLabels(backup.RestoreOrder20, backup.CategoryControlPlane)),
+			issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,
@@ -211,8 +213,10 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		}
 	} else {
 		customIssuer := *instance.Spec.TLS.PodLevel.Internal.Ca.CustomIssuer
-		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
+		// add CA labelselector and backup/restore labels to custom issuer
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace,
+			util.MergeMaps(issuerLabels, backup.GetRestoreLabels(backup.RestoreOrder20, backup.CategoryControlPlane)),
+			issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,
@@ -289,8 +293,10 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		}
 	} else {
 		customIssuer := *instance.Spec.TLS.PodLevel.Libvirt.Ca.CustomIssuer
-		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
+		// add CA labelselector and backup/restore labels to custom issuer
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace,
+			util.MergeMaps(issuerLabels, backup.GetRestoreLabels(backup.RestoreOrder20, backup.CategoryControlPlane)),
+			issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,
@@ -366,8 +372,10 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		}
 	} else {
 		customIssuer := *instance.Spec.TLS.PodLevel.Ovn.Ca.CustomIssuer
-		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
+		// add CA labelselector and backup/restore labels to custom issuer
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace,
+			util.MergeMaps(issuerLabels, backup.GetRestoreLabels(backup.RestoreOrder20, backup.CategoryControlPlane)),
+			issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,