fix listener call

storage/kubernetes/controller.go

@@ -14,7 +14,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/retry"
 )
 
@@ -26,7 +25,6 @@ func Load(ctx context.Context, secrets v1controller.SecretController, namespace,
 		namespace: namespace,
 		storage:   backing,
 		ctx:       ctx,
-		initSync:  &sync.Once{},
 	}
 	storage.init(secrets)
 	return storage
@@ -38,18 +36,23 @@ func New(ctx context.Context, core CoreGetter, namespace, name string, backing d
 		namespace: namespace,
 		storage:   backing,
 		ctx:       ctx,
-		initSync:  &sync.Once{},
 	}
 
 	// lazy init
 	go func() {
-		wait.PollImmediateUntilWithContext(ctx, time.Second, func(cxt context.Context) (bool, error) {
+		for {
 			if coreFactory := core(); coreFactory != nil {
 				storage.init(coreFactory.Core().V1().Secret())
-				return true, start.All(ctx, 5, coreFactory)
+				_ = start.All(ctx, 5, coreFactory)
+				return
 			}
-			return false, nil
-		})
+
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(time.Second):
+			}
+		}
 	}()
 
 	return storage
@@ -63,8 +66,6 @@ type storage struct {
 	secrets         v1controller.SecretController
 	ctx             context.Context
 	tls             dynamiclistener.TLSFactory
-	initialized     bool
-	initSync        *sync.Once
 }
 
 func (s *storage) SetFactory(tls dynamiclistener.TLSFactory) {
@@ -91,17 +92,7 @@ func (s *storage) init(secrets v1controller.SecretController) {
 	})
 	s.secrets = secrets
 
-	// Asynchronously sync the backing storage to the Kubernetes secret, as doing so inline may
-	// block the listener from accepting new connections if the apiserver becomes unavailable
-	// after the Secrets controller has been initialized. We're not passing around any contexts
-	// here, nor does the controller accept any, so there's no good way to soft-fail with a
-	// reasonable timeout.
-	go s.syncStorage()
-}
-
-func (s *storage) syncStorage() {
-	var updateStorage bool
-	secret, err := s.Get()
+	secret, err := s.storage.Get()
 	if err == nil && cert.IsValidTLSSecret(secret) {
 		// local storage had a cached secret, ensure that it exists in Kubernetes
 		_, err := s.secrets.Create(&v1.Secret{
@@ -118,20 +109,14 @@ func (s *storage) syncStorage() {
 		}
 	} else {
 		// local storage was empty, try to populate it
-		secret, err = s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
+		secret, err := s.secrets.Get(s.namespace, s.name, metav1.GetOptions{})
 		if err != nil {
 			if !errors.IsNotFound(err) {
 				logrus.Warnf("Failed to init Kubernetes secret: %v", err)
 			}
-		} else {
-			updateStorage = true
+			return
 		}
-	}
 
-	s.Lock()
-	defer s.Unlock()
-	s.initialized = true
-	if updateStorage {
 		if err := s.storage.Update(secret); err != nil {
 			logrus.Warnf("Failed to init backing storage secret: %v", err)
 		}
@@ -164,20 +149,6 @@ func (s *storage) targetSecret() (*v1.Secret, error) {
 
 func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
 	if !s.initComplete() {
-		// Start a goroutine to attempt to save the secret later, once init is complete.
-		// If this was already handled by initComplete, it should be a no-op, or at worst get
-		// merged with the Kubernetes secret.
-		go s.initSync.Do(func() {
-			if err := wait.Poll(100*time.Millisecond, 15*time.Minute, func() (bool, error) {
-				if !s.initComplete() {
-					return false, nil
-				}
-				_, err := s.saveInK8s(secret)
-				return true, err
-			}); err != nil {
-				logrus.Errorf("Failed to save TLS secret after controller init: %v", err)
-			}
-		})
 		return secret, nil
 	}
 
@@ -263,5 +234,5 @@ func (s *storage) update(secret *v1.Secret) (err error) {
 func (s *storage) initComplete() bool {
 	s.RLock()
 	defer s.RUnlock()
-	return s.initialized
+	return s.secrets != nil
 }