certrotationcontroller: make signers and caBunldes thread safe

openshift · Jul 3, 2024 · 20f6d16 · 20f6d16
1 parent e3cb429
commit 20f6d16
Showing 1 changed file with 81 additions and 182 deletions.
diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go
@@ -3,6 +3,7 @@ package certrotationcontroller
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
@@ -367,41 +368,46 @@ func newCertRotationController(
 	)
 	ret.certRotators = append(ret.certRotators, certRotator)
 
+	loadBalancerServingSigner := certrotation.RotatedSigningCASecret{
+		Namespace: operatorclient.OperatorNamespace,
+		Name:      "loadbalancer-serving-signer",
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent: "kube-apiserver",
+		},
+		Lock:     &sync.Mutex{},
+		Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
+		// Refresh set to 80% of the validity.
+		// This range is consistent with most other signers defined in this pkg.
+		// Given that in this case rotation will be after 8y,
+		// it means we effectively do not rotate.
+		Refresh:                8 * 365 * defaultRotationDay,
+		RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+		Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
+		Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
+		Client:                 kubeClient.CoreV1(),
+		EventRecorder:          eventRecorder,
+
+		// we will remove this when we migrate all of the affected secret
+		// objects to their intended type: https://issues.redhat.com/browse/API-1800
+		UseSecretUpdateOnly: true,
+	}
+	loadBalancerServingCA := certrotation.CABundleConfigMap{
+		Namespace: operatorclient.OperatorNamespace,
+		Name:      "loadbalancer-serving-ca",
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent: "kube-apiserver",
+		},
+		Lock:          &sync.Mutex{},
+		Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+		Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+		Client:        kubeClient.CoreV1(),
+		EventRecorder: eventRecorder,
+	}
+
 	certRotator = certrotation.NewCertRotationController(
 		"ExternalLoadBalancerServing",
-		certrotation.RotatedSigningCASecret{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "loadbalancer-serving-signer",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
-			// Refresh set to 80% of the validity.
-			// This range is consistent with most other signers defined in this pkg.
-			// Given that in this case rotation will be after 8y,
-			// it means we effectively do not rotate.
-			Refresh:                8 * 365 * defaultRotationDay,
-			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
-			Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
-			Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
-			Client:                 kubeClient.CoreV1(),
-			EventRecorder:          eventRecorder,
-
-			// we will remove this when we migrate all of the affected secret
-			// objects to their intended type: https://issues.redhat.com/browse/API-1800
-			UseSecretUpdateOnly: true,
-		},
-		certrotation.CABundleConfigMap{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "loadbalancer-serving-ca",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
-			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: eventRecorder,
-		},
+		loadBalancerServingSigner,
+		loadBalancerServingCA,
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: operatorclient.TargetNamespace,
 			Name:      "external-loadbalancer-serving-certkey",
@@ -431,39 +437,8 @@ func newCertRotationController(
 
 	certRotator = certrotation.NewCertRotationController(
 		"InternalLoadBalancerServing",
-		certrotation.RotatedSigningCASecret{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "loadbalancer-serving-signer",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
-			// Refresh set to 80% of the validity.
-			// This range is consistent with most other signers defined in this pkg.
-			// Given that in this case rotation will be after 8y,
-			// it means we effectively do not rotate.
-			Refresh:                8 * 365 * defaultRotationDay,
-			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
-			Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
-			Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
-			Client:                 kubeClient.CoreV1(),
-			EventRecorder:          eventRecorder,
-
-			// we will remove this when we migrate all of the affected secret
-			// objects to their intended type: https://issues.redhat.com/browse/API-1800
-			UseSecretUpdateOnly: true,
-		},
-		certrotation.CABundleConfigMap{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "loadbalancer-serving-ca",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
-			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: eventRecorder,
-		},
+		loadBalancerServingSigner,
+		loadBalancerServingCA,
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: operatorclient.TargetNamespace,
 			Name:      "internal-loadbalancer-serving-certkey",
@@ -554,37 +529,42 @@ func newCertRotationController(
 	)
 	ret.certRotators = append(ret.certRotators, certRotator)
 
+	kubeControlPlaneSigner := certrotation.RotatedSigningCASecret{
+		Namespace: operatorclient.OperatorNamespace,
+		Name:      "kube-control-plane-signer",
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent: "kube-apiserver",
+		},
+		Lock:                   &sync.Mutex{},
+		Validity:               60 * defaultRotationDay,
+		Refresh:                30 * defaultRotationDay,
+		RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+		Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
+		Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
+		Client:                 kubeClient.CoreV1(),
+		EventRecorder:          eventRecorder,
+
+		// we will remove this when we migrate all of the affected secret
+		// objects to their intended type: https://issues.redhat.com/browse/API-1800
+		UseSecretUpdateOnly: true,
+	}
+	kubeControlPlaneSignerCA := certrotation.CABundleConfigMap{
+		Namespace: operatorclient.OperatorNamespace,
+		Name:      "kube-control-plane-signer-ca",
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent: "kube-apiserver",
+		},
+		Lock:          &sync.Mutex{},
+		Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+		Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+		Client:        kubeClient.CoreV1(),
+		EventRecorder: eventRecorder,
+	}
+
 	certRotator = certrotation.NewCertRotationController(
 		"KubeControllerManagerClient",
-		certrotation.RotatedSigningCASecret{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Validity:               60 * defaultRotationDay,
-			Refresh:                30 * defaultRotationDay,
-			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
-			Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
-			Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
-			Client:                 kubeClient.CoreV1(),
-			EventRecorder:          eventRecorder,
-
-			// we will remove this when we migrate all of the affected secret
-			// objects to their intended type: https://issues.redhat.com/browse/API-1800
-			UseSecretUpdateOnly: true,
-		},
-		certrotation.CABundleConfigMap{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer-ca",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
-			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: eventRecorder,
-		},
+		kubeControlPlaneSigner,
+		kubeControlPlaneSignerCA,
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
 			Name:      "kube-controller-manager-client-cert-key",
@@ -613,35 +593,8 @@ func newCertRotationController(
 
 	certRotator = certrotation.NewCertRotationController(
 		"KubeSchedulerClient",
-		certrotation.RotatedSigningCASecret{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Validity:               60 * defaultRotationDay,
-			Refresh:                30 * defaultRotationDay,
-			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
-			Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
-			Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
-			Client:                 kubeClient.CoreV1(),
-			EventRecorder:          eventRecorder,
-
-			// we will remove this when we migrate all of the affected secret
-			// objects to their intended type: https://issues.redhat.com/browse/API-1800
-			UseSecretUpdateOnly: true,
-		},
-		certrotation.CABundleConfigMap{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer-ca",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
-			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: eventRecorder,
-		},
+		kubeControlPlaneSigner,
+		kubeControlPlaneSignerCA,
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
 			Name:      "kube-scheduler-client-cert-key",
@@ -670,35 +623,8 @@ func newCertRotationController(
 
 	certRotator = certrotation.NewCertRotationController(
 		"ControlPlaneNodeAdminClient",
-		certrotation.RotatedSigningCASecret{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Validity:               60 * defaultRotationDay,
-			Refresh:                30 * defaultRotationDay,
-			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
-			Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
-			Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
-			Client:                 kubeClient.CoreV1(),
-			EventRecorder:          eventRecorder,
-
-			// we will remove this when we migrate all of the affected secret
-			// objects to their intended type: https://issues.redhat.com/browse/API-1800
-			UseSecretUpdateOnly: true,
-		},
-		certrotation.CABundleConfigMap{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer-ca",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
-			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: eventRecorder,
-		},
+		kubeControlPlaneSigner,
+		kubeControlPlaneSignerCA,
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: operatorclient.TargetNamespace,
 			Name:      "control-plane-node-admin-client-cert-key",
@@ -727,35 +653,8 @@ func newCertRotationController(
 
 	certRotator = certrotation.NewCertRotationController(
 		"CheckEndpointsClient",
-		certrotation.RotatedSigningCASecret{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Validity:               60 * defaultRotationDay,
-			Refresh:                30 * defaultRotationDay,
-			RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
-			Informer:               kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
-			Lister:                 kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
-			Client:                 kubeClient.CoreV1(),
-			EventRecorder:          eventRecorder,
-
-			// we will remove this when we migrate all of the affected secret
-			// objects to their intended type: https://issues.redhat.com/browse/API-1800
-			UseSecretUpdateOnly: true,
-		},
-		certrotation.CABundleConfigMap{
-			Namespace: operatorclient.OperatorNamespace,
-			Name:      "kube-control-plane-signer-ca",
-			AdditionalAnnotations: certrotation.AdditionalAnnotations{
-				JiraComponent: "kube-apiserver",
-			},
-			Informer:      kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
-			Lister:        kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: eventRecorder,
-		},
+		kubeControlPlaneSigner,
+		kubeControlPlaneSignerCA,
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: operatorclient.TargetNamespace,
 			Name:      "check-endpoints-client-cert-key",