
Commit 42120ad

committed
Optimistically update Kube Server and Client CA bundles
1 parent 249eed0 commit 42120ad


1 file changed

+76
-19
lines changed


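--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -13,7 +13,6 @@ import (
 
 "github.com/ghodss/yaml"
 
-"github.com/openshift/api/annotations"
 kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 operatorv1 "github.com/openshift/api/operator/v1"
 "github.com/openshift/cluster-kube-apiserver-operator/bindata"
@@ -24,6 +23,7 @@ import (
 "github.com/openshift/library-go/pkg/operator/certrotation"
 "github.com/openshift/library-go/pkg/operator/events"
 "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+"github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 "github.com/openshift/library-go/pkg/operator/resource/resourceread"
 "github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
@@ -38,6 +38,7 @@ import (
 "k8s.io/client-go/kubernetes"
 coreclientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 corev1listers "k8s.io/client-go/listers/core/v1"
+"k8s.io/klog/v2"
 )
 
 const (
@@ -347,12 +348,26 @@ func generateOptionalStartupMonitorPod(isStartupMonitorEnabledFn func() (bool, e
 }
 
 func ManageClientCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "client-ca"},
+
+additionalAnnotations := certrotation.AdditionalAnnotations{
+JiraComponent: "kube-apiserver",
+}
+
+caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get("client-ca")
+if err != nil && !apierrors.IsNotFound(err) {
+return nil, false, err
+}
+
+creationRequired := false
+updateRequired := false
+if apierrors.IsNotFound(err) {
+creationRequired = true
+}
+
+requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMaps(
+caBundleConfigMap,
 lister,
-certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
-},
+additionalAnnotations,
 // this is from the installer and contains the value to verify the admin.kubeconfig user
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "admin-kubeconfig-client-ca"},
 // this is from the installer and contains the value to verify the node bootstrapping cert that is baked into images
@@ -372,21 +387,49 @@ func ManageClientCABundle(ctx context.Context, lister corev1listers.ConfigMapLis
 if err != nil {
 return nil, false, err
 }
-if requiredConfigMap.Annotations == nil {
-requiredConfigMap.Annotations = map[string]string{}
+
+if creationRequired {
+caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Created client CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
+} else if updateRequired {
+caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Updated client CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
 }
-requiredConfigMap.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
 
-return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+return caBundleConfigMap, false, nil
 }
 
 func manageKubeAPIServerCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-apiserver-server-ca"},
+
+additionalAnnotations := certrotation.AdditionalAnnotations{
+JiraComponent: "kube-apiserver",
+}
+
+caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get("client-ca")
+if err != nil && !apierrors.IsNotFound(err) {
+return nil, false, err
+}
+
+creationRequired := false
+updateRequired := false
+if apierrors.IsNotFound(err) {
+creationRequired = true
+}
+
+requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMaps(
+caBundleConfigMap,
 lister,
-certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
-},
+additionalAnnotations,
 // this bundle is what this operator uses to mint loadbalancers certs
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "loadbalancer-serving-ca"},
 // this bundle is what this operator uses to mint localhost certs
@@ -399,12 +442,26 @@ func manageKubeAPIServerCABundle(ctx context.Context, lister corev1listers.Confi
 if err != nil {
 return nil, false, err
 }
-if requiredConfigMap.Annotations == nil {
-requiredConfigMap.Annotations = map[string]string{}
+
+if creationRequired {
+caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Created kube apiserver CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
+} else if updateRequired {
+caBundleConfigMap, err := client.ConfigMaps(operatorclient.TargetNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Updated kube apiserver CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
 }
-requiredConfigMap.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
 
-return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+return caBundleConfigMap, false, nil
 }
 
 func ensureKubeAPIServerTrustedCA(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {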
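Review bot: manageKubeAPIServerCABundle reads the wrong existing object: the lister call at new line 418 fetches `"client-ca"`, while the ResourceLocation it replaced named `kube-apiserver-server-ca`, so the serving-CA combination is seeded from the client CA bundle and, if CombineCABundleConfigMaps takes the target name and namespace from that first argument, the Update at new line 455 writes the loadbalancer/localhost serving CAs back into client-ca. Those two bundles bound different trust decisions (the page's own comments describe client-ca sources as what verifies the admin.kubeconfig user and node bootstrapping certs, and the server bundle as what this operator mints serving certs from), so mixing them is a trust-boundary defect rather than a cosmetic typo; the fix is `caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get("kube-apiserver-server-ca")`. ManageClientCABundle and manageKubeAPIServerCABundle now also carry an identical get/create/update/event/log tail, and `updateRequired := false` in both is immediately overwritten by the `:=` on the CombineCABundleConfigMaps line, so a small shared helper taking the bundle name and log label would remove both the duplication and the opening for exactly this kind of copy-paste slip. Both functions' bodies continue outside the hunks shown, and the dropped `annotations.OpenShiftComponent` assignment is presumably now covered by the AdditionalAnnotations argument — worth confirming against the library-go signature.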
