diff --git a/go.mod b/go.mod
index 1ba8cf7815..d8ba779415 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 github.com/openshift/api v0.0.0-20240527133614-ba11c1587003
 github.com/openshift/build-machinery-go v0.0.0-20240419090851-af9c868bcf52
 github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87
- github.com/openshift/library-go v0.0.0-20240619120114-0c65da30ad30
+ github.com/openshift/library-go v0.0.0-20240816092752-e21e7889fd1a
 github.com/pkg/profile v1.5.0 // indirect
 github.com/prometheus/client_golang v1.16.0
 github.com/spf13/cobra v1.7.0
diff --git a/go.sum b/go.sum
index f329379a57..54ce862766 100644
--- a/go.sum
+++ b/go.sum
@@ -156,8 +156,8 @@ github.com/openshift/build-machinery-go v0.0.0-20240419090851-af9c868bcf52 h1:bq
 github.com/openshift/build-machinery-go v0.0.0-20240419090851-af9c868bcf52/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87 h1:JtLhaGpSEconE+1IKmIgCOof/Len5ceG6H1pk43yv5U=
 github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87/go.mod h1:3IPD4U0qyovZS4EFady2kqY32m8lGcbs/Wx+yprg9z8=
-github.com/openshift/library-go v0.0.0-20240619120114-0c65da30ad30 h1:c9PNqAVBbnsR4Ro+P2e2Ih3aacnq5l1IfGX5985Rd7c=
-github.com/openshift/library-go v0.0.0-20240619120114-0c65da30ad30/go.mod h1:PdASVamWinll2BPxiUpXajTwZxV8A1pQbWEsCN1od7I=
+github.com/openshift/library-go v0.0.0-20240816092752-e21e7889fd1a h1:9FpF0oGwE+ENdD4z0yWIxg04b/Ej3APWJRXO4z/b9bM=
+github.com/openshift/library-go v0.0.0-20240816092752-e21e7889fd1a/go.mod h1:PdASVamWinll2BPxiUpXajTwZxV8A1pQbWEsCN1od7I=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.5.0 h1:042Buzk+NhDI+DeSAA62RwJL8VAuZUMQZUjCsRz1Mug=
diff --git a/vendor/github.com/openshift/library-go/pkg/controller/factory/controller_context.go b/vendor/github.com/openshift/library-go/pkg/controller/factory/controller_context.go index 15b8bdf706..88436c9f10 100644 --- a/vendor/github.com/openshift/library-go/pkg/controller/factory/controller_context.go +++ b/vendor/github.com/openshift/library-go/pkg/controller/factory/controller_context.go @@ -96,6 +96,7 @@ func (c syncContext) enqueueKeys(keys ...string) { // (or its tombstone) is a namespace and it matches a name of any namespaces // that we are interested in func namespaceChecker(interestingNamespaces []string) func(obj interface{}) bool { + // This is used for quick lookups in informers interestingNamespacesSet := sets.New(interestingNamespaces...) return func(obj interface{}) bool { diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go index 7ec91f7863..1cb4685b1f 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go @@ -21,7 +21,7 @@ import ( "github.com/openshift/library-go/pkg/certs" "github.com/openshift/library-go/pkg/crypto" "github.com/openshift/library-go/pkg/operator/events" - "github.com/openshift/library-go/pkg/operator/resource/resourceapply" + "github.com/openshift/library-go/pkg/operator/resource/resourcehelper" ) // CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from RotatedSigningCASecret, and by removing expired old ones. 
@@ -41,9 +41,12 @@ type CABundleConfigMap struct { EventRecorder events.Recorder } -func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingCertKeyPair *crypto.CA) ([]*x509.Certificate, error) { +func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingCertKeyPair *crypto.CA, signingCertKeyPairLocation string) ([]*x509.Certificate, error) { // by this point we have current signing cert/key pair. We now need to make sure that the ca-bundle configmap has this cert and // doesn't have any expired certs + updateRequired := false + creationRequired := false + originalCABundleConfigMap, err := c.Lister.ConfigMaps(c.Namespace).Get(c.Name) if err != nil && !apierrors.IsNotFound(err) { return nil, err 
@@ -56,36 +59,50 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC c.Namespace, c.AdditionalAnnotations, )} + creationRequired = true } - needsMetadataUpdate := false + needsOwnerUpdate := false if c.Owner != nil { - needsMetadataUpdate = ensureOwnerReference(&caBundleConfigMap.ObjectMeta, c.Owner) - } - needsMetadataUpdate = c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&caBundleConfigMap.ObjectMeta) || needsMetadataUpdate - if needsMetadataUpdate && len(caBundleConfigMap.ResourceVersion) > 0 { - _, _, err := resourceapply.ApplyConfigMap(ctx, c.Client, c.EventRecorder, caBundleConfigMap) - if err != nil { - return nil, err - } + needsOwnerUpdate = ensureOwnerReference(&caBundleConfigMap.ObjectMeta, c.Owner) } + needsMetadataUpdate := c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&caBundleConfigMap.ObjectMeta) + updateRequired = needsOwnerUpdate || needsMetadataUpdate updatedCerts, err := manageCABundleConfigMap(caBundleConfigMap, signingCertKeyPair.Config.Certs[0]) if err != nil { return nil, err } if originalCABundleConfigMap == nil || originalCABundleConfigMap.Data == nil || !equality.Semantic.DeepEqual(originalCABundleConfigMap.Data, caBundleConfigMap.Data) { - c.EventRecorder.Eventf("CABundleUpdateRequired", "%q in %q requires a new cert", c.Name, c.Namespace) + reason := "" + if creationRequired { + reason = "configmap doesn't exist" + } else if originalCABundleConfigMap.Data == nil { + reason = "configmap is empty" + } else if !equality.Semantic.DeepEqual(originalCABundleConfigMap.Data, caBundleConfigMap.Data) { + reason = fmt.Sprintf("signer update %s", signingCertKeyPairLocation) + } + c.EventRecorder.Eventf("CABundleUpdateRequired", "%q in %q requires a new cert: %s", c.Name, c.Namespace, reason) LabelAsManagedConfigMap(caBundleConfigMap, CertificateTypeCABundle) - actualCABundleConfigMap, modified, err := resourceapply.ApplyConfigMap(ctx, c.Client, c.EventRecorder, caBundleConfigMap) + updateRequired = true + } + + 
if creationRequired { + actualCABundleConfigMap, err := c.Client.ConfigMaps(c.Namespace).Create(ctx, caBundleConfigMap, metav1.CreateOptions{}) + resourcehelper.ReportCreateEvent(c.EventRecorder, actualCABundleConfigMap, err) if err != nil { return nil, err } - if modified { - klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name) + klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name) + caBundleConfigMap = actualCABundleConfigMap + } else if updateRequired { + actualCABundleConfigMap, err := c.Client.ConfigMaps(c.Namespace).Update(ctx, caBundleConfigMap, metav1.UpdateOptions{}) + resourcehelper.ReportUpdateEvent(c.EventRecorder, actualCABundleConfigMap, err) + if err != nil { + return nil, err } - + klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name) caBundleConfigMap = actualCABundleConfigMap } diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go index 5159f562a3..71ae47ff1f 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go 
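Review bot: Both new klog lines in this hunk pass their arguments in the wrong order for the format string: `"Created ca-bundle.crt configmap %s/%s with:\n%s"` is given `(bundleString, Namespace, Name)`, so the log reads `configmap <PEM bundle>/<namespace> with: <name>`. Change both to `klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name, certs.CertificateBundleToString(updatedCerts))` and the same argument order for the `Updated` line. The removed `Updated` line had the identical ordering, so this is inherited, but the new Create branch duplicates it rather than fixing it. The rest of `EnsureConfigMapCABundle`, including its return, lies outside the hunk; this is vendored library-go, so the fix belongs upstream.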
@@ -121,13 +121,17 @@ func (c CertRotationController) Sync(ctx context.Context, syncCtx factory.SyncCo
 return syncErr
 }
+func (c CertRotationController) getSigningCertKeyPairLocation() string {
+ return fmt.Sprintf("%s/%s", c.RotatedSelfSignedCertKeySecret.Namespace, c.RotatedSelfSignedCertKeySecret.Name)
+}
+
 func (c CertRotationController) SyncWorker(ctx context.Context) error {
 signingCertKeyPair, _, err := c.RotatedSigningCASecret.EnsureSigningCertKeyPair(ctx)
 if err != nil {
 return err
 }
- cabundleCerts, err := c.CABundleConfigMap.EnsureConfigMapCABundle(ctx, signingCertKeyPair)
+ cabundleCerts, err := c.CABundleConfigMap.EnsureConfigMapCABundle(ctx, signingCertKeyPair, c.getSigningCertKeyPairLocation())
 if err != nil {
 return err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
index 4cf805bb7b..2eb761bbb3 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go
@@ -8,13 +8,14 @@ import (
 "github.com/openshift/library-go/pkg/crypto"
 "github.com/openshift/library-go/pkg/operator/events"
- "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 corev1informers "k8s.io/client-go/informers/core/v1"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 corev1listers "k8s.io/client-go/listers/core/v1"
+ "k8s.io/klog/v2"
 )
 // RotatedSigningCASecret rotates a self-signed signing CA stored in a secret. It creates a new one when
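Review bot: `getSigningCertKeyPairLocation` returns the namespace/name of `c.RotatedSelfSignedCertKeySecret`, which is the target cert secret, while both its name and its only use — the `signingCertKeyPairLocation` argument that the cabundle hunk formats into the `CABundleUpdateRequired` event as "signer update <location>" — refer to the signer, which `SyncWorker` reads from `c.RotatedSigningCASecret` two lines below. An operator tracing why a CA bundle changed would be pointed at the wrong secret. Change it to `return fmt.Sprintf("%s/%s", c.RotatedSigningCASecret.Namespace, c.RotatedSigningCASecret.Name)`. This is vendored library-go, so the fix belongs upstream, but the wrong location is what this repo will emit after the bump.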
@@ -52,17 +53,13 @@ type RotatedSigningCASecret struct { Lister corev1listers.SecretLister Client corev1client.SecretsGetter EventRecorder events.Recorder - - // Deprecated: DO NOT enable, it is intended as a short term hack for a very specific use case, - // and it works in tandem with a particular carry patch applied to the openshift kube-apiserver. - // we will remove this when we migrate all of the affected secret - // objects to their intended type: https://issues.redhat.com/browse/API-1800 - UseSecretUpdateOnly bool } // EnsureSigningCertKeyPair manages the entire lifecycle of a signer cert as a secret, from creation to continued rotation. // It always returns the currently used CA pair, a bool indicating whether it was created/updated within this function call and an error. func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*crypto.CA, bool, error) { + creationRequired := false + updateRequired := false originalSigningCertKeyPairSecret, err := c.Lister.Secrets(c.Namespace).Get(c.Name) if err != nil && !apierrors.IsNotFound(err) { return nil, false, err 
@@ -78,25 +75,20 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (* ), Type: corev1.SecretTypeTLS, } + creationRequired = true } - applyFn := resourceapply.ApplySecret - if c.UseSecretUpdateOnly { - applyFn = resourceapply.ApplySecretDoNotUse - } - - // apply necessary metadata (possibly via delete+recreate) if secret exists - // this is done before content update to prevent unexpected rollouts - if ensureMetadataUpdate(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(signingCertKeyPairSecret) { - actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret) - if err != nil { - return nil, false, err - } - signingCertKeyPairSecret = actualSigningCertKeyPairSecret - } + // run Update if metadata needs changing + needsMetadataUpdate := ensureMetadataUpdate(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) + needsTypeChange := ensureSecretTLSTypeSet(signingCertKeyPairSecret) + updateRequired = needsMetadataUpdate || needsTypeChange + // run Update if signer content needs changing signerUpdated := false - if needed, reason := needNewSigningCertKeyPair(signingCertKeyPairSecret.Annotations, c.Refresh, c.RefreshOnlyWhenExpired); needed { + if needed, reason := needNewSigningCertKeyPair(signingCertKeyPairSecret, c.Refresh, c.RefreshOnlyWhenExpired); needed || creationRequired { + if creationRequired { + reason = "secret doesn't exist" + } c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason) if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, c.Validity); err != nil { return nil, false, err 
@@ -104,13 +96,28 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (* LabelAsManagedSecret(signingCertKeyPairSecret, CertificateTypeSigner) - actualSigningCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret) + updateRequired = true + signerUpdated = true + } + + if creationRequired { + actualSigningCertKeyPairSecret, err := c.Client.Secrets(c.Namespace).Create(ctx, signingCertKeyPairSecret, metav1.CreateOptions{}) + resourcehelper.ReportCreateEvent(c.EventRecorder, actualSigningCertKeyPairSecret, err) if err != nil { return nil, false, err } + klog.V(2).Infof("Created secret %s/%s", actualSigningCertKeyPairSecret.Namespace, actualSigningCertKeyPairSecret.Name) + signingCertKeyPairSecret = actualSigningCertKeyPairSecret + } else if updateRequired { + actualSigningCertKeyPairSecret, err := c.Client.Secrets(c.Namespace).Update(ctx, signingCertKeyPairSecret, metav1.UpdateOptions{}) + resourcehelper.ReportUpdateEvent(c.EventRecorder, actualSigningCertKeyPairSecret, err) + if err != nil { + return nil, false, err + } + klog.V(2).Infof("Updated secret %s/%s", actualSigningCertKeyPairSecret.Namespace, actualSigningCertKeyPairSecret.Name) signingCertKeyPairSecret = actualSigningCertKeyPairSecret - signerUpdated = true } + // at this point, the secret has the correct signer, so we should read that signer to be able to sign signingCertKeyPair, err := crypto.GetCAFromBytes(signingCertKeyPairSecret.Data["tls.crt"], signingCertKeyPairSecret.Data["tls.key"]) if err != nil { 
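Review bot: The `updateRequired` branch issues a plain `Update` even when the flag was set by `needsTypeChange` in the previous hunk, but a Secret's `type` is immutable on the API server, so an existing non-TLS secret can never be migrated this way and the controller would fail with Invalid on every sync; the removed `ApplySecret` path covered this "possibly via delete+recreate" according to the deleted comment. If `ensureSecretTLSTypeSet` can flip the type of an existing secret (its body is outside this diff), either keep a delete+recreate branch for that one case — and log it loudly, since a crash between the two calls loses the CA key — or return an explicit error naming the secret, e.g. `return nil, false, fmt.Errorf("secret %s/%s has a non-TLS type which cannot be changed in place", c.Namespace, c.Name)`, rather than retrying forever. The same Update-only shape appears in `EnsureTargetCertKeyPair` in target.go. `EnsureSigningCertKeyPair` continues past the hunk; this is vendored library-go and should be raised upstream.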
@@ -136,7 +143,8 @@ func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference) return false } -func needNewSigningCertKeyPair(annotations map[string]string, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) { +func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) { + annotations := secret.Annotations notBefore, notAfter, reason := getValidityFromAnnotations(annotations) if len(reason) > 0 { return true, reason @@ -153,7 +161,7 @@ func needNewSigningCertKeyPair(annotations map[string]string, refresh time.Durat validity := notAfter.Sub(notBefore) at80Percent := notAfter.Add(-validity / 5) if time.Now().After(at80Percent) { - return true, fmt.Sprintf("past its latest possible time %v", at80Percent) + return true, fmt.Sprintf("past refresh time (80%% of validity): %v", at80Percent) } developerSpecifiedRefresh := notBefore.Add(refresh) diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go index 99bdc93bea..b68aea1633 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go @@ -12,11 +12,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apiserver/pkg/authentication/user" + "k8s.io/klog/v2" "github.com/openshift/library-go/pkg/certs" "github.com/openshift/library-go/pkg/crypto" "github.com/openshift/library-go/pkg/operator/events" - "github.com/openshift/library-go/pkg/operator/resource/resourceapply" + "github.com/openshift/library-go/pkg/operator/resource/resourcehelper" corev1informers "k8s.io/client-go/informers/core/v1" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" corev1listers "k8s.io/client-go/listers/core/v1" 
@@ -68,19 +69,13 @@ type RotatedSelfSignedCertKeySecret struct { Lister corev1listers.SecretLister Client corev1client.SecretsGetter EventRecorder events.Recorder - - // Deprecated: DO NOT eanble, it is intended as a short term hack for a very specific use case, - // and it works in tandem with a particular carry patch applied to the openshift kube-apiserver. - // we will remove this when we migrate all of the affected secret - // objects to their intended type: https://issues.redhat.com/browse/API-1800 - UseSecretUpdateOnly bool } type TargetCertCreator interface { // NewCertificate creates a new key-cert pair with the given signer. NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) // NeedNewTargetCertKeyPair decides whether a new cert-key pair is needed. It returns a non-empty reason if it is the case. - NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string + NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string // SetAnnotations gives an option to override or set additional annotations SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string } @@ -96,6 +91,9 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont // validity percentage. We always check to see if we need to sign. Often we are signing with an old key or we have no target // and need to mint one // TODO do the cross signing thing, but this shows the API consumers want and a very simple impl. + + creationRequired := false + updateRequired := false originalTargetCertKeyPairSecret, err := c.Lister.Secrets(c.Namespace).Get(c.Name) if err != nil && !apierrors.IsNotFound(err) { return nil, err 
@@ -111,24 +109,14 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont ), Type: corev1.SecretTypeTLS, } + creationRequired = true } - applyFn := resourceapply.ApplySecret - if c.UseSecretUpdateOnly { - applyFn = resourceapply.ApplySecretDoNotUse - } - - // apply necessary metadata (possibly via delete+recreate) if secret exists - // this is done before content update to prevent unexpected rollouts - if ensureMetadataUpdate(targetCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(targetCertKeyPairSecret) { - actualTargetCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, targetCertKeyPairSecret) - if err != nil { - return nil, err - } - targetCertKeyPairSecret = actualTargetCertKeyPairSecret - } + needsMetadataUpdate := ensureMetadataUpdate(targetCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) + needsTypeChange := ensureSecretTLSTypeSet(targetCertKeyPairSecret) + updateRequired = needsMetadataUpdate || needsTypeChange - if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired); len(reason) > 0 { + if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired, creationRequired); len(reason) > 0 { c.EventRecorder.Eventf("TargetUpdateRequired", "%q in %q requires a new target cert/key pair: %v", c.Name, c.Namespace, reason) if err := setTargetCertKeyPairSecret(targetCertKeyPairSecret, c.Validity, signingCertKeyPair, c.CertCreator, c.AdditionalAnnotations); err != nil { return nil, err 
@@ -136,17 +124,35 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont LabelAsManagedSecret(targetCertKeyPairSecret, CertificateTypeTarget) - actualTargetCertKeyPairSecret, _, err := applyFn(ctx, c.Client, c.EventRecorder, targetCertKeyPairSecret) + updateRequired = true + } + if creationRequired { + actualTargetCertKeyPairSecret, err := c.Client.Secrets(c.Namespace).Create(ctx, targetCertKeyPairSecret, metav1.CreateOptions{}) + resourcehelper.ReportCreateEvent(c.EventRecorder, actualTargetCertKeyPairSecret, err) + if err != nil { + return nil, err + } + klog.V(2).Infof("Created secret %s/%s", actualTargetCertKeyPairSecret.Namespace, actualTargetCertKeyPairSecret.Name) + targetCertKeyPairSecret = actualTargetCertKeyPairSecret + } else if updateRequired { + actualTargetCertKeyPairSecret, err := c.Client.Secrets(c.Namespace).Update(ctx, targetCertKeyPairSecret, metav1.UpdateOptions{}) + resourcehelper.ReportUpdateEvent(c.EventRecorder, actualTargetCertKeyPairSecret, err) if err != nil { return nil, err } + klog.V(2).Infof("Updated secret %s/%s", actualTargetCertKeyPairSecret.Namespace, actualTargetCertKeyPairSecret.Name) targetCertKeyPairSecret = actualTargetCertKeyPairSecret } return targetCertKeyPairSecret, nil } -func needNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string { +func needNewTargetCertKeyPair(secret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string { + if creationRequired { + return "secret doesn't exist" + } + + annotations := secret.Annotations if reason := needNewTargetCertKeyPairForTime(annotations, signer, refresh, refreshOnlyWhenExpired); len(reason) > 0 { return reason } 
@@ -203,7 +209,7 @@ func needNewTargetCertKeyPairForTime(annotations map[string]string, signer *cryp validity := notAfter.Sub(notBefore) at80Percent := notAfter.Add(-validity / 5) if time.Now().After(at80Percent) { - return fmt.Sprintf("past its latest possible time %v", at80Percent) + return fmt.Sprintf("past refresh time (80%% of validity): %v", at80Percent) } // If Certificate is past its refresh time, we may have action to take. We only do this if the signer is old enough. @@ -263,8 +269,8 @@ func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duratio return signer.MakeClientCertificateForDuration(r.UserInfo, validity) } -func (r *ClientRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string { - return needNewTargetCertKeyPair(currentCertSecret.Annotations, signer, caBundleCerts, refresh, refreshOnlyWhenExpired) +func (r *ClientRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, exists bool) string { + return needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, exists) } func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { 
@@ -288,8 +294,8 @@ func (r *ServingRotation) RecheckChannel() <-chan struct{} { return r.HostnamesChanged } -func (r *ServingRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string { - reason := needNewTargetCertKeyPair(currentCertSecret.Annotations, signer, caBundleCerts, refresh, refreshOnlyWhenExpired) +func (r *ServingRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string { + reason := needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, creationRequired) if len(reason) > 0 { return reason } @@ -334,8 +340,8 @@ func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duratio return crypto.MakeCAConfigForDuration(signerName, validity, signer) } -func (r *SignerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string { - return needNewTargetCertKeyPair(currentCertSecret.Annotations, signer, caBundleCerts, refresh, refreshOnlyWhenExpired) +func (r *SignerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, exists bool) string { + return needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, exists) } func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { 
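Review bot: `SignerRotation.NeedNewTargetCertKeyPair` here, and `ClientRotation.NeedNewTargetCertKeyPair` in the previous hunk, name the new parameter `exists`, but the `TargetCertCreator` interface and `needNewTargetCertKeyPair` call it `creationRequired` and treat true as "the secret does not exist", so the name reads as the inverse of the value; the `ServingRotation` variant in this hunk already uses the right name. Rename both to `creationRequired`, e.g. `..., refreshOnlyWhenExpired, creationRequired bool) string {` followed by `return needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, creationRequired)`. Vendored library-go; a naming-only change to raise upstream.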
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/featuregate.go b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/featuregate.go
index 33275e0ec0..5792ada3a5 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/featuregate.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/featuregates/featuregate.go
@@ -2,9 +2,9 @@ package featuregates
 import (
 "fmt"
+ "slices"
 configv1 "github.com/openshift/api/config/v1"
- "k8s.io/apimachinery/pkg/util/sets"
 )
 // FeatureGate indicates whether a given feature is enabled or not
@@ -17,22 +17,22 @@ type FeatureGate interface {
 }
 type featureGate struct {
- enabled sets.Set[configv1.FeatureGateName]
- disabled sets.Set[configv1.FeatureGateName]
+ enabled []configv1.FeatureGateName
+ disabled []configv1.FeatureGateName
 }
 func NewFeatureGate(enabled, disabled []configv1.FeatureGateName) FeatureGate {
 return &featureGate{
- enabled: sets.New[configv1.FeatureGateName](enabled...),
- disabled: sets.New[configv1.FeatureGateName](disabled...),
+ enabled: enabled,
+ disabled: disabled,
 }
 }
 func (f *featureGate) Enabled(key configv1.FeatureGateName) bool {
- if f.enabled.Has(key) {
+ if slices.Contains(f.enabled, key) {
 return true
 }
- if f.disabled.Has(key) {
+ if slices.Contains(f.disabled, key) {
 return false
 }
@@ -40,9 +40,9 @@ func (f *featureGate) Enabled(key configv1.FeatureGateName) bool {
 }
 func (f *featureGate) KnownFeatures() []configv1.FeatureGateName {
- allKnown := sets.New[string]()
- allKnown.Insert(FeatureGateNamesToStrings(f.enabled.UnsortedList())...)
- allKnown.Insert(FeatureGateNamesToStrings(f.disabled.UnsortedList())...)
+ allKnown := make([]configv1.FeatureGateName, 0, len(f.enabled)+len(f.disabled))
+ allKnown = append(allKnown, f.enabled...)
+ allKnown = append(allKnown, f.disabled...)
- return StringsToFeatureGateNames(sets.List(allKnown))
+ return allKnown
 }
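Review bot: `NewFeatureGate` now stores the caller's `enabled`/`disabled` slices by reference, so a caller that later appends to or reuses those backing arrays silently changes what `Enabled` returns; the `sets.New` version copied on construction. Use `enabled: slices.Clone(enabled)` and `disabled: slices.Clone(disabled)` in the struct literal to keep the old isolation. `KnownFeatures` also changes contract: `sets.List` returned a sorted, de-duplicated list, whereas the new body returns enabled followed by disabled, unsorted, with a name repeated if it appears in both lists; if any consumer compares or prints it, `slices.Sort(allKnown)` followed by `return slices.Compact(allKnown)` restores the old shape. Vendored library-go; raise upstream.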
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/prune_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/prune_controller.go index e11282f50e..5042812c26 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/prune_controller.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/prune_controller.go @@ -2,6 +2,7 @@ package controllers import ( "context" + "slices" "sort" "time" @@ -10,7 +11,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" utilerrors "k8s.io/apimachinery/pkg/util/errors" - "k8s.io/apimachinery/pkg/util/sets" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" "k8s.io/klog/v2" @@ -160,9 +160,9 @@ NextEncryptionSecret: // remove our finalizer if it is present secret := s.DeepCopy() - if finalizers := sets.New(secret.Finalizers...); finalizers.Has(secrets.EncryptionSecretFinalizer) { - delete(finalizers, secrets.EncryptionSecretFinalizer) - secret.Finalizers = sets.List(finalizers) + idx := slices.Index(secret.Finalizers, secrets.EncryptionSecretFinalizer) + if idx > -1 { + secret.Finalizers = slices.Delete(secret.Finalizers, idx, idx+1) var updateErr error secret, updateErr = c.secretClient.Secrets("openshift-config-managed").Update(ctx, secret, metav1.UpdateOptions{}) deleteErrs = append(deleteErrs, updateErr) diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/admissionregistration.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/admissionregistration.go index 335f571357..88bd00b251 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/admissionregistration.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/admissionregistration.go 
@@ -5,6 +5,7 @@ import ( "fmt" "github.com/openshift/library-go/pkg/operator/events" + "github.com/openshift/library-go/pkg/operator/resource/resourcehelper" "github.com/openshift/library-go/pkg/operator/resource/resourcemerge" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1" @@ -34,7 +35,7 @@ func ApplyMutatingWebhookConfigurationImproved(ctx context.Context, client admis required := requiredOriginal.DeepCopy() actual, err := client.MutatingWebhookConfigurations().Create( ctx, resourcemerge.WithCleanLabelsAndAnnotations(required).(*admissionregistrationv1.MutatingWebhookConfiguration), metav1.CreateOptions{}) - reportCreateEvent(recorder, required, err) + resourcehelper.ReportCreateEvent(recorder, required, err) if err != nil { return nil, false, err } @@ -68,7 +69,7 @@ func ApplyMutatingWebhookConfigurationImproved(ctx context.Context, client admis klog.V(2).Infof("MutatingWebhookConfiguration %q changes: %v", required.GetNamespace()+"/"+required.GetName(), JSONPatchNoError(existing, toWrite)) actual, err := client.MutatingWebhookConfigurations().Update(ctx, toWrite, metav1.UpdateOptions{}) - reportUpdateEvent(recorder, required, err) + resourcehelper.ReportUpdateEvent(recorder, required, err) if err != nil { return nil, false, err } @@ -109,7 +110,7 @@ func ApplyValidatingWebhookConfigurationImproved(ctx context.Context, client adm required := requiredOriginal.DeepCopy() actual, err := client.ValidatingWebhookConfigurations().Create( ctx, resourcemerge.WithCleanLabelsAndAnnotations(required).(*admissionregistrationv1.ValidatingWebhookConfiguration), metav1.CreateOptions{}) - reportCreateEvent(recorder, required, err) + resourcehelper.ReportCreateEvent(recorder, required, err) if err != nil { return nil, false, err } 
@@ -143,7 +144,7 @@ func ApplyValidatingWebhookConfigurationImproved(ctx context.Context, client adm
 klog.V(2).Infof("ValidatingWebhookConfiguration %q changes: %v", required.GetNamespace()+"/"+required.GetName(), JSONPatchNoError(existing, toWrite))
 actual, err := client.ValidatingWebhookConfigurations().Update(ctx, toWrite, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 if err != nil {
 return nil, false, err
 }
@@ -152,6 +153,18 @@ func ApplyValidatingWebhookConfigurationImproved(ctx context.Context, client adm
 return actual, true, nil
 }
+func DeleteValidatingWebhookConfiguration(ctx context.Context, client admissionregistrationclientv1.ValidatingWebhookConfigurationsGetter, recorder events.Recorder, required *admissionregistrationv1.ValidatingWebhookConfiguration) (*admissionregistrationv1.ValidatingWebhookConfiguration, bool, error) {
+ err := client.ValidatingWebhookConfigurations().Delete(ctx, required.Name, metav1.DeleteOptions{})
+ if err != nil && apierrors.IsNotFound(err) {
+ return nil, false, nil
+ }
+ if err != nil {
+ return nil, false, err
+ }
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
+ return nil, true, nil
+}
+
 // copyValidatingWebhookCABundle populates webhooks[].clientConfig.caBundle fields from existing resource if it was set before
 // and is not set in present. This provides upgrade compatibility with service-ca-bundle operator.
 func copyValidatingWebhookCABundle(from, to *admissionregistrationv1.ValidatingWebhookConfiguration) {
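Review bot: In `DeleteValidatingWebhookConfiguration`, `resourcehelper.ReportDeleteEvent(recorder, required, err)` is only reached after both error checks, so `err` is always nil there and a failed delete is never recorded as an event, unlike the Create/Update paths in this file that report before checking `err`. Deleting a ValidatingWebhookConfiguration removes an admission control, so the failure case is the one worth an event: reorder to `if apierrors.IsNotFound(err) { return nil, false, nil }`, then `resourcehelper.ReportDeleteEvent(recorder, required, err)`, then `if err != nil { return nil, false, err }`; the `err != nil &&` in the first check is redundant with `apierrors.IsNotFound(err)`. The delete is by name only with no `Preconditions`, so if a caller can supply the UID of the object it created, passing it would avoid removing a same-named configuration created by someone else. Vendored library-go; raise upstream.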
@@ -184,7 +197,7 @@ func ApplyValidatingAdmissionPolicyV1beta1(ctx context.Context, client admission
 required := requiredOriginal.DeepCopy()
 actual, err := client.ValidatingAdmissionPolicies().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(required).(*admissionregistrationv1beta1.ValidatingAdmissionPolicy), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 if err != nil {
 return nil, false, err
 }
@@ -217,7 +230,66 @@ func ApplyValidatingAdmissionPolicyV1beta1(ctx context.Context, client admission
 klog.V(2).Infof("ValidatingAdmissionPolicyConfigurationV1beta1 %q changes: %v", required.GetNamespace()+"/"+required.GetName(), JSONPatchNoError(existing, toWrite))
 
 actual, err := client.ValidatingAdmissionPolicies().Update(ctx, toWrite, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
+ if err != nil {
+ return nil, false, err
+ }
+ // need to store the original so that the early comparison of hashes is done based on the original, not a mutated copy
+ cache.UpdateCachedResourceMetadata(requiredOriginal, actual)
+ return actual, true, nil
+}
+
+// ApplyValidatingAdmissionPolicyV1 ensures the form of the specified
+// validatingadmissionpolicyconfiguration is present in the API. If it does not exist,
+// it will be created. If it does exist, the metadata of the required
+// validatingadmissionpolicyconfiguration will be merged with the existing validatingadmissionpolicyconfiguration
+// and an update performed if the validatingadmissionpolicyconfiguration spec and metadata differ from
+// the previously required spec and metadata based on generation change.
+func ApplyValidatingAdmissionPolicyV1(ctx context.Context, client admissionregistrationclientv1.ValidatingAdmissionPoliciesGetter, recorder events.Recorder,
+ requiredOriginal *admissionregistrationv1.ValidatingAdmissionPolicy, cache ResourceCache) (*admissionregistrationv1.ValidatingAdmissionPolicy, bool, error) {
+ if requiredOriginal == nil {
+ return nil, false, fmt.Errorf("Unexpected nil instead of an object")
+ }
+
+ existing, err := client.ValidatingAdmissionPolicies().Get(ctx, requiredOriginal.GetName(), metav1.GetOptions{})
+ if apierrors.IsNotFound(err) {
+ required := requiredOriginal.DeepCopy()
+ actual, err := client.ValidatingAdmissionPolicies().Create(
+ ctx, resourcemerge.WithCleanLabelsAndAnnotations(required).(*admissionregistrationv1.ValidatingAdmissionPolicy), metav1.CreateOptions{})
+ resourcehelper.ReportCreateEvent(recorder, required, err)
+ if err != nil {
+ return nil, false, err
+ }
+ // need to store the original so that the early comparison of hashes is done based on the original, not a mutated copy
+ cache.UpdateCachedResourceMetadata(requiredOriginal, actual)
+ return actual, true, nil
+ } else if err != nil {
+ return nil, false, err
+ }
+
+ if cache.SafeToSkipApply(requiredOriginal, existing) {
+ return existing, false, nil
+ }
+
+ required := requiredOriginal.DeepCopy()
+ modified := false
+ existingCopy := existing.DeepCopy()
+
+ resourcemerge.EnsureObjectMeta(&modified, &existingCopy.ObjectMeta, required.ObjectMeta)
+ specEquivalent := equality.Semantic.DeepEqual(existingCopy.Spec, required.Spec)
+ if specEquivalent && !modified {
+ // need to store the original so that the early comparison of hashes is done based on the original, not a mutated copy
+ cache.UpdateCachedResourceMetadata(requiredOriginal, existingCopy)
+ return existingCopy, false, nil
+ }
+ // at this point we know that we're going to perform a write. We're just trying to get the object correct
+ toWrite := existingCopy // shallow copy so the code reads easier
+ toWrite.Spec = required.Spec
+
+ klog.V(2).Infof("ValidatingAdmissionPolicyConfigurationV1 %q changes: %v", required.GetNamespace()+"/"+required.GetName(), JSONPatchNoError(existing, toWrite))
+
+ actual, err := client.ValidatingAdmissionPolicies().Update(ctx, toWrite, metav1.UpdateOptions{})
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 if err != nil {
 return nil, false, err
 }
@@ -243,7 +315,7 @@ func ApplyValidatingAdmissionPolicyBindingV1beta1(ctx context.Context, client ad
 required := requiredOriginal.DeepCopy()
 actual, err := client.ValidatingAdmissionPolicyBindings().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(required).(*admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 if err != nil {
 return nil, false, err
 }
@@ -276,7 +348,66 @@ func ApplyValidatingAdmissionPolicyBindingV1beta1(ctx context.Context, client ad
 klog.V(2).Infof("ValidatingAdmissionPolicyBindingConfigurationV1beta1 %q changes: %v", required.GetNamespace()+"/"+required.GetName(), JSONPatchNoError(existing, toWrite))
 
 actual, err := client.ValidatingAdmissionPolicyBindings().Update(ctx, toWrite, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
+ if err != nil {
+ return nil, false, err
+ }
+ // need to store the original so that the early comparison of hashes is done based on the original, not a mutated copy
+ cache.UpdateCachedResourceMetadata(requiredOriginal, actual)
+ return actual, true, nil
+}
+
+// ApplyValidatingAdmissionPolicyBindingV1 ensures the form of the specified
+// validatingadmissionpolicybindingconfiguration is present in the API. If it does not exist,
+// it will be created. If it does exist, the metadata of the required
+// validatingadmissionpolicybindingconfiguration will be merged with the existing validatingadmissionpolicybindingconfiguration
+// and an update performed if the validatingadmissionpolicybindingconfiguration spec and metadata differ from
+// the previously required spec and metadata based on generation change.
+func ApplyValidatingAdmissionPolicyBindingV1(ctx context.Context, client admissionregistrationclientv1.ValidatingAdmissionPolicyBindingsGetter, recorder events.Recorder,
+ requiredOriginal *admissionregistrationv1.ValidatingAdmissionPolicyBinding, cache ResourceCache) (*admissionregistrationv1.ValidatingAdmissionPolicyBinding, bool, error) {
+ if requiredOriginal == nil {
+ return nil, false, fmt.Errorf("Unexpected nil instead of an object")
+ }
+
+ existing, err := client.ValidatingAdmissionPolicyBindings().Get(ctx, requiredOriginal.GetName(), metav1.GetOptions{})
+ if apierrors.IsNotFound(err) {
+ required := requiredOriginal.DeepCopy()
+ actual, err := client.ValidatingAdmissionPolicyBindings().Create(
+ ctx, resourcemerge.WithCleanLabelsAndAnnotations(required).(*admissionregistrationv1.ValidatingAdmissionPolicyBinding), metav1.CreateOptions{})
+ resourcehelper.ReportCreateEvent(recorder, required, err)
+ if err != nil {
+ return nil, false, err
+ }
+ // need to store the original so that the early comparison of hashes is done based on the original, not a mutated copy
+ cache.UpdateCachedResourceMetadata(requiredOriginal, actual)
+ return actual, true, nil
+ } else if err != nil {
+ return nil, false, err
+ }
+
+ if cache.SafeToSkipApply(requiredOriginal, existing) {
+ return existing, false, nil
+ }
+
+ required := requiredOriginal.DeepCopy()
+ modified := false
+ existingCopy := existing.DeepCopy()
+
+ resourcemerge.EnsureObjectMeta(&modified, &existingCopy.ObjectMeta, required.ObjectMeta)
+ specEquivalent := equality.Semantic.DeepEqual(existingCopy.Spec, required.Spec)
+ if specEquivalent && !modified {
+ // need to store the original so that the early comparison of hashes is done based on the original, not a mutated copy
+ cache.UpdateCachedResourceMetadata(requiredOriginal, existingCopy)
+ return existingCopy, false, nil
+ }
+ // at this point we know that we're going to perform a write. We're just trying to get the object correct
+ toWrite := existingCopy // shallow copy so the code reads easier
+ toWrite.Spec = required.Spec
+
+ klog.V(2).Infof("ValidatingAdmissionPolicyBindingConfigurationV1 %q changes: %v", required.GetNamespace()+"/"+required.GetName(), JSONPatchNoError(existing, toWrite))
+
+ actual, err := client.ValidatingAdmissionPolicyBindings().Update(ctx, toWrite, metav1.UpdateOptions{})
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 if err != nil {
 return nil, false, err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiextensions.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiextensions.go
index 587c9bd556..0e76cf8341 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiextensions.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiextensions.go
@@ -4,6 +4,7 @@ import (
 "context"
 
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 apiextclientv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
@@ -19,7 +20,7 @@ func ApplyCustomResourceDefinitionV1(ctx context.Context, client apiextclientv1.
 requiredCopy := required.DeepCopy()
 actual, err := client.CustomResourceDefinitions().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*apiextensionsv1.CustomResourceDefinition), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -38,7 +39,7 @@ func ApplyCustomResourceDefinitionV1(ctx context.Context, client apiextclientv1.
 }
 
 actual, err := client.CustomResourceDefinitions().Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
 
@@ -51,6 +52,6 @@ func DeleteCustomResourceDefinitionV1(ctx context.Context, client apiextclientv1
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiregistration.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiregistration.go
index 931a6c0e1b..e465438f6b 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiregistration.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apiregistration.go
@@ -11,6 +11,7 @@ import (
 apiregistrationv1client "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/typed/apiregistration/v1"
 
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
 
@@ -21,7 +22,7 @@ func ApplyAPIService(ctx context.Context, client apiregistrationv1client.APIServ
 requiredCopy := required.DeepCopy()
 actual, err := client.APIServices().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*apiregistrationv1.APIService), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -46,6 +47,6 @@ func ApplyAPIService(ctx context.Context, client apiregistrationv1client.APIServ
 klog.Infof("APIService %q changes: %s", existing.Name, JSONPatchNoError(existing, existingCopy))
 }
 actual, err := client.APIServices().Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apps.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apps.go
index 0560c66abc..650cf9b4f8 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apps.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/apps.go
@@ -15,6 +15,7 @@ import (
 appsclientv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
 
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
 
@@ -118,7 +119,7 @@ func ApplyDeploymentWithForce(ctx context.Context, client appsclientv1.Deploymen
 existing, err := client.Deployments(required.Namespace).Get(ctx, required.Name, metav1.GetOptions{})
 if apierrors.IsNotFound(err) {
 actual, err := client.Deployments(required.Namespace).Create(ctx, required, metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -155,7 +156,7 @@ func ApplyDeploymentWithForce(ctx context.Context, client appsclientv1.Deploymen
 }
 
 actual, err := client.Deployments(required.Namespace).Update(ctx, toWrite, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
 
@@ -205,7 +206,7 @@ func ApplyDaemonSetWithForce(ctx context.Context, client appsclientv1.DaemonSets
 existing, err := client.DaemonSets(required.Namespace).Get(ctx, required.Name, metav1.GetOptions{})
 if apierrors.IsNotFound(err) {
 actual, err := client.DaemonSets(required.Namespace).Create(ctx, required, metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -241,6 +242,6 @@ func ApplyDaemonSetWithForce(ctx context.Context, client appsclientv1.DaemonSets
 klog.Infof("DaemonSet %q changes: %v", required.Namespace+"/"+required.Name, JSONPatchNoError(existing, toWrite))
 }
 actual, err := client.DaemonSets(required.Namespace).Update(ctx, toWrite, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go
index ba20f7b1c8..f954d48cc6 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go
@@ -8,6 +8,7 @@ import (
 "strings"
 
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/equality"
@@ -85,15 +86,7 @@ func ApplyConfigMap(ctx context.Context, client coreclientv1.ConfigMapsGetter, r
 
 // ApplySecret merges objectmeta, requires data
 func ApplySecret(ctx context.Context, client coreclientv1.SecretsGetter, recorder events.Recorder, required *corev1.Secret) (*corev1.Secret, bool, error) {
- return applySecretImproved(ctx, client, recorder, required, noCache, false)
-}
-
-// ApplySecretDoNotUse is depreated and will be removed
-// Deprecated: DO NOT USE, it is intended as a short term hack for a very specific use case,
-// and it works in tandem with a particular carry patch applied to the openshift kube-apiserver.
-// Use ApplySecret instead.
-func ApplySecretDoNotUse(ctx context.Context, client coreclientv1.SecretsGetter, recorder events.Recorder, required *corev1.Secret) (*corev1.Secret, bool, error) {
- return applySecretImproved(ctx, client, recorder, required, noCache, true)
+ return ApplySecretImproved(ctx, client, recorder, required, noCache)
 }
 
 // ApplyNamespace merges objectmeta, does not worry about anything else
@@ -103,7 +96,7 @@ func ApplyNamespaceImproved(ctx context.Context, client coreclientv1.NamespacesG
 requiredCopy := required.DeepCopy()
 actual, err := client.Namespaces().
 Create(ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*corev1.Namespace), metav1.CreateOptions{})
- reportCreateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, requiredCopy, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -129,7 +122,7 @@ func ApplyNamespaceImproved(ctx context.Context, client coreclientv1.NamespacesG
 }
 
 actual, err := client.Namespaces().Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -150,7 +143,7 @@ func ApplyServiceImproved(ctx context.Context, client coreclientv1.ServicesGette
 requiredCopy := required.DeepCopy()
 actual, err := client.Services(requiredCopy.Namespace).
 Create(ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*corev1.Service), metav1.CreateOptions{})
- reportCreateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, requiredCopy, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -190,7 +183,7 @@ func ApplyServiceImproved(ctx context.Context, client coreclientv1.ServicesGette
 }
 
 actual, err := client.Services(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -202,7 +195,7 @@ func ApplyPodImproved(ctx context.Context, client coreclientv1.PodsGetter, recor
 requiredCopy := required.DeepCopy()
 actual, err := client.Pods(requiredCopy.Namespace).
 Create(ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*corev1.Pod), metav1.CreateOptions{})
- reportCreateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, requiredCopy, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -228,7 +221,7 @@ func ApplyPodImproved(ctx context.Context, client coreclientv1.PodsGetter, recor
 }
 
 actual, err := client.Pods(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -240,7 +233,7 @@ func ApplyServiceAccountImproved(ctx context.Context, client coreclientv1.Servic
 requiredCopy := required.DeepCopy()
 actual, err := client.ServiceAccounts(requiredCopy.Namespace).
 Create(ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*corev1.ServiceAccount), metav1.CreateOptions{})
- reportCreateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, requiredCopy, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -264,7 +257,7 @@ func ApplyServiceAccountImproved(ctx context.Context, client coreclientv1.Servic
 klog.Infof("ServiceAccount %q changes: %v", required.Namespace+"/"+required.Name, JSONPatchNoError(existing, required))
 }
 actual, err := client.ServiceAccounts(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -276,7 +269,7 @@ func ApplyConfigMapImproved(ctx context.Context, client coreclientv1.ConfigMapsG
 requiredCopy := required.DeepCopy()
 actual, err := client.ConfigMaps(requiredCopy.Namespace).
 Create(ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*corev1.ConfigMap), metav1.CreateOptions{})
- reportCreateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, requiredCopy, err)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
@@ -358,17 +351,13 @@ func ApplyConfigMapImproved(ctx context.Context, client coreclientv1.ConfigMapsG
 if klog.V(2).Enabled() {
 klog.Infof("ConfigMap %q changes: %v", required.Namespace+"/"+required.Name, JSONPatchNoError(existing, required))
 }
- reportUpdateEvent(recorder, required, err, details)
+ resourcehelper.ReportUpdateEvent(recorder, required, err, details)
 cache.UpdateCachedResourceMetadata(required, actual)
 return actual, true, err
 }
 
 // ApplySecret merges objectmeta, requires data
 func ApplySecretImproved(ctx context.Context, client coreclientv1.SecretsGetter, recorder events.Recorder, requiredInput *corev1.Secret, cache ResourceCache) (*corev1.Secret, bool, error) {
- return applySecretImproved(ctx, client, recorder, requiredInput, cache, false)
-}
-
-func applySecretImproved(ctx context.Context, client coreclientv1.SecretsGetter, recorder events.Recorder, requiredInput *corev1.Secret, cache ResourceCache, updateOnly bool) (*corev1.Secret, bool, error) {
 // copy the stringData to data. Error on a data content conflict inside required. This is usually a bug.
 
 existing, err := client.Secrets(requiredInput.Namespace).Get(ctx, requiredInput.Name, metav1.GetOptions{})
@@ -398,7 +387,7 @@ func applySecretImproved(ctx context.Context, client coreclientv1.SecretsGetter,
 requiredCopy := required.DeepCopy()
 actual, err := client.Secrets(requiredCopy.Namespace).
 Create(ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*corev1.Secret), metav1.CreateOptions{})
- reportCreateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, requiredCopy, err)
 cache.UpdateCachedResourceMetadata(requiredInput, actual)
 return actual, true, err
 }
@@ -448,15 +437,9 @@ func applySecretImproved(ctx context.Context, client coreclientv1.SecretsGetter,
 * https://github.com/kubernetes/kubernetes/blob/98e65951dccfd40d3b4f31949c2ab8df5912d93e/pkg/apis/core/validation/validation.go#L5048
 * We need to explicitly opt for delete+create in that case.
 */
- if updateOnly {
- actual, err = client.Secrets(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, existingCopy, err)
- return actual, err == nil, err
- }
-
 if existingCopy.Type == existing.Type {
 actual, err = client.Secrets(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, existingCopy, err)
+ resourcehelper.ReportUpdateEvent(recorder, existingCopy, err)
 
 if err == nil {
 return actual, true, err
@@ -468,12 +451,12 @@ func applySecretImproved(ctx context.Context, client coreclientv1.SecretsGetter,
 
 // if the field was immutable on a secret, we're going to be stuck until we delete it. Try to delete and then create
 deleteErr := client.Secrets(required.Namespace).Delete(ctx, existingCopy.Name, metav1.DeleteOptions{})
- reportDeleteEvent(recorder, existingCopy, deleteErr)
+ resourcehelper.ReportDeleteEvent(recorder, existingCopy, deleteErr)
 
 // clear the RV and track the original actual and error for the return like our create value.
 existingCopy.ResourceVersion = ""
 actual, err = client.Secrets(required.Namespace).Create(ctx, existingCopy, metav1.CreateOptions{})
- reportCreateEvent(recorder, existingCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, existingCopy, err)
 cache.UpdateCachedResourceMetadata(requiredInput, actual)
 return actual, true, err
 }
@@ -620,7 +603,7 @@ func DeleteNamespace(ctx context.Context, client coreclientv1.NamespacesGetter,
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
 
@@ -632,7 +615,7 @@ func DeleteService(ctx context.Context, client coreclientv1.ServicesGetter, reco
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
 
@@ -644,7 +627,7 @@ func DeletePod(ctx context.Context, client coreclientv1.PodsGetter, recorder eve
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
 
@@ -656,7 +639,7 @@ func DeleteServiceAccount(ctx context.Context, client coreclientv1.ServiceAccoun
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
 
@@ -668,7 +651,7 @@ func DeleteConfigMap(ctx context.Context, client coreclientv1.ConfigMapsGetter,
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
 
@@ -680,6 +663,6 @@ func DeleteSecret(ctx context.Context, client coreclientv1.SecretsGetter, record
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/event_helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/event_helpers.go
deleted file mode 100644
index af598993f9..0000000000
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/event_helpers.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package resourceapply
-
-import (
- "fmt"
- "strings"
-
- "k8s.io/apimachinery/pkg/runtime"
-
- openshiftapi "github.com/openshift/api"
-
- "github.com/openshift/library-go/pkg/operator/events"
- "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
-)
-
-var (
- openshiftScheme = runtime.NewScheme()
-)
-
-func init() {
- if err := openshiftapi.Install(openshiftScheme); err != nil {
- panic(err)
- }
-}
-
-func reportCreateEvent(recorder events.Recorder, obj runtime.Object, originalErr error) {
- gvk := resourcehelper.GuessObjectGroupVersionKind(obj)
- if originalErr == nil {
- recorder.Eventf(fmt.Sprintf("%sCreated", gvk.Kind), "Created %s because it was missing", resourcehelper.FormatResourceForCLIWithNamespace(obj))
- return
- }
- recorder.Warningf(fmt.Sprintf("%sCreateFailed", gvk.Kind), "Failed to create %s: %v", resourcehelper.FormatResourceForCLIWithNamespace(obj), originalErr)
-}
-
-func reportUpdateEvent(recorder events.Recorder, obj runtime.Object, originalErr error, details ...string) {
- gvk := resourcehelper.GuessObjectGroupVersionKind(obj)
- switch {
- case originalErr != nil:
- recorder.Warningf(fmt.Sprintf("%sUpdateFailed", gvk.Kind), "Failed to update %s: %v", resourcehelper.FormatResourceForCLIWithNamespace(obj), originalErr)
- case len(details) == 0:
- recorder.Eventf(fmt.Sprintf("%sUpdated", gvk.Kind), "Updated %s because it changed", resourcehelper.FormatResourceForCLIWithNamespace(obj))
- default:
- recorder.Eventf(fmt.Sprintf("%sUpdated", gvk.Kind), "Updated %s:\n%s", resourcehelper.FormatResourceForCLIWithNamespace(obj), strings.Join(details, "\n"))
- }
-}
-
-func reportDeleteEvent(recorder events.Recorder, obj runtime.Object, originalErr error, details ...string) {
- gvk := resourcehelper.GuessObjectGroupVersionKind(obj)
- switch {
- case originalErr != nil:
- recorder.Warningf(fmt.Sprintf("%sDeleteFailed", gvk.Kind), "Failed to delete %s: %v", resourcehelper.FormatResourceForCLIWithNamespace(obj), originalErr)
- case len(details) == 0:
- recorder.Eventf(fmt.Sprintf("%sDeleted", gvk.Kind), "Deleted %s", resourcehelper.FormatResourceForCLIWithNamespace(obj))
- default:
- recorder.Eventf(fmt.Sprintf("%sDeleted", gvk.Kind), "Deleted %s:\n%s", resourcehelper.FormatResourceForCLIWithNamespace(obj), strings.Join(details, "\n"))
- }
-}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go
index 087893e029..d812254dc7 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go
@@ -335,6 +335,12 @@ func DeleteAll(ctx context.Context, clients *ClientHolder, recorder events.Recor
 } else {
 _, result.Changed, result.Error = DeleteStorageClass(ctx, clients.kubeClient.StorageV1(), recorder, t)
 }
+ case *admissionregistrationv1.ValidatingWebhookConfiguration:
+ if clients.kubeClient == nil {
+ result.Error = fmt.Errorf("missing kubeClient")
+ } else {
+ _, result.Changed, result.Error = DeleteValidatingWebhookConfiguration(ctx, clients.kubeClient.AdmissionregistrationV1(), recorder, t)
+ }
 case *storagev1.CSIDriver:
 if clients.kubeClient == nil {
 result.Error = fmt.Errorf("missing kubeClient")
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/migration.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/migration.go
index 7c0dcf6051..2bf3d74b6c 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/migration.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/migration.go
@@ -5,6 +5,7 @@ import (
 "reflect"
 
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -21,7 +22,7 @@ func ApplyStorageVersionMigration(ctx context.Context, client migrationclientv1a
 if apierrors.IsNotFound(err) {
 requiredCopy := required.DeepCopy()
 actual, err := clientInterface.Create(ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*v1alpha1.StorageVersionMigration), metav1.CreateOptions{})
- reportCreateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, requiredCopy, err)
 return actual, true, err
 }
 if err != nil {
@@ -41,7 +42,7 @@ func ApplyStorageVersionMigration(ctx context.Context, client migrationclientv1a
 required.Spec.Resource.DeepCopyInto(&existingCopy.Spec.Resource)
 
 actual, err := clientInterface.Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
 
@@ -54,6 +55,6 @@ func DeleteStorageVersionMigration(ctx context.Context, client migrationclientv1
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/monitoring.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/monitoring.go
index 555f7a3821..8b64f23b72 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/monitoring.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/monitoring.go
@@ -4,6 +4,7 @@ import (
 "context"
 
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "k8s.io/apimachinery/pkg/api/equality"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -150,7 +151,7 @@ func DeletePrometheusRule(ctx context.Context, client dynamic.Interface, recorde
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
 
@@ -163,6 +164,6 @@ func DeleteServiceMonitor(ctx context.Context, client dynamic.Interface, recorde
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/policy.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/policy.go
index 6cf4793253..86d45fad08 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/policy.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/policy.go
@@ -11,6 +11,7 @@ import (
 "k8s.io/klog/v2"
 
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
 
@@ -20,7 +21,7 @@ func ApplyPodDisruptionBudget(ctx context.Context, client policyclientv1.PodDisr
 requiredCopy := required.DeepCopy()
 actual, err := client.PodDisruptionBudgets(required.Namespace).Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*policyv1.PodDisruptionBudget), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -43,7 +44,7 @@ func ApplyPodDisruptionBudget(ctx context.Context, client policyclientv1.PodDisr
 }
 actual, err := client.PodDisruptionBudgets(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
@@ -55,6 +56,6 @@ func DeletePodDisruptionBudget(ctx context.Context, client policyclientv1.PodDis
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go
index 4b45c8818e..223c64d4f8 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/rbac.go
@@ -11,6 +11,7 @@ import (
 "k8s.io/klog/v2"
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
@@ -21,7 +22,7 @@ func ApplyClusterRole(ctx context.Context, client rbacclientv1.ClusterRolesGette
 requiredCopy := required.DeepCopy()
 actual, err := client.ClusterRoles().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*rbacv1.ClusterRole), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -55,7 +56,7 @@ func ApplyClusterRole(ctx context.Context, client rbacclientv1.ClusterRolesGette
 }
 actual, err := client.ClusterRoles().Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
@@ -67,7 +68,7 @@ func ApplyClusterRoleBinding(ctx context.Context, client rbacclientv1.ClusterRol
 requiredCopy := required.DeepCopy()
 actual, err := client.ClusterRoleBindings().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*rbacv1.ClusterRoleBinding), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -110,7 +111,7 @@ func ApplyClusterRoleBinding(ctx context.Context, client rbacclientv1.ClusterRol
 }
 actual, err := client.ClusterRoleBindings().Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportUpdateEvent(recorder, requiredCopy, err)
 return actual, true, err
 }
@@ -121,7 +122,7 @@ func ApplyRole(ctx context.Context, client rbacclientv1.RolesGetter, recorder ev
 requiredCopy := required.DeepCopy()
 actual, err := client.Roles(required.Namespace).Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*rbacv1.Role), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -143,7 +144,7 @@ func ApplyRole(ctx context.Context, client rbacclientv1.RolesGetter, recorder ev
 klog.Infof("Role %q changes: %v", required.Namespace+"/"+required.Name, JSONPatchNoError(existing, existingCopy))
 }
 actual, err := client.Roles(required.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
@@ -155,7 +156,7 @@ func ApplyRoleBinding(ctx context.Context, client rbacclientv1.RoleBindingsGette
 requiredCopy := required.DeepCopy()
 actual, err := client.RoleBindings(required.Namespace).Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*rbacv1.RoleBinding), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -198,7 +199,7 @@ func ApplyRoleBinding(ctx context.Context, client rbacclientv1.RoleBindingsGette
 }
 actual, err := client.RoleBindings(requiredCopy.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, requiredCopy, err)
+ resourcehelper.ReportUpdateEvent(recorder, requiredCopy, err)
 return actual, true, err
 }
@@ -210,7 +211,7 @@ func DeleteClusterRole(ctx context.Context, client rbacclientv1.ClusterRolesGett
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
@@ -222,7 +223,7 @@ func DeleteClusterRoleBinding(ctx context.Context, client rbacclientv1.ClusterRo
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
@@ -234,7 +235,7 @@ func DeleteRole(ctx context.Context, client rbacclientv1.RolesGetter, recorder e
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
@@ -246,6 +247,6 @@ func DeleteRoleBinding(ctx context.Context, client rbacclientv1.RoleBindingsGett
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go
index 1d08e4cca2..3199d2db05 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go
@@ -12,6 +12,7 @@ import (
 "k8s.io/klog/v2"
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
@@ -37,7 +38,7 @@ func ApplyStorageClass(ctx context.Context, client storageclientv1.StorageClasse
 requiredCopy := required.DeepCopy()
 actual, err := client.StorageClasses().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*storagev1.StorageClass), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -84,7 +85,7 @@ func ApplyStorageClass(ctx context.Context, client storageclientv1.StorageClasse
 if storageClassNeedsRecreate(existingCopy, requiredCopy) {
 requiredCopy.ObjectMeta.ResourceVersion = ""
 err = client.StorageClasses().Delete(ctx, existingCopy.Name, metav1.DeleteOptions{})
- reportDeleteEvent(recorder, requiredCopy, err, "Deleting StorageClass to re-create it with updated parameters")
+ resourcehelper.ReportDeleteEvent(recorder, requiredCopy, err, "Deleting StorageClass to re-create it with updated parameters")
 if err != nil && !apierrors.IsNotFound(err) {
 return existing, false, err
 }
@@ -99,13 +100,13 @@ func ApplyStorageClass(ctx context.Context, client storageclientv1.StorageClasse
 } else if err != nil {
 err = fmt.Errorf("failed to re-create StorageClass %s: %s", existingCopy.Name, err)
 }
- reportCreateEvent(recorder, actual, err)
+ resourcehelper.ReportCreateEvent(recorder, actual, err)
 return actual, true, err
 }
 // Only mutable fields need a change
 actual, err := client.StorageClasses().Update(ctx, requiredCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
@@ -153,7 +154,7 @@ func ApplyCSIDriver(ctx context.Context, client storageclientv1.CSIDriversGetter
 requiredCopy := required.DeepCopy()
 actual, err := client.CSIDrivers().Create(
 ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*storagev1.CSIDriver), metav1.CreateOptions{})
- reportCreateEvent(recorder, required, err)
+ resourcehelper.ReportCreateEvent(recorder, required, err)
 return actual, true, err
 }
 if err != nil {
@@ -187,7 +188,7 @@ func ApplyCSIDriver(ctx context.Context, client storageclientv1.CSIDriversGetter
 if sameSpec {
 // Update metadata by a simple Update call
 actual, err := client.CSIDrivers().Update(ctx, existingCopy, metav1.UpdateOptions{})
- reportUpdateEvent(recorder, required, err)
+ resourcehelper.ReportUpdateEvent(recorder, required, err)
 return actual, true, err
 }
@@ -195,7 +196,7 @@ func ApplyCSIDriver(ctx context.Context, client storageclientv1.CSIDriversGetter
 existingCopy.ObjectMeta.ResourceVersion = ""
 // Spec is read-only after creation. Delete and re-create the object
 err = client.CSIDrivers().Delete(ctx, existingCopy.Name, metav1.DeleteOptions{})
- reportDeleteEvent(recorder, existingCopy, err, "Deleting CSIDriver to re-create it with updated parameters")
+ resourcehelper.ReportDeleteEvent(recorder, existingCopy, err, "Deleting CSIDriver to re-create it with updated parameters")
 if err != nil && !apierrors.IsNotFound(err) {
 return existing, false, err
 }
@@ -210,7 +211,7 @@ func ApplyCSIDriver(ctx context.Context, client storageclientv1.CSIDriversGetter
 } else if err != nil {
 err = fmt.Errorf("failed to re-create CSIDriver %s: %s", existingCopy.Name, err)
 }
- reportCreateEvent(recorder, existingCopy, err)
+ resourcehelper.ReportCreateEvent(recorder, existingCopy, err)
 return actual, true, err
 }
@@ -242,7 +243,7 @@ func DeleteStorageClass(ctx context.Context, client storageclientv1.StorageClass
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
@@ -254,6 +255,6 @@ func DeleteCSIDriver(ctx context.Context, client storageclientv1.CSIDriversGette
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/volumesnapshotclass.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/volumesnapshotclass.go
index 4c89e65291..763e03d5d5 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/volumesnapshotclass.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/volumesnapshotclass.go
@@ -13,6 +13,7 @@ import (
 "k8s.io/client-go/dynamic"
 "github.com/openshift/library-go/pkg/operator/events"
+ "github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
 )
 const (
@@ -124,6 +125,6 @@ func DeleteVolumeSnapshotClass(ctx context.Context, client dynamic.Interface, re
 if err != nil {
 return nil, false, err
 }
- reportDeleteEvent(recorder, required, err)
+ resourcehelper.ReportDeleteEvent(recorder, required, err)
 return nil, true, nil
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourcehelper/event_helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourcehelper/event_helpers.go
new file mode 100644
index 0000000000..8e8ebbe96a
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourcehelper/event_helpers.go
@@ -0,0 +1,43 @@
+package resourcehelper
+
+import (
+ "fmt"
+ "strings"
+
+ "k8s.io/apimachinery/pkg/runtime"
+
+ "github.com/openshift/library-go/pkg/operator/events"
+)
+
+func ReportCreateEvent(recorder events.Recorder, obj runtime.Object, originalErr error) {
+ gvk := GuessObjectGroupVersionKind(obj)
+ if originalErr == nil {
+ recorder.Eventf(fmt.Sprintf("%sCreated", gvk.Kind), "Created %s because it was missing", FormatResourceForCLIWithNamespace(obj))
+ return
+ }
+ recorder.Warningf(fmt.Sprintf("%sCreateFailed", gvk.Kind), "Failed to create %s: %v", FormatResourceForCLIWithNamespace(obj), originalErr)
+}
+
+func ReportUpdateEvent(recorder events.Recorder, obj runtime.Object, originalErr error, details ...string) {
+ gvk := GuessObjectGroupVersionKind(obj)
+ switch {
+ case originalErr != nil:
+ recorder.Warningf(fmt.Sprintf("%sUpdateFailed", gvk.Kind), "Failed to update %s: %v", FormatResourceForCLIWithNamespace(obj), originalErr)
+ case len(details) == 0:
+ recorder.Eventf(fmt.Sprintf("%sUpdated", gvk.Kind), "Updated %s because it changed", FormatResourceForCLIWithNamespace(obj))
+ default:
+ recorder.Eventf(fmt.Sprintf("%sUpdated", gvk.Kind), "Updated %s:\n%s", FormatResourceForCLIWithNamespace(obj), strings.Join(details, "\n"))
+ }
+}
+
+func ReportDeleteEvent(recorder events.Recorder, obj runtime.Object, originalErr error, details ...string) {
+ gvk := GuessObjectGroupVersionKind(obj)
+ switch {
+ case originalErr != nil:
+ recorder.Warningf(fmt.Sprintf("%sDeleteFailed", gvk.Kind), "Failed to delete %s: %v", FormatResourceForCLIWithNamespace(obj), originalErr)
+ case len(details) == 0:
+ recorder.Eventf(fmt.Sprintf("%sDeleted", gvk.Kind), "Deleted %s", FormatResourceForCLIWithNamespace(obj))
+ default:
+ recorder.Eventf(fmt.Sprintf("%sDeleted", gvk.Kind), "Deleted %s:\n%s", FormatResourceForCLIWithNamespace(obj), strings.Join(details, "\n"))
+ }
+}
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go
index 6fbf7a06b8..b029b74619 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/staticpod/prune/cmd.go
@@ -5,6 +5,7 @@ import (
 "os"
 "path"
 "path/filepath"
+ "slices"
 "strconv"
 "strings"
 "time"
@@ -13,8 +14,6 @@ import (
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
 "k8s.io/klog/v2"
-
- "k8s.io/apimachinery/pkg/util/sets"
 )
 type PruneOptions struct {
@@ -77,8 +76,6 @@ func (o *PruneOptions) Validate() error {
 }
 func (o *PruneOptions) Run() error {
- protectedIDs := sets.New(o.ProtectedRevisions...)
-
 files, err := os.ReadDir(o.ResourceDir)
 if err != nil {
 return err
@@ -102,7 +99,7 @@ func (o *PruneOptions) Run() error {
 }
 // And is not protected...
- if protected := protectedIDs.Has(revisionID); protected {
+ if protected := slices.Contains(o.ProtectedRevisions, revisionID); protected {
 continue
 }
 // And is less than or equal to the maxEligibleRevisionID
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a36e7ddb3c..8ebb6f7ea2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -343,7 +343,7 @@ github.com/openshift/client-go/security/informers/externalversions/internalinter
 github.com/openshift/client-go/security/informers/externalversions/security
 github.com/openshift/client-go/security/informers/externalversions/security/v1
 github.com/openshift/client-go/security/listers/security/v1
-# github.com/openshift/library-go v0.0.0-20240619120114-0c65da30ad30
+# github.com/openshift/library-go v0.0.0-20240816092752-e21e7889fd1a
 ## explicit; go 1.22.0
 github.com/openshift/library-go/pkg/assets
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer