ContainerImage.Pinniped/internal/controller/authenticator/cachecleaner/cachecleaner.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package cachecleaner implements a controller for garbage collecting authenticators from an authenticator cache.
package cachecleaner

import (
	"fmt"

	"github.com/go-logr/logr"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/klog/v2"

	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
	authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
	pinnipedcontroller "go.pinniped.dev/internal/controller"
	"go.pinniped.dev/internal/controller/authenticator"
	"go.pinniped.dev/internal/controller/authenticator/authncache"
	"go.pinniped.dev/internal/controllerlib"
)

// New instantiates a new controllerlib.Controller which will garbage collect authenticators from the provided Cache.
func New(
	cache *authncache.Cache,
	webhooks authinformers.WebhookAuthenticatorInformer,
	jwtAuthenticators authinformers.JWTAuthenticatorInformer,
	log logr.Logger,
) controllerlib.Controller {
	return controllerlib.New(
		controllerlib.Config{
			Name: "cachecleaner-controller",
			Syncer: &controller{
				cache:             cache,
				webhooks:          webhooks,
				jwtAuthenticators: jwtAuthenticators,
				log:               log.WithName("cachecleaner-controller"),
			},
		},
		controllerlib.WithInformer(
			webhooks,
			pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()),
			controllerlib.InformerOption{},
		),
		controllerlib.WithInformer(
			jwtAuthenticators,
			pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()),
			controllerlib.InformerOption{},
		),
	)
}

type controller struct {
	cache             *authncache.Cache
	webhooks          authinformers.WebhookAuthenticatorInformer
	jwtAuthenticators authinformers.JWTAuthenticatorInformer
	log               logr.Logger
}

// Sync implements controllerlib.Syncer.
func (c *controller) Sync(_ controllerlib.Context) error {
	webhooks, err := c.webhooks.Lister().List(labels.Everything())
	if err != nil {
		return fmt.Errorf("failed to list WebhookAuthenticators: %w", err)
	}

	jwtAuthenticators, err := c.jwtAuthenticators.Lister().List(labels.Everything())
	if err != nil {
		return fmt.Errorf("failed to list JWTAuthenticators: %w", err)
	}

	// Index the current authenticators by cache key.
	authenticatorSet := map[authncache.Key]bool{}
	for _, webhook := range webhooks {
		key := authncache.Key{
			Name:     webhook.Name,
			Kind:     "WebhookAuthenticator",
			APIGroup: auth1alpha1.SchemeGroupVersion.Group,
		}
		authenticatorSet[key] = true
	}
	for _, jwtAuthenticator := range jwtAuthenticators {
		key := authncache.Key{
			Name:     jwtAuthenticator.Name,
			Kind:     "JWTAuthenticator",
			APIGroup: auth1alpha1.SchemeGroupVersion.Group,
		}
		authenticatorSet[key] = true
	}

	// Delete any entries from the cache which are no longer in the cluster.
	for _, key := range c.cache.Keys() {
		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || (key.Kind != "WebhookAuthenticator" && key.Kind != "JWTAuthenticator") {
			continue
		}
		if _, exists := authenticatorSet[key]; !exists {
			c.log.WithValues(
				"authenticator",
				klog.KRef("", key.Name),
				"kind",
				key.Kind,
			).Info("deleting authenticator from cache")

			value := c.cache.Get(key)
			if closer, ok := value.(authenticator.Closer); ok {
				closer.Close()
			}

			c.cache.Delete(key)
		}
	}
	return nil
}
Changing references from 1.19 to 1.20 2021-01-07 22:58:09 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 01:39:51 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`// Package cachecleaner implements a controller for garbage collecting authenticators from an authenticator cache.`
			`package cachecleaner`

			`import (`
			`"fmt"`

			`"github.com/go-logr/logr"`
			`"k8s.io/apimachinery/pkg/labels"`
			`"k8s.io/klog/v2"`

Use new 'go.pinniped.dev/generated/latest' package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-16 19:00:08 +00:00			`auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"`
			`authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"`
Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 01:39:51 +00:00			`pinnipedcontroller "go.pinniped.dev/internal/controller"`
Always close JWTAuthenticator underlying authenticator Otherwise we will leak goroutines. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 16:08:53 +00:00			`"go.pinniped.dev/internal/controller/authenticator"`
Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 01:39:51 +00:00			`"go.pinniped.dev/internal/controller/authenticator/authncache"`
			`"go.pinniped.dev/internal/controllerlib"`
			`)`

			`// New instantiates a new controllerlib.Controller which will garbage collect authenticators from the provided Cache.`
			`func New(`
			`cache *authncache.Cache,`
			`webhooks authinformers.WebhookAuthenticatorInformer,`
			`jwtAuthenticators authinformers.JWTAuthenticatorInformer,`
			`log logr.Logger,`
			`) controllerlib.Controller {`
			`return controllerlib.New(`
			`controllerlib.Config{`
			`Name: "cachecleaner-controller",`
			`Syncer: &controller{`
			`cache: cache,`
			`webhooks: webhooks,`
			`jwtAuthenticators: jwtAuthenticators,`
			`log: log.WithName("cachecleaner-controller"),`
			`},`
			`},`
			`controllerlib.WithInformer(`
			`webhooks,`
			`pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()),`
			`controllerlib.InformerOption{},`
			`),`
			`controllerlib.WithInformer(`
			`jwtAuthenticators,`
			`pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()),`
			`controllerlib.InformerOption{},`
			`),`
			`)`
			`}`

			`type controller struct {`
			`cache *authncache.Cache`
			`webhooks authinformers.WebhookAuthenticatorInformer`
			`jwtAuthenticators authinformers.JWTAuthenticatorInformer`
			`log logr.Logger`
			`}`

			`// Sync implements controllerlib.Syncer.`
			`func (c *controller) Sync(_ controllerlib.Context) error {`
			`webhooks, err := c.webhooks.Lister().List(labels.Everything())`
			`if err != nil {`
			`return fmt.Errorf("failed to list WebhookAuthenticators: %w", err)`
			`}`

			`jwtAuthenticators, err := c.jwtAuthenticators.Lister().List(labels.Everything())`
			`if err != nil {`
			`return fmt.Errorf("failed to list JWTAuthenticators: %w", err)`
			`}`

			`// Index the current authenticators by cache key.`
			`authenticatorSet := map[authncache.Key]bool{}`
			`for _, webhook := range webhooks {`
			`key := authncache.Key{`
authncache: remove namespace concept Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 23:16:22 +00:00			`Name: webhook.Name,`
			`Kind: "WebhookAuthenticator",`
			`APIGroup: auth1alpha1.SchemeGroupVersion.Group,`
Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 01:39:51 +00:00			`}`
			`authenticatorSet[key] = true`
			`}`
			`for _, jwtAuthenticator := range jwtAuthenticators {`
			`key := authncache.Key{`
authncache: remove namespace concept Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 23:16:22 +00:00			`Name: jwtAuthenticator.Name,`
			`Kind: "JWTAuthenticator",`
			`APIGroup: auth1alpha1.SchemeGroupVersion.Group,`
Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 01:39:51 +00:00			`}`
			`authenticatorSet[key] = true`
			`}`

			`// Delete any entries from the cache which are no longer in the cluster.`
			`for _, key := range c.cache.Keys() {`
			`if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group \|\| (key.Kind != "WebhookAuthenticator" && key.Kind != "JWTAuthenticator") {`
			`continue`
			`}`
			`if _, exists := authenticatorSet[key]; !exists {`
			`c.log.WithValues(`
			`"authenticator",`
authncache: remove namespace concept Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 23:16:22 +00:00			`klog.KRef("", key.Name),`
Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 01:39:51 +00:00			`"kind",`
			`key.Kind,`
			`).Info("deleting authenticator from cache")`

			`value := c.cache.Get(key)`
Always close JWTAuthenticator underlying authenticator Otherwise we will leak goroutines. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 16:08:53 +00:00			`if closer, ok := value.(authenticator.Closer); ok {`
			`closer.Close()`
Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-08 01:39:51 +00:00			`}`

			`c.cache.Delete(key)`
			`}`
			`}`
			`return nil`
			`}`