STOR-1442: Restart node Pods if webhook-serving-cert changed

The secret `shared-resource-csi-driver-webhook-serving-cert` is bound to the CA cert by annotation `service.beta.openshift.io/serving-cert-secret-name`. This means that if CA cert is rotated, the secret `shared-resource-csi-driver-webhook-serving-cert` will be automatically updated too. This secret keeps TLS cert and key which are used to secure HTTP connection to webhook server which is started by OpenShift Shared Resource CSI Driver. If cert and key are updated, we need to restart CSI driver Pod to re-read new keys. Otherwise, clients coming with new cert won't be able to communicate with the server running with older key/cert.
openshift · Aug 10, 2023 · 4cb8c15 · 4cb8c15
1 parent c1368dc
commit 4cb8c15
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/pkg/deploymentcontroller/deployment.go b/pkg/deploymentcontroller/deployment.go
@@ -19,6 +19,7 @@ const (
 	defaultNamespace                    = "openshift-cluster-csi-drivers"
 	envSharedResourceDriverWebhookImage = "WEBHOOK_IMAGE"
 	infraConfigName                     = "cluster"
+	webhookSecretName                   = "shared-resource-csi-driver-webhook-serving-cert"
 )
 
 func NewWebHookDeploymentController(kubeClient kubernetes.Interface,
@@ -28,6 +29,7 @@ func NewWebHookDeploymentController(kubeClient kubernetes.Interface,
 	recorder events.Recorder) factory.Controller {
 
 	nodeLister := kubeInformersForNamespaces.InformersFor("").Core().V1().Nodes().Lister()
+	secretInformer := kubeInformersForNamespaces.InformersFor(defaultNamespace).Core().V1().Secrets()
 
 	return deploymentcontroller.NewDeploymentController(
 		"SharedResourceCSIDriverWebhookController",
@@ -36,12 +38,20 @@ func NewWebHookDeploymentController(kubeClient kubernetes.Interface,
 		operatorClient,
 		kubeClient,
 		kubeInformersForNamespaces.InformersFor(defaultNamespace).Apps().V1().Deployments(),
-		[]factory.Informer{configInformer.Config().V1().Infrastructures().Informer()},
+		[]factory.Informer{
+			secretInformer.Informer(),
+			configInformer.Config().V1().Infrastructures().Informer(),
+		},
 		[]deploymentcontroller.ManifestHookFunc{
 			replaceAll("${WEBHOOK_IMAGE}", os.Getenv(envSharedResourceDriverWebhookImage)),
 		},
 		csidrivercontrollerservicecontroller.WithControlPlaneTopologyHook(configInformer),
 		csidrivercontrollerservicecontroller.WithReplicasHook(nodeLister),
+		csidrivercontrollerservicecontroller.WithSecretHashAnnotationHook(
+			defaultNamespace,
+			webhookSecretName,
+			secretInformer,
+		),
 	)
 }