DONOTMERGE: break tests to make fuzzer fail

pkg/operator/certrotation/annotations.go

@@ -1,8 +1,14 @@
 package certrotation
 
 import (
+	"context"
+
 	"github.com/openshift/api/annotations"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 )
 
 const (
@@ -47,3 +53,33 @@ func NewTLSArtifactObjectMeta(name, namespace string, annotations AdditionalAnno
 	_ = annotations.EnsureTLSMetadataUpdate(&meta)
 	return meta
 }
+
+const secretLeaseAnnotation = "openshift.io/do-not-use"
+
+func hasLeaseAnnotationSet(secret *corev1.Secret) bool {
+	if len(secret.Annotations) == 0 {
+		return false
+	}
+	_, ok := secret.Annotations[secretLeaseAnnotation]
+	return ok
+}
+
+func setLeaseAnnotation(ctx context.Context, client corev1client.SecretsGetter, recorder events.Recorder, secret *corev1.Secret) error {
+	if len(secret.Annotations) == 0 {
+		secret.Annotations = map[string]string{}
+	}
+	secret.Annotations[secretLeaseAnnotation] = "true"
+
+	_, _, err := resourceapply.ApplySecret(ctx, client, recorder, secret)
+	return err
+}
+
+func removeLeaseAnnotation(ctx context.Context, client corev1client.SecretsGetter, recorder events.Recorder, secret *corev1.Secret) error {
+	if len(secret.Annotations) == 0 {
+		return nil
+	}
+	delete(secret.Annotations, secretLeaseAnnotation)
+
+	_, _, err := resourceapply.ApplySecret(ctx, client, recorder, secret)
+	return err
+}

pkg/operator/certrotation/signer.go

@@ -88,11 +88,25 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 	// apply necessary metadata (possibly via delete+recreate) if secret exists
 	// this is done before content update to prevent unexpected rollouts
 	if ensureMetadataUpdate(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(signingCertKeyPairSecret) {
-		actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
-		if err != nil {
-			return nil, false, err
+
+		copySigningCertKeyPairSecret := originalSigningCertKeyPairSecret.DeepCopy()
+		if !hasLeaseAnnotationSet(copySigningCertKeyPairSecret) {
+			if setLeaseAnnotation(ctx, c.Client, c.EventRecorder, copySigningCertKeyPairSecret) != nil {
+				return nil, false, err
+			}
+
+			actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
+			if err != nil {
+				return nil, false, err
+			}
+			signingCertKeyPairSecret = actualSigningCertKeyPairSecret
+
+			if removeLeaseAnnotation(ctx, c.Client, c.EventRecorder, copySigningCertKeyPairSecret) != nil {
+				return nil, false, err
+			}
+
 		}
-		signingCertKeyPairSecret = actualSigningCertKeyPairSecret
+
 	}
 
 	signerUpdated := false

pkg/operator/certrotation/signer_test.go

@@ -745,7 +745,7 @@ func FuzzEnsureSigningCertKeyPair(f *testing.F) {
 	// and also unique not-after, and not-before values
 	<-time.After(2 * time.Second)
 
-	f.Fuzz(func(t *testing.T, seed int64) {
+	f.Fuzz(func(t *testing.T, seed int64, useSecretUpdateOnly bool) {
 		d := &dispatcher{
 			t:        t,
 			source:   rand.NewSource(seed),
@@ -765,11 +765,9 @@ func FuzzEnsureSigningCertKeyPair(f *testing.F) {
 		if !ok || len(tlsKeyWant) == 0 {
 			t.Fatalf("missing data in 'tls.key' key of Data: %#v", existing.Data)
 		}
-
 		secretWant := existing.DeepCopy()
 
 		clientset := kubefake.NewSimpleClientset(existing)
-
 		options := events.RecommendedClusterSingletonCorrelatorOptions()
 		client := clientset.CoreV1().Secrets(SecretNamespace)
 
@@ -802,6 +800,7 @@ func FuzzEnsureSigningCertKeyPair(f *testing.F) {
 					AdditionalAnnotations: AdditionalAnnotations{JiraComponent: "test"},
 					Owner:                 &metav1.OwnerReference{Name: "operator"},
 					EventRecorder:         recorder,
+					UseSecretUpdateOnly:   useSecretUpdateOnly,
 				}
 
 				d.Sequence(controllerName, "begin")