openshift · chiragkyal · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 22, 2026
diff --git a/Makefile b/Makefile
@@ -227,10 +227,14 @@ manifests: $(CONTROLLER_GEN) ## Generate WebhookConfiguration, ClusterRole and C
 		output:rbac:artifacts:config=$(PROJECT_ROOT)/config/rbac
 
 .PHONY: generate
-generate: $(CONTROLLER_GEN) ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
+generate: generate-fakes $(CONTROLLER_GEN) ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="$(PROJECT_ROOT)/hack/boilerplate.go.txt" paths="$(PROJECT_ROOT)/api/..."
 	hack/update-clientgen.sh
 
+.PHONY: generate-fakes
+generate-fakes: ## Generate fake implementations for testing using counterfeiter.
+	go generate ./...
+
 # Targets that need Go workspace mode (CI sets GOFLAGS=-mod=vendor which conflicts with go.work)
 fmt vet test test-e2e run update-vendor update-dep: GOFLAGS=
 

diff --git a/api/operator/v1alpha1/features.go b/api/operator/v1alpha1/features.go
@@ -13,8 +13,17 @@ var (
 	// For more details,
 	// https://github.com/openshift/enhancements/blob/master/enhancements/cert-manager/istio-csr-controller.md
 	FeatureIstioCSR featuregate.Feature = "IstioCSR"
+
+	// TrustManager enables the controller for trustmanagers.operator.openshift.io resource,
+	// which extends cert-manager-operator to deploy and manage the trust-manager operand.
+	// trust-manager provides a way to manage trust bundles in OpenShift clusters.
+	//
+	// For more details,
+	// https://github.com/openshift/enhancements/blob/master/enhancements/cert-manager/trust-manager-controller.md
+	FeatureTrustManager featuregate.Feature = "TrustManager"
 )
 
 var OperatorFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
-	FeatureIstioCSR: {Default: true, PreRelease: featuregate.GA},
+	FeatureIstioCSR:     {Default: true, PreRelease: featuregate.GA},
+	FeatureTrustManager: {Default: false, PreRelease: "TechPreview"},
 }
diff --git a/bundle/manifests/cert-manager-operator.clusterserviceversion.yaml b/bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
@@ -629,13 +629,15 @@ spec:
           resources:
           - certmanagers/finalizers
           - istiocsrs/finalizers
+          - trustmanagers/finalizers
           verbs:
           - update
         - apiGroups:
           - operator.openshift.io
           resources:
           - certmanagers/status
           - istiocsrs/status
+          - trustmanagers/status
           verbs:
           - get
           - patch
@@ -644,6 +646,7 @@ spec:
           - operator.openshift.io
           resources:
           - istiocsrs
+          - trustmanagers
           verbs:
           - get
           - list

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -226,13 +226,15 @@ rules:
   resources:
   - certmanagers/finalizers
   - istiocsrs/finalizers
+  - trustmanagers/finalizers
   verbs:
   - update
 - apiGroups:
   - operator.openshift.io
   resources:
   - certmanagers/status
   - istiocsrs/status
+  - trustmanagers/status
   verbs:
   - get
   - patch
@@ -241,6 +243,7 @@ rules:
   - operator.openshift.io
   resources:
   - istiocsrs
+  - trustmanagers
   verbs:
   - get
   - list

diff --git a/go.work.sum b/go.work.sum
diff --git a/pkg/controller/istiocsr/client.go → pkg/controller/common/client.go b/pkg/controller/istiocsr/client.go → pkg/controller/common/client.go
@@ -1,4 +1,4 @@
-package istiocsr
+package common
 
 import (
 	"context"
@@ -12,13 +12,16 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
+// ctrlClientImpl implements the CtrlClient interface using the manager's client.
 type ctrlClientImpl struct {
 	client.Client
 }
 
+// CtrlClient defines the interface for controller client operations.
+//
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
-//counterfeiter:generate -o fakes . ctrlClient
-type ctrlClient interface {
+//counterfeiter:generate -o fakes . CtrlClient
+type CtrlClient interface {
 	Get(context.Context, client.ObjectKey, client.Object) error
 	List(context.Context, client.ObjectList, ...client.ListOption) error
 	StatusUpdate(context.Context, client.Object, ...client.SubResourceUpdateOption) error
@@ -30,11 +33,12 @@ type ctrlClient interface {
 	Exists(context.Context, client.ObjectKey, client.Object) (bool, error)
 }
 
-func NewClient(m manager.Manager) (ctrlClient, error) {
-	// Use the manager's client directly instead of creating a custom client.
-	// The manager's client uses the manager's cache, which ensures the reconciler
-	// reads from the same cache that the controller's watches use, preventing
-	// cache mismatch issues.
+// NewClient creates a new controller client from the manager.
+// Use the manager's client directly instead of creating a custom client.
+// The manager's client uses the manager's cache, which ensures the reconciler
+// reads from the same cache that the controller's watches use, preventing
+// cache mismatch issues.
+func NewClient(m manager.Manager) (CtrlClient, error) {
 	return &ctrlClientImpl{
 		Client: m.GetClient(),
 	}, nil

diff --git a/pkg/controller/common/constants.go b/pkg/controller/common/constants.go
@@ -0,0 +1,6 @@
+package common
+
+// ManagedResourceLabelKey is the common label key used by all operand controllers
+// to identify resources they manage. Each controller uses a different value
+// to distinguish its resources.
+const ManagedResourceLabelKey = "app"
diff --git a/pkg/controller/istiocsr/errors.go → pkg/controller/common/errors.go b/pkg/controller/istiocsr/errors.go → pkg/controller/common/errors.go
@@ -1,4 +1,4 @@
-package istiocsr
+package common
 
 import (
 	"errors"
@@ -7,16 +7,21 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
+// ErrorReason represents the reason for a reconciliation error.
 type ErrorReason string
 
 const (
+	// IrrecoverableError indicates an error that cannot be recovered by retrying.
 	IrrecoverableError ErrorReason = "IrrecoverableError"
 
+	// RetryRequiredError indicates an error that may be recovered by retrying.
 	RetryRequiredError ErrorReason = "RetryRequiredError"
 
+	// MultipleInstanceError indicates that multiple singleton instances exist.
 	MultipleInstanceError ErrorReason = "MultipleInstanceError"
 )
 
+// ReconcileError represents an error that occurred during reconciliation.
 type ReconcileError struct {
 	Reason  ErrorReason `json:"reason,omitempty"`
 	Message string      `json:"message,omitempty"`
@@ -25,6 +30,7 @@ type ReconcileError struct {
 
 var _ error = &ReconcileError{}
 
+// NewIrrecoverableError creates a new irrecoverable error.
 func NewIrrecoverableError(err error, message string, args ...any) *ReconcileError {
 	if err == nil {
 		return nil
@@ -36,6 +42,7 @@ func NewIrrecoverableError(err error, message string, args ...any) *ReconcileErr
 	}
 }
 
+// NewMultipleInstanceError creates a new multiple instance error.
 func NewMultipleInstanceError(err error) *ReconcileError {
 	if err == nil {
 		return nil
@@ -47,6 +54,7 @@ func NewMultipleInstanceError(err error) *ReconcileError {
 	}
 }
 
+// NewRetryRequiredError creates a new error that requires retry.
 func NewRetryRequiredError(err error, message string, args ...any) *ReconcileError {
 	if err == nil {
 		return nil
@@ -58,6 +66,7 @@ func NewRetryRequiredError(err error, message string, args ...any) *ReconcileErr
 	}
 }
 
+// FromClientError creates a ReconcileError from a Kubernetes client error.
 func FromClientError(err error, message string, args ...any) *ReconcileError {
 	if err == nil {
 		return nil
@@ -70,6 +79,7 @@ func FromClientError(err error, message string, args ...any) *ReconcileError {
 	return NewRetryRequiredError(err, message, args...)
 }
 
+// FromError creates a ReconcileError from a generic error.
 func FromError(err error, message string, args ...any) *ReconcileError {
 	if err == nil {
 		return nil
@@ -80,6 +90,7 @@ func FromError(err error, message string, args ...any) *ReconcileError {
 	return NewRetryRequiredError(err, message, args...)
 }
 
+// IsIrrecoverableError checks if the error is an irrecoverable error.
 func IsIrrecoverableError(err error) bool {
 	rerr := &ReconcileError{}
 	if errors.As(err, &rerr) {
@@ -88,6 +99,7 @@ func IsIrrecoverableError(err error) bool {
 	return false
 }
 
+// IsRetryRequiredError checks if the error requires retry.
 func IsRetryRequiredError(err error) bool {
 	rerr := &ReconcileError{}
 	if errors.As(err, &rerr) {
@@ -96,6 +108,7 @@ func IsRetryRequiredError(err error) bool {
 	return false
 }
 
+// IsMultipleInstanceError checks if the error is a multiple instance error.
 func IsMultipleInstanceError(err error) bool {
 	rerr := &ReconcileError{}
 	if errors.As(err, &rerr) {
@@ -104,7 +117,7 @@ func IsMultipleInstanceError(err error) bool {
 	return false
 }
 
-// ReconcileError implements the ReconcileError interface.
+// Error implements the error interface.
 func (e *ReconcileError) Error() string {
 	return fmt.Sprintf("%s: %s", e.Message, e.Err)
 }
diff --git a/...roller/istiocsr/fakes/fake_ctrl_client.go → ...ntroller/common/fakes/fake_ctrl_client.go b/...roller/istiocsr/fakes/fake_ctrl_client.go → ...ntroller/common/fakes/fake_ctrl_client.go