certrotation: issue more specific update events

When secret/configmap is being update an event is being emitted. This event should include a more
specific reason why this resource was updated: content change, new annotation etc.

This ensures duplicate events are not being issued by the controller

Author: vrutkovs

pkg/operator/certrotation/cabundle.go

@@ -67,8 +67,12 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 	}
 
 	// run Update if metadata needs changing unless running in RefreshOnlyWhenExpired mode
+	updateDetail := ""
 	if !c.RefreshOnlyWhenExpired {
 		updateRequired = ensureOwnerRefAndTLSAnnotationsForConfigMap(caBundleConfigMap, c.Owner, c.AdditionalAnnotations)
+		if updateRequired {
+			updateDetail = fmt.Sprintf("annotations set to %#v", c.AdditionalAnnotations)
+		}
 	}
 
 	updatedCerts, err := manageCABundleConfigMap(caBundleConfigMap, signingCertKeyPair.Config.Certs[0])
@@ -85,6 +89,7 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 			reason = fmt.Sprintf("signer update %s", signingCertKeyPairLocation)
 		}
 		c.EventRecorder.Eventf("CABundleUpdateRequired", "%q in %q requires a new cert: %s", c.Name, c.Namespace, reason)
+		updateDetail = fmt.Sprintf("content change: %s", reason)
 		LabelAsManagedConfigMap(caBundleConfigMap, CertificateTypeCABundle)
 
 		updateRequired = true
@@ -96,19 +101,19 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name, certs.CertificateBundleToString(updatedCerts))
 		caBundleConfigMap = actualCABundleConfigMap
 	} else if updateRequired {
 		actualCABundleConfigMap, err := c.Client.ConfigMaps(c.Namespace).Update(ctx, caBundleConfigMap, metav1.UpdateOptions{})
 		if apierrors.IsConflict(err) {
 			// ignore error if its attempting to update outdated version of the configmap
 			return nil, nil
 		}
-		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualCABundleConfigMap, err)
+		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualCABundleConfigMap, err, updateDetail)
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s due to %s with:\n%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name, updateDetail, certs.CertificateBundleToString(updatedCerts))
 		caBundleConfigMap = actualCABundleConfigMap
 	}
 

pkg/operator/certrotation/signer.go

@@ -79,9 +79,16 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 	}
 
 	// run Update if metadata needs changing unless we're in RefreshOnlyWhenExpired mode
+	updateDetail := ""
 	if !c.RefreshOnlyWhenExpired {
 		needsMetadataUpdate := ensureOwnerRefAndTLSAnnotationsForSecret(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
+		if needsMetadataUpdate {
+			updateDetail = fmt.Sprintf("annotations set to %#v", c.AdditionalAnnotations)
+		}
 		needsTypeChange := ensureSecretTLSTypeSet(signingCertKeyPairSecret)
+		if needsTypeChange {
+			updateDetail = "updated secret type"
+		}
 		updateRequired = needsMetadataUpdate || needsTypeChange
 	}
 
@@ -92,6 +99,7 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 			reason = "secret doesn't exist"
 		}
 		c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason)
+		updateDetail = fmt.Sprintf("signer updated: %s", reason)
 		if err = setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret, c.Validity, c.Refresh, c.AdditionalAnnotations); err != nil {
 			return nil, false, err
 		}
@@ -116,11 +124,11 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 			// ignore error if its attempting to update outdated version of the secret
 			return nil, false, nil
 		}
-		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualSigningCertKeyPairSecret, err)
+		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualSigningCertKeyPairSecret, err, updateDetail)
 		if err != nil {
 			return nil, false, err
 		}
-		klog.V(2).Infof("Updated secret %s/%s", actualSigningCertKeyPairSecret.Namespace, actualSigningCertKeyPairSecret.Name)
+		klog.V(2).Infof("Updated secret %s/%s, reason: %s", actualSigningCertKeyPairSecret.Namespace, actualSigningCertKeyPairSecret.Name, updateDetail)
 		signingCertKeyPairSecret = actualSigningCertKeyPairSecret
 	}
 

pkg/operator/certrotation/target.go

@@ -113,14 +113,22 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont
 	}
 
 	// run Update if metadata needs changing unless we're in RefreshOnlyWhenExpired mode
+	updateDetail := ""
 	if !c.RefreshOnlyWhenExpired {
 		needsMetadataUpdate := ensureOwnerRefAndTLSAnnotationsForSecret(targetCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
+		if needsMetadataUpdate {
+			updateDetail = fmt.Sprintf("annotations set to %#v", c.AdditionalAnnotations)
+		}
 		needsTypeChange := ensureSecretTLSTypeSet(targetCertKeyPairSecret)
+		if needsTypeChange {
+			updateDetail = "updated secret type"
+		}
 		updateRequired = needsMetadataUpdate || needsTypeChange
 	}
 
 	if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired, creationRequired); len(reason) > 0 {
 		c.EventRecorder.Eventf("TargetUpdateRequired", "%q in %q requires a new target cert/key pair: %v", c.Name, c.Namespace, reason)
+		updateDetail = fmt.Sprintf("content change: %s", reason)
 		if err = setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret, c.Validity, c.Refresh, signingCertKeyPair, c.CertCreator, c.AdditionalAnnotations); err != nil {
 			return nil, err
 		}
@@ -143,11 +151,11 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont
 			// ignore error if its attempting to update outdated version of the secret
 			return nil, nil
 		}
-		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualTargetCertKeyPairSecret, err)
+		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualTargetCertKeyPairSecret, err, updateDetail)
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Updated secret %s/%s", actualTargetCertKeyPairSecret.Namespace, actualTargetCertKeyPairSecret.Name)
+		klog.V(2).Infof("Updated secret %s/%s, reason: %s", actualTargetCertKeyPairSecret.Namespace, actualTargetCertKeyPairSecret.Name, updateDetail)
 		targetCertKeyPairSecret = actualTargetCertKeyPairSecret
 	}