Run ensureClusterMsiCertificate during MaintenanceTaskRenewCerts (#4390)

* Run ensureClusterMsiCertificate during MaintenanceTaskRenewCerts

* use new var managedIdentityCertificateRenewalSteps in unit test to clarify intent

* Update pkg/cluster/adminupdate_test.go

Co-authored-by: Alex Chvatal <[email protected]>

* linter

---------

Co-authored-by: Alex Chvatal <[email protected]>

Author: cadenmarchese

pkg/cluster/adminupdate_test.go

@@ -85,6 +85,11 @@ func TestAdminUpdateSteps(t *testing.T) {
 		"[Action renewMDSDCertificate]",
 	}
 
+	managedIdentityCertificateRenewalSteps := append(
+		certificateRenewalSteps,
+		"[Action ensureClusterMsiCertificate]",
+	)
+
 	operatorUpdateSteps := []string{
 		"[Action startVMs]",
 		"[Condition apiServersReady, timeout 30m0s]",
@@ -262,7 +267,7 @@ func TestAdminUpdateSteps(t *testing.T) {
 				return doc, true
 			},
 			shouldRunSteps: utilgenerics.ConcatMultipleSlices(
-				zerothStepsManagedIdentity, generalFixesSteps, certificateRenewalSteps,
+				zerothStepsManagedIdentity, generalFixesSteps, managedIdentityCertificateRenewalSteps,
 				operatorUpdateSteps, updateProvisionedBySteps,
 			),
 		},

pkg/cluster/install.go

@@ -153,7 +153,7 @@ func (m *manager) getGeneralFixesSteps() []steps.Step {
 }
 
 func (m *manager) getCertificateRenewalSteps() []steps.Step {
-	steps := []steps.Step{
+	s := []steps.Step{
 		steps.Action(m.populateDatabaseIntIP),
 		steps.Action(m.correctCertificateIssuer),
 		steps.Action(m.fixMCSCert),
@@ -165,7 +165,14 @@ func (m *manager) getCertificateRenewalSteps() []steps.Step {
 
 		steps.Action(m.renewMDSDCertificate), // Dependent on initializeOperatorDeployer.
 	}
-	return utilgenerics.ConcatMultipleSlices(m.getEnsureAPIServerReadySteps(), steps)
+
+	if m.doc.OpenShiftCluster.UsesWorkloadIdentity() {
+		s = append(s,
+			steps.Action(m.ensureClusterMsiCertificate),
+		)
+	}
+
+	return utilgenerics.ConcatMultipleSlices(m.getEnsureAPIServerReadySteps(), s)
 }
 
 func (m *manager) getOperatorUpdateSteps() []steps.Step {