Support RefreshOnlyWhenExpired mode in ManageCSRCABundle

openshift · vrutkovs · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025 · Sep 25, 2025
commit f835f28b2d0b6888abde2a44a8f96ea7a6bf95bd
diff --git a/pkg/cmd/recoverycontroller/csrcontroller.go b/pkg/cmd/recoverycontroller/csrcontroller.go
@@ -172,7 +172,7 @@ func (c *CSRController) sync(ctx context.Context) error {
 		klog.Info("Refreshed CSRIntermediateCABundle.")
 	}
 
-	_, changed, err = targetconfigcontroller.ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), c.eventRecorder)
+	_, changed, err = targetconfigcontroller.ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), c.eventRecorder, true)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -222,7 +222,7 @@ func createTargetConfigController(ctx context.Context, syncCtx factory.SyncConte
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-intermediate-ca", err))
 	}
-	_, _, err = ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), syncCtx.Recorder())
+	_, _, err = ManageCSRCABundle(ctx, c.configMapLister, c.kubeClient.CoreV1(), syncCtx.Recorder(), false)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-controller-ca", err))
 	}
@@ -744,7 +744,7 @@ func manageServiceAccountCABundle(ctx context.Context, lister corev1listers.Conf
 	return caBundleConfigMap, false, nil
 }
 
-func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister, client corev1client.ConfigMapsGetter, recorder events.Recorder, refreshOnlyWhenExpired bool) (*corev1.ConfigMap, bool, error) {
 	additionalAnnotations := certrotation.AdditionalAnnotations{
 		JiraComponent: "kube-controller-manager",
 		Description:   "CA to recognize the CSRs (both serving and client) signed by the kube-controller-manager.",
@@ -788,7 +788,7 @@ func ManageCSRCABundle(ctx context.Context, lister corev1listers.ConfigMapLister
 		}
 		klog.V(2).Infof("Created CSR CA bundle configmap %s/%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name)
 		return caBundleConfigMap, true, nil
-	} else if updateRequired {
+	} else if updateRequired && !refreshOnlyWhenExpired {
 		caBundleConfigMap, err = client.ConfigMaps(operatorclient.OperatorNamespace).Update(ctx, requiredConfigMap, metav1.UpdateOptions{})
 		resourcehelper.ReportUpdateEvent(recorder, caBundleConfigMap, err)
 		if err != nil {

diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller_test.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller_test.go
@@ -1049,7 +1049,7 @@ func TestManageCSRCABundle(t *testing.T) {
 			recorder := events.NewInMemoryRecorder("test", clock.RealClock{})
 
 			// Call the function under test
-			resultConfigMap, changed, err := ManageCSRCABundle(context.Background(), lister, client.CoreV1(), recorder)
+			resultConfigMap, changed, err := ManageCSRCABundle(context.Background(), lister, client.CoreV1(), recorder, false)
 
 			// Assert error expectations
 			require.NoError(t, err)

diff --git a/...b.com/openshift/library-go/pkg/operator/resourcesynccontroller/resourcesync_controller.go b/...b.com/openshift/library-go/pkg/operator/resourcesynccontroller/resourcesync_controller.go