From d3306dfee902b9240741a100b7ddf0210f411697 Mon Sep 17 00:00:00 2001
From: Matthias Wessendorf
Date: Tue, 17 Dec 2024 15:40:11 +0100
Subject: [PATCH] Add knobs for tls support on controllers
Signed-off-by: Matthias Wessendorf
---
 cmd/controller/main.go | 16 +++++++++-----
 pkg/reconciler/integration/sink/controller.go | 22 +++++++++++--------
 2 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
index 33fff539657..8a651060090 100644
--- a/cmd/controller/main.go
+++ b/cmd/controller/main.go
@@ -20,15 +20,15 @@ import (
 // Uncomment the following line to load the gcp plugin (only required to authenticate against GKE clusters).
 // _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+ "knative.dev/eventing/pkg/apis/feature"
 "knative.dev/eventing/pkg/client/certmanager/injection/informers/acme/v1/challenge"
 v1certificate "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
-
 "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificaterequest"
 "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/clusterissuer"
 "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/issuer"
 "knative.dev/pkg/injection"
-
 "knative.dev/pkg/injection/sharedmain"
+ "knative.dev/pkg/logging"
 filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 "knative.dev/pkg/signals"
@@ -64,9 +64,15 @@ func main() {
 "app.kubernetes.io/name",
 )
- for _, inf := range []injection.InformerInjector{challenge.WithInformer, v1certificate.WithInformer, certificaterequest.WithInformer, clusterissuer.WithInformer, issuer.WithInformer} {
- injection.Default.RegisterInformer(inf)
- }
+ var featureStore *feature.Store
+ featureStore = feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
+ featureFlags := value.(feature.Flags)
+ if !featureFlags.IsDisabledTransportEncryption() && featureStore != nil {
+ for _, inf := range []injection.InformerInjector{challenge.WithInformer, v1certificate.WithInformer, certificaterequest.WithInformer, clusterissuer.WithInformer, issuer.WithInformer} {
+ injection.Default.RegisterInformer(inf)
+ }
+ }
+ })
 sharedmain.MainWithContext(ctx, "controller", // Messaging
diff --git a/pkg/reconciler/integration/sink/controller.go b/pkg/reconciler/integration/sink/controller.go
index d7b828b75d4..3019bf28783 100644
--- a/pkg/reconciler/integration/sink/controller.go
+++ b/pkg/reconciler/integration/sink/controller.go
@@ -19,6 +19,8 @@ package sink
 import (
 "context"
+ cmclient "knative.dev/eventing/pkg/client/certmanager/injection/client"
+ cmcertinformer "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
 pkgreconciler "knative.dev/pkg/reconciler"
 "k8s.io/client-go/tools/cache"
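Review bot: In main() (cmd/controller/main.go) the cert-manager informers are now registered only from inside the feature-store callback, but nothing in this hunk calls `WatchConfigs` on `featureStore` or otherwise triggers the callback before `sharedmain.MainWithContext` runs, so with transport encryption set to permissive or strict the informers may never be registered, or be registered too late to be injected. If the callback does fire, it runs on every config update and re-registers the same five injectors each time; wrapping the loop in a `sync.Once` would avoid that. The `featureStore != nil` test appears to exist only to keep the variable used, and `value.(feature.Flags)` panics on an unexpected type; `featureFlags, ok := value.(feature.Flags)` with an early return when `!ok` is safer. main() continues outside the hunk.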
@@ -30,9 +32,6 @@ import (
 deploymentinformer "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment"
 "knative.dev/pkg/client/injection/kube/informers/core/v1/service"
- cmclient "knative.dev/eventing/pkg/client/certmanager/injection/client"
- cmcertinformer "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
-
 integrationsinkreconciler "knative.dev/eventing/pkg/client/injection/reconciler/sinks/v1alpha1/integrationsink"
 kubeclient "knative.dev/pkg/client/injection/kube/client"
 secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered"
@@ -51,8 +50,6 @@ func NewController(
 eventPolicyInformer := eventpolicy.Get(ctx)
 deploymentInformer := deploymentinformer.Get(ctx)
- cmCertificateInformer := cmcertinformer.Get(ctx)
-
 serviceInformer := service.Get(ctx)
 r := &Reconciler{
@@ -61,12 +58,12 @@ func NewController(
 deploymentLister: deploymentInformer.Lister(),
 serviceLister: serviceInformer.Lister(),
- secretLister: secretInformer.Lister(),
- eventPolicyLister: eventPolicyInformer.Lister(),
- cmCertificateLister: cmCertificateInformer.Lister(),
- certManagerClient: cmclient.Get(ctx),
+ secretLister: secretInformer.Lister(),
+ eventPolicyLister: eventPolicyInformer.Lister(),
 }
+ // featureFlags := feature.FromContext(ctx)
+
 var globalResync func(obj interface{})
 featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
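Review bot: The added line `// featureFlags := feature.FromContext(ctx)` in the `@@ -61,12 +58,12 @@` hunk of NewController is commented-out code with no explanation of why it is kept. Drop it, or replace it with a comment that says why the flags are not read from the context at this point. The struct literal and NewController itself both start outside the hunk.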
@@ -76,6 +73,13 @@ func NewController(
 })
 featureStore.WatchConfigs(cmw)
+ // If not enabled, it is disable, strict or Permissive
+ if featureStore.Load().IsPermissiveTransportEncryption() || featureStore.Load().IsStrictTransportEncryption() {
+ cmCertificateInformer := cmcertinformer.Get(ctx)
+ r.cmCertificateLister = cmCertificateInformer.Lister()
+ r.certManagerClient = cmclient.Get(ctx)
+ }
+
 impl := integrationsinkreconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options {
 return controller.Options{
 ConfigStore: featureStore,
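Review bot: The transport-encryption flags are read once here in NewController, so `r.cmCertificateLister` and `r.certManagerClient` stay nil when the controller starts with the feature disabled and it is later switched to permissive or strict; the store is watched and handed to the reconciler as `ConfigStore`, so later reconciles would see the new flag value with a nil lister and client. The Reconciler is not part of this patch, so whether it guards against that cannot be confirmed here; it should nil-check both fields before any certificate handling, or the restart requirement should be documented next to this block. Loading the flags once, `flags := featureStore.Load()`, also keeps both tests in the condition on the same snapshot. The added comment is hard to parse; `// The cert-manager informer and client are only needed when transport encryption is permissive or strict.` states the intent. NewController begins and ends outside the hunk.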