Merge pull request #3569 from gman0/cachedresources-identity-fix

kcp-ci-bot · web-flow · commit 626e860a5950 · 2025-09-05T15:36:37.000+02:00
CachedResources identity fix and tests
diff --git a/pkg/reconciler/cache/cachedresources/cachedresources_reconcile.go b/pkg/reconciler/cache/cachedresources/cachedresources_reconcile.go
@@ -18,8 +18,6 @@ package cachedresources
 
 import (
 	"context"
-	"crypto/sha256"
-	"fmt"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -41,7 +39,6 @@ import (
 	"github.com/kcp-dev/kcp/pkg/tombstone"
 	apisv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1"
 	cachev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/cache/v1alpha1"
-	"github.com/kcp-dev/kcp/sdk/apis/third_party/conditions/util/conditions"
 )
 
 type reconcileStatus int
@@ -63,11 +60,10 @@ func (c *Controller) reconcile(ctx context.Context, cluster logicalcluster.Name,
 	reconcilers := []reconciler{
 		&finalizer{},
 		&identity{
-			ensureSecretNamespaceExists:      c.ensureSecretNamespaceExists,
-			getSecret:                        c.getSecret,
-			createIdentitySecret:             c.createIdentitySecret,
-			updateOrVerifyIdentitySecretHash: c.updateOrVerifyIdentitySecretHash,
-			secretNamespace:                  c.secretNamespace,
+			ensureSecretNamespaceExists: c.ensureSecretNamespaceExists,
+			getSecret:                   c.getSecret,
+			createIdentitySecret:        c.createIdentitySecret,
+			secretNamespace:             c.secretNamespace,
 		},
 		&schemaSource{
 			getLogicalCluster:    c.getLogicalCluster,
@@ -208,13 +204,13 @@ func (c *Controller) listSelectedCacheResources(ctx context.Context, cluster log
 	return resources, nil
 }
 
-func (c *Controller) ensureSecretNamespaceExists(ctx context.Context, clusterName logicalcluster.Name) {
+func (c *Controller) ensureSecretNamespaceExists(ctx context.Context, clusterName logicalcluster.Name, defaultSecretNamespace string) {
 	logger := klog.FromContext(ctx)
 	ctx = klog.NewContext(ctx, logger)
-	if _, err := c.getNamespace(clusterName, c.secretNamespace); errors.IsNotFound(err) {
+	if _, err := c.getNamespace(clusterName, defaultSecretNamespace); errors.IsNotFound(err) {
 		ns := &corev1.Namespace{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:        c.secretNamespace,
+				Name:        defaultSecretNamespace,
 				Annotations: map[string]string{logicalcluster.AnnotationKey: clusterName.String()},
 			},
 		}
@@ -226,8 +222,8 @@ func (c *Controller) ensureSecretNamespaceExists(ctx context.Context, clusterNam
 	}
 }
 
-func (c *Controller) createIdentitySecret(ctx context.Context, clusterName logicalcluster.Path, apiExportName string) error {
-	secret, err := GenerateIdentitySecret(ctx, c.secretNamespace, apiExportName)
+func (c *Controller) createIdentitySecret(ctx context.Context, clusterName logicalcluster.Path, defaultSecretNamespace, cachedResourceName string) error {
+	secret, err := GenerateIdentitySecret(ctx, defaultSecretNamespace, cachedResourceName)
 	if err != nil {
 		return err
 	}
@@ -239,42 +235,6 @@ func (c *Controller) createIdentitySecret(ctx context.Context, clusterName logic
 	return c.createSecret(ctx, clusterName, secret)
 }
 
-func (c *Controller) updateOrVerifyIdentitySecretHash(ctx context.Context, clusterName logicalcluster.Name, cachedResource *cachev1alpha1.CachedResource) error {
-	secret, err := c.getSecret(ctx, clusterName, c.secretNamespace, cachedResource.Name)
-	if err != nil {
-		return err
-	}
-
-	hash, err := IdentityHash(secret)
-	if err != nil {
-		return err
-	}
-
-	if cachedResource.Status.IdentityHash == "" {
-		cachedResource.Status.IdentityHash = hash
-	}
-
-	if cachedResource.Status.IdentityHash != hash {
-		return fmt.Errorf("hash mismatch: identity secret hash %q must match status.identityHash %q", hash, cachedResource.Status.IdentityHash)
-	}
-
-	conditions.MarkTrue(cachedResource, cachev1alpha1.CachedResourceIdentityValid)
-
-	return nil
-}
-
-// TODO: This is copy from apiexport controller. We should move it to a shared location.
-func IdentityHash(secret *corev1.Secret) (string, error) {
-	key := secret.Data[apisv1alpha1.SecretKeyAPIExportIdentity]
-	if len(key) == 0 {
-		return "", fmt.Errorf("secret is missing data.%s", apisv1alpha1.SecretKeyAPIExportIdentity)
-	}
-
-	hashBytes := sha256.Sum256(key)
-	hash := fmt.Sprintf("%x", hashBytes)
-	return hash, nil
-}
-
 // TODO: This is copy from apiexport controller. We should move it to a shared location.
 func GenerateIdentitySecret(ctx context.Context, ns string, name string) (*corev1.Secret, error) {
 	logger := klog.FromContext(ctx)
diff --git a/pkg/reconciler/cache/cachedresources/cachedresources_reconcile_identity.go b/pkg/reconciler/cache/cachedresources/cachedresources_reconcile_identity.go
@@ -18,24 +18,25 @@ package cachedresources
 
 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 
 	"github.com/kcp-dev/logicalcluster/v3"
 
+	apisv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/apis/v1alpha1"
 	cachev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/cache/v1alpha1"
 	conditionsv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/third_party/conditions/apis/conditions/v1alpha1"
 	"github.com/kcp-dev/kcp/sdk/apis/third_party/conditions/util/conditions"
 )
 
 // identity creates identity secret for the published resource and computes hash of the secret.
 type identity struct {
-	ensureSecretNamespaceExists      func(ctx context.Context, clusterName logicalcluster.Name)
-	getSecret                        func(ctx context.Context, clusterName logicalcluster.Name, namespace, name string) (*corev1.Secret, error)
-	createIdentitySecret             func(ctx context.Context, clusterName logicalcluster.Path, name string) error
-	updateOrVerifyIdentitySecretHash func(ctx context.Context, clusterName logicalcluster.Name, CachedResource *cachev1alpha1.CachedResource) error
+	ensureSecretNamespaceExists func(ctx context.Context, clusterName logicalcluster.Name, defaultSecretNamespace string)
+	getSecret                   func(ctx context.Context, clusterName logicalcluster.Name, namespace, name string) (*corev1.Secret, error)
+	createIdentitySecret        func(ctx context.Context, clusterName logicalcluster.Path, defaultSecretNamespace, name string) error
 
 	secretNamespace string
 }
@@ -52,7 +53,7 @@ func (r *identity) reconcile(ctx context.Context, cachedResource *cachev1alpha1.
 	clusterName := logicalcluster.From(cachedResource)
 
 	if identity.SecretRef == nil {
-		r.ensureSecretNamespaceExists(ctx, clusterName)
+		r.ensureSecretNamespaceExists(ctx, clusterName, r.secretNamespace)
 
 		// See if the generated secret already exists (for whatever reason)
 		_, err := r.getSecret(ctx, clusterName, r.secretNamespace, cachedResource.Name)
@@ -64,7 +65,7 @@ func (r *identity) reconcile(ctx context.Context, cachedResource *cachev1alpha1.
 			)
 		}
 		if errors.IsNotFound(err) {
-			if err := r.createIdentitySecret(ctx, clusterName.Path(), cachedResource.Name); err != nil {
+			if err := r.createIdentitySecret(ctx, clusterName.Path(), r.secretNamespace, cachedResource.Name); err != nil {
 				conditions.MarkFalse(
 					cachedResource,
 					cachev1alpha1.CachedResourceIdentityValid,
@@ -90,7 +91,7 @@ func (r *identity) reconcile(ctx context.Context, cachedResource *cachev1alpha1.
 	}
 
 	// Ref exists - make sure it's valid
-	if err := r.updateOrVerifyIdentitySecretHash(ctx, clusterName, cachedResource); err != nil {
+	if err := r.updateOrVerifyIdentitySecretHash(ctx, clusterName, cachedResource, r.secretNamespace); err != nil {
 		conditions.MarkFalse(
 			cachedResource,
 			cachev1alpha1.CachedResourceIdentityValid,
@@ -103,5 +104,41 @@ func (r *identity) reconcile(ctx context.Context, cachedResource *cachev1alpha1.
 		return reconcileStatusStop, err
 	}
 
+	conditions.MarkTrue(cachedResource, cachev1alpha1.CachedResourceIdentityValid)
+
 	return reconcileStatusContinue, nil
 }
+
+func (r *identity) updateOrVerifyIdentitySecretHash(ctx context.Context, clusterName logicalcluster.Name, cachedResource *cachev1alpha1.CachedResource, defaultSecretNamespace string) error {
+	secret, err := r.getSecret(ctx, clusterName, cachedResource.Spec.Identity.SecretRef.Namespace, cachedResource.Spec.Identity.SecretRef.Name)
+	if err != nil {
+		return err
+	}
+
+	hash, err := IdentityHash(secret)
+	if err != nil {
+		return err
+	}
+
+	if cachedResource.Status.IdentityHash == "" {
+		cachedResource.Status.IdentityHash = hash
+	}
+
+	if cachedResource.Status.IdentityHash != hash {
+		return fmt.Errorf("hash mismatch: identity secret hash %q must match status.identityHash %q", hash, cachedResource.Status.IdentityHash)
+	}
+
+	return nil
+}
+
+// TODO: This is copy from apiexport controller. We should move it to a shared location.
+func IdentityHash(secret *corev1.Secret) (string, error) {
+	key := secret.Data[apisv1alpha1.SecretKeyAPIExportIdentity]
+	if len(key) == 0 {
+		return "", fmt.Errorf("secret is missing data.%s", apisv1alpha1.SecretKeyAPIExportIdentity)
+	}
+
+	hashBytes := sha256.Sum256(key)
+	hash := fmt.Sprintf("%x", hashBytes)
+	return hash, nil
+}
diff --git a/pkg/reconciler/cache/cachedresources/cachedresources_reconcile_identity_test.go b/pkg/reconciler/cache/cachedresources/cachedresources_reconcile_identity_test.go
