Merge pull request #3491 from ntnn/kcp3350-clusterwithcontext

Prevent workspace deletion leaks

Author: kcp-ci-bot

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
-	go.uber.org/goleak v1.3.0
+	go.uber.org/goleak v1.3.1-0.20241121203838-4ff5fa6529ee
 	go.uber.org/multierr v1.11.0
 	golang.org/x/sys v0.32.0
 	gopkg.in/square/go-jose.v2 v2.6.0

go.sum

@@ -346,8 +346,8 @@ go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37Cb
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/goleak v1.3.1-0.20241121203838-4ff5fa6529ee h1:uOMbcH1Dmxv45VkkpZQYoerZFeDncWpjbN7ATiQOO7c=
+go.uber.org/goleak v1.3.1-0.20241121203838-4ff5fa6529ee/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=

pkg/admission/mutatingwebhook/plugin.go

@@ -27,11 +27,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/configuration"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/client-go/tools/cache"
 
 	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
 	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
@@ -40,6 +42,7 @@ import (
 	kcpinitializers "github.com/kcp-dev/kcp/pkg/admission/initializers"
 	"github.com/kcp-dev/kcp/pkg/admission/validatingwebhook"
 	apisv1alpha2 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha2"
+	corev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
 	kcpinformers "github.com/kcp-dev/kcp/sdk/client/informers/externalversions"
 )
 
@@ -55,11 +58,13 @@ type Plugin struct {
 	kubeClusterClient               kcpkubernetesclientset.ClusterInterface
 	localKubeSharedInformerFactory  kcpkubernetesinformers.SharedInformerFactory
 	globalKubeSharedInformerFactory kcpkubernetesinformers.SharedInformerFactory
+	serverStopChannel               <-chan struct{}
 
 	getAPIBindings func(clusterName logicalcluster.Name) ([]*apisv1alpha2.APIBinding, error)
 
-	managerLock   sync.Mutex
-	managersCache map[logicalcluster.Name]generic.Source
+	managerLock    sync.Mutex
+	managersCache  map[logicalcluster.Name]generic.Source
+	managersCancel map[logicalcluster.Name]context.CancelFunc
 }
 
 var (
@@ -72,9 +77,10 @@ var (
 
 func NewMutatingAdmissionWebhook(configFile io.Reader) (*Plugin, error) {
 	p := &Plugin{
-		managerLock:   sync.Mutex{},
-		managersCache: make(map[logicalcluster.Name]generic.Source),
-		Handler:       admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
+		managerLock:    sync.Mutex{},
+		managersCache:  make(map[logicalcluster.Name]generic.Source),
+		managersCancel: make(map[logicalcluster.Name]context.CancelFunc),
+		Handler:        admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
 	}
 	if configFile != nil {
 		config, err := io.ReadAll(configFile)
@@ -146,10 +152,13 @@ func (p *Plugin) getHookSource(clusterName logicalcluster.Name, groupResource sc
 
 	p.managerLock.Lock()
 	defer p.managerLock.Unlock()
+
 	if _, ok := p.managersCache[clusterNameForGroupResource]; !ok {
+		ctx, cancel := context.WithCancel(wait.ContextForChannel(p.serverStopChannel))
 		p.managersCache[clusterNameForGroupResource] = configuration.NewMutatingWebhookConfigurationManagerForInformer(
-			p.globalKubeSharedInformerFactory.Admissionregistration().V1().MutatingWebhookConfigurations().Cluster(clusterNameForGroupResource),
+			p.globalKubeSharedInformerFactory.Admissionregistration().V1().MutatingWebhookConfigurations().ClusterWithContext(ctx, clusterNameForGroupResource),
 		)
+		p.managersCancel[clusterNameForGroupResource] = cancel
 	}
 
 	return p.managersCache[clusterNameForGroupResource], nil
@@ -184,6 +193,9 @@ func (p *Plugin) ValidateInitialization() error {
 	if p.globalKubeSharedInformerFactory == nil {
 		return errors.New("missing globalKubeSharedInformerFactory")
 	}
+	if p.serverStopChannel == nil {
+		return errors.New("missing serverStopChannel")
+	}
 	return nil
 }
 
@@ -200,4 +212,35 @@ func (p *Plugin) SetKcpInformers(local, global kcpinformers.SharedInformerFactor
 	p.getAPIBindings = func(clusterName logicalcluster.Name) ([]*apisv1alpha2.APIBinding, error) {
 		return local.Apis().V1alpha2().APIBindings().Lister().Cluster(clusterName).List(labels.Everything())
 	}
+
+	// handler doesn't need to be deregistered - the webhook is valid
+	// for as long as kcp runs and when kcp stops the informer is
+	// stopped and the handler gets cleaned up.
+	_, _ = local.Core().V1alpha1().LogicalClusters().Informer().AddEventHandler(
+		cache.ResourceEventHandlerFuncs{
+			DeleteFunc: func(obj interface{}) {
+				cl, ok := obj.(*corev1alpha1.LogicalCluster)
+				if !ok {
+					return
+				}
+
+				clName := logicalcluster.Name(cl.Annotations[logicalcluster.AnnotationKey])
+
+				p.managerLock.Lock()
+				defer p.managerLock.Unlock()
+
+				cancel, ok := p.managersCancel[clName]
+				if !ok {
+					return
+				}
+				delete(p.managersCancel, clName)
+				delete(p.managersCache, clName)
+				cancel()
+			},
+		},
+	)
+}
+
+func (p *Plugin) SetServerShutdownChannel(ch <-chan struct{}) {
+	p.serverStopChannel = ch
 }

pkg/admission/validatingwebhook/plugin.go

@@ -27,18 +27,21 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/configuration"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/client-go/tools/cache"
 
 	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
 	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 	"github.com/kcp-dev/logicalcluster/v3"
 
 	kcpinitializers "github.com/kcp-dev/kcp/pkg/admission/initializers"
 	apisv1alpha2 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha2"
+	corev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
 	kcpinformers "github.com/kcp-dev/kcp/sdk/client/informers/externalversions"
 )
 
@@ -54,11 +57,13 @@ type Plugin struct {
 	kubeClusterClient               kcpkubernetesclientset.ClusterInterface
 	localKubeSharedInformerFactory  kcpkubernetesinformers.SharedInformerFactory
 	globalKubeSharedInformerFactory kcpkubernetesinformers.SharedInformerFactory
+	serverStopChannel               <-chan struct{}
 
 	getAPIBindings func(clusterName logicalcluster.Name) ([]*apisv1alpha2.APIBinding, error)
 
-	managerLock   sync.Mutex
-	managersCache map[logicalcluster.Name]generic.Source
+	managerLock    sync.Mutex
+	managersCache  map[logicalcluster.Name]generic.Source
+	managersCancel map[logicalcluster.Name]context.CancelFunc
 }
 
 var (
@@ -71,9 +76,10 @@ var (
 
 func NewValidatingAdmissionWebhook(configFile io.Reader) (*Plugin, error) {
 	p := &Plugin{
-		managerLock:   sync.Mutex{},
-		managersCache: make(map[logicalcluster.Name]generic.Source),
-		Handler:       admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
+		managerLock:    sync.Mutex{},
+		managersCache:  make(map[logicalcluster.Name]generic.Source),
+		managersCancel: make(map[logicalcluster.Name]context.CancelFunc),
+		Handler:        admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
 	}
 	if configFile != nil {
 		config, err := io.ReadAll(configFile)
@@ -145,10 +151,13 @@ func (p *Plugin) getHookSource(clusterName logicalcluster.Name, groupResource sc
 
 	p.managerLock.Lock()
 	defer p.managerLock.Unlock()
+
 	if _, ok := p.managersCache[clusterNameForGroupResource]; !ok {
+		ctx, cancel := context.WithCancel(wait.ContextForChannel(p.serverStopChannel))
 		p.managersCache[clusterNameForGroupResource] = configuration.NewValidatingWebhookConfigurationManagerForInformer(
-			p.globalKubeSharedInformerFactory.Admissionregistration().V1().ValidatingWebhookConfigurations().Cluster(clusterNameForGroupResource),
+			p.globalKubeSharedInformerFactory.Admissionregistration().V1().ValidatingWebhookConfigurations().ClusterWithContext(ctx, clusterNameForGroupResource),
 		)
+		p.managersCancel[clusterNameForGroupResource] = cancel
 	}
 
 	return p.managersCache[clusterNameForGroupResource], nil
@@ -183,6 +192,9 @@ func (p *Plugin) ValidateInitialization() error {
 	if p.globalKubeSharedInformerFactory == nil {
 		return errors.New("missing globalKubeSharedInformerFactory")
 	}
+	if p.serverStopChannel == nil {
+		return errors.New("missing serverStopChannel")
+	}
 	return nil
 }
 
@@ -199,6 +211,33 @@ func (p *Plugin) SetKcpInformers(local, global kcpinformers.SharedInformerFactor
 	p.getAPIBindings = func(clusterName logicalcluster.Name) ([]*apisv1alpha2.APIBinding, error) {
 		return local.Apis().V1alpha2().APIBindings().Lister().Cluster(clusterName).List(labels.Everything())
 	}
+
+	// handler doesn't need to be deregistered - the webhook is valid
+	// for as long as kcp runs and when kcp stops the informer is
+	// stopped and the handler gets cleaned up.
+	_, _ = local.Core().V1alpha1().LogicalClusters().Informer().AddEventHandler(
+		cache.ResourceEventHandlerFuncs{
+			DeleteFunc: func(obj interface{}) {
+				cl, ok := obj.(*corev1alpha1.LogicalCluster)
+				if !ok {
+					return
+				}
+
+				clName := logicalcluster.Name(cl.Annotations[logicalcluster.AnnotationKey])
+
+				p.managerLock.Lock()
+				defer p.managerLock.Unlock()
+
+				cancel, ok := p.managersCancel[clName]
+				if !ok {
+					return
+				}
+				delete(p.managersCancel, clName)
+				delete(p.managersCache, clName)
+				cancel()
+			},
+		},
+	)
 }
 
 // SetClusterAnnotation sets the cluster annotation on the given object to the given clusterName,
@@ -225,3 +264,7 @@ func SetClusterAnnotation(obj metav1.Object, clusterName logicalcluster.Name) fu
 	obj.SetAnnotations(anns)
 	return undoFn
 }
+
+func (p *Plugin) SetServerShutdownChannel(ch <-chan struct{}) {
+	p.serverStopChannel = ch
+}

pkg/informer/informer.go

@@ -267,9 +267,20 @@ func (d *DiscoveringDynamicSharedInformerFactory) Cluster(cluster logicalcluster
 	}
 }
 
+func (d *DiscoveringDynamicSharedInformerFactory) ClusterWithContext(ctx context.Context, cluster logicalcluster.Name) kcpinformers.ScopedDynamicSharedInformerFactory {
+	informer := &scopedDiscoveringDynamicSharedInformerFactory{
+		DiscoveringDynamicSharedInformerFactory: d,
+		cluster:                                 cluster,
+		contextFn:                               func() context.Context { return ctx },
+	}
+
+	return informer
+}
+
 type scopedDiscoveringDynamicSharedInformerFactory struct {
 	*DiscoveringDynamicSharedInformerFactory
-	cluster logicalcluster.Name
+	cluster   logicalcluster.Name
+	contextFn func() context.Context
 }
 
 // ForResource returns the GenericInformer for gvr, creating it if needed. The GenericInformer must be started
@@ -279,6 +290,9 @@ func (d *scopedDiscoveringDynamicSharedInformerFactory) ForResource(gvr schema.G
 	if err != nil {
 		return nil, err
 	}
+	if d.contextFn != nil {
+		return clusterInformer.ClusterWithContext(d.contextFn(), d.cluster), nil
+	}
 	return clusterInformer.Cluster(d.cluster), nil
 }
 

pkg/reconciler/cache/cachedresources/cachedresources_reconcile_replication.go

@@ -79,8 +79,7 @@ func (r *replication) reconcile(ctx context.Context, cachedResource *cachev1alph
 		global := r.cacheKcpInformers.Cache().V1alpha1().CachedObjects()
 
 		// Local informer is based on the specific types we want to replicate.
-		// TODO: use ClusterWithContext
-		local, err := r.discoveringDynamicKcpInformers.Cluster(cluster).ForResource(gvr)
+		local, err := r.discoveringDynamicKcpInformers.ClusterWithContext(ctx, cluster).ForResource(gvr)
 		if err != nil {
 			logger.Error(err, "Failed to get local informer for resource", "resource", gvr)
 			cancel()

pkg/reconciler/garbagecollector/garbagecollector_controller.go

@@ -253,7 +253,7 @@ func (c *Controller) startGarbageCollectorForLogicalCluster(ctx context.Context,
 		c.metadataClient.Cluster(clusterName.Path()),
 		c.dynamicDiscoverySharedInformerFactory.RESTMapper(),
 		c.ignoredResources,
-		c.dynamicDiscoverySharedInformerFactory.Cluster(clusterName),
+		c.dynamicDiscoverySharedInformerFactory.ClusterWithContext(ctx, clusterName),
 		c.informersStarted,
 	)
 	if err != nil {

pkg/reconciler/kubequota/kubequota_controller.go

@@ -51,6 +51,7 @@ const (
 
 type scopeableInformerFactory interface {
 	Cluster(logicalcluster.Name) kcpkubernetesinformers.ScopedDynamicSharedInformerFactory
+	ClusterWithContext(context.Context, logicalcluster.Name) kcpkubernetesinformers.ScopedDynamicSharedInformerFactory
 }
 
 // Controller manages per-workspace resource quota controllers.
@@ -263,9 +264,9 @@ func (c *Controller) startQuotaForLogicalCluster(ctx context.Context, clusterNam
 
 	resourceQuotaControllerOptions := &resourcequota.ControllerOptions{
 		QuotaClient:           resourceQuotaControllerClient.CoreV1(),
-		ResourceQuotaInformer: c.resourceQuotaClusterInformer.Cluster(clusterName),
+		ResourceQuotaInformer: c.resourceQuotaClusterInformer.ClusterWithContext(ctx, clusterName),
 		ResyncPeriod:          controller.StaticResyncPeriodFunc(c.quotaRecalculationPeriod),
-		InformerFactory:       c.scopingGenericSharedInformerFactory.Cluster(clusterName),
+		InformerFactory:       c.scopingGenericSharedInformerFactory.ClusterWithContext(ctx, clusterName),
 		ReplenishmentResyncPeriod: func() time.Duration {
 			return c.fullResyncPeriod
 		},