waits for requestheader-client-ca-file in extension-apiserver-authent…

…ication before rolling out a new version

pkg/operator/starter.go

@@ -76,6 +76,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		operatorclient.OperatorNamespace,
 		operatorclient.TargetNamespace,
 		etcdobserver.EtcdEndpointNamespace,
+		metav1.NamespaceSystem,
 	)
 	apiregistrationInformers := apiregistrationinformers.NewSharedInformerFactory(apiregistrationv1Client, 10*time.Minute)
 	configInformers := configinformers.NewSharedInformerFactory(configClient, 10*time.Minute)
@@ -146,6 +147,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace),
 		kubeInformersForNamespaces.InformersFor(operatorclient.GlobalUserSpecifiedConfigNamespace),
 		kubeInformersForNamespaces.InformersFor(operatorclient.GlobalUserSpecifiedConfigNamespace),
+		kubeInformersForNamespaces.InformersFor(metav1.NamespaceSystem),
 		apiregistrationInformers,
 		configInformers,
 		nodeInformer,

pkg/operator/workloadcontroller/workload_controller.go

@@ -72,6 +72,7 @@ func NewWorkloadController(
 	kubeInformersForOpenShiftAPIServerNamespace kubeinformers.SharedInformerFactory,
 	kubeInformersForEtcdNamespace kubeinformers.SharedInformerFactory,
 	kubeInformersForOpenShiftConfigNamespace kubeinformers.SharedInformerFactory,
+	kubeInformersForKubeSystemNamespace kubeinformers.SharedInformerFactory,
 	apiregistrationInformers apiregistrationinformers.SharedInformerFactory,
 	configInformers configinformers.SharedInformerFactory,
 	nodeInformer corev1informers.NodeInformer,
@@ -105,6 +106,7 @@ func NewWorkloadController(
 	kubeInformersForOpenShiftAPIServerNamespace.Core().V1().ServiceAccounts().Informer().AddEventHandler(c.eventHandler())
 	kubeInformersForOpenShiftAPIServerNamespace.Core().V1().Services().Informer().AddEventHandler(c.eventHandler())
 	kubeInformersForOpenShiftAPIServerNamespace.Apps().V1().Deployments().Informer().AddEventHandler(c.eventHandler())
+	kubeInformersForKubeSystemNamespace.Core().V1().ConfigMaps().Informer().AddEventHandler(c.eventHandler())
 	kubeInformersForOpenShiftConfigNamespace.Core().V1().ConfigMaps().Informer().AddEventHandler(c.eventHandler())
 	configInformers.Config().V1().Images().Informer().AddEventHandler(c.eventHandler())
 	apiregistrationInformers.Apiregistration().V1().APIServices().Informer().AddEventHandler(c.eventHandler())
@@ -160,18 +162,25 @@ func (c OpenShiftAPIServerOperator) sync() error {
 		return nil
 	}
 
-	// block until extension-apiserver-authentication configmap is available
-	// see https://bugzilla.redhat.com/show_bug.cgi?id=1795163#c19 to check why we have to wait for it
+	// block until extension-apiserver-authentication configmap is fully populated to avoid
+	// that openshift-apiserver starts up with request header setting (which are not dynamically reloaded).
 	// in the future we need to change upstream code to be more dynamic
+	// see https://bugzilla.redhat.com/show_bug.cgi?id=1795163#c19 for more details.
 	if !c.haveObservedExtensionConfigMap {
-		_, err = c.kubeClient.CoreV1().ConfigMaps(metav1.NamespaceSystem).Get("extension-apiserver-authentication", metav1.GetOptions{})
+		authConfigMap, err := c.kubeClient.CoreV1().ConfigMaps(metav1.NamespaceSystem).Get("extension-apiserver-authentication", metav1.GetOptions{})
 		if apierrors.IsNotFound(err) {
 			klog.Infof("Waiting for %q configmap in %q namespace to be available", "extension-apiserver-authentication", metav1.NamespaceSystem)
 			return nil
 		}
 		if err != nil {
 			return err
 		}
+
+		if len(authConfigMap.Data["requestheader-client-ca-file"]) == 0 {
+			klog.Infof("missing requestheader-client-ca-file filed in %q configmap", "extension-apiserver-authentication")
+			// will be requeued by kubeInformersForKubeSystemNamespace informer
+			return nil
+		}
 		c.haveObservedExtensionConfigMap = true
 	}