
use update-only secret apply for cert rotation logic
tkashem authored and p0lyn0mial committed Apr 5, 2024
1 parent 3e3d5f9 commit 8b97229
Showing 5 changed files with 568 additions and 190 deletions.
15 changes: 13 additions & 2 deletions pkg/operator/certrotation/signer.go
Expand Up @@ -52,6 +52,12 @@ type RotatedSigningCASecret struct {
Lister corev1listers.SecretLister
Client corev1client.SecretsGetter
EventRecorder events.Recorder

// Deprecated: DO NOT eanble, it is intended as a short term hack for a very specific use case,
// and it works in tandem with a particular carry patch applied to the openshift kube-apiserver.
// we will remove this when we migrate all of the affected secret
// objects to their intended type: https://issues.redhat.com/browse/API-1800
UseSecretUpdateOnly bool
}

func (c RotatedSigningCASecret) ensureSigningCertKeyPair(ctx context.Context) (*crypto.CA, error) {
Expand All @@ -72,10 +78,15 @@ func (c RotatedSigningCASecret) ensureSigningCertKeyPair(ctx context.Context) (*
}
}

applyFn := resourceapply.ApplySecret
if c.UseSecretUpdateOnly {
applyFn = resourceapply.ApplySecretDoNotUse
}

// apply necessary metadata (possibly via delete+recreate) if secret exists
// this is done before content update to prevent unexpected rollouts
if ensureMetadataUpdate(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(signingCertKeyPairSecret) {
actualSigningCertKeyPairSecret, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
if err != nil {
return nil, err
}
Expand All @@ -90,7 +101,7 @@ func (c RotatedSigningCASecret) ensureSigningCertKeyPair(ctx context.Context) (*

LabelAsManagedSecret(signingCertKeyPairSecret, CertificateTypeSigner)

actualSigningCertKeyPairSecret, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
if err != nil {
return nil, err
}
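Review bot: The doc comment on the new `UseSecretUpdateOnly` field in the first hunk has a typo ("eanble") and never says what enabling the flag actually changes, even though the second hunk shows exactly that: `ensureSigningCertKeyPair` swaps `resourceapply.ApplySecret` for `resourceapply.ApplySecretDoNotUse`. I would reword the opening to `// Deprecated: DO NOT enable. When set, ensureSigningCertKeyPair applies the signer secret with resourceapply.ApplySecretDoNotUse instead of resourceapply.ApplySecret.` and keep the rest of the explanation as written. The metadata branch in the second hunk still carries the comment "possibly via delete+recreate" while now calling `applyFn`; if the update-only variant cannot recreate the object, the type change that `ensureSecretTLSTypeSet` requests may not be applicable on that path, so the comment should state whichever is true once confirmed. The body of `ensureSigningCertKeyPair` starts and ends outside the shown hunks, and the other four changed files are not visible here.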
