Do reconcile when ConfigSecret changes

tjamet · tjamet · commit 52aef235c012 · 2024-09-04T11:38:26.000+02:00
As a cluster operator, I want to iterate my infrastructure provisioner
configuration and ensure the relevant cluster-api-providers are
provisioned as configured.

Currently, the GenericProvider Reconciler considers exclusively the
Providers spec and ignores the data pointed by the ConfigSecret field.

If one of those fields changes, the deployment of the provider is
unchanged.

For example, if an infrastructure is defined as

```yaml
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: InfrastructureProvider
metadata:
  name: aws
  namespace: infrastructure-aws-system
spec:
  version: v2.5.2
  configSecret:
    name: aws-variables
  deployment:
    replicas: 1
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-variables
  namespace: capi-config
type: Opaque
stringData:
  AWS_B64ENCODED_CREDENTIALS: "SOME_BASE_64_CREDS"
```

It is impossible to get the latest version of
`AWS_B64ENCODED_CREDENTIALS` without changing the provisioner version or
the deployments or verbosity level

This commit proposes to also take into consideration the content of the
configuration so, any change to it leads to an adjustment of the
deployment.
diff --git a/internal/controller/genericprovider_controller.go b/internal/controller/genericprovider_controller.go
@@ -23,7 +23,9 @@ import (
 	"errors"
 	"fmt"
 
+	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/client-go/rest"
 	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha2"
@@ -46,7 +48,8 @@ type GenericProviderReconciler struct {
 }
 
 const (
-	appliedSpecHashAnnotation = "operator.cluster.x-k8s.io/applied-spec-hash"
+	appliedSpecHashAnnotation   = "operator.cluster.x-k8s.io/applied-spec-hash"
+	appliedConfigHashAnnotation = "operator.cluster.x-k8s.io/applied-config-hash"
 )
 
 func (r *GenericProviderReconciler) SetupWithManager(mgr ctrl.Manager, options controller.Options) error {
@@ -107,9 +110,19 @@ func (r *GenericProviderReconciler) Reconcile(ctx context.Context, req reconcile
 		return ctrl.Result{}, err
 	}
 
-	if r.Provider.GetAnnotations()[appliedSpecHashAnnotation] == specHash {
-		log.Info("No changes detected, skipping further steps")
+	upTodate := r.Provider.GetAnnotations()[appliedSpecHashAnnotation] == specHash
+
+	configHash, err := r.getProviderConfigSecretHash(ctx)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
 
+	if r.Provider.GetAnnotations()[appliedConfigHashAnnotation] != configHash {
+		upTodate = false
+	}
+
+	if upTodate {
+		log.Info("No changes detected, skipping further steps")
 		return ctrl.Result{}, nil
 	}
 
@@ -129,8 +142,19 @@ func (r *GenericProviderReconciler) Reconcile(ctx context.Context, req reconcile
 		}
 
 		annotations[appliedSpecHashAnnotation] = specHash
+
+		configHash, err := r.getProviderConfigSecretHash(ctx)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+		if configHash != "" {
+			annotations[appliedConfigHashAnnotation] = configHash
+		} else {
+			delete(annotations, appliedConfigHashAnnotation)
+		}
 	} else {
 		annotations[appliedSpecHashAnnotation] = ""
+		delete(annotations, appliedConfigHashAnnotation)
 	}
 
 	r.Provider.SetAnnotations(annotations)
@@ -218,6 +242,30 @@ func (r *GenericProviderReconciler) reconcileDelete(ctx context.Context, provide
 	return res, nil
 }
 
+func (r *GenericProviderReconciler) getProviderConfigSecretHash(ctx context.Context) (string, error) {
+	if r.Provider.GetSpec().ConfigSecret != nil {
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: r.Provider.GetSpec().ConfigSecret.Namespace,
+				Name:      r.Provider.GetSpec().ConfigSecret.Name,
+			},
+		}
+		if secret.Namespace == "" {
+			secret.Namespace = r.Provider.GetNamespace()
+		}
+		err := r.Client.Get(ctx, client.ObjectKeyFromObject(secret), secret)
+		if err != nil {
+			return "", err
+		}
+		configHash, err := calculateHash(secret.Data)
+		if err != nil {
+			return "", err
+		}
+		return configHash, nil
+	}
+	return "", nil
+}
+
 func calculateHash(object interface{}) (string, error) {
 	jsonData, err := json.Marshal(object)
 	if err != nil {
diff --git a/internal/controller/genericprovider_controller_test.go b/internal/controller/genericprovider_controller_test.go
@@ -424,6 +424,142 @@ releaseSeries:
 	}
 }
 
+func TestProviderConfigSecretChanges(t *testing.T) {
+	testCases := []struct {
+		name           string
+		cmData         map[string][]byte
+		updatedCMData  map[string][]byte
+		expectSameHash bool
+	}{
+		{
+			name: "With the same configmap data, the hash annotation doesn't change",
+			cmData: map[string][]byte{
+				"some-key":    []byte("some data"),
+				"another-key": []byte("another data"),
+			},
+			updatedCMData: map[string][]byte{
+				"another-key": []byte("another data"),
+				"some-key":    []byte("some data"),
+			},
+			expectSameHash: true,
+		},
+		{
+			name: "With the same configmap data, the hash annotation doesn't change",
+			cmData: map[string][]byte{
+				"some-key":    []byte("some data"),
+				"another-key": []byte("another data"),
+			},
+			updatedCMData: map[string][]byte{
+				"another-key": []byte("another data"),
+				"some-key":    []byte("some updated data"),
+			},
+			expectSameHash: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			dataHash, err := calculateHash(tc.cmData)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			updatedDataHash, err := calculateHash(tc.updatedCMData)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			if tc.expectSameHash {
+				g.Expect(updatedDataHash).To(Equal(dataHash))
+			} else {
+				g.Expect(updatedDataHash).ToNot(Equal(dataHash))
+			}
+
+			cmSecretName := "test-config"
+
+			provider := &operatorv1.CoreProvider{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "cluster-api",
+				},
+				Spec: operatorv1.CoreProviderSpec{
+					ProviderSpec: operatorv1.ProviderSpec{
+						Version: testCurrentVersion,
+						FetchConfig: &operatorv1.FetchConfiguration{
+							Selector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"test": "dummy-config",
+								},
+							},
+						},
+						ConfigSecret: &operatorv1.SecretReference{
+							Name: cmSecretName,
+						},
+					},
+				},
+			}
+
+			providerNamespace, err := env.CreateNamespace(ctx, "test-provider")
+			t.Log("Ensure namespace exists", providerNamespace.Name)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			configNamespace, err := env.CreateNamespace(ctx, "test-provider-config-changes")
+			t.Log("Ensure namespace exists", configNamespace.Name)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			g.Expect(env.CreateAndWait(ctx, dummyConfigMap(providerNamespace.Name, testCurrentVersion))).To(Succeed())
+
+			provider.Namespace = providerNamespace.Name
+			provider.Spec.ConfigSecret.Namespace = configNamespace.Name
+
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: configNamespace.Name,
+					Name:      cmSecretName,
+				},
+				Data: tc.cmData,
+			}
+
+			g.Expect(env.CreateAndWait(ctx, secret.DeepCopy())).To(Succeed())
+
+			t.Log("creating test provider", provider.GetName())
+			g.Expect(env.CreateAndWait(ctx, provider.DeepCopy())).To(Succeed())
+
+			g.Eventually(generateExpectedResultChecker(provider, appliedConfigHashAnnotation, dataHash, corev1.ConditionTrue), timeout).Should(BeEquivalentTo(true))
+
+			g.Eventually(func() error {
+				if err := env.Client.Get(ctx, client.ObjectKeyFromObject(secret), secret); err != nil {
+					return err
+				}
+
+				// Change provider config data
+				secret.Data = tc.updatedCMData
+
+				return env.Client.Update(ctx, secret)
+			}).Should(Succeed())
+
+			g.Eventually(func() error {
+				if err := env.Client.Get(ctx, client.ObjectKeyFromObject(provider), provider); err != nil {
+					return err
+				}
+
+				// Set a label to ensure that provider was changed
+				labels := provider.GetLabels()
+				if labels == nil {
+					labels = map[string]string{}
+				}
+				labels["my-label"] = "some-value"
+				provider.SetLabels(labels)
+				provider.SetManagedFields(nil)
+
+				return env.Client.Update(ctx, provider)
+			}).Should(Succeed())
+
+			g.Eventually(generateExpectedResultChecker(provider, appliedConfigHashAnnotation, updatedDataHash, corev1.ConditionTrue), timeout).Should(BeEquivalentTo(true))
+
+			// Clean up
+			g.Expect(env.Cleanup(ctx, provider, secret, providerNamespace, configNamespace)).To(Succeed())
+		})
+	}
+}
+
 func TestProviderSpecChanges(t *testing.T) {
 	testCases := []struct {
 		name        string
@@ -540,7 +676,7 @@ func TestProviderSpecChanges(t *testing.T) {
 			t.Log("creating test provider", provider.GetName())
 			g.Expect(env.CreateAndWait(ctx, provider.DeepCopy())).To(Succeed())
 
-			g.Eventually(generateExpectedResultChecker(provider, specHash, corev1.ConditionTrue), timeout).Should(BeEquivalentTo(true))
+			g.Eventually(generateExpectedResultChecker(provider, appliedSpecHashAnnotation, specHash, corev1.ConditionTrue), timeout).Should(BeEquivalentTo(true))
 
 			g.Eventually(func() error {
 				if err := env.Client.Get(ctx, client.ObjectKeyFromObject(provider), provider); err != nil {
@@ -563,9 +699,9 @@ func TestProviderSpecChanges(t *testing.T) {
 			}).Should(Succeed())
 
 			if !tc.expectError {
-				g.Eventually(generateExpectedResultChecker(provider, updatedSpecHash, corev1.ConditionTrue), timeout).Should(BeEquivalentTo(true))
+				g.Eventually(generateExpectedResultChecker(provider, appliedSpecHashAnnotation, updatedSpecHash, corev1.ConditionTrue), timeout).Should(BeEquivalentTo(true))
 			} else {
-				g.Eventually(generateExpectedResultChecker(provider, "", corev1.ConditionFalse), timeout).Should(BeEquivalentTo(true))
+				g.Eventually(generateExpectedResultChecker(provider, appliedSpecHashAnnotation, "", corev1.ConditionFalse), timeout).Should(BeEquivalentTo(true))
 			}
 
 			// Clean up
@@ -574,14 +710,14 @@ func TestProviderSpecChanges(t *testing.T) {
 	}
 }
 
-func generateExpectedResultChecker(provider genericprovider.GenericProvider, specHash string, condStatus corev1.ConditionStatus) func() bool {
+func generateExpectedResultChecker(provider genericprovider.GenericProvider, hashKey, specHash string, condStatus corev1.ConditionStatus) func() bool {
 	return func() bool {
 		if err := env.Get(ctx, client.ObjectKeyFromObject(provider), provider); err != nil {
 			return false
 		}
 
 		// In case of error we don't want the spec annotation to be updated
-		if provider.GetAnnotations()[appliedSpecHashAnnotation] != specHash {
+		if provider.GetAnnotations()[hashKey] != specHash {
 			return false
 		}
 
