fix: fix operator race condition (#6929)

Signed-off-by: Julien Mancuso <jmancuso@nvidia.com>

fix: fix operator race condition (#6929)
Signed-off-by: Julien Mancuso <jmancuso@nvidia.com>
7f1f3076 · Julien Mancuso · GitHub · 876c9761 · 7f1f3076 · 7f1f3076
Unverified Commit 7f1f3076 authored Mar 05, 2026 by Julien Mancuso Committed by GitHub Mar 05, 2026
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

deploy/operator/internal/cert/cert.go deploy/operator/internal/cert/cert.go +7 -2

deploy/operator/internal/cert/cert_test.go deploy/operator/internal/cert/cert_test.go +1 -2

No files found.
--- a/deploy/operator/internal/cert/cert.go
+++ b/deploy/operator/internal/cert/cert.go
@@ -131,8 +131,13 @@ func (cm *CertManager) setupAutoProvisioning(ctx context.Context, mgr ctrl.Manag
 			fmt.Sprintf("%s.%s", cm.cfg.ServiceName, cm.namespace),
 			fmt.Sprintf("%s.%s.svc.cluster.local", cm.cfg.ServiceName, cm.namespace),
 		},
-		EnableReadinessCheck:   true,
-		RestartOnSecretRefresh: true,
+		EnableReadinessCheck: true,
+		// RestartOnSecretRefresh is intentionally false (default). The rotator's
+		// ensureCertsMounted goroutine polls CertDir until the kubelet projects
+		// the updated secret, then closes IsReady. The webhook server is only
+		// started after IsReady fires, so the files are guaranteed to exist.
+		// Setting this to true would call os.Exit immediately after writing the
+		// secret, racing the kubelet volume projection on restart.
 	}
 	return cm.provisioner.AddRotator(mgr, rotator)
 }

--- a/deploy/operator/internal/cert/cert_test.go
+++ b/deploy/operator/internal/cert/cert_test.go
@@ -185,8 +185,7 @@ func TestCertManager_AutoModeConfiguresRotator(t *testing.T) {
 			fmt.Sprintf("%s.%s", testServiceName, testNamespace),
 			fmt.Sprintf("%s.%s.svc.cluster.local", testServiceName, testNamespace),
 		},
-		EnableReadinessCheck:   true,
-		RestartOnSecretRefresh: true,
+		EnableReadinessCheck: true,
 	}

 	if !reflect.DeepEqual(prov.capturedArgs, expected) {