certrotation: exit when received cabundle is empty

When different controllers update the same CA bundle a conflict may occur. In that case we return an
empty set of certificates and empty error.

The sync procedure should exit if either non-empty error received or cabundle is empty, as this ca
bundle is later used to detemine whether target cert can be verified. If conflict occurred during CA
bundle update we should restart the sync worker again - otherwise this may lead to target
certificate unexpectedly regenerated. When service network target certificate is being updated it
may be fatal, as the operator will lose its connection to API server and won't be able to receive an
updated certificate.

Co-Authored-By: Masaki Hatada <[email protected]>

Author: vrutkovs

pkg/operator/certrotation/client_cert_rotation_controller.go

@@ -138,14 +138,22 @@ func (c CertRotationController) getSigningCertKeyPairLocation() string {
 
 func (c CertRotationController) SyncWorker(ctx context.Context) error {
 	signingCertKeyPair, _, err := c.RotatedSigningCASecret.EnsureSigningCertKeyPair(ctx)
-	if err != nil || signingCertKeyPair == nil {
+	if err != nil {
 		return err
 	}
+	// If no signingCertKeyPair returned due to update conflict or otherwise, return an error
+	if signingCertKeyPair == nil {
+		return fmt.Errorf("signingCertKeyPair is nil")
+	}
 
 	cabundleCerts, err := c.CABundleConfigMap.EnsureConfigMapCABundle(ctx, signingCertKeyPair, c.getSigningCertKeyPairLocation())
 	if err != nil {
 		return err
 	}
+	// If no ca bundle returned due to update conflict or otherwise, return an error
+	if cabundleCerts == nil {
+		return fmt.Errorf("cabundleCerts is nil")
+	}
 
 	if _, err := c.RotatedSelfSignedCertKeySecret.EnsureTargetCertKeyPair(ctx, signingCertKeyPair, cabundleCerts); err != nil {
 		return err