OCPBUGS-26983: rollout monitoring plugin on TLS rotation

pkg/manifests/manifests.go

@@ -45,6 +45,7 @@ import (
 	policyv1 "k8s.io/api/policy/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	"k8s.io/utils/ptr"
@@ -2881,7 +2882,7 @@ func (f *Factory) MonitoringPlugin() (*consolev1.ConsolePlugin, error) {
 	return f.NewConsolePlugin(f.assets.MustNewAssetSlice(MonitoringPlugin))
 }
 
-func (f *Factory) MonitoringPluginDeployment() (*appsv1.Deployment, error) {
+func (f *Factory) MonitoringPluginDeployment(tlsSecret *v1.Secret) (*appsv1.Deployment, error) {
 	d, err := f.NewDeployment(f.assets.MustNewAssetSlice(MonitoringPluginDeployment))
 	if err != nil {
 		return nil, err
@@ -2900,6 +2901,11 @@ func (f *Factory) MonitoringPluginDeployment() (*appsv1.Deployment, error) {
 
 	containers[idx].Image = f.config.Images.MonitoringPlugin
 
+	// Hash the TLS secret and propagate it as an annotation to the
+	// deployment's pods to trigger a new rollout when the TLS certificate/key
+	// are rotated.
+	d.Spec.Template.Annotations["monitoring.openshift.io/hash"] = hashSecretData(tlsSecret)
+
 	cfg := f.config.ClusterMonitoringConfiguration.MonitoringPluginConfig
 	if cfg == nil {
 		return d, nil
@@ -3694,3 +3700,15 @@ func containerNameEquals(name string) func(corev1.Container) bool {
 		return c.Name == name
 	}
 }
+
+// hashSecretData hashes the secret's data and returns the hash value as a string.
+func hashSecretData(s *v1.Secret) string {
+	h := fnv.New64()
+	// The data's keys need to be sorted in a predictable order to always
+	// produce the same hash.
+	for _, k := range sets.StringKeySet[[]byte](s.Data).List() {
+		h.Write(s.Data[k])
+	}
+
+	return strconv.FormatUint(h.Sum64(), 32)
+}

pkg/manifests/manifests_test.go

@@ -29,6 +29,7 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/library-go/pkg/crypto"
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	policyv1 "k8s.io/api/policy/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -4717,3 +4718,18 @@ func volumeMountsConfigured(volumeMounts []v1.VolumeMount, volumeName string) bo
 	}
 	return false
 }
+
+func TestHashSecretData(t *testing.T) {
+	s := v1.Secret{
+		Data: map[string][]byte{
+			"key1": []byte("value1"),
+			"key2": []byte("value2"),
+			"key3": []byte("value3"),
+		},
+	}
+
+	h := hashSecretData(&s)
+	for i := 0; i < 100; i++ {
+		require.Equal(t, h, hashSecretData(&s), "hashing not stable")
+	}
+}

pkg/tasks/monitoring_plugin.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
 
 	"github.com/openshift/cluster-monitoring-operator/pkg/client"
@@ -93,7 +94,7 @@ func (t *MonitoringPluginTask) Run(ctx context.Context) error {
 		}
 	}
 
-	{ // service
+	{
 		svc, err := t.factory.MonitoringPluginService()
 		if err != nil {
 			return fmt.Errorf("initializing Console Plugin Service failed: %w", err)
@@ -102,10 +103,19 @@ func (t *MonitoringPluginTask) Run(ctx context.Context) error {
 		if err = t.client.CreateOrUpdateService(ctx, svc); err != nil {
 			return fmt.Errorf("reconciling Console Plugin Service failed: %w", err)
 		}
-	}
 
-	{ // deployment
-		d, err := t.factory.MonitoringPluginDeployment()
+		secret, err := t.client.WaitForSecretByNsName(
+			ctx,
+			types.NamespacedName{
+				Namespace: svc.Namespace,
+				Name:      svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"],
+			},
+		)
+		if err != nil {
+			return err
+		}
+
+		d, err := t.factory.MonitoringPluginDeployment(secret)
 		if err != nil {
 			return fmt.Errorf("initializing Console Plugin Deployment failed: %w", err)
 		}