From d1bfdcad2d4c2c347cfb1014f2483e83ab469916 Mon Sep 17 00:00:00 2001
From: ajanikow <12255597+ajanikow@users.noreply.github.com>
Date: Wed, 28 Jul 2021 13:13:11 +0000
Subject: [PATCH] Reconcile after TLS secret recreation

---
 go.mod | 2 +-
 pkg/deployment/resources/certificates_tls.go | 14 +++++++-------
 pkg/deployment/resources/pod_creator.go | 2 +-
 pkg/deployment/resources/secrets.go | 5 +++--
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index 186261aa6..3ce5416ac 100644
--- a/go.mod
+++ b/go.mod
@@ -35,8 +35,8 @@ require (
 github.com/ghodss/yaml v1.0.0
 github.com/gin-gonic/gin v1.7.2
 github.com/github-release/github-release v0.10.0 // indirect
- github.com/golang-jwt/jwt v3.2.1+incompatible
 github.com/go-playground/validator/v10 v10.8.0 // indirect
+ github.com/golang-jwt/jwt v3.2.1+incompatible
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170 // indirect
 github.com/hashicorp/golang-lru v0.5.3 // indirect
diff --git a/pkg/deployment/resources/certificates_tls.go b/pkg/deployment/resources/certificates_tls.go
index b4c54ebc1..37e045e6d 100644
--- a/pkg/deployment/resources/certificates_tls.go
+++ b/pkg/deployment/resources/certificates_tls.go
@@ -78,14 +78,14 @@ func createTLSCACertificate(ctx context.Context, log zerolog.Logger, secrets k8s
 // createTLSServerCertificate creates a TLS certificate for a specific server and stores
 // it in a secret with the given name.
 func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets v1.SecretInterface, serverNames []string, spec api.TLSSpec,
- secretName string, ownerRef *metav1.OwnerReference) error {
+ secretName string, ownerRef *metav1.OwnerReference) (bool, error) {
 log = log.With().Str("secret", secretName).Logger()
 
 // Load alt names
 dnsNames, ipAddresses, emailAddress, err := spec.GetParsedAltNames()
 if err != nil {
 log.Debug().Err(err).Msg("Failed to get alternate names")
- return errors.WithStack(err)
+ return false, errors.WithStack(err)
 }
 
 // Load CA certificate
@@ -94,12 +94,12 @@ func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets
 caCert, caKey, _, err := k8sutil.GetCASecret(ctxChild, secrets, spec.GetCASecretName(), nil)
 if err != nil {
 log.Debug().Err(err).Msg("Failed to load CA certificate")
- return errors.WithStack(err)
+ return false, errors.WithStack(err)
 }
 ca, err := certificates.LoadCAFromPEM(caCert, caKey)
 if err != nil {
 log.Debug().Err(err).Msg("Failed to decode CA certificate")
- return errors.WithStack(err)
+ return false, errors.WithStack(err)
 }
 
 options := certificates.CreateCertificateOptions{
@@ -114,7 +114,7 @@ func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets
 cert, priv, err := certificates.CreateCertificate(options, &ca)
 if err != nil {
 log.Debug().Err(err).Msg("Failed to create server certificate")
- return errors.WithStack(err)
+ return false, errors.WithStack(err)
 }
 keyfile := strings.TrimSpace(cert) + "\n" + strings.TrimSpace(priv)
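Review bot: The doc comment on `createTLSServerCertificate` in the -78 hunk still describes only the secret being stored, while the signature directly below it now returns `(bool, error)`; the new result needs a sentence such as `// It returns true when the secret was newly created; when it already exists, false is returned together with the AlreadyExists error from the API.` The false-plus-error contract is visible in the -128 hunk, where the `} else {` branch falls through to `return false, errors.WithStack(err)`, but the `if` that opens that branch lies outside the hunk, so the exact AlreadyExists handling should be confirmed there before wording the comment. The function body spans all four hunks of this file and parts of it are outside them.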
@@ -128,8 +128,8 @@ func createTLSServerCertificate(ctx context.Context, log zerolog.Logger, secrets
 } else {
 log.Debug().Err(err).Msg("Failed to create server Secret")
 }
- return errors.WithStack(err)
+ return false, errors.WithStack(err)
 }
 log.Debug().Msg("Created server Secret")
- return nil
+ return true, nil
 }
diff --git a/pkg/deployment/resources/pod_creator.go b/pkg/deployment/resources/pod_creator.go
index aa55ad46c..683df1963 100644
--- a/pkg/deployment/resources/pod_creator.go
+++ b/pkg/deployment/resources/pod_creator.go
@@ -570,7 +570,7 @@ func (r *Resources) createPodForMember(ctx context.Context, spec api.DeploymentS
 }
 }
 owner := apiObject.AsOwner()
- err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.Sync.TLS, tlsKeyfileSecretName, &owner)
+ _, err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.Sync.TLS, tlsKeyfileSecretName, &owner)
 if err != nil && !k8sutil.IsAlreadyExists(err) {
 return errors.WithStack(errors.Wrapf(err, "Failed to create TLS keyfile secret"))
 }
diff --git a/pkg/deployment/resources/secrets.go b/pkg/deployment/resources/secrets.go
index 2df7adb1a..1c3c7a2d2 100644
--- a/pkg/deployment/resources/secrets.go
+++ b/pkg/deployment/resources/secrets.go
@@ -166,9 +166,10 @@ func (r *Resources) EnsureSecrets(ctx context.Context, log zerolog.Logger, cache
 serverNames = append(serverNames, ip)
 }
 owner := member.AsOwner()
- errCert := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.TLS, tlsKeyfileSecretName, &owner)
- if err := reconcileRequired.WithError(errCert); err != nil && !k8sutil.IsAlreadyExists(err) {
+ if created, err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.TLS, tlsKeyfileSecretName, &owner); err != nil && !k8sutil.IsAlreadyExists(err) {
 return errors.WithStack(errors.Wrapf(err, "Failed to create TLS keyfile secret"))
+ } else if created {
+ reconcileRequired.Required()
 }
 }
 }
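Review bot: The pod_creator.go hunk discards the new created flag with `_, err :=` for the sync TLS keyfile, so this path never signals a reconcile the way the secrets.go hunk does; presumably that is intentional because the pod consuming the secret is created further down in createPodForMember, but that reasoning lives outside the hunk and is not stated. A short comment on the call would make the asymmetry deliberate, e.g. `// created flag unused: the pod that mounts this secret is created below`. createPodForMember starts and ends outside the hunk.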
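Review bot: The secrets.go hunk places `} else if created {` after a branch that ends in `return`, which Go style discourages; binding the result first keeps the happy path flat: `created, err := createTLSServerCertificate(ctx, log, secrets, serverNames, spec.TLS, tlsKeyfileSecretName, &owner)` followed by the unchanged `if err != nil && !k8sutil.IsAlreadyExists(err) {` check and then a separate `if created { reconcileRequired.Required() }`. The rewrite also drops the previous `reconcileRequired.WithError(errCert)` call, so an AlreadyExists error no longer passes through that method; if WithError did anything beyond returning its argument, that bookkeeping is silently lost and should be checked against its definition, which is not in the hunk. EnsureSecrets begins before and continues after this hunk.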