
Commit baea7a2

targetconfigcontroller: optimistically update CA bundles
Instead of re-creating the configmap from scratch every time, this function should attempt to use the existing configmap and replace only its contents. This prevents extra configmap updates when metadata changes.
1 parent 5b376c6 commit baea7a2


2 files changed

+736
-13
lines changed


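--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -37,6 +37,7 @@ import (
 "github.com/openshift/library-go/pkg/operator/events"
 "github.com/openshift/library-go/pkg/operator/management"
 "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+"github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 "github.com/openshift/library-go/pkg/operator/resource/resourceread"
 "github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
@@ -686,12 +687,32 @@ func GetKubeControllerManagerArgs(config map[string]interface{}) []string {
 }
 
 func manageServiceAccountCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "serviceaccount-ca"},
+additionalAnnotations := certrotation.AdditionalAnnotations{
+JiraComponent: "kube-controller-manager",
+}
+caBundleConfigMapName := "serviceaccount-ca"
+
+creationRequired := false
+updateRequired := false
+
+caBundleConfigMap, err := lister.ConfigMaps(operatorclient.TargetNamespace).Get(caBundleConfigMapName)
+switch {
+case apierrors.IsNotFound(err):
+creationRequired = true
+caBundleConfigMap = &corev1.ConfigMap{
+ObjectMeta: metav1.ObjectMeta{
+Name: caBundleConfigMapName,
+Namespace: operatorclient.TargetNamespace,
+},
+}
+case err != nil:
+return nil, false, err
+}
+
+requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMapsOptimistically(
+caBundleConfigMap,
 lister,
-certrotation.AdditionalAnnotations{
-JiraComponent: "kube-controller-manager",
-},
+additionalAnnotations,
 // include the ca bundle needed to recognize the server
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-server-ca"},
 // include the ca bundle needed to recognize default
@@ -701,17 +722,56 @@ func manageServiceAccountCABundle(ctx context.Context, lister corev1listers.Conf
 if err != nil {
 return nil, false, err
 }
-return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+
+if creationRequired {
+caBundleConfigMap, err = client.ConfigMaps(operatorclient.TargetNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Created serviceaccount CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
+} else if updateRequired {
+caBundleConfigMap, err = client.ConfigMaps(operatorclient.TargetNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Updated serviceaccount CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
+}
+
+return caBundleConfigMap, false, nil
 }
 
 func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
-resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "csr-controller-ca"},
+additionalAnnotations := certrotation.AdditionalAnnotations{
+JiraComponent: "kube-controller-manager",
+Description: "CA to recognize the CSRs (both serving and client) signed by the kube-controller-manager.",
+}
+caBundleConfigMapName := "csr-controller-ca"
+
+creationRequired := false
+updateRequired := false
+
+caBundleConfigMap, err := lister.ConfigMaps(operatorclient.OperatorNamespace).Get(caBundleConfigMapName)
+switch {
+case apierrors.IsNotFound(err):
+creationRequired = true
+caBundleConfigMap = &corev1.ConfigMap{
+ObjectMeta: metav1.ObjectMeta{
+Name: caBundleConfigMapName,
+Namespace: operatorclient.OperatorNamespace,
+},
+}
+case err != nil:
+return nil, false, err
+}
+
+requiredConfigMap, updateRequired, err := resourcesynccontroller.CombineCABundleConfigMapsOptimistically(
+caBundleConfigMap,
 lister,
-certrotation.AdditionalAnnotations{
-JiraComponent: "kube-controller-manager",
-Description: "CA to recognize the CSRs (both serving and client) signed by the kube-controller-manager.",
-},
+additionalAnnotations,
 // include the CA we use to sign CSRs
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "csr-signer-ca"},
 // include the CA we use to sign the cert key pairs from from csr-signer
@@ -720,7 +780,25 @@ func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister
 if err != nil {
 return nil, false, err
 }
-return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
+if creationRequired {
+caBundleConfigMap, err = client.ConfigMaps(operatorclient.OperatorNamespace).Create(ctx, requiredConfigMap, metav1.CreateOptions{})
+resourcehelper.ReportCreateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Created CSR CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
+} else if updateRequired {
+caBundleConfigMap, err = client.ConfigMaps(operatorclient.OperatorNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
+resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
+if err != nil {
+return nil, false, err
+}
+klog.V(2).Infof("Updated CSR CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+return caBundleConfigMap, true, nil
+}
+
+return caBundleConfigMap, false, nil
 }
 
 func ManageCSRSigner(ctx context.Context, lister corev1listers.SecretLister, client corev1client.SecretsGetter, recorder events.Recorder) (*corev1.Secret, time.Duration, bool, error) {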
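Review bot: The object returned by `lister.ConfigMaps(...).Get(caBundleConfigMapName)` in manageServiceAccountCABundle is a pointer into the shared informer cache, and it is handed straight to `CombineCABundleConfigMapsOptimistically` and then to `Update`; unless that helper deep-copies before touching annotations or data (not visible in this commit), the cache is mutated in place. Adding `default: caBundleConfigMap = caBundleConfigMap.DeepCopy()` to the `switch` after the Get would make the copy explicit at both call sites, the same applies to ManageCSRCABundle. The two functions now share an almost identical body that differs only in namespace, name, annotations and log text, so a private helper taking those as arguments would keep the create/update path in one place. The `else` after `return caBundleConfigMap, true, nil` can be dropped so `if updateRequired` reads as a sibling guard.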
