certrotation: remove UseSecretUpdateOnly

All SecretTypeTLS secrets were migrated in 4.15
openshift · Aug 9, 2024 · 287516d · 287516d
1 parent b830a52
commit 287516d
Show file tree

Hide file tree

Showing 5 changed files with 175 additions and 411 deletions.
diff --git a/pkg/operator/certrotation/cabundle_test.go b/pkg/operator/certrotation/cabundle_test.go
@@ -46,18 +46,14 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			initialConfigMapFn: func() *corev1.ConfigMap { return nil },
 			verifyActions: func(t *testing.T, client *kubefake.Clientset) {
 				actions := client.Actions()
-				if len(actions) != 2 {
+				if len(actions) != 1 {
 					t.Fatal(spew.Sdump(actions))
 				}
-
-				if !actions[0].Matches("get", "configmaps") {
+				if !actions[0].Matches("create", "configmaps") {
 					t.Error(actions[0])
 				}
-				if !actions[1].Matches("create", "configmaps") {
-					t.Error(actions[1])
-				}
 
-				actual := actions[1].(clienttesting.CreateAction).GetObject().(*corev1.ConfigMap)
+				actual := actions[0].(clienttesting.CreateAction).GetObject().(*corev1.ConfigMap)
 				if certType, _ := CertificateTypeFromObject(actual); certType != CertificateTypeCABundle {
 					t.Errorf("expected certificate type 'ca-bundle', got: %v", certType)
 				}
@@ -73,7 +69,7 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			},
 			initialConfigMapFn: func() *corev1.ConfigMap {
 				caBundleConfigMap := &corev1.ConfigMap{
-					ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "trust-bundle"},
+					ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "trust-bundle", ResourceVersion: "10"},
 					Data:       map[string]string{},
 				}
 				certs, err := newTestCACertificate(pkix.Name{CommonName: "signer-tests"}, int64(1), metav1.Duration{Duration: time.Hour * 24 * 60}, time.Now)
@@ -89,15 +85,15 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			},
 			verifyActions: func(t *testing.T, client *kubefake.Clientset) {
 				actions := client.Actions()
-				if len(actions) != 2 {
+				if len(actions) != 1 {
 					t.Fatal(spew.Sdump(actions))
 				}
 
-				if !actions[1].Matches("update", "configmaps") {
+				if !actions[0].Matches("update", "configmaps") {
 					t.Error(actions[1])
 				}
 
-				actual := actions[1].(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
+				actual := actions[0].(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
 				if len(actual.Data["ca-bundle.crt"]) == 0 {
 					t.Error(actual.Data)
 				}
@@ -120,7 +116,7 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			},
 			initialConfigMapFn: func() *corev1.ConfigMap {
 				caBundleConfigMap := &corev1.ConfigMap{
-					ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "trust-bundle"},
+					ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "trust-bundle", ResourceVersion: "10"},
 					Data:       map[string]string{},
 				}
 				certs, err := newTestCACertificate(pkix.Name{CommonName: "signer-tests"}, int64(1), metav1.Duration{Duration: time.Hour * 24 * 60}, time.Now)
@@ -136,15 +132,15 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			},
 			verifyActions: func(t *testing.T, client *kubefake.Clientset) {
 				actions := client.Actions()
-				if len(actions) != 2 {
+				if len(actions) != 1 {
 					t.Fatal(spew.Sdump(actions))
 				}
 
-				if !actions[1].Matches("update", "configmaps") {
-					t.Error(actions[1])
+				if !actions[0].Matches("update", "configmaps") {
+					t.Error(actions[0])
 				}
 
-				actual := actions[1].(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
+				actual := actions[0].(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
 				if len(actual.Data["ca-bundle.crt"]) == 0 {
 					t.Error(actual.Data)
 				}
@@ -167,7 +163,7 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			},
 			initialConfigMapFn: func() *corev1.ConfigMap {
 				caBundleConfigMap := &corev1.ConfigMap{
-					ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "trust-bundle"},
+					ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "trust-bundle", ResourceVersion: "10"},
 					Data:       map[string]string{},
 				}
 				certBytes, err := os.ReadFile("./testfiles/tls-expired.crt")
@@ -187,15 +183,15 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			},
 			verifyActions: func(t *testing.T, client *kubefake.Clientset) {
 				actions := client.Actions()
-				if len(actions) != 2 {
+				if len(actions) != 1 {
 					t.Fatal(spew.Sdump(actions))
 				}
 
-				if !actions[1].Matches("update", "configmaps") {
-					t.Error(actions[1])
+				if !actions[0].Matches("update", "configmaps") {
+					t.Error(actions[0])
 				}
 
-				actual := actions[1].(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
+				actual := actions[0].(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
 				if len(actual.Data["ca-bundle.crt"]) == 0 {
 					t.Error(actual.Data)
 				}

diff --git a/pkg/operator/certrotation/signer.go b/pkg/operator/certrotation/signer.go
@@ -51,12 +51,6 @@ type RotatedSigningCASecret struct {
 	Lister        corev1listers.SecretLister
 	Client        corev1client.SecretsGetter
 	EventRecorder events.Recorder
-
-	// Deprecated: DO NOT enable, it is intended as a short term hack for a very specific use case,
-	// and it works in tandem with a particular carry patch applied to the openshift kube-apiserver.
-	// we will remove this when we migrate all of the affected secret
-	// objects to their intended type: https://issues.redhat.com/browse/API-1800
-	UseSecretUpdateOnly bool
 }
 
 // EnsureSigningCertKeyPair manages the entire lifecycle of a signer cert as a secret, from creation to continued rotation.