operator/certrotationcontroller/certrotationcontroller: make use of UseSecretUpdateOnly

UseSecretUpdateOnly is intended as a short-term hack for a very specific use case,
and it works in tandem with a particular carry patch applied to the openshift kube-apiserver
(openshift/kubernetes#1924).

We will remove this when we migrate all of the affected secret
objects to their intended type: https://issues.redhat.com/browse/API-1800

In short, TLS secrets used by this operator are reconciled
by multiple controllers at the same time without any coordination.

The issue is that the secret's crypto material
can be regenerated, which has serious consequences for the platform,
as it can break external clients and the cluster itself.
p0lyn0mial committed Apr 2, 2024
1 parent 6052678 commit df76cf3
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions pkg/operator/certrotationcontroller/certrotationcontroller.go
Expand Up @@ -95,6 +95,7 @@ func newCertRotationController(
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Client: secretsGetter,
EventRecorder: eventRecorder,
UseSecretUpdateOnly: true,
},
certrotation.CABundleConfigMap{
Namespace: operatorclient.OperatorNamespace,
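Review bot: the new `UseSecretUpdateOnly: true` on this secret config carries no code comment, although the commit message describes it as a short-term hack that only works together with the kube-apiserver carry patch (openshift/kubernetes#1924) and is to be removed under API-1800. Add a one-line comment above the field at this call site pointing at that issue and the dependency on the carry patch, so a later reader (or whoever drops the carry patch) does not treat it as a permanent setting or remove only one of the two dependencies.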
Expand All @@ -119,10 +120,11 @@ func newCertRotationController(
CertCreator: &certrotation.SignerRotation{
SignerName: "kube-csr-signer",
},
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Client: secretsGetter,
EventRecorder: eventRecorder,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Client: secretsGetter,
EventRecorder: eventRecorder,
UseSecretUpdateOnly: true,
},
eventRecorder,
&certrotation.StaticPodConditionStatusReporter{OperatorClient: operatorClient},
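Review bot: the four re-emitted lines `Informer`, `Lister`, `Client` and `EventRecorder` in this hunk are textually identical to the removed ones, so the only real change is the added `UseSecretUpdateOnly: true`; the churn is gofmt realigning the composite literal because the new key is now the longest. Confirm with a whitespace-insensitive diff that nothing else changed in those lines, and, as for the first hunk, add a comment referencing API-1800 and the carry-patch dependency next to the flag on this `kube-csr-signer` config so both call sites are cleaned up together when the migration lands.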

0 comments on commit df76cf3
