@@ -98,10 +98,10 @@ var (
9898 "storageclasses" ,
9999 "validatingwebhookconfigurations" ,
100100 }
101- )
102101
103- const (
104- injectedCABundleConfigMap = "injected-cabundle-stackrox-central-services"
102+ injectedCABundleConfigMapPrefix = "injected-cabundle-"
103+ injectedCABundleConfigMapCentral = injectedCABundleConfigMapPrefix + centralCrName
104+ injectedCABundleConfigMapSecuredCluster = injectedCABundleConfigMapPrefix + securedClusterCrName
105105)
106106
107107// Deployer is the base deployer for ACS
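Review bot: The three injected-cabundle names added at new lines 102–104 now sit inside the `var (` block because the closing `)` and the `const (` line were removed, so they are mutable package-level variables rather than constants. This is presumably because `centralCrName` and `securedClusterCrName` are not constants, though their declarations are outside this hunk; if they are constants, a separate `const (` block would keep these names immutable. The Central name was previously the literal `injected-cabundle-stackrox-central-services`, so the cleanup now targets the right ConfigMap only while `centralCrName` keeps that value. A comment such as `// injected-cabundle ConfigMaps are named "injected-cabundle-<CR name>"; keep in sync with the CR names.` would record that dependency.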
@@ -209,14 +209,13 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
209209 // Pause reconciliation for other controllers, not just our RHACS operator.
210210 // This is needed to ensure that there is no race causing the Cluster Network Operator
211211 // to re-create the injected-ca-bundle ConfigMap during resource deletion.
212- err := d .preventOtherControllersFromReconciling (ctx )
213- if err != nil {
214- return fmt .Errorf ("failed to prevent other controllers from reconciling: %w" , err )
212+ if err := d .preventOtherControllersFromReconciling (ctx , component .Central ); err != nil {
213+ return fmt .Errorf ("failed to prevent other controllers from reconciling Central resources: %w" , err )
215214 }
216215
217216 // Delete other resources by brute force.
218217 resourceKinds := d .filterResourceKinds (allInstallableCentralResourceKinds )
219- err = d .deleteResources (ctx , d .centralNamespace , resourceKinds , "-l=app.kubernetes.io/part-of=stackrox-central-services" )
218+ err : = d .deleteResources (ctx , d .centralNamespace , resourceKinds , "-l=app.kubernetes.io/part-of=stackrox-central-services" )
220219 if err != nil {
221220 return err
222221 }
@@ -226,9 +225,9 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
226225 {Name : "central-db-backup" , Kind : "pvc" , OwnerName : centralCrName },
227226 {Name : "admin-password" , Kind : "secret" },
228227 {Name : "scanner-db-password" , Kind : "secret" , OwnerName : centralCrName },
229- // In case the Cluster Network Operator has succeeded in re-creating the injectedCABundleConfigMap
228+ // In case the Cluster Network Operator has succeeded in re-creating the injected-cabundle configmap
230229 // after our operator has already deleted it.
231- {Name : injectedCABundleConfigMap , Kind : "configmap" },
230+ {Name : injectedCABundleConfigMapCentral , Kind : "configmap" },
232231 } {
233232 d .logger .Dimf ("Attempting to delete %s/%s" , resource .Kind , resource .Name )
234233 if resource .OwnerName != "" {
@@ -263,17 +262,22 @@ func (d *Deployer) deleteCentralResources(ctx context.Context, wait bool) error
263262 return nil
264263}
265264
266- func (d * Deployer ) preventOtherControllersFromReconciling (ctx context.Context ) error {
267- return d .preventCABundleInjection (ctx )
265+ func (d * Deployer ) preventOtherControllersFromReconciling (ctx context.Context , comp component.Component ) error {
266+ switch comp {
267+ case component .Central :
268+ return d .preventCABundleInjection (ctx , injectedCABundleConfigMapCentral , d .centralNamespace )
269+ case component .SecuredCluster :
270+ return d .preventCABundleInjection (ctx , injectedCABundleConfigMapSecuredCluster , d .sensorNamespace )
271+ default :
272+ return nil
273+ }
268274}
269275
270- func (d * Deployer ) preventCABundleInjection (ctx context.Context ) error {
271- configMapName := injectedCABundleConfigMap
272-
276+ func (d * Deployer ) preventCABundleInjection (ctx context.Context , configMapName , namespace string ) error {
273277 d .logger .Info ("Removing CNO label from injected-cabundle ConfigMap to prevent CNO from injecting the CA bundle during cleanup" )
274278 _ , err := d .runKubectl (ctx , k8s.KubectlOptions {
275279 Args : []string {
276- "label" , "configmap" , configMapName , "-n" , d . centralNamespace ,
280+ "label" , "configmap" , configMapName , "-n" , namespace ,
277281 "config.openshift.io/inject-trusted-cabundle-" ,
278282 },
279283 IgnoreErrors : true ,
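Review bot: The `default:` branch of the new switch in `preventOtherControllersFromReconciling` returns nil, so a caller passing any component other than Central or SecuredCluster is told the race protection succeeded although no label was removed. Failing closed there, for example `default: return fmt.Errorf("no CA bundle injection handling for component %v", comp)`, would surface a missing case as soon as a new component is added. Separately, `preventCABundleInjection` keeps `IgnoreErrors: true` on the kubectl label call, so the "failed to prevent other controllers from reconciling …" wrapping in both callers may never fire unless the rest of the function, which continues past this hunk, checks something else. If the label removal is meant to be best-effort, a comment on the function such as `// Best-effort: a missing ConfigMap or label is not an error.` would say so.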
@@ -305,6 +309,13 @@ func (d *Deployer) deleteSecuredClusterResources(ctx context.Context, wait bool)
305309 }
306310 }
307311
312+ // Pause reconciliation for other controllers, not just our RHACS operator.
313+ // This is needed to ensure that there is no race causing the Cluster Network Operator
314+ // to re-create the injected-ca-bundle ConfigMap during resource deletion.
315+ if err := d .preventOtherControllersFromReconciling (ctx , component .SecuredCluster ); err != nil {
316+ return fmt .Errorf ("failed to prevent other controllers from reconciling SecuredCluster resources: %w" , err )
317+ }
318+
308319 // In the meantime, delete other resources by brute force.
309320 resourceKinds := d .filterResourceKinds (allInstallableSecuredClusterResourceKinds )
310321 err := d .deleteResources (ctx , d .sensorNamespace , resourceKinds , "-l=app.kubernetes.io/part-of=stackrox-secured-cluster-services" )
@@ -317,6 +328,9 @@ func (d *Deployer) deleteSecuredClusterResources(ctx context.Context, wait bool)
317328 // We need to make sure that don't accidentally delete a scanner-db-password belonging to the central CR,
318329 // when both are deployed into the same namespace.
319330 {Name : "scanner-db-password" , Kind : "secret" , OwnerName : securedClusterCrName },
331+ // In case the Cluster Network Operator has succeeded in re-creating the injected-cabundle configmap
332+ // after our operator has already deleted it.
333+ {Name : injectedCABundleConfigMapSecuredCluster , Kind : "configmap" },
320334 } {
321335 d .logger .Dimf ("Attempting to delete %s/%s" , resource .Kind , resource .Name )
322336 if resource .OwnerName != "" {