
Commit 37e7ae2

committed
Optimistically update Kube Server and Client CA bundles
1 parent fe4a4b6 commit 37e7ae2


1 file changed

+76
-19
lines changed

1 file changed

+76
-19
lines changed

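--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -13,7 +13,6 @@ import (
 
 	"github.com/ghodss/yaml"
 
-	"github.com/openshift/api/annotations"
 	kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/cluster-kube-apiserver-operator/bindata"
@@ -23,6 +22,7 @@ import (
 	"github.com/openshift/library-go/pkg/operator/certrotation"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+	"github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
 	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
@@ -37,6 +37,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/klog/v2"
 )
 
 type TargetConfigController struct {
@@ -296,12 +297,26 @@ func generateOptionalStartupMonitorPod(isStartupMonitorEnabledFn func() (bool, e
 }
 
 func ManageClientCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-	requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "client-ca"},
+
+	additionalAnnotations := certrotation.AdditionalAnnotations{
+		JiraComponent: "kube-apiserver",
+	}
+
+	caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get("client-ca")
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, false, err
+	}
+
+	creationRequired := false
+	updateRequired := false
+	if apierrors.IsNotFound(err) {
+		creationRequired = true
+	}
+
+	requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMaps(
+		caBundleConfigMap,
 		lister,
-		certrotation.AdditionalAnnotations{
-			JiraComponent: "kube-apiserver",
-		},
+		additionalAnnotations,
 		// this is from the installer and contains the value to verify the admin.kubeconfig user
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "admin-kubeconfig-client-ca"},
 		// this is from the installer and contains the value to verify the node bootstrapping cert that is baked into images
@@ -321,21 +336,49 @@ func ManageClientCABundle(ctx context.Context, lister corev1listers.ConfigMapLis
 	if err != nil {
 		return nil, false, err
 	}
-	if requiredConfigMap.Annotations == nil {
-		requiredConfigMap.Annotations = map[string]string{}
+
+	if creationRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+		resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Created client CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
+	} else if updateRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+		resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Updated client CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
 	}
-	requiredConfigMap.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
 
-	return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+	return caBundleConfigMap, false, nil
 }
 
 func manageKubeAPIServerCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-	requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-apiserver-server-ca"},
+
+	additionalAnnotations := certrotation.AdditionalAnnotations{
+		JiraComponent: "kube-apiserver",
+	}
+
+	caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get("client-ca")
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, false, err
+	}
+
+	creationRequired := false
+	updateRequired := false
+	if apierrors.IsNotFound(err) {
+		creationRequired = true
+	}
+
+	requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMaps(
+		caBundleConfigMap,
 		lister,
-		certrotation.AdditionalAnnotations{
-			JiraComponent: "kube-apiserver",
-		},
+		additionalAnnotations,
 		// this bundle is what this operator uses to mint loadbalancers certs
 		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "loadbalancer-serving-ca"},
 		// this bundle is what this operator uses to mint localhost certs
@@ -348,12 +391,26 @@ func manageKubeAPIServerCABundle(ctx context.Context, lister corev1listers.Confi
 	if err != nil {
 		return nil, false, err
 	}
-	if requiredConfigMap.Annotations == nil {
-		requiredConfigMap.Annotations = map[string]string{}
+
+	if creationRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+		resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Created kube apiserver CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
+	} else if updateRequired {
+		caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+		resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+		if err != nil {
+			return nil, false, err
+		}
+		klog.V(2).Infof("Updated kube apiserver CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		return caBundleConfigMap, true, nil
 	}
-	requiredConfigMap.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
 
-	return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+	return caBundleConfigMap, false, nil
 }
 
 func ensureKubeAPIServerTrustedCA(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {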
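Review bot: In manageKubeAPIServerCABundle the new lookup reads the wrong configmap — `caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get("client-ca")` — while the removed line shows this function's destination was `kube-apiserver-server-ca`, so the block copied from ManageClientCABundle was not adjusted. The new side names no destination anywhere else, so if CombineCABundleConfigMaps derives the target from that object (its body is outside this diff; please confirm), the Update path would write the serving-CA bundle (loadbalancer-serving-ca, localhost and friends) over `client-ca`, the bundle the apiserver uses to authenticate client certificates, which would both break admin.kubeconfig/node-bootstrap authentication and let certificates minted by the serving signers be accepted as client certificates. The line should read `caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get("kube-apiserver-server-ca")`. Separately, in both functions the not-found path hands a nil `caBundleConfigMap` to CombineCABundleConfigMaps and the `updateRequired := false` initializer is dead because the later `:=` reassigns it; a comment such as `// caBundleConfigMap is nil when creationRequired; CombineCABundleConfigMaps must build the destination itself in that case` would make that contract explicit.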
