Add an optional reconciler to watch for ConfigSecret changes

Currently, if a ConfigSecret is updated, it is not reflected automatically to all providers using it.

Implement this behaviour, under an opt-in flag.

Author: tjamet

cmd/main.go

@@ -46,6 +46,7 @@ import (
 	operatorv1alpha1 "sigs.k8s.io/cluster-api-operator/api/v1alpha1"
 	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha2"
 	providercontroller "sigs.k8s.io/cluster-api-operator/internal/controller"
+	"sigs.k8s.io/cluster-api-operator/internal/controller/genericprovider"
 	healtchcheckcontroller "sigs.k8s.io/cluster-api-operator/internal/controller/healthcheck"
 )
 
@@ -67,6 +68,7 @@ var (
 	webhookPort                 int
 	webhookCertDir              string
 	healthAddr                  string
+	watchConfigSecretChanges    bool
 	diagnosticsOptions          = flags.DiagnosticsOptions{}
 )
 
@@ -98,6 +100,9 @@ func InitFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&watchFilterValue, "watch-filter", "",
 		fmt.Sprintf("Label value that the controller watches to reconcile cluster-api objects. Label key is always %s. If unspecified, the controller watches for all cluster-api objects.", clusterv1.WatchLabel))
 
+	fs.BoolVar(&watchConfigSecretChanges, "watch-configsecret", false,
+		"Watch for changes to the ConfigSecret resource and reconcile all providers using it.")
+
 	fs.StringVar(&watchNamespace, "namespace", "",
 		"Namespace that the controller watches to reconcile cluster-api objects. If unspecified, the controller watches for cluster-api objects across all namespaces.")
 
@@ -185,7 +190,7 @@ func main() {
 	ctx := ctrl.SetupSignalHandler()
 
 	setupChecks(mgr)
-	setupReconcilers(mgr)
+	setupReconcilers(mgr, watchConfigSecretChanges)
 	setupWebhooks(mgr)
 
 	// +kubebuilder:scaffold:builder
@@ -209,7 +214,7 @@ func setupChecks(mgr ctrl.Manager) {
 	}
 }
 
-func setupReconcilers(mgr ctrl.Manager) {
+func setupReconcilers(mgr ctrl.Manager, watchConfigSecretChanges bool) {
 	if err := (&providercontroller.GenericProviderReconciler{
 		Provider:     &operatorv1.CoreProvider{},
 		ProviderList: &operatorv1.CoreProviderList{},
@@ -286,6 +291,24 @@ func setupReconcilers(mgr ctrl.Manager) {
 		setupLog.Error(err, "unable to create controller", "controller", "Healthcheck")
 		os.Exit(1)
 	}
+
+	if watchConfigSecretChanges {
+		if err := (&providercontroller.SecretReconciler{
+			ProviderLists: []genericprovider.GenericProviderList{
+				&operatorv1.CoreProviderList{},
+				&operatorv1.InfrastructureProviderList{},
+				&operatorv1.BootstrapProviderList{},
+				&operatorv1.ControlPlaneProviderList{},
+				&operatorv1.AddonProviderList{},
+				&operatorv1.IPAMProviderList{},
+				&operatorv1.RuntimeExtensionProviderList{},
+			},
+			Client: mgr.GetClient(),
+		}).SetupWithManager(mgr, concurrency(concurrencyNumber)); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "Secret")
+			os.Exit(1)
+		}
+	}
 }
 
 func setupWebhooks(mgr ctrl.Manager) {

hack/charts/cluster-api-operator/templates/deployment.yaml

@@ -74,6 +74,9 @@ spec:
         {{- if .Values.insecureDiagnostics }}
         - --insecure-diagnostics={{ .Values.insecureDiagnostics }}
         {{- end }}
+        {{- if .Values.watchConfigSecret }}
+        - --watch-configsecret
+        {{- end }}
         {{- with .Values.leaderElection }}
         - --leader-elect={{ .enabled }}
         {{- if .leaseDuration }}

hack/charts/cluster-api-operator/values.yaml

@@ -27,6 +27,7 @@ healthAddr: ":8081"
 metricsBindAddr: "127.0.0.1:8080"
 diagnosticsAddress: "8443"
 insecureDiagnostics: false
+watchConfigSecret: false
 imagePullSecrets: {}
 resources:
   manager:

internal/controller/secret_controller.go

@@ -0,0 +1,113 @@
+package controller
+
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import (
+	"context"
+
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/cluster-api-operator/internal/controller/genericprovider"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+type SecretReconciler struct {
+	ProviderLists []genericprovider.GenericProviderList
+	Client        client.Client
+}
+
+const (
+	observedSpecHashAnnotation = "operator.cluster.x-k8s.io/observed-spec-hash"
+)
+
+func (r *SecretReconciler) SetupWithManager(mgr ctrl.Manager, options controller.Options) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&v1.Secret{}).
+		WithOptions(options).
+		Complete(r)
+}
+
+func (r *SecretReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, reterr error) {
+	log := ctrl.LoggerFrom(ctx)
+
+	log.Info("Reconciling provider")
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: req.Namespace,
+			Name:      req.Name,
+		},
+	}
+
+	err := r.Client.Get(ctx, req.NamespacedName, secret)
+	if ctrlclient.IgnoreNotFound(err) != nil {
+		return reconcile.Result{}, err
+	}
+
+	hash := ""
+	if !apierrors.IsNotFound(err) {
+		hash, err = calculateHash(secret.Data)
+		if err != nil {
+			return reconcile.Result{}, err
+		}
+	}
+
+	for _, group := range r.ProviderLists {
+		g, ok := group.(client.ObjectList)
+		if !ok {
+			continue
+		}
+
+		if err := r.Client.List(ctx, g); err != nil {
+			return reconcile.Result{}, err
+		}
+
+		for _, p := range group.GetItems() {
+			if p.GetSpec().ConfigSecret != nil {
+				configNamespace := p.GetSpec().ConfigSecret.Namespace
+				if configNamespace == "" {
+					configNamespace = p.GetNamespace()
+				}
+				if configNamespace == req.Namespace && p.GetSpec().ConfigSecret.Name == req.Name {
+					patched, ok := p.DeepCopyObject().(client.Object)
+					if !ok {
+						// todo: just log
+					} else {
+						annotations := patched.GetAnnotations()
+						if annotations == nil {
+							annotations = map[string]string{}
+						}
+						if annotations[observedSpecHashAnnotation] != hash {
+							annotations[observedSpecHashAnnotation] = hash
+							patched.SetAnnotations(annotations)
+							err := r.Client.Patch(ctx, patched, client.MergeFrom(p))
+							if err != nil {
+								return reconcile.Result{}, err
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+	return reconcile.Result{}, nil
+}

internal/controller/secret_controller_test.go

@@ -0,0 +1,139 @@
+package controller
+
+import (
+	"context"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha2"
+	"sigs.k8s.io/cluster-api-operator/internal/controller/genericprovider"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+func TestSecretReconciler(t *testing.T) {
+	ctx := ctx
+
+	g := NewWithT(t)
+	scheme := runtime.NewScheme()
+	g.Expect(v1.AddToScheme(scheme)).To(Succeed())
+	g.Expect(operatorv1.AddToScheme(scheme)).To(Succeed())
+
+	providersUsingTheSecret := []client.Object{
+		&operatorv1.AddonProvider{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "default",
+				Name:      "some-addon",
+			},
+			Spec: operatorv1.AddonProviderSpec{
+				ProviderSpec: operatorv1.ProviderSpec{
+					ConfigSecret: &operatorv1.SecretReference{
+						Name: "secret-in-default-namespace",
+					},
+				},
+			},
+		},
+		&operatorv1.ControlPlaneProvider{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "some-namespace",
+				Name:      "some-control-plane",
+			},
+			Spec: operatorv1.ControlPlaneProviderSpec{
+				ProviderSpec: operatorv1.ProviderSpec{
+					ConfigSecret: &operatorv1.SecretReference{
+						Name:      "secret-in-default-namespace",
+						Namespace: "default",
+					},
+				},
+			},
+		},
+	}
+	providersNotUsingTheSecret := []client.Object{
+		&operatorv1.InfrastructureProvider{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "some-namespace",
+				Name:      "some-infra",
+			},
+		},
+		&operatorv1.IPAMProvider{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "default",
+				Name:      "some-addon",
+			},
+			Spec: operatorv1.IPAMProviderSpec{
+				ProviderSpec: operatorv1.ProviderSpec{
+					ConfigSecret: &operatorv1.SecretReference{
+						Name: "other-secret-name",
+					},
+				},
+			},
+		},
+	}
+
+	k8sClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(providersUsingTheSecret...).WithObjects(providersNotUsingTheSecret...).Build()
+
+	r := &SecretReconciler{
+		Client: k8sClient,
+		ProviderLists: []genericprovider.GenericProviderList{
+			&operatorv1.AddonProviderList{},
+			&operatorv1.ControlPlaneProviderList{},
+			&operatorv1.InfrastructureProviderList{},
+			&operatorv1.IPAMProviderList{},
+			&operatorv1.BootstrapProviderList{},
+		},
+	}
+
+	t.Run("When the secret does not exist", func(t *testing.T) {
+		_, err := r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: "secret-in-default-namespace", Namespace: "default"}})
+		g.Expect(err).ToNot(HaveOccurred())
+
+		assertProvidersAreAnnotatedWithSecretVersions(g, ctx, k8sClient, providersUsingTheSecret, providersNotUsingTheSecret, "")
+
+		t.Run("Any subsequent reconciliation is successful", func(t *testing.T) {
+			_, err = r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: "secret-in-default-namespace", Namespace: "default"}})
+			g.Expect(err).ToNot(HaveOccurred())
+
+			assertProvidersAreAnnotatedWithSecretVersions(g, ctx, k8sClient, providersUsingTheSecret, providersNotUsingTheSecret, "")
+		})
+	})
+
+	t.Run("When the secret exists", func(t *testing.T) {
+		secret := &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "default",
+				Name:      "secret-in-default-namespace",
+			},
+			Data: map[string][]byte{
+				"key": []byte("value"),
+			},
+		}
+		g.Expect(r.Client.Create(ctx, secret)).To(Succeed())
+
+		_, err := r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: "secret-in-default-namespace", Namespace: "default"}})
+		g.Expect(err).ToNot(HaveOccurred())
+		assertProvidersAreAnnotatedWithSecretVersions(g, ctx, k8sClient, providersUsingTheSecret, providersNotUsingTheSecret, "fed7a27106a07691449b9cf7f57536328004b134d358d8fcafaf6a2a06f99d50")
+
+		t.Run("Any subsequent reconciliation is successful", func(t *testing.T) {
+			_, err = r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: "secret-in-default-namespace", Namespace: "default"}})
+			g.Expect(err).ToNot(HaveOccurred())
+		})
+		assertProvidersAreAnnotatedWithSecretVersions(g, ctx, k8sClient, providersUsingTheSecret, providersNotUsingTheSecret, "fed7a27106a07691449b9cf7f57536328004b134d358d8fcafaf6a2a06f99d50")
+	})
+}
+
+func assertProvidersAreAnnotatedWithSecretVersions(g *WithT, ctx context.Context, k8sClient client.Client, providersUsingTheSecret, providersNotUsingTheSecret []client.Object, secretHash string) {
+
+	for _, provider := range providersUsingTheSecret {
+		g.Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(provider), provider)).To(Succeed())
+		g.Expect(provider.GetAnnotations()[observedSpecHashAnnotation]).To(Equal(secretHash))
+	}
+	for _, provider := range providersNotUsingTheSecret {
+		g.Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(provider), provider)).To(Succeed())
+		g.Expect(provider.GetAnnotations()).NotTo(HaveKey(observedSpecHashAnnotation))
+	}
+}