Skip to content

Commit 088b03d

Browse files
vrutkovsvrutkovs
committed
certrotationcontroller: ensure secrets/configmaps are unique
Collect a list of secrets/configmaps tracked in controllers to make sure any secret/configmap is not being declared twice to avoid races when updating it
1 parent 882c3d1 commit 088b03d

File tree

2 files changed

+54
-8
lines changed

2 files changed

+54
-8
lines changed

pkg/operator/certrotation/client_cert_rotation_controller.go

+30
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ import (
66
"time"
77

88
operatorv1 "github.com/openshift/api/operator/v1"
9+
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
910
"k8s.io/apimachinery/pkg/util/errors"
1011
"k8s.io/apimachinery/pkg/util/sets"
1112
"k8s.io/apimachinery/pkg/util/wait"
@@ -80,6 +81,8 @@ func NewCertRotationController(
8081
rotatedSelfSignedCertKeySecret RotatedSelfSignedCertKeySecret,
8182
recorder events.Recorder,
8283
reporter StatusReporter,
84+
controlledSecrets *[]metav1.ObjectMeta,
85+
controlledConfigMaps *[]metav1.ObjectMeta,
8386
) factory.Controller {
8487
c := &CertRotationController{
8588
Name: name,
@@ -88,6 +91,19 @@ func NewCertRotationController(
8891
RotatedTargetSecrets: []RotatedSelfSignedCertKeySecret{rotatedSelfSignedCertKeySecret},
8992
StatusReporter: reporter,
9093
}
94+
*controlledSecrets = append(*controlledSecrets, metav1.ObjectMeta{
95+
Name: rotatedSigningCASecret.Name,
96+
Namespace: rotatedSigningCASecret.Namespace,
97+
})
98+
*controlledConfigMaps = append(*controlledConfigMaps, metav1.ObjectMeta{
99+
Name: caBundleConfigMap.Name,
100+
Namespace: caBundleConfigMap.Namespace,
101+
})
102+
*controlledSecrets = append(*controlledSecrets, metav1.ObjectMeta{
103+
Name: rotatedSelfSignedCertKeySecret.Name,
104+
Namespace: rotatedSelfSignedCertKeySecret.Namespace,
105+
})
106+
91107
return factory.New().
92108
ResyncEvery(time.Minute).
93109
WithSync(c.Sync).
@@ -112,14 +128,28 @@ func NewCertRotationControllerMultipleTargets(
112128
rotatedTargetSecrets []RotatedSelfSignedCertKeySecret,
113129
recorder events.Recorder,
114130
reporter StatusReporter,
131+
controlledSecrets *[]metav1.ObjectMeta,
132+
controlledConfigMaps *[]metav1.ObjectMeta,
115133
) factory.Controller {
116134
informers := sets.New[factory.Informer](
117135
rotatedSigningCASecret.Informer.Informer(),
118136
caBundleConfigMap.Informer.Informer(),
119137
)
120138

139+
*controlledSecrets = append(*controlledSecrets, metav1.ObjectMeta{
140+
Name: rotatedSigningCASecret.Name,
141+
Namespace: rotatedSigningCASecret.Namespace,
142+
})
143+
*controlledConfigMaps = append(*controlledConfigMaps, metav1.ObjectMeta{
144+
Name: caBundleConfigMap.Name,
145+
Namespace: caBundleConfigMap.Namespace,
146+
})
121147
for _, target := range rotatedTargetSecrets {
122148
informers = informers.Insert(target.Informer.Informer())
149+
*controlledSecrets = append(*controlledSecrets, metav1.ObjectMeta{
150+
Name: target.Name,
151+
Namespace: target.Namespace,
152+
})
123153
}
124154

125155
c := &CertRotationController{

pkg/operator/certrotation/client_cert_rotation_controller_test.go

+24-8
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,9 @@ func TestCertRotationController(t *testing.T) {
121121
UseSecretUpdateOnly: true,
122122
}
123123

124-
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{})
124+
controlledSecrets := []metav1.ObjectMeta{}
125+
controlledConfigMaps := []metav1.ObjectMeta{}
126+
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
125127

126128
time.AfterFunc(1*time.Second, func() {
127129
cancel()
@@ -233,8 +235,10 @@ func TestCertRotationControllerIdempotent(t *testing.T) {
233235
UseSecretUpdateOnly: true,
234236
}
235237

238+
controlledSecrets := []metav1.ObjectMeta{}
239+
controlledConfigMaps := []metav1.ObjectMeta{}
236240
// Run sync once to get signer / cabundle / target filled up
237-
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{})
241+
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
238242
syncCtx := factory.NewSyncContext("test", eventstesting.NewTestingEventRecorder(t))
239243
err := c.Sync(controllerCtx, syncCtx)
240244
if err != nil {
@@ -334,8 +338,10 @@ func TestCertRotationControllerSignerUpdate(t *testing.T) {
334338
UseSecretUpdateOnly: true,
335339
}
336340

341+
controlledSecrets := []metav1.ObjectMeta{}
342+
controlledConfigMaps := []metav1.ObjectMeta{}
337343
// Run sync once to get signer / cabundle / target filled up
338-
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{})
344+
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
339345
syncCtx := factory.NewSyncContext("test", eventstesting.NewTestingEventRecorder(t))
340346
err := c.Sync(controllerCtx, syncCtx)
341347
if err != nil {
@@ -472,8 +478,10 @@ func TestCertRotationControllerFilterExpiredSigners(t *testing.T) {
472478
UseSecretUpdateOnly: true,
473479
}
474480

481+
controlledSecrets := []metav1.ObjectMeta{}
482+
controlledConfigMaps := []metav1.ObjectMeta{}
475483
// Run sync once to get signer / cabundle / target filled up
476-
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{})
484+
c := NewCertRotationController("operator", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
477485
syncCtx := factory.NewSyncContext("test", eventstesting.NewTestingEventRecorder(t))
478486
err := c.Sync(controllerCtx, syncCtx)
479487
if err != nil {
@@ -624,8 +632,10 @@ func TestCertRotationControllerParallelUpdate(t *testing.T) {
624632
UseSecretUpdateOnly: false,
625633
}
626634

635+
controlledSecrets := []metav1.ObjectMeta{}
636+
controlledConfigMaps := []metav1.ObjectMeta{}
627637
syncCtx := factory.NewSyncContext("test", eventstesting.NewTestingEventRecorder(t))
628-
c1 := NewCertRotationController("c1", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{})
638+
c1 := NewCertRotationController("c1", signerSecret, caBundleConfigMap, targetSecret, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
629639

630640
// Sync first controller to get first copy of signer/cabundle
631641
err := c1.Sync(controllerCtx, syncCtx)
@@ -684,7 +694,9 @@ func TestCertRotationControllerParallelUpdate(t *testing.T) {
684694
UseSecretUpdateOnly: true,
685695
}
686696
name := fmt.Sprintf("c%d", i)
687-
ctrl := NewCertRotationController(name, signerSecret, caBundleConfigMap, targetNewSecret, eventRecorder, &fakeStatusReporter{})
697+
controlledSecrets := []metav1.ObjectMeta{}
698+
controlledConfigMaps := []metav1.ObjectMeta{}
699+
ctrl := NewCertRotationController(name, signerSecret, caBundleConfigMap, targetNewSecret, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
688700
controllers[name] = ctrl
689701
}
690702

@@ -812,7 +824,9 @@ func TestCertRotationControllerMultipleTargets(t *testing.T) {
812824
UseSecretUpdateOnly: true,
813825
}
814826

815-
c := NewCertRotationControllerMultipleTargets("operator", signerSecret, caBundleConfigMap, []RotatedSelfSignedCertKeySecret{targetFirstSecret, targetSecondSecret}, eventRecorder, &fakeStatusReporter{})
827+
controlledSecrets := []metav1.ObjectMeta{}
828+
controlledConfigMaps := []metav1.ObjectMeta{}
829+
c := NewCertRotationControllerMultipleTargets("operator", signerSecret, caBundleConfigMap, []RotatedSelfSignedCertKeySecret{targetFirstSecret, targetSecondSecret}, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
816830

817831
time.AfterFunc(1*time.Second, func() {
818832
cancel()
@@ -954,7 +968,9 @@ func TestCertRotationControllerMultipleTargetsPostRunHooks(t *testing.T) {
954968
// Ensure we don't leak goroutines
955969
initialNumGoroutine := runtime.NumGoroutine()
956970

957-
c := NewCertRotationControllerMultipleTargets("operator", signerSecret, caBundleConfigMap, []RotatedSelfSignedCertKeySecret{targetFirstSecret, targetSecondSecret}, eventRecorder, &fakeStatusReporter{})
971+
controlledSecrets := []metav1.ObjectMeta{}
972+
controlledConfigMaps := []metav1.ObjectMeta{}
973+
c := NewCertRotationControllerMultipleTargets("operator", signerSecret, caBundleConfigMap, []RotatedSelfSignedCertKeySecret{targetFirstSecret, targetSecondSecret}, eventRecorder, &fakeStatusReporter{}, &controlledSecrets, &controlledConfigMaps)
958974

959975
informerFactory.Start(controllerCtx.Done())
960976
hasSecretSynced := cache.WaitForCacheSync(controllerCtx.Done(), informerFactory.Core().V1().Secrets().Informer().HasSynced)

0 commit comments

Comments
 (0)