Fix empty lister for API server

hongkailiu · hongkailiu · commit a040ae49acf0 · 2026-06-07T17:05:43.000-04:00
Follow up the issue from #1338 (comment): The right way to call things out for `InformerFactory`: e.g., [processInitialFeatureGate](https://github.com/openshift/cluster-version-operator/blob/c1dc3e8f0b7c366d45177af391c4f888059b446d/pkg/start/start.go#L269-L280), * `Lister()` such as `configInformerFactory.Config().V1().FeatureGates().Lister()` * `Start()` such as `configInformerFactory.Start(ctx.Done())` * `WaitForCacheSync*()` such as `configInformerFactory.WaitForCacheSync(ctx.Done())` The lister is then ready to retrieve instance, e.g., via `Get()`. ```console $ git --no-pager log --pretty=oneline -1 6a8c607 (HEAD -> pr1338-e2e-6a8c6072b2f4e45fe5ab9269b4efa96d4608b0d0) make update ``` The issue with the commit above: ``` start.go: Line 190 func (o *Options) Run(ctx context.Context) error * Line 216 o.NewControllerContext() * Line 650 cvo, err := cvo.New() where Lister() and cvotls.NewProfileManager(apiServerInformer, tlsOverrides) are called where apiServerInformer.Lister().Get(tlsprofile.APIServerName) is called * Line 221 o.run() * start and sync ``` The issue is that `Get()` is called in the wrong order: `Lister()`, `Get()`, `Start()` and `Sync()`. It explains `apiserver.config.openshift.io "cluster" not found` from #1338 (comment). In short, we need the informer factory is ready before initializing the TLS profile manager. The fix is moving `NewProfileManager()` from `cvo.go` to `start.go` and the instance passes to `cvo.go`. Note that the same `configInformerFactory` instance is started and synced in `o.processInitialFeatureGate`. The only thing missing is invoking its `List()` ahead of it. Once it is done, we do not need to do those again in `cvo.go`. I prefer the current fix over the reverted one because the code is simpler this way. `cvo` does not need to have the fields such as the informer and the overrides that actually belong to the TLS profile manager.
diff --git a/pkg/cvo/cvo.go b/pkg/cvo/cvo.go
@@ -65,7 +65,6 @@ import (
 	overridesrisk "github.com/openshift/cluster-version-operator/pkg/risk/overrides"
 	updatingrisk "github.com/openshift/cluster-version-operator/pkg/risk/updating"
 	upgradeablerisk "github.com/openshift/cluster-version-operator/pkg/risk/upgradeable"
-	cvotls "github.com/openshift/cluster-version-operator/pkg/tls"
 )
 
 const (
@@ -135,10 +134,9 @@ type Operator struct {
 	cmConfigManagedLister listerscorev1.ConfigMapNamespaceLister
 	proxyLister           configlistersv1.ProxyLister
 	featureGateLister     configlistersv1.FeatureGateLister
-	apiServerLister       configlistersv1.APIServerLister
 	cacheSynced           []cache.InformerSynced
 
-	profileMgr *cvotls.ProfileManager
+	applyTLSSettings func(config *tls.Config)
 
 	// queue tracks applying updates to a cluster.
 	queue workqueue.TypedRateLimitingInterface[any]
@@ -238,8 +236,7 @@ func New(
 	proxyInformer configinformersv1.ProxyInformer,
 	operatorInformerFactory operatorexternalversions.SharedInformerFactory,
 	featureGateInformer configinformersv1.FeatureGateInformer,
-	apiServerInformer configinformersv1.APIServerInformer,
-	overrides *cvotls.Settings,
+	applyTLSSettings func(config *tls.Config),
 	client clientset.Interface,
 	kubeClient kubernetes.Interface,
 	operatorClient operatorclientset.Interface,
@@ -290,6 +287,8 @@ func New(
 		enabledManifestFeatureGates: startingEnabledManifestFeatureGates,
 
 		alwaysEnableCapabilities: alwaysEnableCapabilities,
+
+		applyTLSSettings: applyTLSSettings,
 	}
 
 	if _, err := cvInformer.Informer().AddEventHandler(optr.clusterVersionEventHandler()); err != nil {
@@ -317,9 +316,6 @@ func New(
 	optr.featureGateLister = featureGateInformer.Lister()
 	optr.cacheSynced = append(optr.cacheSynced, featureGateInformer.Informer().HasSynced)
 
-	optr.apiServerLister = apiServerInformer.Lister()
-	optr.cacheSynced = append(optr.cacheSynced, apiServerInformer.Informer().HasSynced)
-
 	// make sure this is initialized after all the listers are initialized
 	riskSourceCallback := func() { optr.availableUpdatesQueue.Add(optr.queueKey()) }
 
@@ -373,12 +369,6 @@ func New(
 		},
 	)
 
-	profileMgr, err := cvotls.NewProfileManager(apiServerInformer, overrides)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize TLS profile manager: %w", err)
-	}
-	optr.profileMgr = profileMgr
-
 	return optr, nil
 }
 
@@ -1234,7 +1224,7 @@ func (optr *Operator) shouldEnableProposalController() bool {
 	return optr.requiredFeatureSet == configv1.TechPreviewNoUpgrade
 }
 
-// ApplySettings returns the ApplySettings function of the TLS profile manager
-func (optr *Operator) ApplySettings() func(config *tls.Config) {
-	return optr.profileMgr.ApplySettings
+// ApplyTLSSettings returns the function that applies TLS settings to the TLS config
+func (optr *Operator) ApplyTLSSettings() func(config *tls.Config) {
+	return optr.applyTLSSettings
 }
diff --git a/pkg/start/start.go b/pkg/start/start.go
@@ -207,6 +207,9 @@ func (o *Options) Run(ctx context.Context) error {
 	}
 
 	clusterVersionConfigInformerFactory, configInformerFactory := o.prepareConfigInformerFactories(cb)
+	// This is to ensure that APIServers get loaded when configInformerFactory is started and synced in o.processInitialFeatureGate().
+	// It is important when creating TLS profile manager later.
+	configInformerFactory.Config().V1().APIServers().Lister()
 	startingFeatureSet, startingCvoGates, startingEnabledManifestFeatureGates, err := o.processInitialFeatureGate(ctx, configInformerFactory)
 	if err != nil {
 		return fmt.Errorf("error processing feature gates: %w", err)
@@ -357,13 +360,6 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 		}
 	}
 
-	configSynced := controllerCtx.ConfigInformerFactory.WaitForCacheSync(informersDone)
-	for _, synced := range configSynced {
-		if !synced {
-			klog.Fatalf("Caches never synchronized: %v", postMainContext.Err())
-		}
-	}
-
 	resultChannelCount++
 	go func() {
 		defer utilruntime.HandleCrash()
@@ -381,7 +377,7 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 						resultChannelCount++
 						go func() {
 							defer utilruntime.HandleCrash()
-							err := cvo.RunMetrics(postMainContext, shutdownContext, restConfig, controllerCtx.CVO.ApplySettings(), o.MetricsOptions)
+							err := cvo.RunMetrics(postMainContext, shutdownContext, restConfig, controllerCtx.CVO.ApplyTLSSettings(), o.MetricsOptions)
 							resultChannel <- asyncResult{name: "metrics server", error: err}
 						}()
 					}
@@ -647,6 +643,11 @@ func (o *Options) NewControllerContext(
 	}
 	rtClient := cb.RuntimeControllerClientOrDie("runtime-controller-client")
 
+	tlsProfileMgr, err := tls.NewProfileManager(configInformerFactory.Config().V1().APIServers(), o.TLSOptions.GetOverrides())
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize TLS profile manager: %w", err)
+	}
+
 	cvo, err := cvo.New(
 		o.NodeName,
 		o.Namespace, o.Name,
@@ -660,8 +661,7 @@ func (o *Options) NewControllerContext(
 		configInformerFactory.Config().V1().Proxies(),
 		operatorInformerFactory,
 		configInformerFactory.Config().V1().FeatureGates(),
-		configInformerFactory.Config().V1().APIServers(),
-		o.TLSOptions.GetOverrides(),
+		tlsProfileMgr.ApplySettings,
 		cb.ClientOrDie(o.Namespace),
 		cvoKubeClient,
 		operatorClient,
