certrotationcontroller: use minutes instead of days when FeatureShort…

…CertRotation is enabled
openshift · Nov 7, 2024 · 7b119b5 · 7b119b5
1 parent d08ef68
commit 7b119b5
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 28 deletions.
diff --git a/pkg/cmd/certregenerationcontroller/cmd.go b/pkg/cmd/certregenerationcontroller/cmd.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
+	"k8s.io/klog/v2"
 
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/utils/clock"
@@ -14,8 +15,9 @@ import (
 	configeversionedclient "github.com/openshift/client-go/config/clientset/versioned"
 	configexternalinformers "github.com/openshift/client-go/config/informers/externalversions"
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
-	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/genericoperatorclient"
+	"github.com/openshift/library-go/pkg/operator/status"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator"
@@ -86,6 +88,23 @@ func (o *Options) Run(ctx context.Context) error {
 
 	configInformers := configexternalinformers.NewSharedInformerFactory(configClient, 10*time.Minute)
 
+	desiredVersion := status.VersionForOperatorFromEnv()
+	missingVersion := "0.0.1-snapshot"
+	featureGateAccessor := featuregates.NewFeatureGateAccess(
+		desiredVersion, missingVersion,
+		configInformers.Config().V1().ClusterVersions(), configInformers.Config().V1().FeatureGates(),
+		o.controllerContext.EventRecorder,
+	)
+
+	select {
+	case <-featureGateAccessor.InitialFeatureGatesObserved():
+		featureGates, _ := featureGateAccessor.CurrentFeatureGates()
+		klog.Infof("FeatureGates initialized: knownFeatureGates=%v", featureGates.KnownFeatures())
+	case <-time.After(1 * time.Minute):
+		klog.Errorf("timed out waiting for FeatureGate detection")
+		return fmt.Errorf("timed out waiting for FeatureGate detection")
+	}
+
 	kubeAPIServerInformersForNamespaces := v1helpers.NewKubeInformersForNamespaces(
 		kubeClient,
 		operatorclient.GlobalMachineSpecifiedConfigNamespace,
@@ -106,18 +125,13 @@ func (o *Options) Run(ctx context.Context) error {
 		return err
 	}
 
-	certRotationScale, err := certrotation.GetCertRotationScale(ctx, kubeClient, operatorclient.GlobalUserSpecifiedConfigNamespace)
-	if err != nil {
-		return err
-	}
-
 	kubeAPIServerCertRotationController, err := certrotationcontroller.NewCertRotationControllerOnlyWhenExpired(
 		kubeClient,
 		operatorClient,
 		configInformers,
 		kubeAPIServerInformersForNamespaces,
 		o.controllerContext.EventRecorder,
-		certRotationScale,
+		featureGateAccessor,
 	)
 	if err != nil {
 		return err
@@ -148,6 +162,10 @@ func (o *Options) Run(ctx context.Context) error {
 		caBundleController.Run(ctx)
 	}()
 
+	go func() {
+		featureGateAccessor.Run(ctx)
+	}()
+
 	<-ctx.Done()
 
 	return nil

diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go
@@ -14,12 +14,14 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 
+	features "github.com/openshift/api/features"
 	configinformers "github.com/openshift/client-go/config/informers/externalversions"
 	configlisterv1 "github.com/openshift/client-go/config/listers/config/v1"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
-	"github.com/openshift/library-go/pkg/controller/factory"
 
+	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 )
@@ -53,15 +55,15 @@ func NewCertRotationController(
 	configInformer configinformers.SharedInformerFactory,
 	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
 	eventRecorder events.Recorder,
-	day time.Duration,
+	featureGateAccessor featuregates.FeatureGateAccess,
 ) (*CertRotationController, error) {
 	return newCertRotationController(
 		kubeClient,
 		operatorClient,
 		configInformer,
 		kubeInformersForNamespaces,
 		eventRecorder,
-		day,
+		featureGateAccessor,
 		false,
 	)
 }
@@ -72,15 +74,15 @@ func NewCertRotationControllerOnlyWhenExpired(
 	configInformer configinformers.SharedInformerFactory,
 	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
 	eventRecorder events.Recorder,
-	day time.Duration,
+	featureGateAccessor featuregates.FeatureGateAccess,
 ) (*CertRotationController, error) {
 	return newCertRotationController(
 		kubeClient,
 		operatorClient,
 		configInformer,
 		kubeInformersForNamespaces,
 		eventRecorder,
-		day,
+		featureGateAccessor,
 		true,
 	)
 }
@@ -91,7 +93,7 @@ func newCertRotationController(
 	configInformer configinformers.SharedInformerFactory,
 	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
 	eventRecorder events.Recorder,
-	day time.Duration,
+	featureGateAccessor featuregates.FeatureGateAccess,
 	refreshOnlyWhenExpired bool,
 ) (*CertRotationController, error) {
 	ret := &CertRotationController{
@@ -118,14 +120,13 @@ func newCertRotationController(
 	configInformer.Config().V1().Infrastructures().Informer().AddEventHandler(ret.externalLoadBalancerHostnameEventHandler())
 
 	rotationDay := defaultRotationDay
-	if day != time.Duration(0) {
-		rotationDay = day
-		klog.Warningf("!!! UNSUPPORTED VALUE SET !!!")
-		klog.Warningf("Certificate rotation base set to %q", rotationDay)
-	} else {
-		// for the development cycle, make the rotation 60 times faster (every twelve hours or so).
-		// This must be reverted before we ship
-		rotationDay = rotationDay / 60
+	featureGates, err := featureGateAccessor.CurrentFeatureGates()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get FeatureGates: %w", err)
+	}
+
+	if featureGates.Enabled(features.FeatureShortCertRotation) {
+		rotationDay = time.Minute
 	}
 
 	certRotator := certrotation.NewCertRotationController(

diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -43,7 +43,6 @@ import (
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/webhooksupportabilitycontroller"
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
 	"github.com/openshift/library-go/pkg/operator/apiserver/controller/auditpolicy"
-	"github.com/openshift/library-go/pkg/operator/certrotation"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/encryption"
 	"github.com/openshift/library-go/pkg/operator/encryption/controllers/migrators"
@@ -355,18 +354,13 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		controllerContext.EventRecorder,
 	)
 
-	certRotationScale, err := certrotation.GetCertRotationScale(ctx, kubeClient, operatorclient.GlobalUserSpecifiedConfigNamespace)
-	if err != nil {
-		return err
-	}
-
 	certRotationController, err := certrotationcontroller.NewCertRotationController(
 		kubeClient,
 		operatorClient,
 		configInformers,
 		kubeInformersForNamespaces,
 		controllerContext.EventRecorder.WithComponentSuffix("cert-rotation-controller"),
-		certRotationScale,
+		featureGateAccessor,
 	)
 	if err != nil {
 		return err