Updates to the secret that occurred before the controller was done
syncing were not being written to Kubernetes. Subsequent updates to the
secret would eventually get it written, but Rancher requires that the
cert be written immediately. This was probably an unnecessary
optimization anyway, so back it out in favor of just checking to see if
the secrets controller is available.
Also fixed improper handling of multiple goroutines attempting to create
the Kubernetes secret at the same time; this was also handled eventually
but caused an unnecessary round of extra writes to the secret.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Refreshing the cert should force renewal as opposed to returning
early if the SANs aren't changing. This is currently breaking refresh
of expired certs as per:
https://github.com/rancher/k3s/issues/1621#issuecomment-669464318
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
On the start of a new server we do not want to blindly save the
cert because that will change the TLS key. Instead only write
to k8s on start if there is no secret in k8s. On start of the
controller it will sync up if the local file and k8s secret aren't
the same
