🐛 crs: use separate cache for partial metadata watches on secrets to include all secrets #10633
Conversation
k8s-ci-robot
added
area/clusterresourceset
chrischdi
changed the title
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
exp/addons/internal/controllers/clusterresourceset_controller.go
Outdated
Show resolved
Hide resolved
exp/addons/internal/controllers/clusterresourceset_controller.go
Outdated
Show resolved
Hide resolved
exp/addons/internal/controllers/clusterresourceset_controller.go
Outdated
Show resolved
Hide resolved
exp/addons/internal/controllers/clusterresourceset_controller.go
Outdated
Show resolved
Hide resolved
exp/addons/internal/controllers/predicates/resource_predicates.go
Outdated
Show resolved
Hide resolved
|
Very nice! |
chrischdi
force-pushed
the
pr-crs-watch-partial-all-secrets
branch
from
9fde0e2
to
4f90185
Compare
chrischdi
added
the
tide/merge-method-squash
|
@chrischdi can you please check the unit tests? |
|
/test pull-cluster-api-e2e-main |
|
/test pull-cluster-api-e2e-main |
| // secretToExtensionConfigFunc returns a func which maps a secret to ExtensionConfigs with the corresponding | ||
| // InjectCAFromSecretAnnotation to reconcile them on updates of the secrets. | ||
| func (r *Reconciler) secretToExtensionConfigFunc(ctx context.Context, o *metav1.PartialObjectMetadata) []reconcile.Request { |
There was a problem hiding this comment.
Can we revert this (func name + godoc) entirely to what is on main? I think the godoc is not correct anymore (+ the func name is a bit inconsistent now with how we usually call these funcs)
|
Last nit from my side /assign @fabriziopandini |
|
/test pull-cluster-api-e2e-main |
|
Thank you very much! Let's get some additional reviews if possible, just in case I'm missing something |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: fd0b933f00763538f0332835600823f4a8a7933d
|
| // Setup a separate cache for the metadata watches to secrets. | ||
| // This way the watch does not use the LabelSelector defined at the cache which | ||
| // would filter to secrets having the cluster label, because secrets referred | ||
| // by ClusterResourceSet or ExtensionConfig are not specific to a single cluster. |
There was a problem hiding this comment.
| // Setup a separate cache for the metadata watches to secrets. | |
| // This way the watch does not use the LabelSelector defined at the cache which | |
| // would filter to secrets having the cluster label, because secrets referred | |
| // by ClusterResourceSet or ExtensionConfig are not specific to a single cluster. | |
| // Setup a separate cache without label selector for secrets, to be used | |
| // when we need to watch for secrets that are not specific to a single cluster (e.g. ClusterResourceSet or ExtensionConfig controllers). |
| // This way the watch does not use the LabelSelector defined at the cache which | ||
| // would filter to secrets having the cluster label, because secrets referred | ||
| // by ClusterResourceSet or ExtensionConfig are not specific to a single cluster. | ||
| partialSecretCache, err := cache.New(mgr.GetConfig(), cache.Options{ |
There was a problem hiding this comment.
q: should this be allSecretCache instead of partialSecretCache (nothing in the definition points to partial)
q: is there a way to make sure this cache is used only for Secrets (I think not, but might be we can enforce this with a DefaultTransformerFunc that always returns error)
q: should we use TransformStripManagedFields for secrets? (not necessary, but it doesn't hurt)
cc @sbueringer
There was a problem hiding this comment.
the intention why I named it partialSecretCache is that we tend to only use it for PartialObjectMetadata watches/objects. Maybe I should add that information to the comment?
There was a problem hiding this comment.
I like the idea of adding a DefaultTransformerFunc and implemented it.
This way we can make sure to not mis-use the cache 👍
k8s-ci-robot
added
needs-rebase
|
New changes are detected. LGTM label has been removed. |
chrischdi
force-pushed
the
pr-crs-watch-partial-all-secrets
branch
from
53006e4
to
1dd1d9e
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@chrischdi: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/test pull-cluster-api-e2e-main |
|
Cosmetics: /override pull-cluster-api-apidiff-main |
|
@chrischdi: chrischdi unauthorized: /override is restricted to Repo administrators. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What this PR does / why we need it:
This PR introduces a separate cache which is used in the clusterresourceset_controller for watching secrets.
Previously the
WatchesMetadatafor secrets inclusterresourcesset_controllerdid inherit the LabelSelector configured inmain.go:https://github.com/kubernetes-sigs/cluster-api/blob/main/main.go#L322-L329
This label selector gets passed through in controller-runtime for the informer which gets created for the watch.
Secrets for clusterresourcesets may apply for multiple clusters, so the label selector may not even exist at the secrets referred by clusterresourcesets.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #10557
/area clusterresourceset