fix: skip injecting service and cert if conversion is disabled (#4362)

hack/helm.generate.sh

@@ -19,6 +19,13 @@ yq e -Ns "\"${HELM_DIR}/templates/crds/\" + .spec.names.singular" ${BUNDLE_DIR}/
 for i in "${HELM_DIR}"/templates/crds/*.yml; do
   export CRDS_FLAG_NAME="create$(yq e '.spec.names.kind' $i)"
   cp "$i" "$i.bkp"
+  if [[ "$CRDS_FLAG_NAME" == *"ExternalSecret"* || "$CRDS_FLAG_NAME" == *"SecretStore"* ]]; then
+    yq e '(.spec.versions[] | select(.name == "v1alpha1")) |= ("{{- if .Values.crds.conversion.enabled }}\n \(.)\n {{- end }}")' -i "$i.bkp" || true
+    $SEDPRG -i '/- |-/d' "$i.bkp"
+    # Indent the remaining additionalPrinterColumn property right
+    $SEDPRG -i 's/       additionalPrinterColumns:/    - additionalPrinterColumns:/' "$i.bkp"
+  fi
+
   if [[ "$CRDS_FLAG_NAME" == *"Cluster"* ]]; then
     echo "{{- if and (.Values.installCRDs) (.Values.crds.$CRDS_FLAG_NAME) }}" > "$i"
   elif [[ "$CRDS_FLAG_NAME" == *"PushSecret"* ]]; then
@@ -29,6 +36,7 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
   cat "$i.bkp" >> "$i"
   echo "{{- end }}" >> "$i"
   rm "$i.bkp"
+
   $SEDPRG -i 's/name: kubernetes/name: {{ include "external-secrets.fullname" . }}-webhook/g' "$i"
   $SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
   $SEDPRG -i '0,/annotations/!b;//a\    {{- with .Values.crds.annotations }}\n    {{- toYaml . | nindent 4}}\n    {{- end }}\n    {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}\n    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook\n    {{- end }}' "$i"
@@ -36,4 +44,4 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
   $SEDPRG -i '/  conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
   echo "{{- end }}" >> "$i"
   mv "$i" "${i%.yml}.yaml"
-done
+done

pkg/controllers/crds/crds_controller.go

@@ -205,6 +205,7 @@ func (r *Reconciler) updateCRD(ctx context.Context, req ctrl.Request) error {
 	if err := r.Get(ctx, req.NamespacedName, &updatedResource); err != nil {
 		return err
 	}
+
 	svc := types.NamespacedName{
 		Name:      r.SvcName,
 		Namespace: r.SvcNamespace,
@@ -230,6 +231,10 @@ func (r *Reconciler) updateCRD(ctx context.Context, req ctrl.Request) error {
 }
 
 func injectService(crd *apiext.CustomResourceDefinition, svc types.NamespacedName) error {
+	if crd.Spec.Conversion != nil && crd.Spec.Conversion.Strategy == apiext.NoneConverter {
+		return nil
+	}
+
 	if crd.Spec.Conversion == nil ||
 		crd.Spec.Conversion.Webhook == nil ||
 		crd.Spec.Conversion.Webhook.ClientConfig == nil ||
@@ -242,6 +247,10 @@ func injectService(crd *apiext.CustomResourceDefinition, svc types.NamespacedNam
 }
 
 func injectCert(crd *apiext.CustomResourceDefinition, certPem []byte) error {
+	if crd.Spec.Conversion != nil && crd.Spec.Conversion.Strategy == apiext.NoneConverter {
+		return nil
+	}
+
 	if crd.Spec.Conversion == nil ||
 		crd.Spec.Conversion.Webhook == nil ||
 		crd.Spec.Conversion.Webhook.ClientConfig == nil {