From 3915c83ba5e7a62518b906c35ffccad57676797d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Fri, 13 Sep 2019 16:09:27 +0200
Subject: [PATCH] operator: restart the operator pod on trusted-ca-bundle
 change

Introduces the watchdog for operator deployment so that there is
a mechanism which guards changes to the trusted-ca-bundle CM and
these are refetched by having the operator pod restart.
---
 cmd/authentication-operator/main.go |  3 ++
 manifests/07_deployment.yaml        | 45 +++++++++++++++++++++++++++++
 pkg/operator2/operator.go           |  4 ++-
 3 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/cmd/authentication-operator/main.go b/cmd/authentication-operator/main.go
index 0cfd99f029..24d6ed6975 100644
--- a/cmd/authentication-operator/main.go
+++ b/cmd/authentication-operator/main.go
@@ -13,6 +13,8 @@ import (
 	utilflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/logs"
 
+	"github.com/openshift/library-go/pkg/operator/watchdog"
+
 	"github.com/openshift/cluster-authentication-operator/pkg/cmd/operator2"
 )
 
@@ -43,6 +45,7 @@ func NewAuthenticationOperatorCommand() *cobra.Command {
 	}
 
 	cmd.AddCommand(operator2.NewOperator())
+	cmd.AddCommand(watchdog.NewFileWatcherWatchdog())
 
 	return cmd
 }
diff --git a/manifests/07_deployment.yaml b/manifests/07_deployment.yaml
index eb50a67f79..6dadfffbbc 100644
--- a/manifests/07_deployment.yaml
+++ b/manifests/07_deployment.yaml
@@ -18,6 +18,7 @@ spec:
       labels:
         app: authentication-operator
     spec:
+      shareProcessNamespace: true
       serviceAccountName: authentication-operator
       containers:
       - name: operator
@@ -26,6 +27,13 @@ spec:
         command: ["/bin/bash", "-ec"]
         args:
         - |
+          echo $$$$ > /var/run/watchdog/pid
+          echo -n "Waiting for watchdog..."
+          while [ ! -f /var/run/watchdog/ready ]; do
+            echo -n "."
+            sleep 1
+          done
+          echo
           if [ -s /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt ]; then
               echo "Copying system trust bundle"
               cp -f /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
@@ -43,6 +51,8 @@ spec:
         - mountPath: /var/run/configmaps/trusted-ca-bundle
           name: trusted-ca-bundle
           readOnly: true
+        - mountPath: /var/run/watchdog
+          name: watchdog-dir
         env:
         - name: IMAGE
           value: quay.io/openshift/origin-oauth-server:v4.2
@@ -55,6 +65,39 @@ spec:
             fieldRef:
               fieldPath: metadata.name
         terminationMessagePolicy: FallbackToLogsOnError
+      - name: authentication-operator-watchdog
+        command: ["authentication-operator", "file-watcher-watchdog"]
+        args:
+          - --namespace=$(POD_NAMESPACE)
+          - --termination-grace-period=60s
+          - --files=/var/run/configmaps/trusted-ca-bundle/ca-bundle.crt
+          - --pid-file=/var/run/watchdog/pid
+          - --ready-file=/var/run/watchdog/ready
+        securityContext:
+          capabilities:
+            add:
+              - SYS_PTRACE
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        image: quay.io/openshift/origin-cluster-authentication-operator:v4.0
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+          - mountPath: /var/run/configmaps/trusted-ca-bundle/
+            name: trusted-ca-bundle
+          - mountPath: /var/run/watchdog
+            name: watchdog-dir
+        terminationMessagePolicy: FallbackToLogsOnError
+        resources:
+          requests:
+            memory: 50Mi
+            cpu: 10m
       volumes:
       - name: config
         configMap:
@@ -68,6 +111,8 @@ spec:
         secret:
           secretName: serving-cert
           optional: true
+      - emptyDir: {}
+        name: watchdog-dir
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: "system-cluster-critical"
diff --git a/pkg/operator2/operator.go b/pkg/operator2/operator.go
index 4b59cb651e..63f976659f 100644
--- a/pkg/operator2/operator.go
+++ b/pkg/operator2/operator.go
@@ -530,7 +530,9 @@ func (c *authOperator) checkDeploymentReady(deployment *appsv1.Deployment, opera
 func (c *authOperator) checkRouteHealthy(route *routev1.Route, routerSecret *corev1.Secret, ingress *configv1.Ingress) (ready bool, msg, reason string, err error) {
 	caData := routerSecretToCA(route, routerSecret, ingress)
 
-	rt, err := transportFor("", caData, nil, nil)
+	// FIXME: this reads too often, either always merge system-trust store in transportForInner or keep this in memory
+	systemCaData, _ := ioutil.ReadFile("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
+	rt, err := transportFor("", append(caData, systemCaData...), nil, nil)
 	if err != nil {
 		return false, "", "FailedTransport", fmt.Errorf("failed to build transport for route: %v", err)
 	}