openservicemesh
diff --git a/‎cmd/osm-bootstrap/osm-bootstrap.go
+6-7 b/‎cmd/osm-bootstrap/osm-bootstrap.go
+6-7
diff --git a/‎cmd/osm-controller/osm-controller.go
+3-6 b/‎cmd/osm-controller/osm-controller.go
+3-6
diff --git a/‎cmd/osm-injector/osm-injector.go
+4-7 b/‎cmd/osm-injector/osm-injector.go
+4-7
diff --git a/‎pkg/catalog/fake/fake.go
+2-1 b/‎pkg/catalog/fake/fake.go
+2-1
diff --git a/‎pkg/catalog/helpers_test.go
+1-1 b/‎pkg/catalog/helpers_test.go
+1-1
diff --git a/‎pkg/certificate/fake_manager.go
+45-1 b/‎pkg/certificate/fake_manager.go
+45-1
diff --git a/‎pkg/certificate/manager.go
+110-22 b/‎pkg/certificate/manager.go
+110-22
@@ -182,9 +182,8 @@ func main() {
 		log.Fatal().Err(err).Msg("Error initializing Kubernetes events recorder")
 	}
 
-	stop := signals.RegisterExitHandlers()
-	_, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	ctx, cancel := context.WithCancel(context.Background())
+	stop := signals.RegisterExitHandlers(cancel)
 
 	// Start the default metrics store
 	metricsstore.DefaultMetricsStore.Start(
@@ -214,14 +213,11 @@ func main() {
 		log.Fatal().Err(err).Msg("Error getting certificate options")
 	}
 
-	// Intitialize certificate manager/provider
-	certManager, err := providers.NewCertificateManager(kubeClient, kubeConfig, cfg, osmNamespace, certOpts, msgBroker)
+	certManager, err := providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace, certOpts, msgBroker, informerCollection, 5*time.Second)
 	if err != nil {
 		events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
 			"Error initializing certificate manager of kind %s", certProviderKind)
 	}
-	// watch for certificate rotation
-	certManager.Start(5*time.Second, stop)
 
 	// Initialize the crd conversion webhook server to support the conversion of OSM's CRDs
 	crdConverterConfig.ListenPort = constants.CRDConversionWebhookPort
@@ -427,6 +423,9 @@ func buildMeshRootCertificate(presetMeshRootCertificateConfigMap *corev1.ConfigM
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: meshRootCertificateName,
+			Annotations: map[string]string{
+				constants.MRCVersionAnnotation: "0",
+			},
 		},
 		Spec: presetMeshRootCertificateSpec,
 		Status: configv1alpha2.MeshRootCertificateStatus{
 
@@ -172,9 +172,8 @@ func main() {
 		events.GenericEventRecorder().FatalEvent(err, events.InvalidCLIParameters, "Error validating CLI parameters")
 	}
 
-	stop := signals.RegisterExitHandlers()
 	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	stop := signals.RegisterExitHandlers(cancel)
 
 	// Start the default metrics store
 	startMetricsStore()
@@ -208,15 +207,13 @@ func main() {
 	}
 
 	// Intitialize certificate manager/provider
-	certManager, err := providers.NewCertificateManager(kubeClient, kubeConfig, cfg, osmNamespace,
-		certOpts, msgBroker)
+	certManager, err := providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
+		certOpts, msgBroker, informerCollection, 5*time.Second)
 
 	if err != nil {
 		events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
 			"Error fetching certificate manager of kind %s", certProviderKind)
 	}
-	// watch for certificate rotation
-	certManager.Start(5*time.Second, stop)
 
 	kubeProvider := kube.NewClient(k8sClient, cfg)
 
 
@@ -160,9 +160,8 @@ func main() {
 		events.GenericEventRecorder().FatalEvent(err, events.InvalidCLIParameters, "Error validating CLI parameters")
 	}
 
-	stop := signals.RegisterExitHandlers()
-	_, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	ctx, cancel := context.WithCancel(context.Background())
+	stop := signals.RegisterExitHandlers(cancel)
 
 	// Start the default metrics store
 	metricsstore.DefaultMetricsStore.Start(
@@ -203,14 +202,12 @@ func main() {
 		log.Fatal().Err(err).Msg("Error getting certificate options")
 	}
 	// Intitialize certificate manager/provider
-	certManager, err := providers.NewCertificateManager(kubeClient, kubeConfig, cfg, osmNamespace,
-		certOpts, msgBroker)
+	certManager, err := providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
+		certOpts, msgBroker, informerCollection, 5*time.Second)
 	if err != nil {
 		events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
 			"Error initializing certificate manager of kind %s", certProviderKind)
 	}
-	// watch for certificate rotation
-	certManager.Start(5*time.Second, stop)
 
 	// Initialize the sidecar injector webhook
 	if err := injector.NewMutatingWebhook(injectorConfig, kubeClient, certManager, kubeController, meshName, osmNamespace, webhookConfigName, osmVersion, webhookTimeout, enableReconciler, stop, cfg, corev1.PullPolicy(osmContainerPullPolicy)); err != nil {
 
@@ -2,6 +2,7 @@ package fake
 
 import (
 	"context"
+	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/onsi/ginkgo"
@@ -54,7 +55,7 @@ func NewFakeMeshCatalog(kubeClient kubernetes.Interface, meshConfigClient config
 
 	cfg := configurator.NewConfigurator(ic, osmNamespace, osmMeshConfigName, nil)
 
-	certManager := tresorFake.NewFake(nil)
+	certManager := tresorFake.NewFake(nil, 1*time.Hour)
 
 	// #1683 tracks potential improvements to the following dynamic mocks
 	mockKubeController.EXPECT().ListServices().DoAndReturn(func() []*corev1.Service {
 
@@ -50,7 +50,7 @@ func newFakeMeshCatalogForRoutes(t *testing.T, testParams testParams) *MeshCatal
 
 	stop := make(chan struct{})
 
-	certManager := tresorFake.NewFake(nil)
+	certManager := tresorFake.NewFake(nil, 1*time.Hour)
 
 	// Create a bookstoreV1 pod
 	bookstoreV1Pod := tests.NewPodFixture(tests.BookstoreV1Service.Namespace, tests.BookstoreV1Service.Name, tests.BookstoreServiceAccountName, tests.PodLabels)
 
@@ -1,11 +1,17 @@
 package certificate
 
 import (
+	"context"
 	"fmt"
-	time "time"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
+
 	"github.com/openservicemesh/osm/pkg/certificate/pem"
+	"github.com/openservicemesh/osm/pkg/constants"
 )
 
 var (
@@ -28,6 +34,42 @@ func (c *fakeMRCClient) List() ([]*v1alpha2.MeshRootCertificate, error) {
 	}}, nil
 }
 
+func (c *fakeMRCClient) Watch(ctx context.Context) (<-chan MRCEvent, error) {
+	ch := make(chan MRCEvent)
+	go func() {
+		ch <- MRCEvent{
+			Type: MRCEventAdded,
+			MRC: &v1alpha2.MeshRootCertificate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "osm-mesh-root-certificate",
+					Namespace: "osm-system",
+					Annotations: map[string]string{
+						constants.MRCVersionAnnotation: "0",
+					},
+				},
+				Spec: v1alpha2.MeshRootCertificateSpec{
+					Provider: v1alpha2.ProviderSpec{
+						Tresor: &v1alpha2.TresorProviderSpec{
+							CA: v1alpha2.TresorCASpec{
+								SecretRef: v1.SecretReference{
+									Name:      "osm-ca-bundle",
+									Namespace: "osm-system",
+								},
+							},
+						},
+					},
+				},
+				Status: v1alpha2.MeshRootCertificateStatus{
+					State: constants.MRCStateActive,
+				},
+			},
+		}
+		close(ch)
+	}()
+
+	return ch, nil
+}
+
 type fakeIssuer struct {
 	err bool
 	id  string
@@ -51,9 +93,11 @@ func (i *fakeIssuer) IssueCertificate(cn CommonName, validityPeriod time.Duratio
 // FakeCertManager is a testing helper that returns a *certificate.Manager
 func FakeCertManager() (*Manager, error) {
 	cm, err := NewManager(
+		context.Background(),
 		&fakeMRCClient{},
 		validity,
 		nil,
+		1*time.Hour,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("error creating fakeCertManager, err: %w", err)
 
@@ -1,52 +1,43 @@
 package certificate
 
 import (
+	"context"
+	"errors"
+	"sync"
 	"time"
 
 	"github.com/rs/zerolog/log"
 
 	"github.com/openservicemesh/osm/pkg/announcements"
+	"github.com/openservicemesh/osm/pkg/constants"
 	"github.com/openservicemesh/osm/pkg/errcode"
 	"github.com/openservicemesh/osm/pkg/k8s/events"
 	"github.com/openservicemesh/osm/pkg/messaging"
 )
 
-// NewManager creates a new CertManager with the passed CA and CA Private Key
-func NewManager(mrcClient MRCClient, serviceCertValidityDuration time.Duration, msgBroker *messaging.Broker) (*Manager, error) {
-	// TODO(#4502): transition this call to a watch function that knows how to handle multiple MRC and can react to changes.
-	mrcs, err := mrcClient.List()
-	if err != nil {
-		return nil, err
+// NewManager creates a new CertificateManager with the passed MRCClient and options
+func NewManager(ctx context.Context, mrcClient MRCClient, serviceCertValidityDuration time.Duration, msgBroker *messaging.Broker, checkInterval time.Duration) (*Manager, error) {
+	m := &Manager{
+		serviceCertValidityDuration: serviceCertValidityDuration,
+		msgBroker:                   msgBroker,
 	}
 
-	client, ca, clientID, err := mrcClient.GetCertIssuerForMRC(mrcs[0])
+	err := m.start(ctx, mrcClient)
 	if err != nil {
 		return nil, err
 	}
 
-	c := &issuer{Issuer: client, ID: clientID, CertificateAuthority: ca, TrustDomain: mrcs[0].Spec.TrustDomain}
-
-	m := &Manager{
-		// The signingIssuer is responsible for signing all newly issued certificates
-		// The validatingIssuer is the issuer that issued existing certificates.
-		// its underlying cert is still in the validating trust store
-		signingIssuer:               c,
-		validatingIssuer:            c,
-		serviceCertValidityDuration: serviceCertValidityDuration,
-		msgBroker:                   msgBroker,
-	}
+	m.startRotationTicker(ctx, checkInterval)
 	return m, nil
 }
 
-// Start takes an interval to check if the certificate
-// needs to be rotated
-func (m *Manager) Start(checkInterval time.Duration, stop <-chan struct{}) {
+func (m *Manager) startRotationTicker(ctx context.Context, checkInterval time.Duration) {
 	ticker := time.NewTicker(checkInterval)
 	go func() {
 		m.checkAndRotate()
 		for {
 			select {
-			case <-stop:
+			case <-ctx.Done():
 				ticker.Stop()
 				return
 			case <-ticker.C:
@@ -56,6 +47,103 @@ func (m *Manager) Start(checkInterval time.Duration, stop <-chan struct{}) {
 	}()
 }
 
+func (m *Manager) start(ctx context.Context, mrcClient MRCClient) error {
+	// start a watch and we wait until the manager is initialized so that
+	// the caller gets a manager that's ready to be used
+	var once sync.Once
+	var wg sync.WaitGroup
+	mrcEvents, err := mrcClient.Watch(ctx)
+	if err != nil {
+		return err
+	}
+
+	wg.Add(1)
+
+	go func(wg *sync.WaitGroup, once *sync.Once) {
+		for {
+			select {
+			case <-ctx.Done():
+				if err := ctx.Err(); err != nil {
+					log.Error().Err(err).Msg("context canceled with error. stopping MRC watch...")
+					return
+				}
+
+				log.Info().Msg("context canceled. stopping MRC watch...")
+				return
+			case event, open := <-mrcEvents:
+				if !open {
+					// channel was closed; return
+					log.Info().Msg("stopping MRC watch...")
+					return
+				}
+
+				err = m.handleMRCEvent(mrcClient, event)
+				if err != nil {
+					log.Error().Err(err).Msgf("error encountered processing MRCEvent")
+					continue
+				}
+			}
+
+			if m.signingIssuer != nil && m.validatingIssuer != nil {
+				once.Do(func() {
+					wg.Done()
+				})
+			}
+		}
+	}(&wg, &once)
+
+	done := make(chan struct{})
+
+	// Wait for WaitGroup to finish and notify select when it does
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-time.After(10 * time.Second):
+		// We timed out
+		return errors.New("manager initialization timed out. Make sure your MeshRootCertificate(s) are valid")
+	case <-done:
+	}
+
+	return nil
+}
+
+func (m *Manager) handleMRCEvent(mrcClient MRCClient, event MRCEvent) error {
+	switch event.Type {
+	case MRCEventAdded:
+		mrc := event.MRC
+		if mrc.Status.State == constants.MRCStateError {
+			log.Debug().Msgf("skipping MRC with error state %s", mrc.GetName())
+			return nil
+		}
+
+		client, ca, clientID, err := mrcClient.GetCertIssuerForMRC(mrc)
+		if err != nil {
+			return err
+		}
+
+		c := &issuer{Issuer: client, ID: clientID, CertificateAuthority: ca}
+		switch {
+		case mrc.Status.State == constants.MRCStateActive:
+			m.signingIssuer = c
+			m.validatingIssuer = c
+		case mrc.Status.State == constants.MRCStateIssuingRollback || mrc.Status.State == constants.MRCStateIssuingRollout:
+			m.signingIssuer = c
+		case mrc.Status.State == constants.MRCStateValidatingRollback || mrc.Status.State == constants.MRCStateValidatingRollout:
+			m.validatingIssuer = c
+		default:
+			m.signingIssuer = c
+			m.validatingIssuer = c
+		}
+	case MRCEventUpdated:
+		// TODO
+	}
+
+	return nil
+}
+
 // GetTrustDomain returns the trust domain from the configured signingkey issuer.
 // Note that the CRD uses a default, so this value will always be set.
 func (m *Manager) GetTrustDomain() string {