feat: cache generated RBACs since code is called once per k8s flavor

Author: metacosm

core/deployment/src/main/java/io/quarkiverse/operatorsdk/deployment/AddRoleBindingsDecorator.java

@@ -2,19 +2,22 @@
 
 import static io.quarkiverse.operatorsdk.deployment.AddClusterRolesDecorator.getClusterRoleName;
 
+import java.util.ArrayList;
 import java.util.Collection;
-import java.util.HashSet;
+import java.util.List;
 import java.util.Optional;
-import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 
 import org.eclipse.microprofile.config.ConfigProvider;
 import org.jboss.logging.Logger;
 
 import io.dekorate.kubernetes.decorator.ResourceProvidingDecorator;
+import io.fabric8.kubernetes.api.model.HasMetadata;
 import io.fabric8.kubernetes.api.model.KubernetesListBuilder;
+import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding;
 import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBindingBuilder;
+import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
 import io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder;
 import io.quarkiverse.operatorsdk.runtime.BuildTimeOperatorConfiguration;
 import io.quarkiverse.operatorsdk.runtime.QuarkusControllerConfiguration;
@@ -28,7 +31,7 @@ public class AddRoleBindingsDecorator extends ResourceProvidingDecorator<Kuberne
     protected static final String SERVICE_ACCOUNT = "ServiceAccount";
     private final Collection<QuarkusControllerConfiguration> configs;
     private final BuildTimeOperatorConfiguration operatorConfiguration;
-    private static final ConcurrentMap<String, Object> alreadyLogged = new ConcurrentHashMap<>();
+    private static final ConcurrentMap<QuarkusControllerConfiguration, List<HasMetadata>> cachedBindings = new ConcurrentHashMap<>();
     private static final Optional<String> deployNamespace = ConfigProvider.getConfig()
             .getOptionalValue("quarkus.kubernetes.namespace", String.class);
 
@@ -41,82 +44,83 @@ public AddRoleBindingsDecorator(Collection<QuarkusControllerConfiguration> confi
     @Override
     public void visit(KubernetesListBuilder list) {
         final var serviceAccountName = getMandatoryDeploymentMetadata(list).getName();
-        configs.forEach(controllerConfiguration -> {
-            QuarkusControllerConfiguration<?> config = (QuarkusControllerConfiguration<?>) controllerConfiguration;
-            String controllerName = config.getName();
-            final var roleBindingName = controllerName + "-role-binding";
-            if (config.watchCurrentNamespace()) {
-                // create a RoleBinding that will be applied in the current namespace if watching only the current NS
-                log.infov("Creating ''{0}'' RoleBinding to be applied to current namespace", roleBindingName);
-                list.addToItems(new RoleBindingBuilder()
-                        .withNewMetadata()
-                        .withName(roleBindingName)
-                        .endMetadata()
-                        .withNewRoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE,
-                                getClusterRoleName(controllerName))
-                        .addNewSubject(null, SERVICE_ACCOUNT, serviceAccountName, null)
-                        .build());
-            } else if (config.watchAllNamespaces()) {
-                handleClusterRoleBinding(list, serviceAccountName, controllerName,
-                        controllerName + "-cluster-role-binding", "watch all namespaces",
-                        getClusterRoleName(controllerName));
-            } else {
-                // retrieve which namespaces should be used to generate either from annotation or from the build time configuration
-                var desiredWatchedNamespaces = config.getNamespaces();
-                final var buildTimeConfig = operatorConfiguration.controllers.get(controllerName);
-                if (buildTimeConfig != null) {
-                    desiredWatchedNamespaces = buildTimeConfig.generateWithWatchedNamespaces
-                            .<Set<String>> map(HashSet::new)
-                            .orElse(desiredWatchedNamespaces);
-                }
-
-                // create a RoleBinding using either the provided deployment namespace or the desired watched namespace name
-                desiredWatchedNamespaces.forEach(ns -> {
-                    log.infov(
-                            "Creating ''{0}'' RoleBinding to be applied to ''{1}'' namespace",
-                            roleBindingName, ns);
-                    list.addToItems(new RoleBindingBuilder()
-                            .withNewMetadata()
-                            .withName(roleBindingName)
-                            .withNamespace(ns)
-                            .endMetadata()
-                            .withNewRoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE,
-                                    getClusterRoleName(controllerName))
-                            .addNewSubject(null, SERVICE_ACCOUNT, serviceAccountName, deployNamespace.orElse(null))
-                            .build());
-                });
-            }
-
-            // if we validate the CRDs, also create a binding for the CRD validating role
-            if (operatorConfiguration.crd.validate) {
-                final var crBindingName = controllerName + "-crd-validating-role-binding";
-                handleClusterRoleBinding(list, serviceAccountName, controllerName, crBindingName, "validate CRDs",
-                        AddClusterRolesDecorator.JOSDK_CRD_VALIDATING_CLUSTER_ROLE);
-            }
+        configs.forEach(config -> {
+            final var toAdd = cachedBindings.computeIfAbsent(config, c -> bindingsFor(c, serviceAccountName));
+            list.addAllToItems(toAdd);
         });
     }
 
-    private void handleClusterRoleBinding(KubernetesListBuilder list, String serviceAccountName,
+    private List<HasMetadata> bindingsFor(QuarkusControllerConfiguration<?> controllerConfiguration,
+            String serviceAccountName) {
+        final var controllerName = controllerConfiguration.getName();
+
+        // retrieve which namespaces should be used to generate either from annotation or from the build time configuration
+        final var desiredWatchedNamespaces = controllerConfiguration.getNamespaces();
+
+        // if we validate the CRDs, also create a binding for the CRD validating role
+        List<HasMetadata> itemsToAdd;
+        if (operatorConfiguration.crd.validate) {
+            final var crBindingName = controllerName + "-crd-validating-role-binding";
+            final var crdValidatorRoleBinding = createClusterRoleBinding(serviceAccountName, controllerName,
+                    crBindingName, "validate CRDs",
+                    AddClusterRolesDecorator.JOSDK_CRD_VALIDATING_CLUSTER_ROLE);
+            itemsToAdd = new ArrayList<>(desiredWatchedNamespaces.size() + 1);
+            itemsToAdd.add(crdValidatorRoleBinding);
+        } else {
+            itemsToAdd = new ArrayList<>(desiredWatchedNamespaces.size());
+        }
+
+        final var roleBindingName = controllerName + "-role-binding";
+        if (controllerConfiguration.watchCurrentNamespace()) {
+            // create a RoleBinding that will be applied in the current namespace if watching only the current NS
+            itemsToAdd.add(createRoleBinding(roleBindingName, controllerName, serviceAccountName, null));
+        } else if (controllerConfiguration.watchAllNamespaces()) {
+            itemsToAdd.add(createClusterRoleBinding(serviceAccountName, controllerName,
+                    controllerName + "-cluster-role-binding", "watch all namespaces",
+                    getClusterRoleName(controllerName)));
+        } else {
+            // create a RoleBinding using either the provided deployment namespace or the desired watched namespace name
+            desiredWatchedNamespaces
+                    .forEach(ns -> itemsToAdd.add(createRoleBinding(roleBindingName, controllerName, serviceAccountName, ns)));
+        }
+
+        return itemsToAdd;
+    }
+
+    private static RoleBinding createRoleBinding(String roleBindingName, String controllerName,
+            String serviceAccountName, String namespace) {
+        final var nsMsg = (namespace == null ? "current" : "'" + namespace + "'") + " namespace";
+        log.infov("Creating ''{0}'' RoleBinding to be applied to {1}", roleBindingName, nsMsg);
+        return new RoleBindingBuilder()
+                .withNewMetadata()
+                .withName(roleBindingName)
+                .withNamespace(deployNamespace.orElse(namespace))
+                .endMetadata()
+                .withNewRoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE, getClusterRoleName(controllerName))
+                .addNewSubject(null, SERVICE_ACCOUNT, serviceAccountName,
+                        deployNamespace.orElse(null))
+                .build();
+    }
+
+    private static ClusterRoleBinding createClusterRoleBinding(String serviceAccountName,
             String controllerName, String bindingName, String controllerConfMessage,
             String clusterRoleName) {
         outputWarningIfNeeded(controllerName, bindingName, controllerConfMessage);
         final var ns = deployNamespace.orElse(null);
         log.infov("Creating ''{0}'' ClusterRoleBinding to be applied to ''{1}'' namespace", bindingName, ns);
-        list.addToItems(new ClusterRoleBindingBuilder()
+        return new ClusterRoleBindingBuilder()
                 .withNewMetadata().withName(bindingName)
                 .endMetadata()
                 .withNewRoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE, clusterRoleName)
                 .addNewSubject()
-                .withKind(SERVICE_ACCOUNT).withName(serviceAccountName).withNamespace(
-                        ns)
+                .withKind(SERVICE_ACCOUNT).withName(serviceAccountName).withNamespace(ns)
                 .endSubject()
-                .build());
+                .build();
     }
 
-    private void outputWarningIfNeeded(String controllerName, String crBindingName, String controllerConfMessage) {
+    private static void outputWarningIfNeeded(String controllerName, String crBindingName, String controllerConfMessage) {
         // the decorator can be called several times but we only want to output the warning once
-        if (deployNamespace.isEmpty()
-                && alreadyLogged.putIfAbsent(controllerName + crBindingName, new Object()) == null) {
+        if (deployNamespace.isEmpty()) {
             log.warnv(
                     "''{0}'' controller is configured to "
                             + controllerConfMessage

docs/modules/ROOT/pages/includes/quarkus-operator-sdk.adoc

@@ -150,7 +150,7 @@ endif::add-copy-button-to-env-var[]
 ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_OPERATOR_SDK_DISABLE_RBAC_GENERATION+++`
 endif::add-copy-button-to-env-var[]
---|boolean
+--|boolean 
 |`false`
 
 
@@ -339,10 +339,10 @@ a|icon:lock[title=Fixed at build time] [[quarkus-operator-sdk_quarkus.operator-s
 
 [.description]
 --
-An optional list of comma-separated watched namespace names that will be used to generate manifests at build time.
-Note that this is provided as a means to quickly deploy a specific controller to test it by applying the generated manifests to the target cluster. If empty, no manifests will be generated. The namespace in which the controller will be deployed will be the currently configured namespace as specified by your `.kube/config` file, unless you specify the target deployment namespace using the `quarkus.kubernetes.namespace` property.
+An optional list of comma-separated watched namespace names that will be used to generate manifests at build time. 
+Note that this is provided as a means to quickly deploy a specific controller to test it by applying the generated manifests to the target cluster. If empty, no manifests will be generated. The namespace in which the controller will be deployed will be the currently configured namespace as specified by your `.kube/config` file, unless you specify the target deployment namespace using the `quarkus.kubernetes.namespace` property. 
 
-As this functionality cannot handle namespaces that are not know until runtime (because the generation happens during build time), we recommend that you use a different mechanism such as OLM or Helm charts to deploy your operator in production.
+As this functionality cannot handle namespaces that are not know until runtime (because the generation happens during build time), we recommend that you use a different mechanism such as OLM or Helm charts to deploy your operator in production.  
 This replaces the previous `namespaces` property which was confusing and against Quarkus best practices since it existed both at build time and runtime. That property wasn't also adequately capturing the fact that namespaces that wouldn't be known until runtime would render whatever got generated at build time invalid as far as generated manifests were concerned.
 
 ifdef::add-copy-button-to-env-var[]
@@ -351,7 +351,7 @@ endif::add-copy-button-to-env-var[]
 ifndef::add-copy-button-to-env-var[]
 Environment variable: `+++QUARKUS_OPERATOR_SDK_CONTROLLERS__CONTROLLERS__GENERATE_WITH_WATCHED_NAMESPACES+++`
 endif::add-copy-button-to-env-var[]
---|list of string
+--|list of string 
 |