Add redeploy on serving cert and operator pod template change

Author: stlaz

pkg/operator2/ca.go

@@ -15,18 +15,19 @@ const (
 	injectCABundleAnnotationValue = "true"
 )
 
-func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, error) {
+func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, *corev1.Secret, error) {
 	cm := c.configMaps.ConfigMaps(targetName)
+	secret := c.secrets.Secrets(targetName)
 	serviceCA, err := cm.Get(serviceCAName, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		serviceCA, err = cm.Create(defaultServiceCA())
 	}
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if len(serviceCA.Data[serviceCAKey]) == 0 {
-		return nil, fmt.Errorf("config map has no service ca data: %#v", serviceCA)
+		return nil, nil, fmt.Errorf("config map has no service ca data: %#v", serviceCA)
 	}
 
 	if err := isValidServiceCA(serviceCA); err != nil {
@@ -36,10 +37,15 @@ func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, error) {
 		if err := cm.Delete(serviceCA.Name, opts); err != nil && !errors.IsNotFound(err) {
 			glog.Infof("failed to delete invalid service CA config map: %v", err)
 		}
-		return nil, err
+		return nil, nil, err
 	}
 
-	return serviceCA, nil
+	servingCert, err := secret.Get(servingCertName, metav1.GetOptions{})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return serviceCA, servingCert, nil
 }
 
 func isValidServiceCA(ca *corev1.ConfigMap) error {

pkg/operator2/operator.go

@@ -28,8 +28,9 @@ import (
 )
 
 const (
-	targetName       = "openshift-authentication"
-	globalConfigName = "cluster"
+	targetName         = "openshift-authentication"
+	targetNameOperator = "openshift-authentication-operator"
+	globalConfigName   = "cluster"
 
 	machineConfigNamespace = "openshift-config-managed"
 	userConfigNamespace    = "openshift-config"
@@ -176,11 +177,11 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	}
 	resourceVersions = append(resourceVersions, route.GetResourceVersion())
 
-	serviceCA, err := c.handleServiceCA()
+	serviceCA, servingCert, err := c.handleServiceCA()
 	if err != nil {
 		return err
 	}
-	resourceVersions = append(resourceVersions, serviceCA.GetResourceVersion())
+	resourceVersions = append(resourceVersions, serviceCA.GetResourceVersion(), servingCert.GetResourceVersion())
 
 	metadata, _, err := resourceapply.ApplyConfigMap(c.configMaps, c.recorder, getMetadataConfigMap(route))
 	if err != nil {
@@ -231,9 +232,14 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	}
 	resourceVersions = append(resourceVersions, cliConfig.GetResourceVersion())
 
+	operatorDeploymentRV, err := c.getOperatorDeploymentResourceVersion()
+	if err != nil {
+		return err
+	}
+	resourceVersions = append(resourceVersions, operatorDeploymentRV)
+
 	// deployment, have RV of all resources
 	// TODO use ExpectedDeploymentGeneration func
-	// TODO we also need the RV for the serving-cert secret (servingCertName)
 	expectedDeployment := defaultDeployment(
 		operatorConfig,
 		syncData,
@@ -280,3 +286,13 @@ func getPrefixFilter() controller.Filter {
 		DeleteFunc: prefix,
 	}
 }
+
+func (c *authOperator) getOperatorDeploymentResourceVersion() (string, error) {
+	deployments := c.deployments.Deployments(targetNameOperator)
+	operator, err := deployments.Get(targetNameOperator, metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	return operator.GetResourceVersion(), nil
+}