Ensure removal of 4.4-only resources on downgrade to 4.3

pkg/operator/starter.go

@@ -4,9 +4,13 @@ import (
 	"fmt"
 	"time"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog"
 
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
@@ -114,6 +118,19 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 	kubeInformersNamespaced.Start(ctx.Done())
 	kubeInformersForNamespaces.Start(ctx.Done())
 
+	// Poll every minute to ensure removal of the 4.4 deployment in case of downgrade
+	// to minimize resource usage and the opportunity for contention.
+	deployClient := kubeClient.AppsV1().Deployments(operatorclient.TargetNamespace)
+	deployName := "service-ca"
+	go wait.PollUntil(time.Minute, func() (bool, error) {
+		err := deployClient.Delete(deployName, &metav1.DeleteOptions{})
+		if err == nil || apierrors.IsNotFound(err) {
+			return true, nil
+		}
+		klog.Warningf("Failed to delete 4.4 deployment: %v", err)
+		return false, nil
+	}, ctx.Done())
+
 	go operator.Run(ctx.Done())
 	go clusterOperatorStatus.Run(1, ctx.Done())
 	go resourceSyncController.Run(1, ctx.Done())

pkg/operator/sync.go

@@ -1,11 +1,33 @@
 package operator
 
 import (
+	"sync"
+
 	"k8s.io/klog"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
 )
 
+type TryOnce struct {
+	lock      sync.Mutex
+	succeeded bool
+}
+
+func (o *TryOnce) Do(f func() error) error {
+	o.lock.Lock()
+	defer o.lock.Unlock()
+
+	if o.succeeded {
+		return nil
+	}
+
+	err := f()
+	o.succeeded = err == nil
+	return err
+}
+
+var once = TryOnce{}
+
 func syncControllers(c serviceCAOperator, operatorConfig *operatorv1.ServiceCA) error {
 	// Any modification of resource we want to trickle down to force deploy all of the controllers.
 	// Sync the controller NS and the other resources. These should be mostly static.
@@ -14,6 +36,16 @@ func syncControllers(c serviceCAOperator, operatorConfig *operatorv1.ServiceCA)
 		return err
 	}
 
+	// Remove resources related to the 4.4 controller deployment at most once. These
+	// resources don't constitute an operational concern, so it is not necessarily to
+	// monitor for their presence.
+	//
+	// The 4.4 deployment does have an operational impact, and is continually monitored
+	// for removal via a goroutine started in RunOperator.
+	if err := once.Do(func() error { return cleanupUnifiedDeployment(c) }); err != nil {
+		return err
+	}
+
 	err = manageSignerControllerResources(c, &needsDeploy)
 	if err != nil {
 		return err

pkg/operator/sync_common.go

@@ -23,6 +23,7 @@ import (
 	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
 	"github.com/openshift/service-ca-operator/pkg/controller/api"
+	"github.com/openshift/service-ca-operator/pkg/operator/operatorclient"
 	"github.com/openshift/service-ca-operator/pkg/operator/v4_00_assets"
 )
 
@@ -248,3 +249,41 @@ func manageDeployment(client appsclientv1.AppsV1Interface, eventRecorder events.
 func serviceServingCertSignerName() string {
 	return fmt.Sprintf("%s@%d", "openshift-service-serving-signer", time.Now().Unix())
 }
+
+// cleanupUnifiedDeployment removes resources associated with the unified service ca
+// controller deployment created by the 4.4 operator. This is intended to remove the
+// possibility of contention between the 4.4 deployment and the multiple deployments
+// managed by the 4.3 operator in the event of a downgrade from 4.4 to 4.3.
+func cleanupUnifiedDeployment(c serviceCAOperator) error {
+	klog.V(4).Infof("attempting removal of the unified service ca controller created by the 4.4 operator in namespace %q", operatorclient.TargetNamespace)
+	controllerName := "service-ca"
+	namespace := operatorclient.TargetNamespace
+	configName := fmt.Sprintf("%s-config", controllerName)
+	lockName := fmt.Sprintf("%s-lock", controllerName)
+	saName := fmt.Sprintf("%s-sa", controllerName)
+	roleAndBindingName := fmt.Sprintf("system:openshift:controller:%s", controllerName)
+	delOpts := &metav1.DeleteOptions{}
+	deletionFuncs := []func() error{
+		// Delete ClusterRole system:openshift:controller:{controller name}
+		func() error { return c.rbacv1Client.ClusterRoles().Delete(roleAndBindingName, delOpts) },
+		// Delete ClusterRoleBinding system:openshift:controller:{controller name}
+		func() error { return c.rbacv1Client.ClusterRoleBindings().Delete(roleAndBindingName, delOpts) },
+		// Delete ConfigMap openshift-service-ca/{controller name}-config
+		func() error { return c.corev1Client.ConfigMaps(namespace).Delete(configName, delOpts) },
+		// Delete ConfigMap openshift-service-ca/{controller name}-lock
+		func() error { return c.corev1Client.ConfigMaps(namespace).Delete(lockName, delOpts) },
+		// Delete Role openshift-service-ca/system:openshift:controller:{controller name}
+		func() error { return c.rbacv1Client.Roles(namespace).Delete(roleAndBindingName, delOpts) },
+		// Delete RoleBinding openshift-service-ca/system:openshift:controller:{controller name}
+		func() error { return c.rbacv1Client.RoleBindings(namespace).Delete(roleAndBindingName, delOpts) },
+		// Delete ServiceAccount openshift-service-ca/{controller name}-sa
+		func() error { return c.corev1Client.ServiceAccounts(namespace).Delete(saName, delOpts) },
+	}
+	for _, deletionFunc := range deletionFuncs {
+		err := deletionFunc()
+		if err != nil && !apierrors.IsNotFound(err) {
+			return err
+		}
+	}
+	return nil
+}