From 4cb8c15e972f121a43bba25245844fbd6aec2dda Mon Sep 17 00:00:00 2001
From: Maxim Patlasov
Date: Thu, 10 Aug 2023 14:29:51 -0700
Subject: [PATCH] STOR-1442: Restart node Pods if webhook-serving-cert changed
The secret `shared-resource-csi-driver-webhook-serving-cert` is bound to the CA cert by annotation `service.beta.openshift.io/serving-cert-secret-name`. This means that if CA cert is rotated, the secret `shared-resource-csi-driver-webhook-serving-cert` will be automatically updated too. This secret keeps TLS cert and key which are used to secure HTTP connection to webhook server which is started by OpenShift Shared Resource CSI Driver. If cert and key are updated, we need to restart CSI driver Pod to re-read new keys. Otherwise, clients coming with new cert won't be able to communicate with the server running with older key/cert.
---
 pkg/deploymentcontroller/deployment.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/pkg/deploymentcontroller/deployment.go b/pkg/deploymentcontroller/deployment.go
index 0d70fe3b..769da22d 100644
--- a/pkg/deploymentcontroller/deployment.go
+++ b/pkg/deploymentcontroller/deployment.go
@@ -19,6 +19,7 @@ const (
 defaultNamespace = "openshift-cluster-csi-drivers"
 envSharedResourceDriverWebhookImage = "WEBHOOK_IMAGE"
 infraConfigName = "cluster"
+ webhookSecretName = "shared-resource-csi-driver-webhook-serving-cert"
 )
 func NewWebHookDeploymentController(kubeClient kubernetes.Interface,
@@ -28,6 +29,7 @@ func NewWebHookDeploymentController(kubeClient kubernetes.Interface,
 recorder events.Recorder) factory.Controller {
 nodeLister := kubeInformersForNamespaces.InformersFor("").Core().V1().Nodes().Lister()
+ secretInformer := kubeInformersForNamespaces.InformersFor(defaultNamespace).Core().V1().Secrets()
 return deploymentcontroller.NewDeploymentController(
 "SharedResourceCSIDriverWebhookController",
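Review bot: `webhookSecretName` is a coupling point with the manifests, not just a string: it must equal the value of the `service.beta.openshift.io/serving-cert-secret-name` annotation on the webhook Service (named in the commit message), and nothing in this diff ties the two together. A comment on the constant would keep them from drifting silently, e.g. `// webhookSecretName is the Secret that service-ca populates via the webhook Service's service.beta.openshift.io/serving-cert-secret-name annotation; keep in sync with the manifest.`. If the repository has a test that loads the manifests, asserting that annotation value against this constant would make a rename fail loudly instead of leaving the Deployment keyed to a secret that never changes.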
@@ -36,12 +38,20 @@ func NewWebHookDeploymentController(kubeClient kubernetes.Interface,
 operatorClient,
 kubeClient,
 kubeInformersForNamespaces.InformersFor(defaultNamespace).Apps().V1().Deployments(),
- []factory.Informer{configInformer.Config().V1().Infrastructures().Informer()},
+ []factory.Informer{ secretInformer.Informer(), configInformer.Config().V1().Infrastructures().Informer(), },
 []deploymentcontroller.ManifestHookFunc{
 replaceAll("${WEBHOOK_IMAGE}", os.Getenv(envSharedResourceDriverWebhookImage)),
 },
 csidrivercontrollerservicecontroller.WithControlPlaneTopologyHook(configInformer),
 csidrivercontrollerservicecontroller.WithReplicasHook(nodeLister),
+ csidrivercontrollerservicecontroller.WithSecretHashAnnotationHook( defaultNamespace, webhookSecretName, secretInformer, ),
 )
 }
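Review bot: The new `WithSecretHashAnnotationHook` call ties the webhook Deployment to a Secret that service-ca populates only after the webhook Service exists, and if the hook returns an error while the secret is absent (its body is in library-go, outside this diff) the first sync on a fresh install will fail until the secret appears — worth confirming it tolerates NotFound, or adding `// Secret is created by service-ca after the Service exists; the hook must tolerate its absence on first sync.` above the call. With `secretInformer.Informer()` in the trigger list, any Secret event in `openshift-cluster-csi-drivers` now resyncs this Deployment, not only the serving-cert one; harmless, but a one-line comment there would save the next reader a trip into library-go. The commit title says node Pods restart, while this hunk only annotates the webhook Deployment; if the driver DaemonSet also consumes this secret it would need the same hook, which I cannot tell from this page. Assuming the hook writes a digest of the secret data rather than the data itself into the pod template, the security property this commit exists for is that the annotation changes whenever the cert/key data change, and a unit test asserting exactly that on a rotated secret would pin it. The enclosing `NewWebHookDeploymentController` begins in an earlier hunk.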