certrotation: issue more specific update events

pkg/operator/certrotation/cabundle.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"reflect"
 	"sort"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -67,13 +68,10 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 	}
 
 	// run Update if metadata needs changing unless running in RefreshOnlyWhenExpired mode
+	updateReasons := []string{}
 	if !c.RefreshOnlyWhenExpired {
-		needsOwnerUpdate := false
-		if c.Owner != nil {
-			needsOwnerUpdate = ensureOwnerReference(&caBundleConfigMap.ObjectMeta, c.Owner)
-		}
-		needsMetadataUpdate := c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&caBundleConfigMap.ObjectMeta)
-		updateRequired = needsOwnerUpdate || needsMetadataUpdate
+		updateReasons = append(updateReasons, ensureOwnerRefAndTLSAnnotations(&caBundleConfigMap.ObjectMeta, c.Owner, c.AdditionalAnnotations)...)
+		updateRequired = len(updateReasons) > 0
 	}
 
 	updatedCerts, err := manageCABundleConfigMap(caBundleConfigMap, signingCertKeyPair.Config.Certs[0])
@@ -90,6 +88,7 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 			reason = fmt.Sprintf("signer update %s", signingCertKeyPairLocation)
 		}
 		c.EventRecorder.Eventf("CABundleUpdateRequired", "%q in %q requires a new cert: %s", c.Name, c.Namespace, reason)
+		updateReasons = append(updateReasons, fmt.Sprintf("content change: %s", reason))
 		LabelAsManagedConfigMap(caBundleConfigMap, CertificateTypeCABundle)
 
 		updateRequired = true
@@ -101,19 +100,20 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		klog.V(2).Infof("Created ca-bundle.crt configmap %s/%s with:\n%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name, certs.CertificateBundleToString(updatedCerts))
 		caBundleConfigMap = actualCABundleConfigMap
 	} else if updateRequired {
 		actualCABundleConfigMap, err := c.Client.ConfigMaps(c.Namespace).Update(ctx, caBundleConfigMap, metav1.UpdateOptions{})
 		if apierrors.IsConflict(err) {
 			// ignore error if its attempting to update outdated version of the configmap
 			return nil, nil
 		}
-		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualCABundleConfigMap, err)
+		updateReasonsJoined := strings.Join(updateReasons, ", ")
+		resourcehelper.ReportUpdateEvent(c.EventRecorder, actualCABundleConfigMap, err, updateReasonsJoined)
 		if err != nil {
 			return nil, err
 		}
-		klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s with:\n%s", certs.CertificateBundleToString(updatedCerts), caBundleConfigMap.Namespace, caBundleConfigMap.Name)
+		klog.V(2).Infof("Updated ca-bundle.crt configmap %s/%s due to %s with:\n%s", caBundleConfigMap.Namespace, caBundleConfigMap.Name, updateReasonsJoined, certs.CertificateBundleToString(updatedCerts))
 		caBundleConfigMap = actualCABundleConfigMap
 	}
 

pkg/operator/certrotation/cabundle_test.go

@@ -204,12 +204,12 @@ func TestEnsureConfigMapCABundle(t *testing.T) {
 			}
 
 			c := &CABundleConfigMap{
-				Namespace: "ns",
-				Name:      "trust-bundle",
-
-				Client:        client.CoreV1(),
-				Lister:        corev1listers.NewConfigMapLister(indexer),
-				EventRecorder: events.NewInMemoryRecorder("test", clocktesting.NewFakePassiveClock(time.Now())),
+				Namespace:              "ns",
+				Name:                   "trust-bundle",
+				RefreshOnlyWhenExpired: test.RefreshOnlyWhenExpired,
+				Client:                 client.CoreV1(),
+				Lister:                 corev1listers.NewConfigMapLister(indexer),
+				EventRecorder:          events.NewInMemoryRecorder("test", clocktesting.NewFakePassiveClock(time.Now())),
 			}
 
 			newCA, err := test.caFn()

pkg/operator/certrotation/metadata.go

@@ -1,24 +1,29 @@
 package certrotation
 
 import (
+	"fmt"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func ensureOwnerRefAndTLSAnnotations(secret *corev1.Secret, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) bool {
-	needsMetadataUpdate := false
+func ensureOwnerRefAndTLSAnnotations(meta *metav1.ObjectMeta, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) []string {
+	updateReasons := []string{}
 	// no ownerReference set
-	if owner != nil {
-		needsMetadataUpdate = ensureOwnerReference(&secret.ObjectMeta, owner)
+	if owner != nil && ensureOwnerReference(meta, owner) {
+		updateReasons = append(updateReasons, fmt.Sprintf("owner reference updated to %#v", owner))
 	}
 	// ownership annotations not set
-	return additionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta) || needsMetadataUpdate
+	if additionalAnnotations.EnsureTLSMetadataUpdate(meta) {
+		updateReasons = append(updateReasons, fmt.Sprintf("annotations set to %#v", additionalAnnotations))
+	}
+	return updateReasons
 }
 
-func ensureSecretTLSTypeSet(secret *corev1.Secret) bool {
+func ensureSecretTLSTypeSet(secret *corev1.Secret) string {
 	// Existing secret not found - no need to update metadata (will be done by needNewSigningCertKeyPair / NeedNewTargetCertKeyPair)
 	if len(secret.ResourceVersion) == 0 {
-		return false
+		return ""
 	}
 
 	// convert outdated secret type (created by pre 4.7 installer)
@@ -30,7 +35,8 @@ func ensureSecretTLSTypeSet(secret *corev1.Secret) bool {
 		if !certExists || !keyExists {
 			secret.Data = map[string][]byte{}
 		}
-		return true
+		return fmt.Sprintf("changed type to %s", string(corev1.SecretTypeTLS))
 	}
-	return false
+	return ""
+
 }