diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go
index 968883932a..45dd979ad6 100644
--- a/pkg/operator/certrotationcontroller/certrotationcontroller.go
+++ b/pkg/operator/certrotationcontroller/certrotationcontroller.go
@@ -176,10 +176,11 @@ func newCertRotationController(
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] oc adm new-project [apigroup:project.openshift.io][apigroup:authorization.openshift.io] [Suite:openshift/conformance/parallel]'",
 Description: "CA for aggregated apiservers to recognize kube-apiserver as front-proxy.",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.GlobalMachineSpecifiedConfigNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.GlobalMachineSpecifiedConfigNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.GlobalMachineSpecifiedConfigNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.GlobalMachineSpecifiedConfigNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
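Review bot: The added `RefreshOnlyWhenExpired: refreshOnlyWhenExpired,` line is copied by hand into each struct literal, here and in the hunks at 233, 296, 359, 423, 487, 550, 609, 664, 719, 773 and 830, so a literal added later that omits it would silently keep the field's zero value while its neighbours follow the flag. The Informer, Lister, Client and EventRecorder lines are already near-identical across these literals, so setting the shared fields in one place would make the flag hard to miss. None of the sites carries a comment on what the flag changes; something like `// when refreshOnlyWhenExpired is set, regeneration happens only after expiry, not at the usual refresh point` would help, though the exact semantics live in the certrotation package outside this diff and should be confirmed there. Both the literals and the definition of `refreshOnlyWhenExpired` start outside the hunk.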
@@ -233,10 +234,11 @@ func newCertRotationController(
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 Description: "CA for the kubelet to recognize the kube-apiserver client certificate.",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -296,10 +298,11 @@ func newCertRotationController(
 // other signers are updated and needs to have the same metadata set
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] local kubeconfig \"localhost.kubeconfig\" should be present on all masters and work [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel/minimal]'",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -359,10 +362,11 @@ func newCertRotationController(
 // other signers are updated and needs to have the same metadata set
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] kube-apiserver should be accessible via service network endpoint [Suite:openshift/conformance/parallel/minimal]'",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -423,10 +427,11 @@ func newCertRotationController(
 // other signers are updated and needs to have the same metadata set
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] kube-apiserver should be accessible via api-int endpoint [Suite:openshift/conformance/parallel/minimal]'",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -487,10 +492,11 @@ func newCertRotationController(
 // other signers are updated and needs to have the same metadata set
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] kube-apiserver should be accessible via api-int endpoint [Suite:openshift/conformance/parallel/minimal]'",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -529,7 +535,8 @@ func newCertRotationController(
 // other signers are updated and needs to have the same metadata set
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] local kubeconfig \"localhost-recovery.kubeconfig\" should be present on all masters and work [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel/minimal]'",
 },
- Validity: foreverPeriod, // this comes from the installer
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Validity: foreverPeriod, // this comes from the installer
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
 // Given that in this case rotation will be after 8y,
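Review bot: In the `@@ -529,7 +535,8 @@` hunk the new field sits directly above the existing comment "Refresh set to 80% of the validity", and the two can now disagree. If `refreshOnlyWhenExpired` is true, the field name suggests the 80% refresh point is not applied, so this signer, whose validity is `foreverPeriod`, would stay in use until it has actually expired rather than rotating "after 8y" as the comment says. That is a long service window for signing material, so the comment should say when the refresh schedule applies, e.g. `// NOTE: when refreshOnlyWhenExpired is true the Refresh below is not used; rotation happens only after expiry`. The behaviour is inferred from the name and should be checked against the certrotation package; the literal opens and closes outside the hunk.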
@@ -550,10 +557,11 @@ func newCertRotationController(
 // other signers are updated and needs to have the same metadata set
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] local kubeconfig \"localhost-recovery.kubeconfig\" should be present on all masters and work [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel/minimal]'",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -573,10 +581,11 @@ func newCertRotationController(
 CertCreator: &certrotation.ServingRotation{
 Hostnames: func() []string { return []string{"localhost-recovery"} },
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 eventRecorder,
 &certrotation.StaticPodConditionStatusReporter{OperatorClient: operatorClient},
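Review bot: This is the only hunk that sets the flag on a literal backed by the Secrets informer (the `localhost-recovery` serving certificate); the `certrotation.RotatedSelfSignedCertKeySecret{` literals that appear as trailing context in the other hunks are not touched by this diff. If those do not already carry `RefreshOnlyWhenExpired`, the flag would govern the CA bundles but not the certificates issued under them, so it is worth confirming that every target literal in `newCertRotationController` sets it. No test is visible in this diff; one that builds the controller with the flag set to true and checks each rotator's field would catch a missed site. The literal starts outside the hunk.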
@@ -609,10 +618,11 @@ func newCertRotationController(
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-apps] Deployment RollingUpdateDeployment should delete old pods and create new ones [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 Description: "CA for kube-apiserver to recognize the kube-controller-manager and kube-scheduler client certificates.",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
@@ -664,10 +674,11 @@ func newCertRotationController(
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-apps] Deployment RollingUpdateDeployment should delete old pods and create new ones [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 Description: "CA for kube-apiserver to recognize the kube-controller-manager and kube-scheduler client certificates.",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
@@ -719,10 +730,11 @@ func newCertRotationController(
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-apps] Deployment RollingUpdateDeployment should delete old pods and create new ones [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 Description: "CA for kube-apiserver to recognize the kube-controller-manager and kube-scheduler client certificates.",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -773,10 +785,11 @@ func newCertRotationController(
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-apps] Deployment RollingUpdateDeployment should delete old pods and create new ones [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 Description: "CA for kube-apiserver to recognize the kube-controller-manager and kube-scheduler client certificates.",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.TargetNamespace,
@@ -830,10 +843,11 @@ func newCertRotationController(
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] local kubeconfig \"localhost-recovery.kubeconfig\" should be present on all masters and work [apigroup:config.openshift.io] [Suite:openshift/conformance/parallel/minimal]'",
 Description: "CA for kube-apiserver to recognize local system:masters rendered to each master.",
 },
- Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
- Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
- Client: kubeClient.CoreV1(),
- EventRecorder: eventRecorder,
+ RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
+ Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
+ Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
+ Client: kubeClient.CoreV1(),
+ EventRecorder: eventRecorder,
 },
 certrotation.RotatedSelfSignedCertKeySecret{
 Namespace: operatorclient.OperatorNamespace,