
Commit 7effdda

committed
OCPBUGS-63502: Redeploy console pods upon cert rotation
1 parent 788be29 commit 7effdda

4 files changed

Lines changed: 58 additions & 25 deletions


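--- a/pkg/console/operator/operator.go
+++ b/pkg/console/operator/operator.go
@@ -250,7 +250,7 @@ func NewConsoleOperator(
 factory.NamesFilter(api.OAuthClientName),
 oauthClientSwitchedInformer.Informer(),
 ).WithFilteredEventsInformers(
-util.IncludeNamesFilter(deployment.ConsoleOauthConfigName),
+util.IncludeNamesFilter(deployment.ConsoleOauthConfigName, api.ConsoleServingCertName),
 secretsInformer.Informer(),
 ).WithFilteredEventsInformers(
 util.IncludeNamesFilter(telemetry.TelemetryConfigMapName),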

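--- a/pkg/console/operator/sync_v400.go
+++ b/pkg/console/operator/sync_v400.go
@@ -177,6 +177,12 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 return statusHandler.FlushAndReturn(secErr)
 }
 
+consoleServingCertSecret, servingCertErr := co.secretsLister.Secrets(api.TargetNamespace).Get(api.ConsoleServingCertName)
+statusHandler.AddConditions(status.HandleProgressingOrDegraded("ConsoleServingCertSecretGet", "FailedGet", servingCertErr))
+if servingCertErr != nil {
+return statusHandler.FlushAndReturn(servingCertErr)
+}
+
 actualDeployment, depErrReason, depErr := co.SyncDeployment(
 ctx,
 set.Operator,
@@ -187,6 +193,7 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 trustedCAConfigMap,
 clientSecret,
 sessionSecret,
+consoleServingCertSecret,
 set.Proxy,
 set.Infrastructure,
 controllerContext.Recorder(),
@@ -274,6 +281,7 @@ func (co *consoleOperator) SyncDeployment(
 trustedCAConfigMap *corev1.ConfigMap,
 sec *corev1.Secret,
 sessionSecret *corev1.Secret,
+consoleServingCertSecret *corev1.Secret,
 proxyConfig *configv1.Proxy,
 infrastructureConfig *configv1.Infrastructure,
 recorder events.Recorder,
@@ -288,6 +296,7 @@ func (co *consoleOperator) SyncDeployment(
 trustedCAConfigMap,
 sec,
 sessionSecret,
+consoleServingCertSecret,
 proxyConfig,
 infrastructureConfig,
 )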
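Review bot: The new `Get` of `api.ConsoleServingCertName` in the first hunk returns through `FlushAndReturn` on every error, not-found included, so `SyncDeployment` is now gated on the serving-cert secret being present in the lister cache. If that secret is issued asynchronously (not visible on this page), a fresh install waits in this branch until it appears, so it is worth confirming that `HandleProgressingOrDegraded` reports that window as progressing rather than degraded. A short comment above the lookup would record the intent, for example `// Fetched so its resourceVersion can be stamped on the deployment; a rotated cert then rolls the console pods.` The body of `sync_v400` starts and ends outside the hunk.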

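--- a/pkg/console/subresource/deployment/deployment.go
+++ b/pkg/console/subresource/deployment/deployment.go
@@ -39,6 +39,7 @@ const (
 authnConfigVersionAnnotation = "console.openshift.io/authentication-config-version"
 authnCATrustConfigMapResourceVersionAnnotation = "console.openshift.io/authn-ca-trust-config-version"
 sessionSecretRVAnnotation = "console.openshift.io/session-secret-version"
+servingCertSecretResourceVersionAnnotation = "console.openshift.io/serving-cert-secret-version"
 )
 
 var (
@@ -51,6 +52,7 @@ var (
 trustedCAConfigMapResourceVersionAnnotation,
 secretResourceVersionAnnotation,
 consoleImageAnnotation,
+servingCertSecretResourceVersionAnnotation,
 }
 )
 
@@ -73,6 +75,7 @@ func DefaultDeployment(
 trustedCAConfigMap *corev1.ConfigMap,
 oAuthClientSecret *corev1.Secret,
 sessionSecret *corev1.Secret,
+consoleServingCertSecret *corev1.Secret,
 proxyConfig *configv1.Proxy,
 infrastructureConfig *configv1.Infrastructure,
 ) *appsv1.Deployment {
@@ -93,6 +96,7 @@ func DefaultDeployment(
 trustedCAConfigMap,
 oAuthClientSecret,
 sessionSecret,
+consoleServingCertSecret,
 proxyConfig,
 infrastructureConfig,
 )
@@ -200,6 +204,7 @@ func withConsoleAnnotations(
 trustedCAConfigMap *corev1.ConfigMap,
 oAuthClientSecret *corev1.Secret,
 sessionSecret *corev1.Secret,
+consoleServingCertSecret *corev1.Secret,
 proxyConfig *configv1.Proxy,
 infrastructureConfig *configv1.Infrastructure,
 ) {
@@ -211,6 +216,7 @@ func withConsoleAnnotations(
 infrastructureConfigResourceVersionAnnotation: infrastructureConfig.GetResourceVersion(),
 secretResourceVersionAnnotation: oAuthClientSecret.GetResourceVersion(),
 consoleImageAnnotation: util.GetImageEnv("CONSOLE_IMAGE"),
+servingCertSecretResourceVersionAnnotation: consoleServingCertSecret.GetResourceVersion(),
 }
 
 if authServerCAConfigMap != nil {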
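Review bot: `consoleServingCertSecret.GetResourceVersion()` in the last hunk is called with no nil guard, while `authServerCAConfigMap` is nil-checked right after the map literal, so `DefaultDeployment` and `withConsoleAnnotations` presumably panic for any caller that passes a nil secret. The tests in this commit had to start passing `&corev1.Secret{}`, which points the same way. Either state the requirement on both functions with a comment such as `// consoleServingCertSecret must be non-nil; its resourceVersion is recorded so a rotated cert rolls the pods.`, or set the annotation under a nil check like the one used for `authServerCAConfigMap`. Note also that resourceVersion changes on any write to the secret, not only on a certificate change, so metadata-only updates may also trigger a rollout; this matches the other annotations in the file. `withConsoleAnnotations` continues outside the hunk.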

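--- a/pkg/console/subresource/deployment/deployment_test.go
+++ b/pkg/console/subresource/deployment/deployment_test.go
@@ -46,6 +46,7 @@ func TestDefaultDeployment(t *testing.T) {
 trustedCAConfigMap *corev1.ConfigMap
 oAuthClientSecret *corev1.Secret
 sessionSecret *corev1.Secret
+consoleServingCertSecret *corev1.Secret
 proxyConfig *configv1.Proxy
 infrastructureConfig *configv1.Infrastructure
 }
@@ -82,6 +83,7 @@ func TestDefaultDeployment(t *testing.T) {
 proxyConfigResourceVersionAnnotation: "",
 infrastructureConfigResourceVersionAnnotation: "",
 consoleImageAnnotation: "",
+servingCertSecretResourceVersionAnnotation: "",
 },
 OwnerReferences: []metav1.OwnerReference{{
 APIVersion: "operator.openshift.io/v1",
@@ -136,6 +138,7 @@ func TestDefaultDeployment(t *testing.T) {
 proxyConfigResourceVersionAnnotation: "",
 infrastructureConfigResourceVersionAnnotation: "",
 consoleImageAnnotation: "",
+servingCertSecretResourceVersionAnnotation: "",
 workloadManagementAnnotation: workloadManagementAnnotationValue,
 requiredSCCAnnotation: "restricted-v2",
 }
@@ -213,8 +216,9 @@ func TestDefaultDeployment(t *testing.T) {
 StringData: nil,
 Type: "",
 },
-proxyConfig: proxyConfig,
-infrastructureConfig: infrastructureConfigHighlyAvailable,
+consoleServingCertSecret: &corev1.Secret{},
+proxyConfig: proxyConfig,
+infrastructureConfig: infrastructureConfigHighlyAvailable,
 },
 want: &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
@@ -292,6 +296,7 @@ func TestDefaultDeployment(t *testing.T) {
 StringData: nil,
 Type: "",
 },
+consoleServingCertSecret: &corev1.Secret{},
 proxyConfig: proxyConfig,
 infrastructureConfig: infrastructureConfigHighlyAvailable,
 },
@@ -370,8 +375,9 @@ func TestDefaultDeployment(t *testing.T) {
 StringData: nil,
 Type: "",
 },
-proxyConfig: proxyConfig,
-infrastructureConfig: infrastructureConfigSingleReplica,
+consoleServingCertSecret: &corev1.Secret{},
+proxyConfig: proxyConfig,
+infrastructureConfig: infrastructureConfigSingleReplica,
 },
 want: &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
@@ -441,8 +447,9 @@ func TestDefaultDeployment(t *testing.T) {
 StringData: nil,
 Type: "",
 },
-proxyConfig: proxyConfig,
-infrastructureConfig: infrastructureConfigExternalTopologyMode,
+consoleServingCertSecret: &corev1.Secret{},
+proxyConfig: proxyConfig,
+infrastructureConfig: infrastructureConfigExternalTopologyMode,
 },
 want: &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
@@ -514,6 +521,7 @@ func TestDefaultDeployment(t *testing.T) {
 tt.args.trustedCAConfigMap,
 tt.args.oAuthClientSecret,
 tt.args.sessionSecret,
+tt.args.consoleServingCertSecret,
 tt.args.proxyConfig,
 tt.args.infrastructureConfig,
 ), tt.want); diff != nil {
@@ -525,16 +533,17 @@ func TestDefaultDeployment(t *testing.T) {
 
 func TestWithConsoleAnnotations(t *testing.T) {
 type args struct {
-deployment *appsv1.Deployment
-consoleConfigMap *corev1.ConfigMap
-serviceCAConfigMap *corev1.ConfigMap
-authServerCAConfigMap *corev1.ConfigMap
-trustedCAConfigMap *corev1.ConfigMap
-oAuthClientSecret *corev1.Secret
-sessionSecret *corev1.Secret
-proxyConfig *configv1.Proxy
-infrastructureConfig *configv1.Infrastructure
-authnConfig *configv1.Authentication
+deployment *appsv1.Deployment
+consoleConfigMap *corev1.ConfigMap
+serviceCAConfigMap *corev1.ConfigMap
+authServerCAConfigMap *corev1.ConfigMap
+trustedCAConfigMap *corev1.ConfigMap
+oAuthClientSecret *corev1.Secret
+sessionSecret *corev1.Secret
+consoleServingCertSecret *corev1.Secret
+proxyConfig *configv1.Proxy
+infrastructureConfig *configv1.Infrastructure
+authnConfig *configv1.Authentication
 }
 
 consoleConfigMap := &corev1.ConfigMap{
@@ -584,6 +593,12 @@ func TestWithConsoleAnnotations(t *testing.T) {
 },
 }
 
+consoleServingCertSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+ResourceVersion: "202020",
+},
+}
+
 tests := []struct {
 name string
 args args
@@ -606,13 +621,14 @@ func TestWithConsoleAnnotations(t *testing.T) {
 },
 },
 },
-consoleConfigMap: consoleConfigMap,
-serviceCAConfigMap: serviceCAConfigMap,
-authServerCAConfigMap: oauthServingCertConfigMap,
-trustedCAConfigMap: trustedCAConfigMap,
-oAuthClientSecret: oAuthClientSecret,
-proxyConfig: proxyConfig,
-infrastructureConfig: infrastructureConfig,
+consoleConfigMap: consoleConfigMap,
+serviceCAConfigMap: serviceCAConfigMap,
+authServerCAConfigMap: oauthServingCertConfigMap,
+trustedCAConfigMap: trustedCAConfigMap,
+oAuthClientSecret: oAuthClientSecret,
+consoleServingCertSecret: consoleServingCertSecret,
+proxyConfig: proxyConfig,
+infrastructureConfig: infrastructureConfig,
 },
 want: &appsv1.Deployment{
 ObjectMeta: metav1.ObjectMeta{
@@ -625,6 +641,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 infrastructureConfigResourceVersionAnnotation: infrastructureConfig.GetResourceVersion(),
 secretResourceVersionAnnotation: oAuthClientSecret.GetResourceVersion(),
 consoleImageAnnotation: util.GetImageEnv("CONSOLE_IMAGE"),
+servingCertSecretResourceVersionAnnotation: consoleServingCertSecret.GetResourceVersion(),
 },
 },
 Spec: appsv1.DeploymentSpec{
@@ -640,6 +657,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 infrastructureConfigResourceVersionAnnotation: infrastructureConfig.GetResourceVersion(),
 secretResourceVersionAnnotation: oAuthClientSecret.GetResourceVersion(),
 consoleImageAnnotation: util.GetImageEnv("CONSOLE_IMAGE"),
+servingCertSecretResourceVersionAnnotation: consoleServingCertSecret.GetResourceVersion(),
 },
 },
 },
@@ -649,7 +667,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
-withConsoleAnnotations(tt.args.deployment, tt.args.consoleConfigMap, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
+withConsoleAnnotations(tt.args.deployment, tt.args.consoleConfigMap, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.consoleServingCertSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
 if diff := deep.Equal(tt.args.deployment, tt.want); diff != nil {
 t.Error(diff)
 }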
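Review bot: Every `TestDefaultDeployment` case shown here passes `consoleServingCertSecret: &corev1.Secret{}`, so the expected `servingCertSecretResourceVersionAnnotation` is always `""`. The new parameter sits next to `sessionSecret`, which has the same `*corev1.Secret` type, so these cases would likely still pass if `DefaultDeployment` dropped the argument or swapped the two. Only `TestWithConsoleAnnotations` uses a non-empty version (`"202020"`). Giving one `TestDefaultDeployment` case a secret with `ObjectMeta: metav1.ObjectMeta{ResourceVersion: "202020"}` and expecting that value in the annotations would cover the whole path from the public constructor.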
