diff --git a/go.mod b/go.mod
index e2ad28c482..4ed6083b70 100644
--- a/go.mod
+++ b/go.mod
@@ -133,3 +133,5 @@ require (
 )
 
 replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12
+
+replace github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20250815070725-d3b7cde1e6c1
diff --git a/go.sum b/go.sum
index c7c603b0bb..7cffe36991 100644
--- a/go.sum
+++ b/go.sum
@@ -165,8 +165,6 @@ github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+S
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee h1:tOtrrxfDEW8hK3eEsHqxsXurq/D6LcINGfprkQC3hqY=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee/go.mod h1:zhRiYyNMk89llof2qEuGPWPD+joQPhCRUc2IK0SB510=
-github.com/openshift/library-go v0.0.0-20250729191057-91376e1b394e h1:xYT+P++PSc9G+Y47pIcU9fm8IDV/tg6tMi3i+0m23pU=
-github.com/openshift/library-go v0.0.0-20250729191057-91376e1b394e/go.mod h1:tptKNust9MdRI0p90DoBSPHIrBa9oh+Rok59tF0vT8c=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12 h1:AKx/w1qpS8We43bsRgf8Nll3CGlDHpr/WAXvuedTNZI=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
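Review bot: The new `replace` directive at the end of go.mod redirects github.com/openshift/library-go to a personal fork (github.com/vrutkovs/library-go) pinned to a pseudo-version, which moves the trust boundary for vendored operator code from the openshift organisation to an individual account. The vendored edits under vendor/github.com/openshift/library-go/pkg/operator/certrotation in this diff are what that fork brings in, so they should be reviewed as first-party code rather than as a routine bump; in particular the fork deletes `ensureSecretTLSTypeSet` (metadata.go) and its callers in signer.go and target.go, so secrets with a non-TLS type are no longer converted, and it is worth confirming that is intended. The replace should be temporary and removed once the matching upstream change lands; recording that next to the directive, e.g. `// TODO: drop once <upstream PR> merges in openshift/library-go` with the reference filled in, makes the intent visible to the next person bumping the dependency.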
@@ -216,6 +214,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
+github.com/vrutkovs/library-go v0.0.0-20250815070725-d3b7cde1e6c1 h1:aN9vJ5v85vVP2bSwSiOyd2UPyXowAfLP3mT6dAso/5k=
+github.com/vrutkovs/library-go v0.0.0-20250815070725-d3b7cde1e6c1/go.mod h1:tptKNust9MdRI0p90DoBSPHIrBa9oh+Rok59tF0vT8c=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk=
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
index 447b1e0e31..38491c763a 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"reflect"
 	"sort"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -67,13 +68,10 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 	}
 
 	// run Update if metadata needs changing unless running in RefreshOnlyWhenExpired mode
+	updateReasons := []string{}
 	if !c.RefreshOnlyWhenExpired {
-		needsOwnerUpdate := false
-		if c.Owner != nil {
-			needsOwnerUpdate = ensureOwnerReference(&caBundleConfigMap.ObjectMeta, c.Owner)
-		}
-		needsMetadataUpdate := c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&caBundleConfigMap.ObjectMeta)
-		updateRequired = needsOwnerUpdate || needsMetadataUpdate
+		updateReasons = append(updateReasons, ensureOwnerRefAndTLSAnnotations(&caBundleConfigMap.ObjectMeta, c.Owner, c.AdditionalAnnotations)...)
+		updateRequired = len(updateReasons) > 0
 	}
 
 	updatedCerts, err := manageCABundleConfigMap(caBundleConfigMap, signingCertKeyPair.Config.Certs[0])
@@ -90,6 +88,7 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 			reason = fmt.Sprintf("signer update %s", signingCertKeyPairLocation)
 		}
 		c.EventRecorder.Eventf("CABundleUpdateRequired", "%q in %q requires a new cert: %s", c.Name, c.Namespace, reason)
+		updateReasons = append(updateReasons, fmt.Sprintf("content change: %s", reason))
 		LabelAsManagedConfigMap(caBundleConfigMap, CertificateTypeCABundle)
 
 		updateRequired = true
@@ -101,7 +100,7 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name, certs.CertificateBundleToString(updatedCerts))
 		caBundleConfigMap = actualCABundleConfigMap
 	} else if updateRequired {
 		actualCABundleConfigMap, err := c.Client.ConfigMaps(c.Namespace).Update(ctx, caBundleConfigMap, metav1.UpdateOptions{})
@@ -109,11 +108,12 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 			// ignore error if its attempting to update outdated version of the configmap
 			return nil, nil
 		}
-		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualCABundleConfigMap, err)
+		updateReasonsJoined := strings.Join(updateReasons, ", ")
+		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualCABundleConfigMap, err, updateReasonsJoined)
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s due to %s with:\n%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name, updateReasonsJoined, certs.CertificateBundleToString(updatedCerts))
 		caBundleConfigMap = actualCABundleConfigMap
 	}
 
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go
index 0d6ffe6738..06441f37e8 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
@@ -82,7 +83,22 @@ func NewCertRotationController(
 	return factory.New().
 		ResyncEvery(time.Minute).
 		WithSync(c.Sync).
-		WithInformers(
+		WithFilteredEventsInformers(
+			func(obj interface{}) bool {
+				if cm, ok := obj.(*corev1.ConfigMap); ok {
+					return cm.Namespace == caBundleConfigMap.Namespace && cm.Name == caBundleConfigMap.Name
+				}
+				if secret, ok := obj.(*corev1.Secret); ok {
+					if secret.Namespace == rotatedSigningCASecret.Namespace && secret.Name == rotatedSigningCASecret.Name {
+						return true
+					}
+					if secret.Namespace == rotatedSelfSignedCertKeySecret.Namespace && secret.Name == rotatedSelfSignedCertKeySecret.Name {
+						return true
+					}
+					return false
+				}
+				return true
+			},
 			rotatedSigningCASecret.Informer.Informer(),
 			caBundleConfigMap.Informer.Informer(),
 			rotatedSelfSignedCertKeySecret.Informer.Informer(),
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/metadata.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/metadata.go
index 1764a63552..0f98bb7700 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/metadata.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/metadata.go
@@ -1,36 +1,20 @@
 package certrotation
 
 import (
-	corev1 "k8s.io/api/core/v1"
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func ensureOwnerRefAndTLSAnnotations(secret *corev1.Secret, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) bool {
-	needsMetadataUpdate := false
+func ensureOwnerRefAndTLSAnnotations(meta *metav1.ObjectMeta, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) []string {
+	updateReasons := []string{}
 	// no ownerReference set
-	if owner != nil {
-		needsMetadataUpdate = ensureOwnerReference(&secret.ObjectMeta, owner)
+	if owner != nil && ensureOwnerReference(meta, owner) {
+		updateReasons = append(updateReasons, fmt.Sprintf("owner reference updated to %#v", owner))
 	}
 	// ownership annotations not set
-	return additionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta) || needsMetadataUpdate
-}
-
-func ensureSecretTLSTypeSet(secret *corev1.Secret) bool {
-	// Existing secret not found - no need to update metadata (will be done by needNewSigningCertKeyPair / NeedNewTargetCertKeyPair)
-	if len(secret.ResourceVersion) == 0 {
-		return false
-	}
-
-	// convert outdated secret type (created by pre 4.7 installer)
-	if secret.Type != corev1.SecretTypeTLS {
-		secret.Type = corev1.SecretTypeTLS
-		// wipe secret contents if tls.crt and tls.key are missing
-		_, certExists := secret.Data[corev1.TLSCertKey]
-		_, keyExists := secret.Data[corev1.TLSPrivateKeyKey]
-		if !certExists || !keyExists {
-			secret.Data = map[string][]byte{}
-		}
-		return true
+	if additionalAnnotations.EnsureTLSMetadataUpdate(meta) {
+		updateReasons = append(updateReasons, fmt.Sprintf("annotations set to %#v", additionalAnnotations))
 	}
-	return false
+	return updateReasons
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
index 1cb4e55542..cd0bc4d27d 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/openshift/library-go/pkg/crypto"
@@ -79,10 +80,10 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 	}
 
 	// run Update if metadata needs changing unless we're in RefreshOnlyWhenExpired mode
+	updateReasons := []string{}
 	if !c.RefreshOnlyWhenExpired {
-		needsMetadataUpdate := ensureOwnerRefAndTLSAnnotations(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
-		needsTypeChange := ensureSecretTLSTypeSet(signingCertKeyPairSecret)
-		updateRequired = needsMetadataUpdate || needsTypeChange
+		updateReasons = append(updateReasons, ensureOwnerRefAndTLSAnnotations(&signingCertKeyPairSecret.ObjectMeta, c.Owner, c.AdditionalAnnotations)...)
+		updateRequired = len(updateReasons) > 0
 	}
 
 	// run Update if signer content needs changing
@@ -92,6 +93,7 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 			reason = "secret doesn't exist"
 		}
 		c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason)
+		updateReasons = append(updateReasons, fmt.Sprintf("signer update: %s", reason))
 		if err = setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret, c.Validity, c.Refresh, c.AdditionalAnnotations); err != nil {
 			return nil, false, err
 		}
@@ -116,11 +118,12 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 			// ignore error if its attempting to update outdated version of the secret
 			return nil, false, nil
 		}
-		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualSigningCertKeyPairSecret, err)
+		updateReasonsJoined := strings.Join(updateReasons, ", ")
+		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualSigningCertKeyPairSecret, err, updateReasonsJoined)
 		if err != nil {
 			return nil, false, err
 		}
-		klog.V(2).Infof("Updated secret %s/%s", actualSigningCertKeyPairSecret.Namespace, actualSigningCertKeyPairSecret.Name)
+		klog.V(2).Infof("Updated secret %s/%s, reason: %s", actualSigningCertKeyPairSecret.Namespace, actualSigningCertKeyPairSecret.Name, updateReasonsJoined)
 		signingCertKeyPairSecret = actualSigningCertKeyPairSecret
 	}
 
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
index 94ed01d7ff..c5550016f2 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
@@ -113,14 +113,15 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont
 	}
 
 	// run Update if metadata needs changing unless we're in RefreshOnlyWhenExpired mode
+	updateReasons := []string{}
 	if !c.RefreshOnlyWhenExpired {
-		needsMetadataUpdate := ensureOwnerRefAndTLSAnnotations(targetCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
-		needsTypeChange := ensureSecretTLSTypeSet(targetCertKeyPairSecret)
-		updateRequired = needsMetadataUpdate || needsTypeChange
+		updateReasons = append(updateReasons, ensureOwnerRefAndTLSAnnotations(&targetCertKeyPairSecret.ObjectMeta, c.Owner, c.AdditionalAnnotations)...)
+		updateRequired = len(updateReasons) > 0
 	}
 
 	if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired, creationRequired); len(reason) > 0 {
 		c.EventRecorder.Eventf("TargetUpdateRequired", "%q in %q requires a new target cert/key pair: %v", c.Name, c.Namespace, reason)
+		updateReasons = append(updateReasons, fmt.Sprintf("content change: %s", reason))
 		if err = setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret, c.Validity, c.Refresh, signingCertKeyPair, c.CertCreator, c.AdditionalAnnotations); err != nil {
 			return nil, err
 		}
@@ -143,11 +144,12 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont
 			// ignore error if its attempting to update outdated version of the secret
 			return nil, nil
 		}
-		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualTargetCertKeyPairSecret, err)
+		updateReasonsJoined := strings.Join(updateReasons, ", ")
+		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualTargetCertKeyPairSecret, err, updateReasonsJoined)
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Updated secret %s/%s", actualTargetCertKeyPairSecret.Namespace, actualTargetCertKeyPairSecret.Name)
+		klog.V(2).Infof("Updated secret %s/%s, reason: %s", actualTargetCertKeyPairSecret.Namespace, actualTargetCertKeyPairSecret.Name, updateReasonsJoined)
 		targetCertKeyPairSecret = actualTargetCertKeyPairSecret
 	}
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index decc79eae2..b544470b44 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -400,7 +400,7 @@ github.com/openshift/client-go/security/informers/externalversions/internalinter
 github.com/openshift/client-go/security/informers/externalversions/security
 github.com/openshift/client-go/security/informers/externalversions/security/v1
 github.com/openshift/client-go/security/listers/security/v1
-# github.com/openshift/library-go v0.0.0-20250729191057-91376e1b394e
+# github.com/openshift/library-go v0.0.0-20250729191057-91376e1b394e => github.com/vrutkovs/library-go v0.0.0-20250815070725-d3b7cde1e6c1
 ## explicit; go 1.24.0
 github.com/openshift/library-go/pkg/apiserver/jsonpatch
 github.com/openshift/library-go/pkg/assets
@@ -1659,3 +1659,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 sigs.k8s.io/yaml
 sigs.k8s.io/yaml/goyaml.v2
 # github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12
+# github.com/openshift/library-go => github.com/vrutkovs/library-go v0.0.0-20250815070725-d3b7cde1e6c1