Fixed cert update race condition

Signed-off-by: Patryk Strusiewicz-Surmacki <patryk-pawel.strusiewicz-surmacki@external.telekom.de>

Author: p-strusiewiczsurmacki-mobica

pkg/rotator/rotator.go

@@ -176,6 +176,8 @@ func AddRotator(mgr manager.Manager, cr *CertRotator) error {
 		needLeaderElection:          cr.RequireLeaderElection,
 		refreshCertIfNeededDelegate: cr.refreshCertIfNeeded,
 		fieldOwner:                  cr.FieldOwner,
+		certsMounted:                cr.certsMounted,
+		enableReadinessCheck:        cr.EnableReadinessCheck,
 	}
 	if err := addController(mgr, reconciler, cr.controllerName); err != nil {
 		return err
@@ -251,6 +253,10 @@ type CertRotator struct {
 	CertName string
 	KeyName  string
 
+	// EnableReadinessCheck if true, reconcilation loop will wait for controller-runtime's
+	// runnable to finish execution.
+	EnableReadinessCheck bool
+
 	certsMounted    chan struct{}
 	certsNotMounted chan struct{}
 	wasCAInjected   *atomic.Bool
@@ -743,6 +749,8 @@ type ReconcileWH struct {
 	needLeaderElection          bool
 	refreshCertIfNeededDelegate func() (bool, error)
 	fieldOwner                  string
+	certsMounted                chan struct{}
+	enableReadinessCheck        bool
 }
 
 // Reconcile reads that state of the cluster for a validatingwebhookconfiguration
@@ -752,6 +760,10 @@ func (r *ReconcileWH) Reconcile(ctx context.Context, request reconcile.Request)
 		return reconcile.Result{}, nil
 	}
 
+	if r.enableReadinessCheck {
+		<-r.certsMounted
+	}
+
 	if !r.cache.WaitForCacheSync(ctx) {
 		return reconcile.Result{}, errors.New("cache not ready")
 	}