Merge branch 'master' into set-insecure

pkg/rotator/rotator.go

@@ -51,13 +51,13 @@ var crLog = logf.Log.WithName("cert-rotation")
 type WebhookType int
 
 const (
-	// ValidatingWebhook indicates the webhook is a ValidatingWebhook.
+	// Validating indicates the webhook is a ValidatingWebhook.
 	Validating WebhookType = iota
-	// MutingWebhook indicates the webhook is a MutatingWebhook.
+	// Mutating indicates the webhook is a MutatingWebhook.
 	Mutating
-	// CRDConversionWebhook indicates the webhook is a conversion webhook.
+	// CRDConversion indicates the webhook is a conversion webhook.
 	CRDConversion
-	// APIServiceWebhook indicates the webhook is an extension API server.
+	// APIService indicates the webhook is an extension API server.
 	APIService
 	// ExternalDataProvider indicates the webhook is a Gatekeeper External Data Provider.
 	ExternalDataProvider
@@ -68,6 +68,8 @@ var (
 	_ manager.LeaderElectionRunnable = &CertRotator{}
 	_ manager.Runnable               = controllerWrapper{}
 	_ manager.LeaderElectionRunnable = controllerWrapper{}
+	_ manager.Runnable               = &cacheWrapper{}
+	_ manager.LeaderElectionRunnable = &cacheWrapper{}
 )
 
 type controllerWrapper struct {
@@ -79,6 +81,15 @@ func (cw controllerWrapper) NeedLeaderElection() bool {
 	return cw.needLeaderElection
 }
 
+type cacheWrapper struct {
+	cache.Cache
+	needLeaderElection bool
+}
+
+func (cw *cacheWrapper) NeedLeaderElection() bool {
+	return cw.needLeaderElection
+}
+
 // WebhookInfo is used by the rotator to receive info about resources to be updated with certificates.
 type WebhookInfo struct {
 	// Name is the name of the webhook for a validating or mutating webhook, or the CRD name in case of a CRD conversion webhook
@@ -106,7 +117,7 @@ func AddRotator(mgr manager.Manager, cr *CertRotator) error {
 	if ns == "" {
 		return fmt.Errorf("invalid namespace for secret")
 	}
-	cache, err := addNamespacedCache(mgr, ns)
+	cache, err := addNamespacedCache(mgr, cr, ns)
 	if err != nil {
 		return fmt.Errorf("creating namespaced cache: %w", err)
 	}
@@ -174,7 +185,7 @@ func AddRotator(mgr manager.Manager, cr *CertRotator) error {
 // but will still have cluster-wide visibility into cluster-scoped resources.
 // The cache will be started by the manager when it starts, and consumers should synchronize on
 // it using WaitForCacheSync().
-func addNamespacedCache(mgr manager.Manager, namespace string) (cache.Cache, error) {
+func addNamespacedCache(mgr manager.Manager, cr *CertRotator, namespace string) (cache.Cache, error) {
 	var namespaces map[string]cache.Config
 	if namespace != "" {
 		namespaces = map[string]cache.Config{
@@ -191,13 +202,15 @@ func addNamespacedCache(mgr manager.Manager, namespace string) (cache.Cache, err
 	if err != nil {
 		return nil, err
 	}
-	if err := mgr.Add(c); err != nil {
+	// Wrapping the cache to make sure it's also started when the manager
+	// hasn't been leader elected and CertRotator.RequireLeaderElection is false.
+	if err := mgr.Add(&cacheWrapper{Cache: c, needLeaderElection: cr.RequireLeaderElection}); err != nil {
 		return nil, fmt.Errorf("registering namespaced cache: %w", err)
 	}
 	return c, nil
 }
 
-// SyncingSource is a reader that needs syncing prior to being usable.
+// SyncingReader is a reader that needs syncing prior to being usable.
 type SyncingReader interface {
 	client.Reader
 	WaitForCacheSync(ctx context.Context) bool
@@ -688,9 +701,6 @@ func addController(mgr manager.Manager, r *ReconcileWH) error {
 	if err != nil {
 		return err
 	}
-	if err := mgr.Add(controllerWrapper{c, r.needLeaderElection}); err != nil {
-		return err
-	}
 
 	err = c.Watch(
 		source.Kind(r.cache, &corev1.Secret{}),
@@ -712,7 +722,7 @@ func addController(mgr manager.Manager, r *ReconcileWH) error {
 		}
 	}
 
-	return nil
+	return mgr.Add(controllerWrapper{c, r.needLeaderElection})
 }
 
 var _ reconcile.Reconciler = &ReconcileWH{}