kyma-project · LeelaChacha · Feb 24, 2025 · Jan 31, 2025 · Jan 31, 2025 · Jan 31, 2025
@@ -80,9 +80,28 @@ runs:
         cat requeue-interval-patch.yaml
         kustomize edit add patch --path requeue-interval-patch.yaml --kind Deployment
         popd
+    - name: Patch KLM deployment for watcher zero downtime
+      if: ${{matrix.e2e-test == 'watcher-zero-downtime'}}
+      working-directory: lifecycle-manager
+      shell: bash
+      run: |
+        pushd config/watcher_local_test
+        echo \
+        "- op: replace
+          path: /spec/template/spec/containers/0/args/16
+          value: --kyma-requeue-success-interval=10s
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --istio-gateway-cert-switch-before-expiration-time=58m30s
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --istio-gateway-secret-requeue-success-interval=6s" >> requeue-interval-patch.yaml
+        cat requeue-interval-patch.yaml
+        kustomize edit add patch --path requeue-interval-patch.yaml --kind Deployment
+        popd
     - name: Patch CA certificate renewBefore
-      if: ${{matrix.e2e-test == 'ca-certificate-rotation' ||
-        matrix.e2e-test == 'istio-gateway-secret-rotation'}}
+      if: ${{matrix.e2e-test == 'legacy-istio-gateway-secret-rotation' ||
+        matrix.e2e-test == 'watcher-zero-downtime'}}
       working-directory: lifecycle-manager
       shell: bash
       run: |
@@ -97,6 +116,19 @@ runs:
         cat certificate_renewal.yaml
         kustomize edit add patch --path certificate_renewal.yaml --kind Certificate --group cert-manager.io --version v1 --name watcher-serving
         popd
+    - name: Use legacy istio gateway secret rotation strategy
+      if: ${{matrix.e2e-test == 'legacy-istio-gateway-secret-rotation'}}
+      working-directory: lifecycle-manager
+      shell: bash
+      run: |
+        pushd config/watcher_local_test
+        echo \
+        "- op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --legacy-strategy-for-istio-gateway-secret=true" >> legacy-secret-rotation.yaml
+        cat legacy-secret-rotation.yaml
+        kustomize edit add patch --path legacy-secret-rotation.yaml --kind Deployment
+        popd
     - name: Create and use maintenance window policy
       if: ${{matrix.e2e-test == 'maintenance-windows' ||
              matrix.e2e-test == 'maintenance-windows-initial-installation' ||

@@ -21,7 +21,8 @@ runs:
     - name: Create and apply Template Operator ModuleTemplate from the latest release
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
-        matrix.e2e-test != 'mandatory-module-metrics'
+        matrix.e2e-test != 'mandatory-module-metrics' &&
+        matrix.e2e-test != 'watcher-zero-downtime'
         }}
       shell: bash
       run: |
@@ -32,7 +33,8 @@ runs:
     - name: Create and apply Template Operator ModuleTemplate with ModuleDeploymentNameInOlderVersion
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
-        matrix.e2e-test != 'mandatory-module-metrics'
+        matrix.e2e-test != 'mandatory-module-metrics' &&
+        matrix.e2e-test != 'watcher-zero-downtime'
         }}
       shell: bash
       run: |
@@ -42,7 +44,8 @@ runs:
     - name: Create and apply Template Operator ModuleTemplate with ModuleDeploymentNameInNewerVersion
       working-directory: template-operator
       if: ${{ matrix.e2e-test != 'mandatory-module' &&
-        matrix.e2e-test != 'mandatory-module-metrics'
+        matrix.e2e-test != 'mandatory-module-metrics' &&
+        matrix.e2e-test != 'watcher-zero-downtime'
         }}
       shell: bash
       run: |

@@ -54,8 +54,7 @@ jobs:
           - modulereleasemeta-module-upgrade-new-version
           - unmanage-module
           - skip-manifest-reconciliation
-          - ca-certificate-rotation
-          - istio-gateway-secret-rotation
+          - legacy-istio-gateway-secret-rotation
           - self-signed-certificate-rotation
           - mandatory-module
           - mandatory-module-metrics
@@ -70,6 +69,7 @@ jobs:
           - maintenance-windows
           - maintenance-windows-initial-installation
           - maintenance-windows-skip
+          - watcher-zero-downtime
 
     runs-on: ubuntu-latest
     timeout-minutes: 20

@@ -55,8 +55,7 @@ jobs:
           - unmanage-module
           - module-install-by-version
           - skip-manifest-reconciliation
-          - ca-certificate-rotation
-          - istio-gateway-secret-rotation
+          - legacy-istio-gateway-secret-rotation
           - self-signed-certificate-rotation
           - mandatory-module-with-old-naming-pattern
           - mandatory-module-metrics-with-old-naming-pattern

@@ -134,6 +134,8 @@ linters-settings:
         alias: watcherctrl
       - pkg: github.com/kyma-project/lifecycle-manager/internal/gatewaysecret/client
         alias: gatewaysecretclient
+      - pkg: github.com/kyma-project/lifecycle-manager/internal/gatewaysecret/handler
+        alias: gatewaysecrethandler
   ireturn:
     allow:
       - anon

@@ -117,7 +117,6 @@
         "module-upgrade-new-version",
         "unmanage-module",
         "skip-manifest-reconciliation",
-        "ca-certificate-rotation",
         "self-signed-certificate-rotation",
         "mandatory-module",
         "mandatory-module-metrics",

@@ -11,6 +11,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/kyma-project/lifecycle-manager/pkg/log"
+	"github.com/kyma-project/lifecycle-manager/pkg/queue"
 )
 
 var ErrSecretNotFound = errors.New("root secret not found")
@@ -25,12 +26,14 @@ type (
 type Reconciler struct {
 	getRootSecret GetterFunc
 	handler       Handler
+	intervals     queue.RequeueIntervals
 }
 
-func NewReconciler(getSecretFunc GetterFunc, handler Handler) *Reconciler {
+func NewReconciler(getSecretFunc GetterFunc, handler Handler, intervals queue.RequeueIntervals) *Reconciler {
 	return &Reconciler{
 		getRootSecret: getSecretFunc,
 		handler:       handler,
+		intervals:     intervals,
 	}
 }
 
@@ -42,13 +45,14 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 		return ctrl.Result{}, fmt.Errorf("failed to get istio gateway root secret: %w", err)
 	}
 	if rootSecret == nil {
-		return ctrl.Result{}, ErrSecretNotFound
+		return ctrl.Result{Requeue: true, RequeueAfter: r.intervals.Error}, ErrSecretNotFound
 	}
 
 	err = r.handler.ManageGatewaySecret(ctx, rootSecret)
 	if err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to manage gateway secret: %w", err)
+		return ctrl.Result{Requeue: true, RequeueAfter: r.intervals.Error},
+			fmt.Errorf("failed to manage gateway secret: %w", err)
 	}
 
-	return ctrl.Result{}, nil
+	return ctrl.Result{Requeue: true, RequeueAfter: r.intervals.Success}, nil
 }
@@ -12,6 +12,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	"github.com/kyma-project/lifecycle-manager/internal/controller/istiogatewaysecret"
+	"github.com/kyma-project/lifecycle-manager/pkg/queue"
 )
 
 func TestReconcile_WhenGetSecretFuncReturnsError_ReturnError(t *testing.T) {
@@ -20,7 +21,7 @@ func TestReconcile_WhenGetSecretFuncReturnsError_ReturnError(t *testing.T) {
 		return nil, errors.New("some-error")
 	}
 	mockHandler := &mockHandler{}
-	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler)
+	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler, queue.RequeueIntervals{})
 
 	// ACT
 	_, err := reconciler.Reconcile(context.TODO(), ctrl.Request{})
@@ -36,7 +37,7 @@ func TestReconcile_WhenGetSecretFuncReturnsNoErrorAndSecretIsNil_ReturnError(t *
 		return nil, nil
 	}
 	mockHandler := &mockHandler{}
-	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler)
+	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler, queue.RequeueIntervals{})
 
 	// ACT
 	_, err := reconciler.Reconcile(context.TODO(), ctrl.Request{})
@@ -56,7 +57,7 @@ func TestReconcile_WhenGetSecretFuncIsCalled_IsCalledWithRequestNamespacedName(t
 		assert.Equal(t, request.Name, name.Name)
 		return nil, nil
 	}
-	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, &mockHandler{})
+	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, &mockHandler{}, queue.RequeueIntervals{})
 
 	// ACT
 	// ASSERT
@@ -70,7 +71,7 @@ func TestReconcile_WhenGetSecretFuncReturnsSecret_HandlerManageGatewaySecretIsCa
 		return secret, nil
 	}
 	mockHandler := &mockHandler{}
-	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler)
+	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler, queue.RequeueIntervals{})
 
 	// ACT
 	_, err := reconciler.Reconcile(context.TODO(), ctrl.Request{})
@@ -87,7 +88,7 @@ func TestReconcile_WhenHandlerManageGatewaySecretReturnsError_ReturnError(t *tes
 		return secret, nil
 	}
 	mockHandler := &mockHandler{err: errors.New("some-error")}
-	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler)
+	reconciler := istiogatewaysecret.NewReconciler(stubGetterFunc, mockHandler, queue.RequeueIntervals{})
 
 	// ACT
 	_, err := reconciler.Reconcile(context.TODO(), ctrl.Request{})

@@ -16,30 +16,42 @@ import (
 
 	"github.com/kyma-project/lifecycle-manager/api/shared"
 	"github.com/kyma-project/lifecycle-manager/internal/gatewaysecret"
+	"github.com/kyma-project/lifecycle-manager/internal/gatewaysecret/cabundle"
 	gatewaysecretclient "github.com/kyma-project/lifecycle-manager/internal/gatewaysecret/client"
+	"github.com/kyma-project/lifecycle-manager/internal/gatewaysecret/legacy"
 	"github.com/kyma-project/lifecycle-manager/internal/pkg/flags"
+	"github.com/kyma-project/lifecycle-manager/pkg/queue"
 )
 
 const (
 	controllerName    = "istio-controller"
 	kcpRootSecretName = "klm-watcher"
 )
 
-var errCouldNotGetLastModifiedAt = errors.New("getting lastModifiedAt time failed")
+var errCouldNotGetTimeFromAnnotation = errors.New("getting time from annotation failed")
 
 func SetupReconciler(mgr ctrl.Manager, flagVar *flags.FlagVar, options ctrlruntime.Options) error {
 	options.MaxConcurrentReconciles = flagVar.MaxConcurrentWatcherReconciles
 
 	clnt := gatewaysecretclient.NewGatewaySecretRotationClient(mgr.GetConfig())
-	var parseLastModifiedFunc gatewaysecret.TimeParserFunc = func(secret *apicorev1.Secret) (time.Time, error) {
-		if gwSecretLastModifiedAtValue, ok := secret.Annotations[shared.LastModifiedAtAnnotation]; ok {
-			if gwSecretLastModifiedAt, err := time.Parse(time.RFC3339, gwSecretLastModifiedAtValue); err == nil {
-				return gwSecretLastModifiedAt, nil
+	var parseLastModifiedFunc gatewaysecret.TimeParserFunc = func(secret *apicorev1.Secret,
+		annotation string,
+	) (time.Time, error) {
+		if strValue, ok := secret.Annotations[annotation]; ok {
+			if time, err := time.Parse(time.RFC3339, strValue); err == nil {
+				return time, nil
 			}
 		}
-		return time.Time{}, errCouldNotGetLastModifiedAt
+		return time.Time{}, fmt.Errorf("%w: %s", errCouldNotGetTimeFromAnnotation, annotation)
+	}
+
+	var handler gatewaysecret.Handler
+	if flagVar.UseLegacyStrategyForIstioGatewaySecret {
+		handler = legacy.NewGatewaySecretHandler(clnt, parseLastModifiedFunc)
+	} else {
+		handler = cabundle.NewGatewaySecretHandler(clnt, parseLastModifiedFunc,
+			flagVar.IstioGatewayCertSwitchBeforeExpirationTime)
 	}
-	handler := gatewaysecret.NewGatewaySecretHandler(clnt, parseLastModifiedFunc)
 
 	var getSecretFunc GetterFunc = func(ctx context.Context, name types.NamespacedName) (*apicorev1.Secret, error) {
 		secret := &apicorev1.Secret{}
@@ -51,7 +63,10 @@ func SetupReconciler(mgr ctrl.Manager, flagVar *flags.FlagVar, options ctrlrunti
 		return secret, nil
 	}
 
-	return NewReconciler(getSecretFunc, handler).setupWithManager(mgr, options)
+	return NewReconciler(getSecretFunc, handler, queue.RequeueIntervals{
+		Success: flagVar.IstioGatewaySecretRequeueSuccessInterval,
+		Error:   flagVar.IstioGatewaySecretRequeueErrInterval,
+	}).setupWithManager(mgr, options)
 }
 
 func (r *Reconciler) setupWithManager(mgr ctrl.Manager, opts ctrlruntime.Options) error {