diff --git a/go.mod b/go.mod
index e92e9dad9b..21f074467c 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/openshift/api v0.0.0-20231219140051-ddc590a81acb
 github.com/openshift/build-machinery-go v0.0.0-20230228230858-4cd708338479
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415
- github.com/openshift/library-go v0.0.0-20240229145526-d26b0b6227e4
+ github.com/openshift/library-go v0.0.0-20240305144041-18ee8279b4e3
 github.com/pkg/profile v1.5.0 // indirect
 github.com/prometheus/client_golang v1.16.0
 github.com/spf13/cobra v1.7.0
diff --git a/go.sum b/go.sum
index cc793e6d74..c5d0fd51b6 100644
--- a/go.sum
+++ b/go.sum
@@ -163,8 +163,8 @@ github.com/openshift/build-machinery-go v0.0.0-20230228230858-4cd708338479 h1:IU
 github.com/openshift/build-machinery-go v0.0.0-20230228230858-4cd708338479/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415 h1:wfnn3E0Z62bB3wYM5eO1AZ9EYZpFd7M1p4PclcIyVv0=
 github.com/openshift/client-go v0.0.0-20231218155125-ff7d9f9bf415/go.mod h1:5W+xoimHjRdZ0dI/yeQR0ANRNLK9mPmXMzUWPAIPADo=
-github.com/openshift/library-go v0.0.0-20240229145526-d26b0b6227e4 h1:hq03auh9Y8Q7ejKOUhfVG0pDTDFRVuj8DuqOolIXiBs=
-github.com/openshift/library-go v0.0.0-20240229145526-d26b0b6227e4/go.mod h1:ePlaOqUiPplRc++6aYdMe+2FmXb2xTNS9Nz5laG2YmI=
+github.com/openshift/library-go v0.0.0-20240305144041-18ee8279b4e3 h1:9ReQNVTyhFwcMfLROKhpmry74ge+urWixmR/EMQajhY=
+github.com/openshift/library-go v0.0.0-20240305144041-18ee8279b4e3/go.mod h1:ePlaOqUiPplRc++6aYdMe+2FmXb2xTNS9Nz5laG2YmI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/metadata.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/metadata.go
new file mode 100644
index 0000000000..f64bde8fe0
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/metadata.go
@@ -0,0 +1,36 @@
+package certrotation
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func ensureMetadataUpdate(secret *corev1.Secret, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) bool {
+ needsMetadataUpdate := false
+ // no ownerReference set
+ if owner != nil {
+ needsMetadataUpdate = ensureOwnerReference(&secret.ObjectMeta, owner)
+ }
+ // ownership annotations not set
+ return additionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta) || needsMetadataUpdate
+}
+
+func ensureSecretTLSTypeSet(secret *corev1.Secret) bool {
+ // Existing secret not found - no need to update metadata (will be done by needNewSigningCertKeyPair / NeedNewTargetCertKeyPair)
+ if len(secret.ResourceVersion) == 0 {
+ return false
+ }
+
+ // convert outdated secret type (created by pre 4.7 installer)
+ if secret.Type != corev1.SecretTypeTLS {
+ secret.Type = corev1.SecretTypeTLS
+ // wipe secret contents if tls.crt and tls.key are missing
+ _, certExists := secret.Data[corev1.TLSCertKey]
+ _, keyExists := secret.Data[corev1.TLSPrivateKeyKey]
+ if !certExists || !keyExists {
+ secret.Data = map[string][]byte{}
+ }
+ return true
+ }
+ return false
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
index d143dc3056..59bf926d5a 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
@@ -62,24 +62,24 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 signingCertKeyPairSecret := originalSigningCertKeyPairSecret.DeepCopy()
 if apierrors.IsNotFound(err) {
 // create an empty one
- signingCertKeyPairSecret = &corev1.Secret{ObjectMeta: NewTLSArtifactObjectMeta(
- c.Name,
- c.Namespace,
- c.AdditionalAnnotations,
- )}
+ signingCertKeyPairSecret = &corev1.Secret{
+ ObjectMeta: NewTLSArtifactObjectMeta(
+ c.Name,
+ c.Namespace,
+ c.AdditionalAnnotations,
+ ),
+ Type: corev1.SecretTypeTLS,
+ }
 }
- signingCertKeyPairSecret.Type = corev1.SecretTypeTLS
- needsMetadataUpdate := false
- if c.Owner != nil {
- needsMetadataUpdate = ensureOwnerReference(&signingCertKeyPairSecret.ObjectMeta, c.Owner)
- }
- needsMetadataUpdate = c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&signingCertKeyPairSecret.ObjectMeta) || needsMetadataUpdate
- if needsMetadataUpdate && len(signingCertKeyPairSecret.ResourceVersion) > 0 {
- _, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
+ // apply necessary metadata (possibly via delete+recreate) if secret exists
+ // this is done before content update to prevent unexpected rollouts
+ if ensureMetadataUpdate(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(signingCertKeyPairSecret) {
+ actualSigningCertKeyPairSecret, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)
 if err != nil {
 return nil, err
 }
+ signingCertKeyPairSecret = actualSigningCertKeyPairSecret
 }
 if needed, reason := needNewSigningCertKeyPair(signingCertKeyPairSecret.Annotations, c.Refresh, c.RefreshOnlyWhenExpired); needed {
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
index ad1caa6379..f7e37f4c81 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go
@@ -97,24 +97,24 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont
 targetCertKeyPairSecret := originalTargetCertKeyPairSecret.DeepCopy()
 if apierrors.IsNotFound(err) {
 // create an empty one
- targetCertKeyPairSecret = &corev1.Secret{ObjectMeta: NewTLSArtifactObjectMeta(
- c.Name,
- c.Namespace,
- c.AdditionalAnnotations,
- )}
+ targetCertKeyPairSecret = &corev1.Secret{
+ ObjectMeta: NewTLSArtifactObjectMeta(
+ c.Name,
+ c.Namespace,
+ c.AdditionalAnnotations,
+ ),
+ Type: corev1.SecretTypeTLS,
+ }
 }
- targetCertKeyPairSecret.Type = corev1.SecretTypeTLS
- needsMetadataUpdate := false
- if c.Owner != nil {
- needsMetadataUpdate = ensureOwnerReference(&targetCertKeyPairSecret.ObjectMeta, c.Owner)
- }
- needsMetadataUpdate = c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&targetCertKeyPairSecret.ObjectMeta) || needsMetadataUpdate
- if needsMetadataUpdate && len(targetCertKeyPairSecret.ResourceVersion) > 0 {
- _, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, targetCertKeyPairSecret)
+ // apply necessary metadata (possibly via delete+recreate) if secret exists
+ // this is done before content update to prevent unexpected rollouts
+ if ensureMetadataUpdate(targetCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(targetCertKeyPairSecret) {
+ actualTargetCertKeyPairSecret, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, targetCertKeyPairSecret)
 if err != nil {
 return nil, err
 }
+ targetCertKeyPairSecret = actualTargetCertKeyPairSecret
 }
 if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret.Annotations, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired); len(reason) > 0 {
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/revisioncontroller/revision_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/revisioncontroller/revision_controller.go
index afb2e5ca94..9d1397d2df 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/revisioncontroller/revision_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/revisioncontroller/revision_controller.go
@@ -85,7 +85,7 @@ func NewRevisionController(
 // createRevisionIfNeeded takes care of creating content for the static pods to use.
 // returns whether or not requeue and if an error happened when updating status. Normally it updates status itself.
 func (c RevisionController) createRevisionIfNeeded(ctx context.Context, recorder events.Recorder, latestAvailableRevision int32, resourceVersion string) (bool, error) {
- isLatestRevisionCurrent, reason := c.isLatestRevisionCurrent(ctx, latestAvailableRevision)
+ isLatestRevisionCurrent, requiredIsNotFound, reason := c.isLatestRevisionCurrent(ctx, latestAvailableRevision)
 // check to make sure that the latestRevision has the exact content we expect. No mutation here, so we start creating the next Revision only when it is required
 if isLatestRevisionCurrent {
@@ -94,8 +94,16 @@ func (c RevisionController) createRevisionIfNeeded(ctx context.Context, recorder
 }
 nextRevision := latestAvailableRevision + 1
- recorder.Eventf("StartingNewRevision", "new revision %d triggered by %q", nextRevision, reason)
- createdNewRevision, err := c.createNewRevision(ctx, recorder, nextRevision, reason)
+ var createdNewRevision bool
+ var err error
+ // check to make sure no new revision is created when a required object is missing
+ if requiredIsNotFound {
+ err = fmt.Errorf("%v", reason)
+ } else {
+ recorder.Eventf("StartingNewRevision", "new revision %d triggered by %q", nextRevision, reason)
+ createdNewRevision, err = c.createNewRevision(ctx, recorder, nextRevision, reason)
+ }
+
 if err != nil {
 cond := operatorv1.OperatorCondition{
 Type: "RevisionControllerDegraded",
@@ -134,7 +142,7 @@ func nameFor(name string, revision int32) string {
 }
 // isLatestRevisionCurrent returns whether the latest revision is up to date and an optional reason
-func (c RevisionController) isLatestRevisionCurrent(ctx context.Context, revision int32) (bool, string) {
+func (c RevisionController) isLatestRevisionCurrent(ctx context.Context, revision int32) (bool, bool, string) {
 configChanges := []string{}
 for _, cm := range c.configMaps {
 requiredData := map[string]string{}
@@ -142,11 +150,11 @@ func (c RevisionController) isLatestRevisionCurrent(ctx context.Context, revisio
 required, err := c.configMapGetter.ConfigMaps(c.targetNamespace).Get(ctx, cm.Name, metav1.GetOptions{})
 if apierrors.IsNotFound(err) && !cm.Optional {
- return false, err.Error()
+ return false, true, err.Error()
 }
 existing, err := c.configMapGetter.ConfigMaps(c.targetNamespace).Get(ctx, nameFor(cm.Name, revision), metav1.GetOptions{})
 if apierrors.IsNotFound(err) && !cm.Optional {
- return false, err.Error()
+ return false, false, err.Error()
 }
 if required != nil {
 requiredData = required.Data
@@ -179,11 +187,11 @@ func (c RevisionController) isLatestRevisionCurrent(ctx context.Context, revisio
 required, err := c.secretGetter.Secrets(c.targetNamespace).Get(ctx, s.Name, metav1.GetOptions{})
 if apierrors.IsNotFound(err) && !s.Optional {
- return false, err.Error()
+ return false, true, err.Error()
 }
 existing, err := c.secretGetter.Secrets(c.targetNamespace).Get(ctx, nameFor(s.Name, revision), metav1.GetOptions{})
 if apierrors.IsNotFound(err) && !s.Optional {
- return false, err.Error()
+ return false, false, err.Error()
 }
 if required != nil {
 requiredData = required.Data
@@ -210,10 +218,10 @@ func (c RevisionController) isLatestRevisionCurrent(ctx context.Context, revisio
 }
 if len(secretChanges) > 0 || len(configChanges) > 0 {
- return false, strings.Join(append(secretChanges, configChanges...), ",")
+ return false, false, strings.Join(append(secretChanges, configChanges...), ",")
 }
- return true, ""
+ return true, false, ""
 }
 // returns true if we created a revision
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a997ea9436..755cda49bb 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -334,7 +334,7 @@ github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/i
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane/v1alpha1
 github.com/openshift/client-go/operatorcontrolplane/listers/operatorcontrolplane/v1alpha1
-# github.com/openshift/library-go v0.0.0-20240229145526-d26b0b6227e4
+# github.com/openshift/library-go v0.0.0-20240305144041-18ee8279b4e3
 ## explicit; go 1.21
 github.com/openshift/library-go/pkg/assets
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer