Run cert-rotation controller as a sidecar in the operator too

openshift · May 10, 2024 · d260b03 · d260b03
1 parent 6abd531
commit d260b03
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 20 deletions.
diff --git a/manifests/0000_20_kube-apiserver-operator_06_deployment.yaml b/manifests/0000_20_kube-apiserver-operator_06_deployment.yaml
@@ -72,6 +72,26 @@ spec:
             fieldRef:
               fieldPath: metadata.name
         terminationMessagePolicy: FallbackToLogsOnError
+      - name: cert-regeneration-controller
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+        image: docker.io/openshift/origin-cluster-kube-apiserver-operator:v4.0
+        imagePullPolicy: IfNotPresent
+        terminationMessagePolicy: FallbackToLogsOnError
+        command: ["cluster-kube-apiserver-operator", "cert-regeneration-controller"]
+        args:
+          - --namespace=openshift-kube-apiserver
+          - -v=2
+        resources:
+          requests:
+            memory: 50Mi
+            cpu: 5m
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
       volumes:
       - name: serving-cert
         secret:

diff --git a/pkg/cmd/certregenerationcontroller/cmd.go b/pkg/cmd/certregenerationcontroller/cmd.go
@@ -20,6 +20,7 @@ import (
 
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/certrotationcontroller"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/resourcesynccontroller"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/version"
 )
 
@@ -124,6 +125,16 @@ func (o *Options) Run(ctx context.Context) error {
 		return err
 	}
 
+	resourceSyncController, err := resourcesynccontroller.NewResourceSyncController(
+		operatorClient,
+		kubeAPIServerInformersForNamespaces,
+		kubeClient,
+		o.controllerContext.EventRecorder,
+	)
+	if err != nil {
+		return err
+	}
+
 	// We can't start informers until after the resources have been requested. Now is the time.
 	configInformers.Start(ctx.Done())
 	kubeAPIServerInformersForNamespaces.Start(ctx.Done())
@@ -140,6 +151,10 @@ func (o *Options) Run(ctx context.Context) error {
 		caBundleController.Run(ctx)
 	}()
 
+	go func() {
+		resourceSyncController.Run(ctx, 1)
+	}()
+
 	<-ctx.Done()
 
 	return nil

diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -17,7 +17,6 @@ import (
 	operatorcontrolplaneclient "github.com/openshift/client-go/operatorcontrolplane/clientset/versioned"
 	"github.com/openshift/cluster-kube-apiserver-operator/bindata"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/boundsatokensignercontroller"
-	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/certrotationcontroller"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/certrotationtimeupgradeablecontroller"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configmetrics"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/configobservercontroller"
@@ -35,7 +34,6 @@ import (
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/webhooksupportabilitycontroller"
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
 	"github.com/openshift/library-go/pkg/operator/apiserver/controller/auditpolicy"
-	"github.com/openshift/library-go/pkg/operator/certrotation"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/encryption"
 	"github.com/openshift/library-go/pkg/operator/encryption/controllers/migrators"
@@ -308,23 +306,6 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		controllerContext.EventRecorder,
 	)
 
-	certRotationScale, err := certrotation.GetCertRotationScale(ctx, kubeClient, operatorclient.GlobalUserSpecifiedConfigNamespace)
-	if err != nil {
-		return err
-	}
-
-	certRotationController, err := certrotationcontroller.NewCertRotationController(
-		kubeClient,
-		operatorClient,
-		configInformers,
-		kubeInformersForNamespaces,
-		controllerContext.EventRecorder.WithComponentSuffix("cert-rotation-controller"),
-		certRotationScale,
-	)
-	if err != nil {
-		return err
-	}
-
 	staticPodNodeProvider := encryptiondeployer.StaticPodNodeProvider{OperatorClient: operatorClient}
 	deployer, err := encryptiondeployer.NewRevisionLabelPodDeployer("revision", operatorclient.TargetNamespace, kubeInformersForNamespaces, kubeClient.CoreV1(), kubeClient.CoreV1(), staticPodNodeProvider)
 	if err != nil {
@@ -456,7 +437,6 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 	go nodeKubeconfigController.Run(ctx, 1)
 	go configObserver.Run(ctx, 1)
 	go clusterOperatorStatus.Run(ctx, 1)
-	go certRotationController.Run(ctx, 1)
 	go encryptionControllers.Run(ctx, 1)
 	go certRotationTimeUpgradeableController.Run(ctx, 1)
 	go terminationObserver.Run(ctx, 1)