ESO-83: Makes use of uncached client for unmanaged resources

bharath-b-rh · bharath-b-rh · commit 07b082bf164d · 2025-06-17T17:34:41.000+05:30
diff --git a/pkg/controller/external_secrets/certificate.go b/pkg/controller/external_secrets/certificate.go
@@ -151,7 +151,7 @@ func (r *Reconciler) assertSecretRefExists(es *operatorv1alpha1.ExternalSecrets,
 	}
 	object := &corev1.Secret{}
 
-	if err := r.Get(r.ctx, namespacedName, object); err != nil {
+	if err := r.UncachedClient.Get(r.ctx, namespacedName, object); err != nil {
 		return fmt.Errorf("failed to fetch %q secret: %w", namespacedName, err)
 	}
 
@@ -172,7 +172,7 @@ func (r *Reconciler) getIssuer(issuerRef v1.ObjectReference, namespace string) (
 		object = &certmanagerv1.Issuer{}
 	}
 
-	if ifExists, err := r.Exists(r.ctx, namespacedName, object); err != nil {
+	if ifExists, err := r.UncachedClient.Exists(r.ctx, namespacedName, object); err != nil {
 		return ifExists, fmt.Errorf("failed to fetch %q issuer: %w", namespacedName, err)
 	} else {
 		return ifExists, nil
diff --git a/pkg/controller/external_secrets/certificate_test.go b/pkg/controller/external_secrets/certificate_test.go
@@ -450,6 +450,7 @@ func TestCreateOrApplyCertificates(t *testing.T) {
 				tt.preReq(r, mock)
 			}
 			r.CtrlClient = mock
+			r.UncachedClient = mock
 
 			es := testExternalSecretsForCertificate()
 			if tt.es != nil {
diff --git a/pkg/controller/external_secrets/controller.go b/pkg/controller/external_secrets/controller.go
@@ -81,6 +81,7 @@ var (
 // Reconciler reconciles a ExternalSecrets object
 type Reconciler struct {
 	operatorclient.CtrlClient
+	UncachedClient        operatorclient.CtrlClient
 	Scheme                *runtime.Scheme
 	ctx                   context.Context
 	eventRecorder         record.EventRecorder
@@ -122,14 +123,27 @@ func New(ctx context.Context, mgr ctrl.Manager) (*Reconciler, error) {
 		esm:                   new(operatorv1alpha1.ExternalSecretsManager),
 		optionalResourcesList: make(map[string]struct{}),
 	}
+
+	// create a cached client for all the managed objects.
 	c, err := NewClient(mgr, r)
 	if err != nil {
 		return nil, err
 	}
 	r.CtrlClient = c
+
+	// create an uncached client for the objects not managed by
+	// the controller.
+	uc, err := NewUncachedClient(mgr)
+	if err != nil {
+		return nil, err
+	}
+	r.UncachedClient = uc
+
 	return r, nil
 }
 
+// NewClient is for creating a cached client, where the required objects are cached and informer are set to
+// update the cache.
 func NewClient(m manager.Manager, r *Reconciler) (operatorclient.CtrlClient, error) {
 	c, err := BuildCustomClient(m, r)
 	if err != nil {
@@ -140,6 +154,18 @@ func NewClient(m manager.Manager, r *Reconciler) (operatorclient.CtrlClient, err
 	}, nil
 }
 
+// NewUncachedClient is for creating an uncached client, and all the objects are read and written directly
+// through API server.
+func NewUncachedClient(m manager.Manager) (operatorclient.CtrlClient, error) {
+	c, err := client.New(m.GetConfig(), client.Options{Scheme: m.GetScheme()})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create uncached client: %w", err)
+	}
+	return &operatorclient.CtrlClientImpl{
+		Client: c,
+	}, nil
+}
+
 // BuildCustomClient creates a custom client with a custom cache of required objects.
 // The corresponding informers receive events for objects matching label criteria.
 func BuildCustomClient(mgr ctrl.Manager, r *Reconciler) (client.Client, error) {
@@ -166,8 +192,6 @@ func BuildCustomClient(mgr ctrl.Manager, r *Reconciler) (client.Client, error) {
 		objectList[&certmanagerv1.Certificate{}] = cache.ByObject{
 			Label: managedResourceLabelReqSelector,
 		}
-		objectList[&certmanagerv1.ClusterIssuer{}] = cache.ByObject{}
-		objectList[&certmanagerv1.Issuer{}] = cache.ByObject{}
 	}
 
 	customCacheOpts := cache.Options{
@@ -192,14 +216,6 @@ func BuildCustomClient(mgr ctrl.Manager, r *Reconciler) (client.Client, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to add informer for %s resource: %w", (&certmanagerv1.Certificate{}).GetObjectKind().GroupVersionKind().String(), err)
 		}
-		_, err = customCache.GetInformer(context.Background(), &certmanagerv1.ClusterIssuer{})
-		if err != nil {
-			return nil, fmt.Errorf("failed to add informer for %s resource: %w", (&certmanagerv1.ClusterIssuer{}).GetObjectKind().GroupVersionKind().String(), err)
-		}
-		_, err = customCache.GetInformer(context.Background(), &certmanagerv1.Issuer{})
-		if err != nil {
-			return nil, fmt.Errorf("failed to add informer for %s resource: %w", (&certmanagerv1.Issuer{}).GetObjectKind().GroupVersionKind().String(), err)
-		}
 	}
 	_, err = customCache.GetInformer(context.Background(), ownObject)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@ func (r Reconciler) assertSecretRefExists(es operatorv1alpha1.ExternalSecrets,`
`151`	`151`	`}`
`152`	`152`	`object := &corev1.Secret{}`
`153`	`153`
`154`		`- if err := r.Get(r.ctx, namespacedName, object); err != nil {`
	`154`	`+ if err := r.UncachedClient.Get(r.ctx, namespacedName, object); err != nil {`
`155`	`155`	`return fmt.Errorf("failed to fetch %q secret: %w", namespacedName, err)`
`156`	`156`	`}`
`157`	`157`
`@@ -172,7 +172,7 @@ func (r *Reconciler) getIssuer(issuerRef v1.ObjectReference, namespace string) (`
`172`	`172`	`object = &certmanagerv1.Issuer{}`
`173`	`173`	`}`
`174`	`174`
`175`		`- if ifExists, err := r.Exists(r.ctx, namespacedName, object); err != nil {`
	`175`	`+ if ifExists, err := r.UncachedClient.Exists(r.ctx, namespacedName, object); err != nil {`
`176`	`176`	`return ifExists, fmt.Errorf("failed to fetch %q issuer: %w", namespacedName, err)`
`177`	`177`	`} else {`
`178`	`178`	`return ifExists, nil`
Original file line number	Diff line number	Diff line change
`@@ -450,6 +450,7 @@ func TestCreateOrApplyCertificates(t *testing.T) {`
`450`	`450`	`tt.preReq(r, mock)`
`451`	`451`	`}`
`452`	`452`	`r.CtrlClient = mock`
	`453`	`+ r.UncachedClient = mock`
`453`	`454`
`454`	`455`	`es := testExternalSecretsForCertificate()`
`455`	`456`	`if tt.es != nil {`