diff --git a/pkg/cmd/certregenerationcontroller/cmd.go b/pkg/cmd/certregenerationcontroller/cmd.go index bd2ffa1493..37fec2ff0c 100644 --- a/pkg/cmd/certregenerationcontroller/cmd.go +++ b/pkg/cmd/certregenerationcontroller/cmd.go @@ -6,6 +6,7 @@ import ( "time" "github.com/spf13/cobra" + "k8s.io/klog/v2" "k8s.io/client-go/kubernetes" "k8s.io/utils/clock" @@ -14,8 +15,9 @@ import ( configeversionedclient "github.com/openshift/client-go/config/clientset/versioned" configexternalinformers "github.com/openshift/client-go/config/informers/externalversions" "github.com/openshift/library-go/pkg/controller/controllercmd" - "github.com/openshift/library-go/pkg/operator/certrotation" + "github.com/openshift/library-go/pkg/operator/configobserver/featuregates" "github.com/openshift/library-go/pkg/operator/genericoperatorclient" + "github.com/openshift/library-go/pkg/operator/status" "github.com/openshift/library-go/pkg/operator/v1helpers" "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator" @@ -86,6 +88,23 @@ func (o *Options) Run(ctx context.Context) error { configInformers := configexternalinformers.NewSharedInformerFactory(configClient, 10*time.Minute) + desiredVersion := status.VersionForOperatorFromEnv() + missingVersion := "0.0.1-snapshot" + featureGateAccessor := featuregates.NewFeatureGateAccess( + desiredVersion, missingVersion, + configInformers.Config().V1().ClusterVersions(), configInformers.Config().V1().FeatureGates(), + o.controllerContext.EventRecorder, + ) + + select { + case <-featureGateAccessor.InitialFeatureGatesObserved(): + featureGates, _ := featureGateAccessor.CurrentFeatureGates() + klog.Infof("FeatureGates initialized: knownFeatureGates=%v", featureGates.KnownFeatures()) + case <-time.After(1 * time.Minute): + klog.Errorf("timed out waiting for FeatureGate detection") + return fmt.Errorf("timed out waiting for FeatureGate detection") + } + kubeAPIServerInformersForNamespaces := v1helpers.NewKubeInformersForNamespaces( kubeClient, operatorclient.GlobalMachineSpecifiedConfigNamespace, @@ -106,18 +125,13 @@ func (o *Options) Run(ctx context.Context) error { return err } - certRotationScale, err := certrotation.GetCertRotationScale(ctx, kubeClient, operatorclient.GlobalUserSpecifiedConfigNamespace) - if err != nil { - return err - } - kubeAPIServerCertRotationController, err := certrotationcontroller.NewCertRotationControllerOnlyWhenExpired( kubeClient, operatorClient, configInformers, kubeAPIServerInformersForNamespaces, o.controllerContext.EventRecorder, - certRotationScale, + featureGateAccessor, ) if err != nil { return err @@ -148,6 +162,10 @@ func (o *Options) Run(ctx context.Context) error { caBundleController.Run(ctx) }() + go func() { + featureGateAccessor.Run(ctx) + }() + <-ctx.Done() return nil diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go index 53e330ecc1..c100e7b686 100644 --- a/pkg/operator/certrotationcontroller/certrotationcontroller.go +++ b/pkg/operator/certrotationcontroller/certrotationcontroller.go @@ -14,12 +14,14 @@ import ( "k8s.io/client-go/util/workqueue" "k8s.io/klog/v2" + features "github.com/openshift/api/features" configinformers "github.com/openshift/client-go/config/informers/externalversions" configlisterv1 "github.com/openshift/client-go/config/listers/config/v1" "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient" - "github.com/openshift/library-go/pkg/controller/factory" + "github.com/openshift/library-go/pkg/controller/factory" "github.com/openshift/library-go/pkg/operator/certrotation" + "github.com/openshift/library-go/pkg/operator/configobserver/featuregates" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/v1helpers" ) @@ -53,7 +55,7 @@ func NewCertRotationController( configInformer configinformers.SharedInformerFactory, kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces, eventRecorder events.Recorder, - day time.Duration, + featureGateAccessor featuregates.FeatureGateAccess, ) (*CertRotationController, error) { return newCertRotationController( kubeClient, @@ -61,7 +63,7 @@ func NewCertRotationController( configInformer, kubeInformersForNamespaces, eventRecorder, - day, + featureGateAccessor, false, ) } @@ -72,7 +74,7 @@ func NewCertRotationControllerOnlyWhenExpired( configInformer configinformers.SharedInformerFactory, kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces, eventRecorder events.Recorder, - day time.Duration, + featureGateAccessor featuregates.FeatureGateAccess, ) (*CertRotationController, error) { return newCertRotationController( kubeClient, @@ -80,7 +82,7 @@ func NewCertRotationControllerOnlyWhenExpired( configInformer, kubeInformersForNamespaces, eventRecorder, - day, + featureGateAccessor, true, ) } @@ -91,7 +93,7 @@ func newCertRotationController( configInformer configinformers.SharedInformerFactory, kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces, eventRecorder events.Recorder, - day time.Duration, + featureGateAccessor featuregates.FeatureGateAccess, refreshOnlyWhenExpired bool, ) (*CertRotationController, error) { ret := &CertRotationController{ @@ -118,14 +120,13 @@ func newCertRotationController( configInformer.Config().V1().Infrastructures().Informer().AddEventHandler(ret.externalLoadBalancerHostnameEventHandler()) rotationDay := defaultRotationDay - if day != time.Duration(0) { - rotationDay = day - klog.Warningf("!!! UNSUPPORTED VALUE SET !!!") - klog.Warningf("Certificate rotation base set to %q", rotationDay) - } else { - // for the development cycle, make the rotation 60 times faster (every twelve hours or so). - // This must be reverted before we ship - rotationDay = rotationDay / 60 + featureGates, err := featureGateAccessor.CurrentFeatureGates() + if err != nil { + return nil, fmt.Errorf("unable to get FeatureGates: %w", err) + } + + if featureGates.Enabled(features.FeatureShortCertRotation) { + rotationDay = time.Minute } certRotator := certrotation.NewCertRotationController( diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go index 26140c01c6..efe33e3ffa 100644 --- a/pkg/operator/starter.go +++ b/pkg/operator/starter.go @@ -43,7 +43,6 @@ import ( "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/webhooksupportabilitycontroller" "github.com/openshift/library-go/pkg/controller/controllercmd" "github.com/openshift/library-go/pkg/operator/apiserver/controller/auditpolicy" - "github.com/openshift/library-go/pkg/operator/certrotation" "github.com/openshift/library-go/pkg/operator/configobserver/featuregates" "github.com/openshift/library-go/pkg/operator/encryption" "github.com/openshift/library-go/pkg/operator/encryption/controllers/migrators" @@ -355,18 +354,13 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle controllerContext.EventRecorder, ) - certRotationScale, err := certrotation.GetCertRotationScale(ctx, kubeClient, operatorclient.GlobalUserSpecifiedConfigNamespace) - if err != nil { - return err - } - certRotationController, err := certrotationcontroller.NewCertRotationController( kubeClient, operatorClient, configInformers, kubeInformersForNamespaces, controllerContext.EventRecorder.WithComponentSuffix("cert-rotation-controller"), - certRotationScale, + featureGateAccessor, ) if err != nil { return err