BUG fix - OOM crash when cluster contains a lot of secrets (#610)

Author: kerenlahav

.github/workflows/go.yml

@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - name: Set up Go 1.25.6
+    - name: Set up Go 1.25.7
       uses: actions/setup-go@v2
       with:
-        go-version: 1.25.6
+        go-version: 1.25.7
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v2

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.25.6-alpine3.23 as builder
+FROM --platform=$BUILDPLATFORM golang:1.25.7-alpine3.23 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

api/common/consts.go

@@ -5,6 +5,7 @@ const (
 	ClusterSecretLabel        = "services.cloud.sap.com/cluster-secret"
 	InstanceSecretRefLabel    = "services.cloud.sap.com/secret-ref_"
 	WatchSecretAnnotation     = "services.cloud.sap.com/watch-secret-"
+	WatchSecretLabel          = "services.cloud.sap.com/watch-secret"
 
 	NamespaceLabel = "_namespace"
 	K8sNameLabel   = "_k8sname"

controllers/secret_controller.go

@@ -6,8 +6,9 @@ import (
 	"reflect"
 
 	"github.com/SAP/sap-btp-service-operator/internal/utils/logutils"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
@@ -78,50 +79,40 @@ func (r *SecretReconciler) Reconcile(ctx context.Context, req reconcile.Request)
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *SecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	predicates := predicate.Funcs{
+	labelSelectorPredicate, err := predicate.LabelSelectorPredicate(metav1.LabelSelector{
+		MatchLabels: map[string]string{common.WatchSecretLabel: "true"},
+	})
+	if err != nil {
+		return err
+	}
+
+	dataChangedPredicate := predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {
-			return (utils.IsSecretWatched(e.ObjectNew.GetAnnotations()) && isSecretDataChanged(e)) || isSecretInDelete(e)
+			oldSecret := e.ObjectOld.(*corev1.Secret)
+			newSecret := e.ObjectNew.(*corev1.Secret)
+			return (utils.IsSecretWatched(newSecret) && isSecretDataChanged(oldSecret, newSecret)) || isSecretInDelete(newSecret)
 		},
 		CreateFunc: func(e event.CreateEvent) bool {
-			return utils.IsSecretWatched(e.Object.GetAnnotations())
+			return utils.IsSecretWatched(e.Object)
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
-			return utils.IsSecretWatched(e.Object.GetAnnotations())
+			return utils.IsSecretWatched(e.Object)
 		},
 		GenericFunc: func(e event.GenericEvent) bool {
-			return utils.IsSecretWatched(e.Object.GetAnnotations())
+			return utils.IsSecretWatched(e.Object)
 		},
 	}
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Secret{}).
-		WithEventFilter(predicates).
+		For(&corev1.Secret{}, builder.WithPredicates(labelSelectorPredicate, dataChangedPredicate)).
 		WithOptions(controller.Options{MaxConcurrentReconciles: 1}).
 		Complete(r)
 }
 
-func isSecretDataChanged(e event.UpdateEvent) bool {
-	// Type assert to *v1.Secret
-	oldSecret, okOld := e.ObjectOld.(*corev1.Secret)
-	newSecret, okNew := e.ObjectNew.(*corev1.Secret)
-	if !okOld || !okNew {
-		// If the objects are not Secrets, skip the event
-		return false
-	}
-
-	// Compare the Data field (byte slices)
+func isSecretDataChanged(oldSecret, newSecret *corev1.Secret) bool {
 	return !reflect.DeepEqual(oldSecret.Data, newSecret.Data) || !reflect.DeepEqual(oldSecret.StringData, newSecret.StringData)
 }
 
-func isSecretInDelete(e event.UpdateEvent) bool {
-	// Type assert to *v1.Secret
-
-	newSecret, okNew := e.ObjectNew.(*corev1.Secret)
-	if !okNew {
-		// If the objects are not Secrets, skip the event
-		return false
-	}
-
-	// Compare the Data field (byte slices)
-	return !newSecret.GetDeletionTimestamp().IsZero() && controllerutil.ContainsFinalizer(newSecret, common.FinalizerName)
+func isSecretInDelete(secret *corev1.Secret) bool {
+	return !secret.GetDeletionTimestamp().IsZero() && controllerutil.ContainsFinalizer(secret, common.FinalizerName)
 }

controllers/serviceinstance_controller.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/SAP/sap-btp-service-operator/internal/utils/logutils"
 	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"k8s.io/apimachinery/pkg/types"
@@ -143,12 +144,7 @@ func (r *ServiceInstanceReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}
 
 	if isFinalState(ctx, serviceInstance) {
-		if len(serviceInstance.Status.HashedSpec) == 0 {
-			updateHashedSpecValue(serviceInstance)
-			return ctrl.Result{}, utils.UpdateStatus(ctx, r.Client, serviceInstance)
-		}
-
-		return ctrl.Result{}, nil
+		return r.maintainFinalState(ctx, serviceInstance)
 	}
 
 	if controllerutil.AddFinalizer(serviceInstance, common.FinalizerName) {
@@ -574,7 +570,6 @@ func (r *ServiceInstanceReconciler) buildSMRequestParameters(ctx context.Context
 				log.Error(err, fmt.Sprintf("failed to mark secret for watch %s", secret.Name))
 				return nil, err
 			}
-
 		}
 	}
 
@@ -603,6 +598,34 @@ func (r *ServiceInstanceReconciler) buildSMRequestParameters(ctx context.Context
 	return instanceParameters, nil
 }
 
+func (r *ServiceInstanceReconciler) maintainFinalState(ctx context.Context, serviceInstance *v1.ServiceInstance) (ctrl.Result, error) {
+	log := logutils.GetLogger(ctx)
+
+	if serviceInstance.IsSubscribedToParamSecretsChanges() {
+		log.Info("instance is in final state, WatchParametersFromChanges is true, validating that all parameters secrets are watched")
+		for _, param := range serviceInstance.Spec.ParametersFrom {
+			if param.SecretKeyRef != nil {
+				secret := &corev1.Secret{}
+				if err := r.Get(ctx, types.NamespacedName{Name: param.SecretKeyRef.Name, Namespace: serviceInstance.Namespace}, secret); err != nil {
+					log.Error(err, fmt.Sprintf("failed to get secret %s", param.SecretKeyRef.Name))
+					return ctrl.Result{}, err
+				}
+				if err := utils.AddWatchForSecretIfNeeded(ctx, r.Client, secret, string(serviceInstance.UID)); err != nil {
+					log.Error(err, fmt.Sprintf("failed to mark secret for watch %s", param.SecretKeyRef.Name))
+					return ctrl.Result{}, err
+				}
+			}
+		}
+	}
+
+	if len(serviceInstance.Status.HashedSpec) == 0 {
+		log.Info("instance is missing HashedSpec value, updating it")
+		updateHashedSpecValue(serviceInstance)
+		return ctrl.Result{}, utils.UpdateStatus(ctx, r.Client, serviceInstance)
+	}
+	return ctrl.Result{}, nil
+}
+
 func isFinalState(ctx context.Context, serviceInstance *v1.ServiceInstance) bool {
 	log := logutils.GetLogger(ctx)
 

controllers/serviceinstance_controller_test.go

@@ -1663,10 +1663,11 @@ func checkSecretAnnotationsAndLabels(ctx context.Context, k8sClient client.Clien
 	if len(instances) == 0 {
 		Eventually(func() bool {
 			Expect(k8sClient.Get(ctx, getResourceNamespacedName(paramsSecret), paramsSecret)).To(Succeed())
-			return !utils.IsSecretWatched(paramsSecret.Annotations) && len(paramsSecret.Finalizers) == 0
+			return !utils.IsSecretWatched(paramsSecret) && len(paramsSecret.Finalizers) == 0
 		}, timeout, interval).Should(BeTrue())
 	} else {
 		Expect(k8sClient.Get(ctx, getResourceNamespacedName(paramsSecret), paramsSecret)).To(Succeed())
+		Expect(paramsSecret.Labels[common.WatchSecretLabel]).To(Equal("true"))
 		for _, instance := range instances {
 			Expect(k8sClient.Get(ctx, getResourceNamespacedName(instance), instance)).To(Succeed())
 			Expect(instance.Labels[utils.GetLabelKeyForInstanceSecret(paramsSecret.Name)]).To(Equal(paramsSecret.Name))

go.mod

@@ -1,6 +1,6 @@
 module github.com/SAP/sap-btp-service-operator
 
-go 1.25.6
+go 1.25.7
 
 require (
 	github.com/Masterminds/sprig/v3 v3.3.0

internal/utils/controller_util.go

@@ -23,7 +23,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/rand"
 
-	v1 "k8s.io/api/authentication/v1"
+	authv1 "k8s.io/api/authentication/v1"
 )
 
 const (
@@ -80,7 +80,7 @@ func NormalizeCredentials(credentialsJSON json.RawMessage) (map[string][]byte, [
 	return normalized, metadata, nil
 }
 
-func BuildUserInfo(ctx context.Context, userInfo *v1.UserInfo) string {
+func BuildUserInfo(ctx context.Context, userInfo *authv1.UserInfo) string {
 	log := logutils.GetLogger(ctx)
 	if userInfo == nil {
 		return ""
@@ -177,13 +177,25 @@ func RemoveAnnotations(ctx context.Context, k8sClient client.Client, object comm
 
 func AddWatchForSecretIfNeeded(ctx context.Context, k8sClient client.Client, secret *corev1.Secret, instanceUID string) error {
 	log := logutils.GetLogger(ctx)
+	updateRequired := false
 	if secret.Annotations == nil {
 		secret.Annotations = make(map[string]string)
 	}
 	if len(secret.Annotations[common.WatchSecretAnnotation+string(instanceUID)]) == 0 {
-		log.Info(fmt.Sprintf("adding secret watch for secret %s", secret.Name))
+		log.Info(fmt.Sprintf("adding secret watch annotation for instance %s on secret %s", instanceUID, secret.Name))
 		secret.Annotations[common.WatchSecretAnnotation+instanceUID] = "true"
+		updateRequired = true
+	}
+	if secret.Labels == nil {
+		secret.Labels = make(map[string]string)
+	}
+	if secret.Labels[common.WatchSecretLabel] != "true" {
+		log.Info(fmt.Sprintf("adding watch label for secret %s", secret.Name))
+		secret.Labels[common.WatchSecretLabel] = "true"
 		controllerutil.AddFinalizer(secret, common.FinalizerName)
+		updateRequired = true
+	}
+	if updateRequired {
 		return k8sClient.Update(ctx, secret)
 	}
 
@@ -197,19 +209,22 @@ func RemoveWatchForSecret(ctx context.Context, k8sClient client.Client, secretKe
 	}
 
 	delete(secret.Annotations, common.WatchSecretAnnotation+instanceUID)
-	if !IsSecretWatched(secret.Annotations) {
+	existInstanceAnnotation := false
+	for key := range secret.Annotations {
+		if strings.HasPrefix(key, common.WatchSecretAnnotation) {
+			existInstanceAnnotation = true
+			break
+		}
+	}
+	if !existInstanceAnnotation {
+		delete(secret.Labels, common.WatchSecretLabel)
 		controllerutil.RemoveFinalizer(secret, common.FinalizerName)
 	}
 	return k8sClient.Update(ctx, secret)
 }
 
-func IsSecretWatched(secretAnnotations map[string]string) bool {
-	for key := range secretAnnotations {
-		if strings.HasPrefix(key, common.WatchSecretAnnotation) {
-			return true
-		}
-	}
-	return false
+func IsSecretWatched(secret client.Object) bool {
+	return secret.GetLabels() != nil && secret.GetLabels()[common.WatchSecretLabel] == "true"
 }
 
 func GetLabelKeyForInstanceSecret(secretName string) string {

internal/utils/controller_util_test.go

@@ -185,6 +185,7 @@ var _ = Describe("Controller Util", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(updatedSecret.Finalizers[0]).To(Equal(common.FinalizerName))
 			Expect(updatedSecret.Annotations[common.WatchSecretAnnotation+"123"]).To(Equal("true"))
+			Expect(updatedSecret.Labels[common.WatchSecretLabel]).To(Equal("true"))
 
 		})
 	})