Refactor merge logic and improve secret validation

Add helper functions for security item detection (isSecurityItem, isSecurityAnnotation)
Extract filter/extract operations into reusable functions for volumes, annotations, and mounts
Improve SPP validation to fail-closed (reject on parse errors instead of allowing)
Refactor parseValidSppsFromSecret to reuse ptp4lConf parser for consistency
Add detailed comments explaining secret hash change detection mechanism
Downgrade controller-gen from v0.19.0 to v0.15.0 for compatibility
Add kubebuilder marker to skip auto-generation for Ptp4lConf type
Regenerate CRDs and RBAC with ptpSecretName field support

Author: gtannous-spec

Makefile

@@ -155,7 +155,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v4.5.7
-CONTROLLER_TOOLS_VERSION ?= v0.19.0
+CONTROLLER_TOOLS_VERSION ?= v0.15.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

api/v1/ptpconfig_webhook.go

@@ -71,6 +71,7 @@ type ptp4lConf struct {
 	sections map[string]ptp4lConfSection
 }
 
+// +kubebuilder:object:generate=false
 // Ptp4lConf is a public wrapper for ptp4lConf
 type Ptp4lConf struct {
 	conf ptp4lConf
@@ -390,9 +391,12 @@ func (r *PtpConfig) validateSppInSecret(profile PtpProfile, secret *corev1.Secre
 	// Parse the secret data to find valid SPP values
 	validSpps, err := parseValidSppsFromSecret(secret)
 	if err != nil {
-		ptpconfiglog.Error(err, "failed to parse SPPs from secret", "secret", secret.Name, "profile", profileName)
-		// Fail open - don't block if we can't parse
-		return nil
+		return fmt.Errorf("failed to parse SPPs from secret '%s' for profile '%s': %v", secret.Name, profileName, err)
+	}
+
+	// If no SPPs found in secret, that's an error
+	if len(validSpps) == 0 {
+		return fmt.Errorf("no SPPs defined in secret '%s'. Secret must contain 'spp <number>' lines in security associations", secret.Name)
 	}
 
 	// Check if the specified SPP exists in the secret
@@ -412,33 +416,25 @@ func parseValidSppsFromSecret(secret *corev1.Secret) ([]string, error) {
 
 	// Iterate through all keys in the secret
 	for key, value := range secret.Data {
-		// Parse the security configuration
+		// Parse the security configuration using existing ptp4l parser
 		content := string(value)
-		lines := strings.Split(content, "\n")
-
-		// Look for any line starting with "spp <number>"
-		for _, line := range lines {
-			line = strings.TrimSpace(line)
-
-			// Skip empty lines and comments
-			if line == "" || strings.HasPrefix(line, "#") {
-				continue
-			}
+		conf := &ptp4lConf{}
+		if err := conf.populatePtp4lConf(&content, nil); err != nil {
+			// If parsing fails, return error (strict validation)
+			return nil, fmt.Errorf("failed to parse security file format: %v", err)
+		}
 
-			// Check if line starts with "spp " (case-insensitive)
-			if strings.HasPrefix(strings.ToLower(line), "spp ") {
-				parts := strings.Fields(line)
-				if len(parts) >= 2 {
-					sppNumber := parts[1]
-					// Add if not already in list
-					if !contains(validSpps, sppNumber) {
-						validSpps = append(validSpps, sppNumber)
-					}
+		// Extract SPP values from all [security_association] sections
+		for sectionName, section := range conf.sections {
+			// Look for security_association sections or any section with spp
+			if sppValue, exists := section.options["spp"]; exists {
+				// Found an spp value
+				if !contains(validSpps, sppValue) {
+					validSpps = append(validSpps, sppValue)
+					ptpconfiglog.Info("found SPP in secret", "section", sectionName, "spp", sppValue, "key", key)
 				}
 			}
 		}
-
-		ptpconfiglog.Info("parsed SPPs from secret", "key", key, "spps", validSpps)
 	}
 
 	return validSpps, nil

bundle/manifests/ptp-operator.clusterserviceversion.yaml

@@ -61,7 +61,7 @@ metadata:
     categories: Networking
     certified: "false"
     containerImage: quay.io/openshift/origin-ptp-operator:4.21
-    createdAt: "2025-11-03T12:52:29Z"
+    createdAt: "2025-11-18T22:08:29Z"
     description: This software enables configuration of Precision Time Protocol(PTP)
       on Kubernetes. It detects hardware capable PTP devices on each node, and configures
       linuxptp processes such as ptp4l, phc2sys and timemaster.
@@ -280,6 +280,24 @@ spec:
           - rolebindings
           verbs:
           - '*'
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - apps
+          resources:
+          - daemonsets
+          verbs:
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - config.openshift.io
           resources:

bundle/manifests/ptp.openshift.io_ptpconfigs.yaml

@@ -90,6 +90,8 @@ spec:
                       maximum: 65
                       minimum: 1
                       type: integer
+                    ptpSecretName:
+                      type: string
                     ptpSettings:
                       additionalProperties:
                         type: string

config/crd/bases/ptp.openshift.io_hardwareconfigs.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: hardwareconfigs.ptp.openshift.io
 spec:
   group: ptp.openshift.io

config/crd/bases/ptp.openshift.io_nodeptpdevices.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: nodeptpdevices.ptp.openshift.io
 spec:
   group: ptp.openshift.io

config/crd/bases/ptp.openshift.io_ptpconfigs.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: ptpconfigs.ptp.openshift.io
 spec:
   group: ptp.openshift.io

config/crd/bases/ptp.openshift.io_ptpoperatorconfigs.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: ptpoperatorconfigs.ptp.openshift.io
 spec:
   group: ptp.openshift.io

config/rbac/role.yaml

@@ -72,7 +72,6 @@ rules:
   - ptp.openshift.io
   resources:
   - ptpconfigs
-  - ptpoperatorconfigs
   verbs:
   - create
   - delete
@@ -85,13 +84,37 @@ rules:
   - ptp.openshift.io
   resources:
   - ptpconfigs/finalizers
-  - ptpoperatorconfigs/finalizers
   verbs:
   - update
 - apiGroups:
   - ptp.openshift.io
   resources:
   - ptpconfigs/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ptp.openshift.io
+  resources:
+  - ptpoperatorconfigs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ptp.openshift.io
+  resources:
+  - ptpoperatorconfigs/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ptp.openshift.io
+  resources:
   - ptpoperatorconfigs/status
   verbs:
   - get

manifests/stable/ptp-operator.clusterserviceversion.yaml

@@ -61,7 +61,7 @@ metadata:
     categories: Networking
     certified: "false"
     containerImage: quay.io/openshift/origin-ptp-operator:4.21
-    createdAt: "2025-11-03T12:52:29Z"
+    createdAt: "2025-11-18T22:08:29Z"
     description: This software enables configuration of Precision Time Protocol(PTP)
       on Kubernetes. It detects hardware capable PTP devices on each node, and configures
       linuxptp processes such as ptp4l, phc2sys and timemaster.
@@ -280,6 +280,24 @@ spec:
           - rolebindings
           verbs:
           - '*'
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - apps
+          resources:
+          - daemonsets
+          verbs:
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - config.openshift.io
           resources: