🐛 crs: use separate cache for partial metadata watches on secrets to include all secrets #10633
Very nice!
9fde0e2 to 4f90185
@chrischdi can you please check the unit tests?
/test pull-cluster-api-e2e-main
Just a few nits. Sorry for the nitpicking, just playing around a bit with generics and trying to find the simplest implementation
Otherwise all good, also tested it and it works perfectly (inspected the caches at runtime)
/test pull-cluster-api-e2e-main
// secretToExtensionConfigFunc returns a func which maps a secret to ExtensionConfigs with the corresponding | ||
// InjectCAFromSecretAnnotation to reconcile them on updates of the secrets. | ||
func (r *Reconciler) secretToExtensionConfigFunc(ctx context.Context, o *metav1.PartialObjectMetadata) []reconcile.Request { |
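Review bot: the godoc on secretToExtensionConfigFunc says it "returns a func which maps a secret to ExtensionConfigs", but the signature shown takes (ctx, o *metav1.PartialObjectMetadata) and returns []reconcile.Request directly, so it is the mapping function itself rather than a constructor for one. Either reword the comment to say that it maps a secret to the ExtensionConfigs carrying the corresponding InjectCAFromSecretAnnotation, or keep a name and godoc pair that describe the same thing.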
Can we revert this (func name + godoc) entirely to what is on main? I think the godoc is not correct anymore (+ the func name is a bit inconsistent now with how we usually call these funcs)
Last nit from my side /assign @fabriziopandini
/test pull-cluster-api-e2e-main
Thank you very much! Let's get some additional reviews if possible, just in case I'm missing something
LGTM label has been added. Git tree hash: fd0b933f00763538f0332835600823f4a8a7933d
Nice change!
// Setup a separate cache for the metadata watches to secrets. | ||
// This way the watch does not use the LabelSelector defined at the cache which | ||
// would filter to secrets having the cluster label, because secrets referred | ||
// by ClusterResourceSet or ExtensionConfig are not specific to a single cluster. |
// Setup a separate cache for the metadata watches to secrets. | |
// This way the watch does not use the LabelSelector defined at the cache which | |
// would filter to secrets having the cluster label, because secrets referred | |
// by ClusterResourceSet or ExtensionConfig are not specific to a single cluster. | |
// Setup a separate cache without label selector for secrets, to be used | |
// when we need to watch for secrets that are not specific to a single cluster (e.g. ClusterResourceSet or ExtensionConfig controllers). |
// This way the watch does not use the LabelSelector defined at the cache which | ||
// would filter to secrets having the cluster label, because secrets referred | ||
// by ClusterResourceSet or ExtensionConfig are not specific to a single cluster. | ||
partialSecretCache, err := cache.New(mgr.GetConfig(), cache.Options{ |
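Review bot: on the cache.New line, the name partialSecretCache implies the cache is only for PartialObjectMetadata, but the comment above it never says so. Because this cache is deliberately built without the cluster-label selector and therefore sees secrets that are not tied to a single cluster, state in the comment that it is intended for metadata-only watches on Secrets, so that nobody later reads full Secret objects through it.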
q: should this be allSecretCache instead of partialSecretCache (nothing in the definition points to partial)
q: is there a way to make sure this cache is used only for Secrets (I think not, but might be we can enforce this with a DefaultTransformerFunc that always returns error)
q: should we use TransformStripManagedFields for secrets? (not necessary, but it doesn't hurt)
cc @sbueringer
the intention why I named it partialSecretCache is that we tend to only use it for PartialObjectMetadata watches/objects. Maybe I should add that information to the comment?
I like the idea of adding a DefaultTransformerFunc and implemented it.
This way we can make sure to not mis-use the cache 👍
New changes are detected. LGTM label has been removed.
53006e4 to 1dd1d9e
/test pull-cluster-api-e2e-main
Cosmetics: /override pull-cluster-api-apidiff-main
@chrischdi: chrischdi unauthorized: /override is restricted to Repo administrators.
What this PR does / why we need it:
This PR introduces a separate cache which is used in the clusterresourceset_controller for watching secrets.
Previously the WatchesMetadata for secrets in clusterresourceset_controller did inherit the LabelSelector configured in main.go: https://github.com/kubernetes-sigs/cluster-api/blob/main/main.go#L322-L329
This label selector gets passed through in controller-runtime for the informer which gets created for the watch.
Secrets for clusterresourcesets may apply for multiple clusters, so the label selector may not even exist at the secrets referred by clusterresourcesets.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #10557
/area clusterresourceset
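
A standard-library Go model of the behaviour this PR describes, added here as an illustration and not code from the PR or from controller-runtime. It shows why a secret without the cluster label never reaches a label-filtered cache, and how a separate cache with a rejecting transform stays limited to Secret metadata. The types, Cache, Observe and secretMetadataOnly are hypothetical stand-ins, and the label key is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed key of the cluster label the manager cache selects on.
const clusterLabel = "cluster.x-k8s.io/cluster-name"

// PartialObjectMetadata is a stand-in for the apimachinery type of that name.
type PartialObjectMetadata struct {
	Kind, Name string
	Labels     map[string]string
}

var ErrNotSecretMetadata = errors.New("cache only accepts Secret metadata")

// secretMetadataOnly models the guard from the review: error for anything but Secret metadata.
func secretMetadataOnly(in any) (any, error) {
	if m, ok := in.(PartialObjectMetadata); ok && m.Kind == "Secret" {
		return m, nil
	}
	return nil, fmt.Errorf("%w: got %T", ErrNotSecretMetadata, in)
}

// Cache models an informer cache; RequireLabel is an "exists" selector, empty means none.
type Cache struct {
	RequireLabel string
	Transform    func(any) (any, error)
}

// Observe reports whether a watch built on this cache would see the object.
func (c *Cache) Observe(in any) (bool, error) {
	if c.Transform != nil {
		var err error
		if in, err = c.Transform(in); err != nil {
			return false, err
		}
	}
	m, ok := in.(PartialObjectMetadata)
	_, has := m.Labels[c.RequireLabel]
	return ok && (c.RequireLabel == "" || has), nil
}

func main() {
	// Constructed sample: a Secret referenced by a ClusterResourceSet, no cluster label.
	crs := PartialObjectMetadata{Kind: "Secret", Name: "crs-addon"}
	viaManager, _ := (&Cache{RequireLabel: clusterLabel}).Observe(crs)
	viaSeparate, _ := (&Cache{Transform: secretMetadataOnly}).Observe(crs)
	fmt.Println(viaManager, viaSeparate) // false true
}
```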