From 7833346f88eafcf244d4554eab2e153769915826 Mon Sep 17 00:00:00 2001
From: Marc Barry <4965634+marc-barry@users.noreply.github.com>
Date: Tue, 5 Dec 2023 09:17:19 -0500
Subject: [PATCH 1/2] Address CA config map creation race condition.

---
 api/v1/ca.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/api/v1/ca.go b/api/v1/ca.go
index 8d952b1..5810838 100644
--- a/api/v1/ca.go
+++ b/api/v1/ca.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "net/http"
 "os"
+ "sync"
 
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -137,6 +138,13 @@ func MutateCaInjection(pod *corev1.Pod, config *Config) error {
 }
 
 func EnsureAssetsInNamespace(config *Config) error {
+ // it is possible that many mutations are requested in succession and this can lead to an "already exists"
+ // for the create operation. Thus, synchronize around the possible creation by only allowing one of this function
+ // to execute at any given time
+ mu := sync.Mutex{}
+ mu.Lock()
+ defer mu.Unlock()
+
 // the goal is to ensure this exists already or we'll create it
 qtapCaBundleExists := false
 
From 6ffb68d2b94161e8a0b69960a1e2c88dc1366979 Mon Sep 17 00:00:00 2001
From: Marc Barry <4965634+marc-barry@users.noreply.github.com>
Date: Tue, 5 Dec 2023 09:22:14 -0500
Subject: [PATCH 2/2] Move synchronization to after read to reduce contention.

---
 api/v1/ca.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/api/v1/ca.go b/api/v1/ca.go
index 5810838..dfbd3d2 100644
--- a/api/v1/ca.go
+++ b/api/v1/ca.go
@@ -138,13 +138,6 @@ func MutateCaInjection(pod *corev1.Pod, config *Config) error {
 }
 
 func EnsureAssetsInNamespace(config *Config) error {
- // it is possible that many mutations are requested in succession and this can lead to an "already exists"
- // for the create operation. Thus, synchronize around the possible creation by only allowing one of this function
- // to execute at any given time
- mu := sync.Mutex{}
- mu.Lock()
- defer mu.Unlock()
-
 // the goal is to ensure this exists already or we'll create it
 qtapCaBundleExists := false
 
@@ -166,6 +159,13 @@ func EnsureAssetsInNamespace(config *Config) error {
 return nil
 }
 
+ // it is possible that many mutations are requested in succession and this can lead to an "already exists"
+ // for the create operation. Thus, synchronize around the possible creation by only allowing one of this function
+ // to execute at any given time
+ mu := sync.Mutex{}
+ mu.Lock()
+ defer mu.Unlock()
+
 // we need to see if we have the qtap ca in the operator namespace
 qpointRootCaConfigMap := &corev1.ConfigMap{}
 if err := config.Client.Get(config.Ctx, client.ObjectKey{Namespace: config.OperatorNamespace, Name: QPOINT_ROOT_CA}, qpointRootCaConfigMap); err != nil {
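Review bot: `mu := sync.Mutex{}` is declared inside EnsureAssetsInNamespace, so every call locks a mutex of its own and concurrent mutation requests are never serialized; the create race this series targets is still open, and the same applies to the lines [PATCH 1/2] first added at the top of the function. Declare the lock at package scope, `var ensureAssetsMu sync.Mutex`, and take it here with `ensureAssetsMu.Lock()` and `defer ensureAssetsMu.Unlock()`. Because the existence check now runs before the lock, a caller that waited would presumably still go on to create, so the create path (outside this hunk) should re-check after locking or treat `apierrors.IsAlreadyExists(err)` as success, which also covers more than one replica of this process, something an in-process mutex cannot coordinate. The function body continues past the end of the hunk.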