Support RefreshOnlyWhenExpired mode in ManageCSRCABundle

vrutkovs · vrutkovs · commit 4202b57a886d · 2025-09-24T18:49:32.000+02:00
diff --git a/pkg/cmd/recoverycontroller/csrcontroller.go b/pkg/cmd/recoverycontroller/csrcontroller.go
@@ -172,7 +172,7 @@ func (c *CSRController) sync(ctx context.Context) error {
 		klog.Info("Refreshed CSRIntermediateCABundle.")
 	}
 
-	_, changed, err = targetconfigcontroller.ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), c.eventRecorder)
+	_, changed, err = targetconfigcontroller.ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), c.eventRecorder, true)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -222,7 +222,7 @@ func createTargetConfigController(ctx context.Context, syncCtx factory.SyncConte
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-intermediate-ca", err))
 	}
-	_, _, err = ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), syncCtx.Recorder())
+	_, _, err = ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), syncCtx.Recorder(), false)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-controller-ca", err))
 	}
@@ -744,7 +744,7 @@ func manageServiceAccountCABundle(ctx context.Context, lister corev1listers.Conf
 	return caBundleConfigMap, false, nil
 }
 
-func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder, refreshOnlyWhenExpired bool) (*corev1.ConfigMap, bool, error) {
 	additionalAnnotations := certrotation.AdditionalAnnotations{
 		JiraComponent: "kube-controller-manager",
 		Description:   "CA to recognize the CSRs (both serving and client) signed by the kube-controller-manager.",
@@ -788,7 +788,7 @@ func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister
 		}
 		klog.V(2).Infof("Created CSR CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
 		return caBundleConfigMap, true, nil
-	} else if updateRequired {
+	} else if updateRequired && !refreshOnlyWhenExpired {
 		caBundleConfigMap, err = client.ConfigMaps(operatorclient.OperatorNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
 		resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
 		if err != nil {
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller_test.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller_test.go
@@ -1049,7 +1049,7 @@ func TestManageCSRCABundle(t *testing.T) {
 			recorder := events.NewInMemoryRecorder("test", clock.RealClock{})
 
 			// Call the function under test
-			resultConfigMap, changed, err := ManageCSRCABundle(context.Background(), lister, client.CoreV1(), recorder)
+			resultConfigMap, changed, err := ManageCSRCABundle(context.Background(), lister, client.CoreV1(), recorder, false)
 
 			// Assert error expectations
 			require.NoError(t, err)

Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,7 @@ func (c *CSRController) sync(ctx context.Context) error {`
`172`	`172`	`klog.Info("Refreshed CSRIntermediateCABundle.")`
`173`	`173`	`}`
`174`	`174`
`175`		`- _, changed, err = targetconfigcontroller.ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), c.eventRecorder)`
	`175`	`+ _, changed, err = targetconfigcontroller.ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), c.eventRecorder, true)`
`176`	`176`	`if err != nil {`
`177`	`177`	`return err`
`178`	`178`	`}`
Original file line number	Diff line number	Diff line change
`@@ -222,7 +222,7 @@ func createTargetConfigController(ctx context.Context, syncCtx factory.SyncConte`
`222`	`222`	`if err != nil {`
`223`	`223`	`errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-intermediate-ca", err))`
`224`	`224`	`}`
`225`		`- _, _, err = ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), syncCtx.Recorder())`
	`225`	`+ _, _, err = ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), syncCtx.Recorder(), false)`
`226`	`226`	`if err != nil {`
`227`	`227`	`errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-controller-ca", err))`
`228`	`228`	`}`
`@@ -744,7 +744,7 @@ func manageServiceAccountCABundle(ctx context.Context, lister corev1listers.Conf`
`744`	`744`	`return caBundleConfigMap, false, nil`
`745`	`745`	`}`
`746`	`746`
`747`		`-func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {`
	`747`	`+func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder, refreshOnlyWhenExpired bool) (*corev1.ConfigMap, bool, error) {`
`748`	`748`	`additionalAnnotations := certrotation.AdditionalAnnotations{`
`749`	`749`	`JiraComponent: "kube-controller-manager",`
`750`	`750`	`Description: "CA to recognize the CSRs (both serving and client) signed by the kube-controller-manager.",`
`@@ -788,7 +788,7 @@ func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister`
`788`	`788`	`}`
`789`	`789`	`klog.V(2).Infof("Created CSR CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)`
`790`	`790`	`return caBundleConfigMap, true, nil`
`791`		`- } else if updateRequired {`
	`791`	`+ } else if updateRequired && !refreshOnlyWhenExpired {`
`792`	`792`	`caBundleConfigMap, err = client.ConfigMaps(operatorclient.OperatorNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})`
`793`	`793`	`resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)`
`794`	`794`	`if err != nil {`