move cs ca issuer + adopt operand digest auto-update (#111)

IBM · Feb 18, 2021 · 07a9d55 · 07a9d55
1 parent 146cb3d
commit 07a9d55
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 19 deletions.
diff --git a/...m-cert-manager-operator/3.9.0/ibm-cert-manager-operator.v3.9.0.clusterserviceversion.yaml b/...m-cert-manager-operator/3.9.0/ibm-cert-manager-operator.v3.9.0.clusterserviceversion.yaml
@@ -454,15 +454,15 @@ spec:
                 - ibm-cert-manager-operator
                 env:
                 - name: ICP_CERT_MANAGER_CONTROLLER_IMAGE
-                  value: quay.io/opencloudio/icp-cert-manager-controller@sha256:e3a7dcf3cd3da99c3c0664832ff9d2eb3960dd5e5241f3203e74cc3257ad4479
+                  value: quay.io/opencloudio/icp-cert-manager-controller:0.11.0
                 - name: ICP_CERT_MANAGER_WEBHOOK_IMAGE
-                  value: quay.io/opencloudio/icp-cert-manager-webhook@sha256:58c973caade95c529e0b48796b9bb289be8c0c5ccead7a9861015e6f8252c4c5
+                  value: quay.io/opencloudio/icp-cert-manager-webhook:0.11.0
                 - name: ICP_CERT_MANAGER_CAINJECTOR_IMAGE
-                  value: quay.io/opencloudio/icp-cert-manager-cainjector@sha256:04f0cd6075297214675a5334b5b9cd89b5680ab81e3a82f7fb4f545d7aef5a6b
+                  value: quay.io/opencloudio/icp-cert-manager-cainjector:0.11.0
                 - name: ICP_CERT_MANAGER_ACMESOLVER_IMAGE
-                  value: quay.io/opencloudio/icp-cert-manager-acmesolver@sha256:6fee845dec5dbfeb71773774cae30cd7e71288e88ae51b004584e1f4c5a0a3f0
+                  value: quay.io/opencloudio/icp-cert-manager-acmesolver:0.11.0
                 - name: ICP_CONFIGMAP_WATCHER_IMAGE
-                  value: quay.io/opencloudio/icp-configmap-watcher@sha256:c18d7319fa0ce509adce3a5eaf9113209be003f72ab85726c668614648e4ad5e
+                  value: quay.io/opencloudio/icp-configmap-watcher:3.4.0
                 - name: WATCH_NAMESPACE
                   valueFrom:
                     fieldRef:

diff --git a/pkg/controller/certmanager/certmanager_controller.go b/pkg/controller/certmanager/certmanager_controller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"strings"
 
 	certmgr "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 	"k8s.io/apimachinery/pkg/types"
@@ -250,24 +251,12 @@ func (r *ReconcileCertManager) Reconcile(request reconcile.Request) (reconcile.R
 	log.Info("The namespace", "ns", r.ns)
 	r.updateEvent(instance, "Instance found", corev1.EventTypeNormal, "Initializing")
 
-	// Check if the issuer already exists; if yes, do nothing
-	if err := r.client.Get(context.TODO(), types.NamespacedName{Name: res.CSCAIssuerName, Namespace: res.DeployNamespace}, res.CSCAIssuer); err == nil {
-		log.Info(res.CSCAIssuerName + " exists")
-	} else {
-		// Create the cs-ca-issuer (This is before the RHACM check as we need this issuer to be created even in RHACM systems for other Common Services)
-		err = r.createIssuer(instance, res.CSCAIssuer)
-		if err != nil {
-			log.Error(err, "Error creating CS CA issuer")
-			return reconcile.Result{}, err
-		}
-		log.Info(res.CSCAIssuerName + " successfully created")
-	}
-
 	//Check RHACM
 	rhacmErr := checkRhacm(r.client)
 	if rhacmErr == nil {
 		// multiclusterhub found, this means RHACM exists
-		// Return and don't requeue
+
+		// create a secretshare CR to copy clusterissuer secret to the rhacm issuer ns
 		rhacmClusterIssuerNamespace := res.RhacmNamespace + "-issuer"
 
 		log.Info("RHACM exists. Copying " + res.CSCASecretName + " to namespace " + rhacmClusterIssuerNamespace)
@@ -278,6 +267,20 @@ func (r *ReconcileCertManager) Reconcile(request reconcile.Request) (reconcile.R
 			return reconcile.Result{}, err
 		}
 
+		// Check if the issuer already exists; if yes, do nothing
+		if err := r.client.Get(context.TODO(), types.NamespacedName{Name: res.CSCAIssuerName, Namespace: res.DeployNamespace}, res.CSCAIssuer); err == nil {
+			log.Info(res.CSCAIssuerName + " exists")
+		} else {
+			// Create the cs-ca-issuer
+			err = r.createIssuer(instance, res.CSCAIssuer)
+			if err != nil {
+				log.Error(err, "Error creating CS CA issuer")
+				return reconcile.Result{}, err
+			}
+			log.Info(res.CSCAIssuerName + " successfully created")
+		}
+
+		// Return and don't requeue
 		r.updateStatus(instance, "IBM Cloud Platform Common Services cert-manager not installed. Red Hat Advanced Cluster Management for Kubernetes cert-manager is already installed and is in use by Common Services")
 		return reconcile.Result{}, nil
 	}
@@ -310,6 +313,24 @@ func (r *ReconcileCertManager) Reconcile(request reconcile.Request) (reconcile.R
 		r.updateStatus(instance, "Error deploying cert-manager")
 		return reconcile.Result{Requeue: true}, nil
 	}
+
+	// Check if the issuer already exists; if yes, do nothing
+	if err := r.client.Get(context.TODO(), types.NamespacedName{Name: res.CSCAIssuerName, Namespace: res.DeployNamespace}, res.CSCAIssuer); err == nil {
+		log.Info(res.CSCAIssuerName + " exists")
+	} else {
+		// Create the cs-ca-issuer
+		err = r.createIssuer(instance, res.CSCAIssuer)
+		if err != nil {
+			if strings.Contains(err.Error(), "Internal error occurred: failed calling webhook") {
+				log.Info("Warning: Cert-manager service is coming up, cs-ca-issuer will be created once the webhook connection is set up")
+			} else {
+				log.Error(err, "Error creating CS CA issuer")
+			}
+			return reconcile.Result{}, err
+		}
+		log.Info(res.CSCAIssuerName + " successfully created")
+	}
+
 	r.updateEvent(instance, "Deployed cert-manager successfully", corev1.EventTypeNormal, "Deployed")
 	r.updateStatus(instance, "Successfully deployed cert-manager")