pkg/operator/targetconfigcontroller: wait for kcm-o to generate certs…

… before rollout

Signed-off-by: Sam Batschelet <sbatsche@redhat.com>

pkg/operator/targetconfigcontroller/targetconfigcontroller.go

@@ -114,7 +114,9 @@ func createTargetConfig(c TargetConfigController, recorder events.Recorder, oper
 	if err != nil {
 		return false, err
 	}
-
+	if err := checkExternalDependencies(context.TODO(), c.configMapLister, recorder); err != nil {
+		errors = append(errors, err)
+	}
 	_, _, err = c.manageStandardPod(contentReplacer, c.kubeClient.CoreV1(), recorder, operatorSpec)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/etcd-pod", err))
@@ -246,3 +248,32 @@ func (c *TargetConfigController) namespaceEventHandler() cache.ResourceEventHand
 		},
 	}
 }
+
+// checkExternalDependencies ensures that resources critical to cluster stability are valid before possible disruptive rollout.
+func checkExternalDependencies(ctx context.Context, lister corev1listers.ConfigMapLister, recorder events.Recorder) error {
+	csrControllerCAConfigMap, err := lister.ConfigMaps(operatorclient.GlobalMachineSpecifiedConfigNamespace).Get("csr-controller-ca")
+	if err != nil {
+		return err
+	}
+	if err := checkCSRControllerCAConfigMap(csrControllerCAConfigMap); err != nil {
+		return err
+	}
+	return nil
+}
+
+// checkCSRControllerCA validates that the openshift-config-managed configmap csr-controller-ca contains a
+// CA generated by kube-controller-manager-operator.
+func checkCSRControllerCAConfigMap(csrControllerCAConfigMap *corev1.ConfigMap) error {
+	var isCAManagerExpected bool
+	for _, managedField := range csrControllerCAConfigMap.ManagedFields {
+		if managedField.Manager == "cluster-kube-controller-manager-operator" {
+			isCAManagerExpected = true
+		}
+	}
+
+	if !isCAManagerExpected {
+		return fmt.Errorf("configmap openshift-config-managed/csr-controller-ca field manager is not valid")
+	}
+
+	return nil
+}

pkg/operator/targetconfigcontroller/targetconfigcontroller_test.go

@@ -0,0 +1,52 @@
+package targetconfigcontroller
+
+import (
+	"testing"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func Test_checkCSRControllerCAConfigMap(t *testing.T) {
+	scenarios := []struct {
+		name      string
+		configMap *v1.ConfigMap
+		wantErr   bool
+	}{
+		{
+			name:      "happy path: cluster-kube-controller-manager-operator has generated cert",
+			configMap: csrControllerCAConfigMap("cluster-kube-controller-manager-operator"),
+		},
+		{
+			name:      "cert missing managed fields",
+			configMap: &v1.ConfigMap{},
+			wantErr:   true,
+		},
+		{
+			name:      "unexpected manager",
+			configMap: csrControllerCAConfigMap("foobar"),
+			wantErr:   true,
+		},
+	}
+	for _, scenario := range scenarios {
+		t.Run(scenario.name, func(t *testing.T) {
+			gotErr := checkCSRControllerCAConfigMap(scenario.configMap)
+			if gotErr != nil && !scenario.wantErr {
+				t.Errorf("unexpected expected error %v", gotErr)
+			}
+			if gotErr == nil && scenario.wantErr {
+				t.Errorf("expected error got nil")
+			}
+		})
+	}
+}
+
+func csrControllerCAConfigMap(manager string) *v1.ConfigMap {
+	return &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:          "csr-controller-ca",
+			Namespace:     "openshift-config-managed",
+			ManagedFields: []metav1.ManagedFieldsEntry{{Manager: manager}},
+		},
+	}
+}