OCPBUGS-26983: rollout monitoring plugin on TLS rotation

This commit ensures that the monitoring plugin's pods get redeployed when the TLS serving certificate is rotated. Signed-off-by: Simon Pasquier <spasquie@redhat.com>
openshift · Jan 15, 2024 · 826fb20 · 826fb20
1 parent 8b449ad
commit 826fb20
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 5 deletions.
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
@@ -45,6 +45,7 @@ import (
 	policyv1 "k8s.io/api/policy/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	"k8s.io/utils/ptr"
@@ -2881,7 +2882,7 @@ func (f *Factory) MonitoringPlugin() (*consolev1.ConsolePlugin, error) {
 	return f.NewConsolePlugin(f.assets.MustNewAssetSlice(MonitoringPlugin))
 }
 
-func (f *Factory) MonitoringPluginDeployment() (*appsv1.Deployment, error) {
+func (f *Factory) MonitoringPluginDeployment(tlsSecret *v1.Secret) (*appsv1.Deployment, error) {
 	d, err := f.NewDeployment(f.assets.MustNewAssetSlice(MonitoringPluginDeployment))
 	if err != nil {
 		return nil, err
@@ -2900,6 +2901,15 @@ func (f *Factory) MonitoringPluginDeployment() (*appsv1.Deployment, error) {
 
 	containers[idx].Image = f.config.Images.MonitoringPlugin
 
+	// Hash the TLS secret and propagate it as an annotation to the
+	// deployment's pods to trigger a new rollout when the TLS certificate/key
+	// are rotated.
+	h := fnv.New64()
+	for _, k := range sets.StringKeySet[[]byte](tlsSecret.Data).List() {
+		h.Write(tlsSecret.Data[k])
+	}
+	d.Spec.Template.Annotations["monitoring.openshift.io/hash"] = strconv.FormatUint(h.Sum64(), 32)
+
 	cfg := f.config.ClusterMonitoringConfiguration.MonitoringPluginConfig
 	if cfg == nil {
 		return d, nil

diff --git a/pkg/tasks/monitoring_plugin.go b/pkg/tasks/monitoring_plugin.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
 
 	"github.com/openshift/cluster-monitoring-operator/pkg/client"
@@ -93,7 +94,7 @@ func (t *MonitoringPluginTask) Run(ctx context.Context) error {
 		}
 	}
 
-	{ // service
+	{
 		svc, err := t.factory.MonitoringPluginService()
 		if err != nil {
 			return fmt.Errorf("initializing Console Plugin Service failed: %w", err)
@@ -102,10 +103,19 @@ func (t *MonitoringPluginTask) Run(ctx context.Context) error {
 		if err = t.client.CreateOrUpdateService(ctx, svc); err != nil {
 			return fmt.Errorf("reconciling Console Plugin Service failed: %w", err)
 		}
-	}
 
-	{ // deployment
-		d, err := t.factory.MonitoringPluginDeployment()
+		secret, err := t.client.WaitForSecretByNsName(
+			ctx,
+			types.NamespacedName{
+				Namespace: svc.Namespace,
+				Name:      svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"],
+			},
+		)
+		if err != nil {
+			return err
+		}
+
+		d, err := t.factory.MonitoringPluginDeployment(secret)
 		if err != nil {
 			return fmt.Errorf("initializing Console Plugin Deployment failed: %w", err)
 		}