Add redeploy on serving cert and operator pod template change

Author: stlaz

pkg/operator2/ca.go

@@ -15,18 +15,19 @@ const (
 	injectCABundleAnnotationValue = "true"
 )
 
-func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, error) {
+func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, *corev1.Secret, error) {
 	cm := c.configMaps.ConfigMaps(targetName)
+	sscsSecrets := c.secrets.Secrets("openshift-service-cert-signer")
 	serviceCA, err := cm.Get(serviceCAName, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		serviceCA, err = cm.Create(defaultServiceCA())
 	}
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if len(serviceCA.Data[serviceCAKey]) == 0 {
-		return nil, fmt.Errorf("config map has no service ca data: %#v", serviceCA)
+		return nil, nil, fmt.Errorf("config map has no service ca data: %#v", serviceCA)
 	}
 
 	if err := isValidServiceCA(serviceCA); err != nil {
@@ -36,10 +37,15 @@ func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, error) {
 		if err := cm.Delete(serviceCA.Name, opts); err != nil && !errors.IsNotFound(err) {
 			glog.Infof("failed to delete invalid service CA config map: %v", err)
 		}
-		return nil, err
+		return nil, nil, err
 	}
 
-	return serviceCA, nil
+	servingCert, err := sscsSecrets.Get("service-serving-cert-signer-serving-cert", metav1.GetOptions{})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return serviceCA, servingCert, nil
 }
 
 func isValidServiceCA(ca *corev1.ConfigMap) error {

pkg/operator2/operator.go

@@ -1,6 +1,8 @@
 package operator2
 
 import (
+	"crypto/sha512"
+	"encoding/base64"
 	"strings"
 
 	"github.com/golang/glog"
@@ -176,11 +178,12 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	}
 	resourceVersions = append(resourceVersions, route.GetResourceVersion())
 
-	serviceCA, err := c.handleServiceCA()
+	serviceCA, servingCert, err := c.handleServiceCA()
 	if err != nil {
 		return err
 	}
 	resourceVersions = append(resourceVersions, serviceCA.GetResourceVersion())
+	resourceVersions = append(resourceVersions, servingCert.GetResourceVersion())
 
 	metadata, _, err := resourceapply.ApplyConfigMap(c.configMaps, c.recorder, getMetadataConfigMap(route))
 	if err != nil {
@@ -231,9 +234,14 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	}
 	resourceVersions = append(resourceVersions, cliConfig.GetResourceVersion())
 
+	operatorPodTemplateHash, err := c.getOperatorDeploymentPodTemplateHash()
+	if err != nil {
+		return err
+	}
+	resourceVersions = append(resourceVersions, operatorPodTemplateHash)
+
 	// deployment, have RV of all resources
 	// TODO use ExpectedDeploymentGeneration func
-	// TODO we also need the RV for the serving-cert secret (servingCertName)
 	expectedDeployment := defaultDeployment(
 		operatorConfig,
 		syncData,
@@ -280,3 +288,14 @@ func getPrefixFilter() controller.Filter {
 		DeleteFunc: prefix,
 	}
 }
+
+func (c *authOperator) getOperatorDeploymentPodTemplateHash() (string, error) {
+	deployments := c.deployments.Deployments(operatorNamespace)
+	operator, err := deployments.Get("openshift-authentication-operator", metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	templateHash := sha512.Sum512([]byte(operator.Spec.Template.String()))
+	return base64.RawURLEncoding.EncodeToString(templateHash[:]), nil
+}