feat(csv): add succeeded to pending transition on cert refresh

Author: njhale

pkg/api/apis/operators/v1alpha1/clusterserviceversion_types.go

@@ -201,6 +201,7 @@ const (
 	CSVReasonComponentUnhealthy  ConditionReason = "ComponentUnhealthy"
 	CSVReasonBeingReplaced       ConditionReason = "BeingReplaced"
 	CSVReasonReplaced            ConditionReason = "Replaced"
+	CSVReasonNeedCertRefresh     ConditionReason = "NeedCertRefresh"
 )
 
 // Conditions appear in the status as a record of state transitions on the ClusterServiceVersion
@@ -288,7 +289,7 @@ type ClusterServiceVersionStatus struct {
 	RequirementStatus []RequirementStatus `json:"requirementStatus,omitempty"`
 	// Time to refresh generated owned APIService certs
 	// +optional
-	CertRefresh metav1.Time `json:"requirementStatus,omitempty"`
+	CertRefresh metav1.Time `json:"certRefresh,omitempty"`
 }
 
 // ClusterServiceVersion is a Custom Resource of type `ClusterServiceVersionSpec`.

pkg/controller/operators/olm/apiservices.go

@@ -22,13 +22,13 @@ import (
 )
 
 const (
-	// Minimum number of seconds that a min-fresh value can be
+	// CertMinFreshSecondsThreshold is the minimum number of seconds that a min-fresh value can be
 	CertMinFreshSecondsThreshold = 10
-	// Default min-fresh value
+	// DefaultCertMinFreshSeconds is the default min-fresh value
 	DefaultCertMinFreshSeconds = 300
-	// Minimum number of days that a cert can be valid for
+	// CertValidForDaysThreshold is the minimum number of days that a cert can be valid for
 	CertValidForDaysThreshold = 1
-	// Default number of days a cert can be valid for
+	// DefaultCertValidForDays is the default number of days a cert can be valid for
 	DefaultCertValidForDays = 730
 )
 
@@ -47,6 +47,15 @@ func (a *Operator) syncAPIServices(obj interface{}) (syncError error) {
 	return nil
 }
 
+func (a *Operator) shouldRefreshCerts(csv *v1alpha1.ClusterServiceVersion) bool {
+	now := metav1.Now()
+	if !csv.Status.CertRefresh.IsZero() && csv.Status.CertRefresh.Before(&now) {
+		return true
+	}
+
+	return false
+}
+
 func (a *Operator) isAPIServiceAvailable(apiService *apiregistrationv1.APIService) bool {
 	for _, c := range apiService.Status.Conditions {
 		if c.Type == apiregistrationv1.Available && c.Status == apiregistrationv1.ConditionTrue {

pkg/controller/operators/olm/operator.go

@@ -335,7 +335,6 @@ func (a *Operator) transitionCSVState(in v1alpha1.ClusterServiceVersion) (out *v
 		logger.Info("scheduling ClusterServiceVersion for install")
 		out.SetPhaseWithEvent(v1alpha1.CSVPhaseInstallReady, v1alpha1.CSVReasonRequirementsMet, "all requirements found, attempting install", a.recorder)
 	case v1alpha1.CSVPhaseInstallReady:
-
 		installer, strategy, _ := a.parseStrategiesAndUpdateStatus(out)
 		if strategy == nil {
 			// parseStrategiesAndUpdateStatus sets CSV status
@@ -373,9 +372,16 @@ func (a *Operator) transitionCSVState(in v1alpha1.ClusterServiceVersion) (out *v
 			// parseStrategiesAndUpdateStatus sets CSV status
 			return
 		}
+
 		if installErr := a.updateInstallStatus(out, installer, strategy, v1alpha1.CSVReasonComponentUnhealthy); installErr != nil {
 			logger.WithField("strategy", out.Spec.InstallStrategy.StrategyName).Infof("unhealthy component: %s", installErr)
 		}
+
+		// Check if it's time to refresh owned APIService certs
+		if a.shouldRefreshCerts(out) {
+			out.SetPhase(v1alpha1.CSVPhasePending, v1alpha1.CSVReasonInstallSuccessful, "owned APIServices need cert refresh")
+			return
+		}
 	case v1alpha1.CSVPhaseReplacing:
 		// determine CSVs that are safe to delete by finding a replacement chain to a CSV that's running
 		// since we don't know what order we'll process replacements, we have to guard against breaking that chain