From a96dc55e1e26266ed4dce2e16773846206f468ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Tue, 20 Jul 2021 09:54:18 +0200
Subject: [PATCH 1/2] data race: fix concurrent read and write of secret annotations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This bug can be reproduced using "go run -race" and by creating many Certificates and renewing them continuously. With 5000 Certificate objects, a data race is found in less than a minute.
Signed-off-by: Maël Valais
---
 pkg/controller/certificates/internal/secretsmanager/secret.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/controller/certificates/internal/secretsmanager/secret.go b/pkg/controller/certificates/internal/secretsmanager/secret.go
index 6e388cab1..019413513 100644
--- a/pkg/controller/certificates/internal/secretsmanager/secret.go
+++ b/pkg/controller/certificates/internal/secretsmanager/secret.go
@@ -102,6 +102,7 @@ func (s *SecretsManager) UpdateData(ctx context.Context, crt *cmapi.Certificate,
 secret.OwnerReferences = []metav1.OwnerReference{*metav1.NewControllerRef(crt, certificateGvk)}
 }
+ secret = secret.DeepCopy()
 err = s.setValues(crt, secret, data)
 if err != nil {
 return err
From af9a1e434f5c885ba9e6d65723dd34bde5230db1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Tue, 20 Jul 2021 16:04:27 +0200
Subject: [PATCH 2/2] data race: fix certificate requests in cache being mutated
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Maël Valais
---
 pkg/controller/certificaterequests/approver/sync.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/controller/certificaterequests/approver/sync.go b/pkg/controller/certificaterequests/approver/sync.go
index 7824793fb..221740a6f 100644
--- a/pkg/controller/certificaterequests/approver/sync.go
+++ b/pkg/controller/certificaterequests/approver/sync.go
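Review bot: In `UpdateData` (secretsmanager/secret.go) the context-line write `secret.OwnerReferences = ...` still runs before the added `secret = secret.DeepCopy()`, so if `secret` can be the lister-returned object at that point, the shared cache entry is still mutated whenever that `if` branch is taken. Taking the copy before the first write, i.e. `secret = secret.DeepCopy()` directly after the Secret is fetched, would cover the owner-reference assignment as well as `setValues`. The fetch and the `if` condition lie outside the hunk, so this needs confirming against the full function body. A comment such as `// secret may come from the shared informer cache; never mutate it in place` would also keep the copy from being dropped in a later cleanup.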
@@ -53,6 +53,7 @@ func (c *Controller) Sync(ctx context.Context, cr *cmapi.CertificateRequest) (er
 }
 // Update the CertificateRequest approved condition to true.
+ cr = cr.DeepCopy()
 apiutil.SetCertificateRequestCondition(cr,
 cmapi.CertificateRequestConditionApproved,
 cmmeta.ConditionTrue,
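Review bot: The added `cr = cr.DeepCopy()` in `Sync` sits between the comment `// Update the CertificateRequest approved condition to true.` and the call that comment describes, and nothing on the new line says why the copy is required. I would move the copy above that comment and give it its own, e.g. `// cr is the informer-cache object; copy it before setting the condition.`, so the requirement survives later refactoring. This matters because an in-place write could let other readers of the cache observe an Approved condition that the API server has not yet persisted. `Sync` continues past the end of the hunk, so it is also worth confirming that no later code path relies on the caller's `cr` carrying the new condition.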