CNTRLPLANE-3212: Enable configurable PKI for cert rotation

cmd/machine-config-controller/start.go

@@ -109,6 +109,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 			ctrlctx.KubeNamespacedInformerFactory.Core().V1().Secrets(),
 			ctrlctx.KubeNamespacedInformerFactory.Core().V1().ConfigMaps(),
 			ctrlctx.ConfigInformerFactory.Config().V1().Infrastructures(),
+			ctrlctx.ConfigInformerFactory,
 			ctrlctx.FeatureGatesHandler,
 			ctrlctx.ClientBuilder.MachineConfigClientOrDie("cert-rotation-controller"),
 		)

go.mod

@@ -39,7 +39,7 @@ require (
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818
 	github.com/openshift/api v0.0.0-20260603130340-1ad2ac3eb53d
 	github.com/openshift/client-go v0.0.0-20260603140539-6892dc3e1ffc
-	github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6
+	github.com/openshift/library-go v0.0.0-20260611115129-21dd5809a4b2
 	github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
 	github.com/prometheus/client_golang v1.23.2
 	github.com/rs/zerolog v1.34.0

go.sum

@@ -675,8 +675,8 @@ github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0
 github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20260305123649-d18f3f005eaa/go.mod h1:6wqqkK0+5hV+CLJ3uz9A1lkjxXRvkbq+5RnZdUZx/H8=
 github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20260305123649-d18f3f005eaa h1:JY4k94JmDGQp2Pj94Cw2xtIjs7MpPkU9n8zNPDTbiKo=
 github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20260305123649-d18f3f005eaa/go.mod h1:CnFDBq5NGnfOSMeOP8l4SNYJrxK6Z1kUaKdu3Qq9Uik=
-github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6 h1:xjqy0OolrFdJ+ofI/aD0+2k9+MSk5anP5dXifFt539Q=
-github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6/go.mod h1:D797O/ssKTNglbrGchjIguFq+DbyRYdeds5w4/VTrKM=
+github.com/openshift/library-go v0.0.0-20260611115129-21dd5809a4b2 h1:kH+vbMI//DZciIQXa6VhTX6BOH3ZJuZSN5IS8wQI76g=
+github.com/openshift/library-go v0.0.0-20260611115129-21dd5809a4b2/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b h1:oXzC1N6E9gw76/WH2gEA8GEHvuq09wuVQ9GoCuR8GF4=

pkg/controller/certrotation/certrotation_controller.go

@@ -33,13 +33,15 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/api/features"
 	configclientset "github.com/openshift/client-go/config/clientset/versioned"
+	configinformersexternal "github.com/openshift/client-go/config/informers/externalversions"
 	machineclientset "github.com/openshift/client-go/machine/clientset/versioned"
 	mcfgclientset "github.com/openshift/client-go/machineconfiguration/clientset/versioned"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/crypto"
 	"github.com/openshift/library-go/pkg/operator/certrotation"
 	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/pki"
 
 	aroclientset "github.com/Azure/ARO-RP/pkg/operator/clientset/versioned"
 
@@ -96,12 +98,26 @@ func New(
 	mcoSecretInformer coreinformersv1.SecretInformer,
 	mcoConfigMapInfomer coreinformersv1.ConfigMapInformer,
 	infraInformer configinformers.InfrastructureInformer,
+	configInformerFactory configinformersexternal.SharedInformerFactory,
 	featureGatesHandler ctrlcommon.FeatureGatesHandler,
 	mcfgClient mcfgclientset.Interface,
 ) (*CertRotationController, error) {
 
 	recorder := events.NewLoggingEventRecorder(componentName, clock.RealClock{})
 
+	cachesToSync := []cache.InformerSynced{
+		maoSecretInformer.Informer().HasSynced,
+		mcoSecretInformer.Informer().HasSynced,
+		mcoConfigMapInfomer.Informer().HasSynced,
+		infraInformer.Informer().HasSynced,
+	}
+
+	var pkiProfileProvider pki.PKIProfileProvider
+	if configInformerFactory != nil && featureGatesHandler != nil && featureGatesHandler.Enabled(features.FeatureGateConfigurablePKI) {
+		pkiProfileProvider = pki.NewClusterPKIProfileProvider(configInformerFactory.Config().V1alpha1().PKIs().Lister())
+		cachesToSync = append(cachesToSync, configInformerFactory.Config().V1alpha1().PKIs().Informer().HasSynced)
+	}
+
 	c := &CertRotationController{
 		kubeClient:          kubeClient,
 		configClient:        configClient,
@@ -112,12 +128,7 @@ func New(
 		mcoConfigMapInfomer: mcoConfigMapInfomer,
 		mcoSecretLister:     mcoSecretInformer.Lister(),
 		maoSecretLister:     maoSecretInformer.Lister(),
-		cachesToSync: []cache.InformerSynced{
-			maoSecretInformer.Informer().HasSynced,
-			mcoSecretInformer.Informer().HasSynced,
-			mcoConfigMapInfomer.Informer().HasSynced,
-			infraInformer.Informer().HasSynced,
-		},
+		cachesToSync:        cachesToSync,
 
 		hostnamesRotation: &DynamicServingRotation{hostnamesChanged: make(chan struct{}, 10)},
 		hostnamesQueue: workqueue.NewTypedRateLimitingQueueWithConfig(
@@ -142,12 +153,14 @@ func New(
 				JiraComponent: "Machine Config Operator",
 				Description:   "CA used to sign the MachineConfigServer TLS certificate",
 			},
-			Validity:      mcsCAExpiry,
-			Refresh:       mcsCARefresh,
-			Informer:      mcoSecretInformer,
-			Lister:        c.mcoSecretLister,
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: recorder,
+			Validity:           mcsCAExpiry,
+			Refresh:            mcsCARefresh,
+			CertificateName:    "machine-config.machine-config-server-signer",
+			PKIProfileProvider: pkiProfileProvider,
+			Informer:           mcoSecretInformer,
+			Lister:             c.mcoSecretLister,
+			Client:             kubeClient.CoreV1(),
+			EventRecorder:      recorder,
 		},
 		certrotation.CABundleConfigMap{
 			Namespace: ctrlcommon.MCONamespace,
@@ -174,10 +187,12 @@ func New(
 				Hostnames:        c.hostnamesRotation.GetHostnames,
 				HostnamesChanged: c.hostnamesRotation.hostnamesChanged,
 			},
-			Informer:      mcoSecretInformer,
-			Lister:        c.mcoSecretLister,
-			Client:        kubeClient.CoreV1(),
-			EventRecorder: recorder,
+			CertificateName:    "machine-config.machine-config-server-serving",
+			PKIProfileProvider: pkiProfileProvider,
+			Informer:           mcoSecretInformer,
+			Lister:             c.mcoSecretLister,
+			Client:             kubeClient.CoreV1(),
+			EventRecorder:      recorder,
 		},
 		recorder,
 		NewCertRotationStatusReporter(),

pkg/controller/certrotation/certrotation_controller_test.go

@@ -124,7 +124,7 @@ func (f *fixture) newController() *CertRotationController {
 		[]configv1.FeatureGateName{features.FeatureGateNoRegistryClusterInstall},
 		nil,
 	)
-	c, err := New(f.kubeClient, f.configClient, f.machineClient, f.aroClient, f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().ConfigMaps(), f.infraInformer.Config().V1().Infrastructures(), fgHandler, f.mcfgClient)
+	c, err := New(f.kubeClient, f.configClient, f.machineClient, f.aroClient, f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().ConfigMaps(), f.infraInformer.Config().V1().Infrastructures(), nil, fgHandler, f.mcfgClient)
 	require.NoError(f.t, err)
 
 	c.StartInformers()
@@ -464,7 +464,7 @@ func TestIRICertificateReconcileSkippedWhenFeatureGateDisabled(t *testing.T) {
 	c, err := New(f.kubeClient, f.configClient, f.machineClient, f.aroClient,
 		f.k8sI.Core().V1().Secrets(), f.k8sI.Core().V1().Secrets(),
 		f.k8sI.Core().V1().ConfigMaps(), f.infraInformer.Config().V1().Infrastructures(),
-		fgHandler, f.mcfgClient)
+		nil, fgHandler, f.mcfgClient)
 	require.NoError(t, err)
 
 	// reconcileIRICertificate must be a no-op when the feature gate is disabled.