chore: minor cleanup to reconilcer controllers (#1563)

Author: karlkfi

pkg/reconcilermanager/controllers/reconciler_base.go

@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -31,6 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/json"
 	"k8s.io/client-go/dynamic"
@@ -50,6 +52,7 @@ import (
 	webhookconfiguration "kpt.dev/configsync/pkg/webhook/configuration"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 const (
@@ -103,8 +106,8 @@ type reconcilerBase struct {
 	githubApp               githubAppSpec
 	webhookEnabled          bool
 
-	// syncKind is the kind of the sync object: RootSync or RepoSync.
-	syncKind string
+	// syncGVK is the GroupVersionKind of the sync object: RootSync or RepoSync.
+	syncGVK schema.GroupVersionKind
 
 	// controllerName is used by tests to de-dupe controllers
 	controllerName string
@@ -601,7 +604,7 @@ func (r *reconcilerBase) setupOrTeardown(ctx context.Context, syncObj client.Obj
 			controllerutil.AddFinalizer(syncObj, metadata.ReconcilerManagerFinalizer)
 			if err := r.client.Update(ctx, syncObj, client.FieldOwner(reconcilermanager.FieldManager)); err != nil {
 				err = status.APIServerError(err,
-					fmt.Sprintf("failed to update %s to add finalizer", r.syncKind))
+					fmt.Sprintf("failed to update %s to add finalizer", r.syncGVK.Kind))
 				r.logger(ctx).Error(err, "Finalizer injection failed")
 				return err
 			}
@@ -650,7 +653,7 @@ func (r *reconcilerBase) setupOrTeardown(ctx context.Context, syncObj client.Obj
 		controllerutil.RemoveFinalizer(syncObj, metadata.ReconcilerManagerFinalizer)
 		if err := r.client.Update(ctx, syncObj, client.FieldOwner(reconcilermanager.FieldManager)); err != nil {
 			err = status.APIServerError(err,
-				fmt.Sprintf("failed to update %s to remove the reconciler-manager finalizer", r.syncKind))
+				fmt.Sprintf("failed to update %s to remove the reconciler-manager finalizer", r.syncGVK.Kind))
 			r.logger(ctx).Error(err, "Removal of reconciler-manager finalizer failed")
 			return err
 		}
@@ -686,7 +689,7 @@ func (r *reconcilerBase) updateRBACBinding(ctx context.Context, reconcilerRef, r
 	} else if rb, ok := binding.(*rbacv1.RoleBinding); ok {
 		rb.Subjects = subjects
 	}
-	core.AddLabels(binding, ManagedObjectLabelMap(r.syncKind, rsRef))
+	core.AddLabels(binding, ManagedObjectLabelMap(r.syncGVK.Kind, rsRef))
 	if equality.Semantic.DeepEqual(existingBinding, binding) {
 		return nil
 	}
@@ -708,7 +711,7 @@ func (r *reconcilerBase) upsertSharedClusterRoleBinding(ctx context.Context, nam
 	childCRB := &rbacv1.ClusterRoleBinding{}
 	childCRB.Name = crbRef.Name
 
-	labelMap := ManagedObjectLabelMap(r.syncKind, rsRef)
+	labelMap := ManagedObjectLabelMap(r.syncGVK.Kind, rsRef)
 	// Remove sync-name label since the ClusterRoleBinding may be shared
 	delete(labelMap, metadata.SyncNameLabel)
 
@@ -792,7 +795,7 @@ func (r *reconcilerBase) patchSyncMetadata(ctx context.Context, rs client.Object
 				// Some other tooling previously claimed this RSync as an ApplySet parent.
 				// According to the ApplySet KEP, we MUST error if the tooling name does not match.
 				return false, fmt.Errorf("%s applyset owned by %s: remove the %s annotation to allow adoption",
-					r.syncKind, currentApplySetToolingValue, metadata.ApplySetToolingAnnotation)
+					r.syncGVK.Kind, currentApplySetToolingValue, metadata.ApplySetToolingAnnotation)
 			}
 			// Else, if the name is ours, we can adopt it and update the version.
 			// In the future we may want some version migration behavior,
@@ -823,3 +826,62 @@ func (r *reconcilerBase) patchSyncMetadata(ctx context.Context, rs client.Object
 	r.logger(ctx).Info("Sync metadata update successful")
 	return true, nil
 }
+
+func (r *reconcilerBase) requeueRSync(ctx context.Context, obj client.Object, rsRef types.NamespacedName) []reconcile.Request {
+	r.logger(ctx).Info(fmt.Sprintf("Changes to %s triggered a reconciliation for the %s (%s).",
+		kinds.ObjectSummary(obj), r.syncGVK.Kind, rsRef))
+	return []reconcile.Request{
+		{NamespacedName: rsRef},
+	}
+}
+
+func (r *reconcilerBase) requeueAllRSyncs(ctx context.Context, obj client.Object) []reconcile.Request {
+	syncMetaList, err := r.listSyncMetadata(ctx)
+	if err != nil {
+		r.logger(ctx).Error(err, "Failed to list objects",
+			logFieldSyncKind, r.syncGVK.Kind)
+		return nil
+	}
+	requests := make([]reconcile.Request, len(syncMetaList.Items))
+	for i, syncMeta := range syncMetaList.Items {
+		requests[i] = reconcile.Request{
+			NamespacedName: client.ObjectKeyFromObject(&syncMeta),
+		}
+	}
+	if len(requests) > 0 {
+		r.logger(ctx).Info(fmt.Sprintf("Changes to %s triggered reconciliations for %d %s objects.",
+			kinds.ObjectSummary(obj), len(syncMetaList.Items), r.syncGVK.Kind))
+	}
+	return requests
+}
+
+func (r *reconcilerBase) listSyncMetadata(ctx context.Context, opts ...client.ListOption) (*metav1.PartialObjectMetadataList, error) {
+	syncMetaList := &metav1.PartialObjectMetadataList{}
+	syncMetaList.SetGroupVersionKind(kinds.ListGVKForItemGVK(r.syncGVK))
+	if err := r.client.List(ctx, syncMetaList, opts...); err != nil {
+		return nil, err
+	}
+	return syncMetaList, nil
+}
+
+// isAnnotationValueTrue returns whether the annotation should be enabled for the
+// reconciler of this RSync. This is determined by an annotation that is set on
+// the RSync by the reconciler.
+func (r *reconcilerBase) isAnnotationValueTrue(ctx context.Context, obj core.Annotated, key string) bool {
+	annotations := obj.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	val, ok := obj.GetAnnotations()[key]
+	if !ok { // default to disabling the annotation
+		return false
+	}
+	boolVal, err := strconv.ParseBool(val)
+	if err != nil {
+		// This should never happen, as the annotation should always be set to a
+		// valid value by the reconciler. Log the error and return the default value.
+		r.logger(ctx).Error(err, "Failed to parse annotation value as boolean: %s: %s", key, val)
+		return false
+	}
+	return boolVal
+}

pkg/reconcilermanager/controllers/reposync_controller.go

@@ -106,7 +106,7 @@ func NewRepoSyncReconciler(clusterName string, reconcilerPollingPeriod, hydratio
 			scheme:                     scheme,
 			reconcilerPollingPeriod:    reconcilerPollingPeriod,
 			hydrationPollingPeriod:     hydrationPollingPeriod,
-			syncKind:                   configsync.RepoSyncKind,
+			syncGVK:                    kinds.RepoSyncV1Beta1(),
 			knownHostExist:             false,
 			controllerName:             "",
 		},
@@ -130,7 +130,7 @@ func (r *RepoSyncReconciler) Reconcile(ctx context.Context, req controllerruntim
 		Name:      core.NsReconcilerName(rsRef.Namespace, rsRef.Name),
 	}
 	ctx = r.setLoggerValues(ctx,
-		logFieldSyncKind, r.syncKind,
+		logFieldSyncKind, r.syncGVK.Kind,
 		logFieldSyncRef, rsRef.String(),
 		logFieldReconciler, reconcilerRef.String())
 	rs := &v1beta1.RepoSync{}
@@ -220,7 +220,7 @@ func (r *RepoSyncReconciler) upsertManagedObjects(ctx context.Context, reconcile
 	rsRef := client.ObjectKeyFromObject(rs)
 	r.logger(ctx).V(3).Info("Reconciling managed objects")
 
-	labelMap := ManagedObjectLabelMap(r.syncKind, rsRef)
+	labelMap := ManagedObjectLabelMap(r.syncGVK.Kind, rsRef)
 
 	// Create secret in config-management-system namespace using the
 	// existing secret in the reposync.namespace.
@@ -561,11 +561,14 @@ func (r *RepoSyncReconciler) watchConfigMaps(rs *v1beta1.RepoSync) error {
 
 func (r *RepoSyncReconciler) mapMembershipToRepoSyncs(ctx context.Context, o client.Object) []reconcile.Request {
 	// Clear the membership if the cluster is unregistered
-	if err := r.client.Get(ctx, types.NamespacedName{Name: fleetMembershipName}, &hubv1.Membership{}); err != nil {
+	membershipObj := &hubv1.Membership{}
+	membershipObj.Name = fleetMembershipName
+	membershipRef := client.ObjectKeyFromObject(membershipObj)
+	if err := r.client.Get(ctx, membershipRef, membershipObj); err != nil {
 		if apierrors.IsNotFound(err) {
 			klog.Info("Fleet Membership not found, clearing membership cache")
 			r.membership = nil
-			return r.requeueAllRepoSyncs(fleetMembershipName)
+			return r.requeueAllRSyncs(ctx, membershipObj)
 		}
 		klog.Errorf("Fleet Membership get failed: %v", err)
 		return nil
@@ -581,28 +584,7 @@ func (r *RepoSyncReconciler) mapMembershipToRepoSyncs(ctx context.Context, o cli
 		return nil
 	}
 	r.membership = m
-	return r.requeueAllRepoSyncs(fleetMembershipName)
-}
-
-func (r *RepoSyncReconciler) requeueAllRepoSyncs(name string) []reconcile.Request {
-	//TODO: pass through context (reqs updating controller-runtime)
-	ctx := context.Background()
-	allRepoSyncs := &v1beta1.RepoSyncList{}
-	if err := r.client.List(ctx, allRepoSyncs); err != nil {
-		klog.Errorf("RepoSync list failed: %v", err)
-		return nil
-	}
-
-	requests := make([]reconcile.Request, len(allRepoSyncs.Items))
-	for i, rs := range allRepoSyncs.Items {
-		requests[i] = reconcile.Request{
-			NamespacedName: client.ObjectKeyFromObject(&rs),
-		}
-	}
-	if len(requests) > 0 {
-		klog.Infof("Changes to %s trigger reconciliations for %d RepoSync objects.", name, len(allRepoSyncs.Items))
-	}
-	return requests
+	return r.requeueAllRSyncs(ctx, membershipObj)
 }
 
 // mapSecretToRepoSyncs define a mapping from the Secret object to its attached
@@ -633,7 +615,7 @@ func (r *RepoSyncReconciler) mapSecretToRepoSyncs(ctx context.Context, secret cl
 			// so requeue the mapped RepoSync object and then return.
 			reconcilerName := core.NsReconcilerName(rs.GetNamespace(), rs.GetName())
 			if isUpsertedSecret(&rs, sRef.Name) {
-				return requeueRepoSyncRequest(secret, client.ObjectKeyFromObject(&rs))
+				return r.requeueRSync(ctx, secret, client.ObjectKeyFromObject(&rs))
 			}
 			isSAToken := strings.HasPrefix(sRef.Name, reconcilerName+"-token-")
 			if isSAToken {
@@ -648,7 +630,7 @@ func (r *RepoSyncReconciler) mapSecretToRepoSyncs(ctx context.Context, secret cl
 				}
 				for _, s := range serviceAccount.Secrets {
 					if s.Name == sRef.Name {
-						return requeueRepoSyncRequest(secret, client.ObjectKeyFromObject(&rs))
+						return r.requeueRSync(ctx, secret, client.ObjectKeyFromObject(&rs))
 					}
 				}
 			}
@@ -686,9 +668,9 @@ func (r *RepoSyncReconciler) mapSecretToRepoSyncs(ctx context.Context, secret cl
 	return requests
 }
 
-func (r *RepoSyncReconciler) mapAdmissionWebhookToRepoSyncs(_ context.Context, admissionWebhook client.Object) []reconcile.Request {
+func (r *RepoSyncReconciler) mapAdmissionWebhookToRepoSyncs(ctx context.Context, admissionWebhook client.Object) []reconcile.Request {
 	if admissionWebhook.GetName() == webhookconfiguration.Name {
-		return r.requeueAllRepoSyncs(admissionWebhook.GetName())
+		return r.requeueAllRSyncs(ctx, admissionWebhook)
 	}
 	return nil
 }
@@ -782,7 +764,7 @@ func (r *RepoSyncReconciler) mapConfigMapToRepoSyncs(ctx context.Context, obj cl
 			}
 		}
 		if len(rsRef.Name) > 0 && len(rsRef.Namespace) > 0 {
-			return requeueRepoSyncRequest(obj, rsRef)
+			return r.requeueRSync(ctx, obj, rsRef)
 		}
 		return nil
 	}
@@ -857,10 +839,10 @@ func (r *RepoSyncReconciler) mapObjectToRepoSync(ctx context.Context, obj client
 		}
 	}
 
-	allRepoSyncs := &v1beta1.RepoSyncList{}
-	if err := r.client.List(ctx, allRepoSyncs); err != nil {
-		klog.Errorf("failed to list all RepoSyncs for %s (%s): %v",
-			obj.GetObjectKind().GroupVersionKind().Kind, objRef, err)
+	syncMetaList, err := r.listSyncMetadata(ctx)
+	if err != nil {
+		r.logger(ctx).Error(err, "Failed to list objects",
+			logFieldSyncKind, r.syncGVK.Kind)
 		return nil
 	}
 
@@ -869,19 +851,19 @@ func (r *RepoSyncReconciler) mapObjectToRepoSync(ctx context.Context, obj client
 	// For other resources, requeue the mapping RepoSync object and then return.
 	var requests []reconcile.Request
 	var attachedRSNames []string
-	for _, rs := range allRepoSyncs.Items {
-		reconcilerName := core.NsReconcilerName(rs.GetNamespace(), rs.GetName())
+	for _, syncMeta := range syncMetaList.Items {
+		reconcilerName := core.NsReconcilerName(syncMeta.GetNamespace(), syncMeta.GetName())
 		switch obj.(type) {
 		case *rbacv1.RoleBinding:
-			if objRef.Name == nsRoleBindingName && objRef.Namespace == rs.Namespace {
+			if objRef.Name == nsRoleBindingName && objRef.Namespace == syncMeta.Namespace {
 				requests = append(requests, reconcile.Request{
-					NamespacedName: client.ObjectKeyFromObject(&rs),
+					NamespacedName: client.ObjectKeyFromObject(&syncMeta),
 				})
-				attachedRSNames = append(attachedRSNames, rs.GetName())
+				attachedRSNames = append(attachedRSNames, syncMeta.GetName())
 			}
 		default: // Deployment and ServiceAccount
 			if objRef.Name == reconcilerName {
-				return requeueRepoSyncRequest(obj, client.ObjectKeyFromObject(&rs))
+				return r.requeueRSync(ctx, obj, client.ObjectKeyFromObject(&syncMeta))
 			}
 		}
 	}
@@ -892,16 +874,6 @@ func (r *RepoSyncReconciler) mapObjectToRepoSync(ctx context.Context, obj client
 	return requests
 }
 
-func requeueRepoSyncRequest(obj client.Object, rsRef types.NamespacedName) []reconcile.Request {
-	klog.Infof("Changes to %s triggered a reconciliation for the RepoSync (%s).",
-		kinds.ObjectSummary(obj), rsRef)
-	return []reconcile.Request{
-		{
-			NamespacedName: rsRef,
-		},
-	}
-}
-
 func (r *RepoSyncReconciler) populateContainerEnvs(ctx context.Context, rs *v1beta1.RepoSync, reconcilerName string) map[string][]corev1.EnvVar {
 	result := map[string][]corev1.EnvVar{
 		reconcilermanager.HydrationController: hydrationEnvs(hydrationOptions{
@@ -926,7 +898,7 @@ func (r *RepoSyncReconciler) populateContainerEnvs(ctx context.Context, rs *v1be
 			statusMode:        rs.Spec.SafeOverride().StatusMode,
 			reconcileTimeout:  v1beta1.GetReconcileTimeout(rs.Spec.SafeOverride().ReconcileTimeout),
 			apiServerTimeout:  v1beta1.GetAPIServerTimeout(rs.Spec.SafeOverride().APIServerTimeout),
-			requiresRendering: annotationEnabled(metadata.RequiresRenderingAnnotationKey, rs.GetAnnotations()),
+			requiresRendering: r.isAnnotationValueTrue(ctx, rs, metadata.RequiresRenderingAnnotationKey),
 			// Namespace reconciler doesn't support NamespaceSelector at all.
 			dynamicNSSelectorEnabled: false,
 			webhookEnabled:           r.webhookEnabled,
@@ -1090,7 +1062,7 @@ func (r *RepoSyncReconciler) upsertSharedRoleBinding(ctx context.Context, reconc
 	childRB := &rbacv1.RoleBinding{}
 	childRB.Name = rbRef.Name
 	childRB.Namespace = rbRef.Namespace
-	labelMap := ManagedObjectLabelMap(r.syncKind, rsRef)
+	labelMap := ManagedObjectLabelMap(r.syncGVK.Kind, rsRef)
 	// Remove sync-name label since the RoleBinding may be shared
 	delete(labelMap, metadata.SyncNameLabel)
 
@@ -1242,7 +1214,7 @@ func (r *RepoSyncReconciler) mutationsFor(ctx context.Context, rs *v1beta1.RepoS
 			case reconcilermanager.Reconciler:
 				container.Env = append(container.Env, containerEnvs[container.Name]...)
 			case reconcilermanager.HydrationController:
-				if !annotationEnabled(metadata.RequiresRenderingAnnotationKey, rs.GetAnnotations()) {
+				if !r.isAnnotationValueTrue(ctx, rs, metadata.RequiresRenderingAnnotationKey) {
 					// if the sync source does not require rendering, omit the hydration controller
 					// this minimizes the resource footprint of the reconciler
 					addContainer = false