Don't update certicate secret if exists to prevent multiple updates i…

…f having multiple replicas ```improvement operator The certificate secrets stored by webhooks are no longer updated if they have not been found. This prevents that multiple pods are mutually overwritten each others freshly generated certificates and start serving an different ones. ```
gardener-attic · Aug 13, 2019 · f41e114 · f41e114
1 parent 715b35a
commit f41e114
Showing 1 changed file with 8 additions and 11 deletions.
diff --git a/pkg/webhook/certificates.go b/pkg/webhook/certificates.go
@@ -30,7 +30,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
@@ -86,16 +85,14 @@ func GenerateCertificates(ctx context.Context, mgr manager.Manager, certDir, nam
 		}
 
 		secret.ObjectMeta = metav1.ObjectMeta{Namespace: namespace, Name: certSecretName}
-		if _, err := controllerutil.CreateOrUpdate(ctx, c, secret, func() error {
-			secret.Type = corev1.SecretTypeOpaque
-			secret.Data = map[string][]byte{
-				secrets.DataKeyCertificateCA: caCert.CertificatePEM,
-				secrets.DataKeyPrivateKeyCA:  caCert.PrivateKeyPEM,
-				secrets.DataKeyCertificate:   serverCert.CertificatePEM,
-				secrets.DataKeyPrivateKey:    serverCert.PrivateKeyPEM,
-			}
-			return nil
-		}); err != nil {
+		secret.Type = corev1.SecretTypeOpaque
+		secret.Data = map[string][]byte{
+			secrets.DataKeyCertificateCA: caCert.CertificatePEM,
+			secrets.DataKeyPrivateKeyCA:  caCert.PrivateKeyPEM,
+			secrets.DataKeyCertificate:   serverCert.CertificatePEM,
+			secrets.DataKeyPrivateKey:    serverCert.PrivateKeyPEM,
+		}
+		if err := c.Create(ctx, secret); err != nil {
 			return nil, err
 		}