Fixes

pkg/cmd/render/certs.go

@@ -50,12 +50,12 @@ func createCertSecrets(nodes []*corev1.Node) ([]corev1.Secret, []corev1.ConfigMa
 	// create openshift-config signers first, they will remain in openshift-config and are needed for the controller sync loop to function
 	// TODO(thomas): once the rotation process is in place, we can remove that special case
 	etcdSignerCert := tlshelpers.CreateBootstrapSignerCert(secretInformer, secretLister, secretClient, recorder)
-	_, err := etcdSignerCert.EnsureSigningCertKeyPair(context.Background())
+	_, _, err := etcdSignerCert.EnsureSigningCertKeyPair(context.Background())
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not create etcd signer certificate: %w", err)
 	}
 	metricsSignerCert := tlshelpers.CreateBootstrapMetricsSignerCert(secretInformer, secretLister, secretClient, recorder)
-	_, err = metricsSignerCert.EnsureSigningCertKeyPair(context.Background())
+	_, _, err = metricsSignerCert.EnsureSigningCertKeyPair(context.Background())
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not create etcd metrics signer certificate: %w", err)
 	}

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

@@ -191,18 +191,19 @@ func (c *EtcdCertSignerController) syncAllMasterCertificates(ctx context.Context
 	}
 
 	// EnsureConfigMapCABundle is stateful w.r.t to the configmap it manages, so we can simply add it to the bundle before the new one
-	_, err = c.certConfig.signerCaBundle.EnsureConfigMapCABundle(ctx, signerCaPair)
+	signerName := fmt.Sprintf("%s/%s", operatorclient.GlobalUserSpecifiedConfigNamespace, tlshelpers.EtcdSignerCertSecretName)
+	_, err = c.certConfig.signerCaBundle.EnsureConfigMapCABundle(ctx, signerCaPair, signerName)
 	if err != nil {
 		return fmt.Errorf("error on ensuring signer bundle for existing pair: %w", err)
 	}
 
 	// TODO(thomas): we need to transition that new signer as a replacement for the above - today we only bundle it
-	newSignerCaPair, err := c.certConfig.signerCert.EnsureSigningCertKeyPair(ctx)
+	newSignerCaPair, _, err := c.certConfig.signerCert.EnsureSigningCertKeyPair(ctx)
 	if err != nil {
 		return fmt.Errorf("error on ensuring etcd-signer cert: %w", err)
 	}
 
-	signerBundle, err := c.certConfig.signerCaBundle.EnsureConfigMapCABundle(ctx, newSignerCaPair)
+	signerBundle, err := c.certConfig.signerCaBundle.EnsureConfigMapCABundle(ctx, newSignerCaPair, signerName)
 	if err != nil {
 		return fmt.Errorf("error on ensuring signer bundle for new pair: %w", err)
 	}
@@ -212,23 +213,24 @@ func (c *EtcdCertSignerController) syncAllMasterCertificates(ctx context.Context
 		return fmt.Errorf("error on ensuring etcd client cert: %w", err)
 	}
 
+	metricsSignerSecretName := fmt.Sprintf("%s/%s", operatorclient.GlobalUserSpecifiedConfigNamespace, tlshelpers.EtcdMetricsSignerCertSecretName)
 	metricsSignerCaPair, err := tlshelpers.ReadConfigMetricsSignerCert(ctx, c.secretClient)
 	if err != nil {
 		return err
 	}
 
-	_, err = c.certConfig.metricsSignerCaBundle.EnsureConfigMapCABundle(ctx, metricsSignerCaPair)
+	_, err = c.certConfig.metricsSignerCaBundle.EnsureConfigMapCABundle(ctx, metricsSignerCaPair, metricsSignerSecretName)
 	if err != nil {
 		return fmt.Errorf("error on ensuring metrics signer bundle for existing pair: %w", err)
 	}
 
 	// TODO(thomas): we need to transition that new signer as a replacement for the above - today we only bundle it
-	newMetricsSignerCaPair, err := c.certConfig.metricsSignerCert.EnsureSigningCertKeyPair(ctx)
+	newMetricsSignerCaPair, _, err := c.certConfig.metricsSignerCert.EnsureSigningCertKeyPair(ctx)
 	if err != nil {
 		return fmt.Errorf("error on ensuring metrics-signer cert: %w", err)
 	}
 
-	metricsSignerBundle, err := c.certConfig.metricsSignerCaBundle.EnsureConfigMapCABundle(ctx, newMetricsSignerCaPair)
+	metricsSignerBundle, err := c.certConfig.metricsSignerCaBundle.EnsureConfigMapCABundle(ctx, newMetricsSignerCaPair, metricsSignerSecretName)
 	if err != nil {
 		return fmt.Errorf("error on ensuring metrics signer bundle: %w", err)
 	}