Fix label handling in kubecertagent controllers.

These controllers were inconsistent: in some cases they ran out of the expected order, and the custom labels might not have been applied to the CredentialIssuer.

We should still plan to remove this label handling or move responsibility into the middleware layer, but this avoids any regression.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2021-03-02 13:59:46 -06:00
parent 643c60fd7a
commit 2a29303e3f
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D
5 changed files with 33 additions and 10 deletions


@ -33,6 +33,7 @@ const (
type annotaterController struct {
agentPodConfig *AgentPodConfig
credentialIssuerLocationConfig *CredentialIssuerLocationConfig
credentialIssuerLabels map[string]string
clock clock.Clock
k8sClient kubernetes.Interface
pinnipedAPIClient pinnipedclientset.Interface
@ -51,6 +52,7 @@ type annotaterController struct {
func NewAnnotaterController(
agentPodConfig *AgentPodConfig,
credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
credentialIssuerLabels map[string]string,
clock clock.Clock,
k8sClient kubernetes.Interface,
pinnipedAPIClient pinnipedclientset.Interface,
@ -64,6 +66,7 @@ func NewAnnotaterController(
Syncer: &annotaterController{
agentPodConfig: agentPodConfig,
credentialIssuerLocationConfig: credentialIssuerLocationConfig,
credentialIssuerLabels: credentialIssuerLabels,
clock: clock,
k8sClient: k8sClient,
pinnipedAPIClient: pinnipedAPIClient,
@ -125,7 +128,7 @@ func (c *annotaterController) Sync(ctx controllerlib.Context) error {
strategyResultUpdateErr := issuerconfig.UpdateStrategy(
ctx.Context,
c.credentialIssuerLocationConfig.Name,
nil,
c.credentialIssuerLabels,
c.pinnipedAPIClient,
strategyError(c.clock, err),
)
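Review bot: The new `credentialIssuerLabels` struct field and constructor parameter carry no comment explaining why the labels have to be threaded through this call, which is the whole reason for the commit. Suggest `// credentialIssuerLabels are passed to every issuerconfig.UpdateStrategy call so the configured labels land on the CredentialIssuer regardless of which controller first creates it.` on the struct field, plus a matching line in the NewAnnotaterController doc comment, which sits above the hunk. Whether UpdateStrategy also reconciles labels onto an already-existing CredentialIssuer is not visible here; if it only applies them on create, an object created earlier without labels stays unlabeled and the "avoids any regression" claim in the description deserves that qualification. Sync starts before and ends after the hunk.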


@ -41,6 +41,7 @@ func TestAnnotaterControllerFilter(t *testing.T) {
) {
_ = NewAnnotaterController(
agentPodConfig,
nil, // credentialIssuerLabels, shouldn't matter
nil, // credentialIssuerLocationConfig, shouldn't matter
nil, // clock, shouldn't matter
nil, // k8sClient, shouldn't matter
@ -85,6 +86,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
var podsGVR schema.GroupVersionResource
var credentialIssuerGVR schema.GroupVersionResource
var frozenNow time.Time
var credentialIssuerLabels map[string]string
// Defer starting the informers until the last possible moment so that the
// nested Before's can keep adding things to the informer caches.
@ -103,6 +105,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
&CredentialIssuerLocationConfig{
Name: credentialIssuerResourceName,
},
credentialIssuerLabels,
clock.NewFakeClock(frozenNow),
kubeAPIClient,
pinnipedAPIClient,
@ -297,6 +300,10 @@ func TestAnnotaterControllerSync(t *testing.T) {
})
when("there is not already a CredentialIssuer", func() {
it.Before(func() {
credentialIssuerLabels = map[string]string{"foo": "bar"}
})
it("creates the CredentialIssuer status with the error", func() {
startInformersAndController()
err := controllerlib.TestSync(t, subject, *syncContext)
@ -305,6 +312,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName,
Labels: map[string]string{"foo": "bar"},
},
}
@ -312,6 +320,7 @@ func TestAnnotaterControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName,
Labels: map[string]string{"foo": "bar"},
},
Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{
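Review bot: The argument comments added in TestAnnotaterControllerFilter are in the wrong order: NewAnnotaterController takes `credentialIssuerLocationConfig` before `credentialIssuerLabels` (see the constructor hunk above), so the line commented `// credentialIssuerLabels, shouldn't matter` is actually the location config and the next one is the labels. Swap them to `nil, // credentialIssuerLocationConfig, shouldn't matter` followed by `nil, // credentialIssuerLabels, shouldn't matter` so the comments match the signature. Separately, `credentialIssuerLabels` is assigned in the `it.Before` of the "there is not already a CredentialIssuer" case; unless an outer Before resets it, which is not visible here, the map can leak into sibling cases that expect an unlabeled object. Both enclosing test functions start before the hunks.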


@ -31,6 +31,7 @@ const (
type execerController struct {
credentialIssuerLocationConfig *CredentialIssuerLocationConfig
credentialIssuerLabels map[string]string
discoveryURLOverride *string
dynamicCertProvider dynamiccert.Provider
podCommandExecutor PodCommandExecutor
@ -48,6 +49,7 @@ type execerController struct {
// credentialIssuerLocationConfig, with any errors that it encounters.
func NewExecerController(
credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
credentialIssuerLabels map[string]string,
discoveryURLOverride *string,
dynamicCertProvider dynamiccert.Provider,
podCommandExecutor PodCommandExecutor,
@ -62,6 +64,7 @@ func NewExecerController(
Name: "kube-cert-agent-execer-controller",
Syncer: &execerController{
credentialIssuerLocationConfig: credentialIssuerLocationConfig,
credentialIssuerLabels: credentialIssuerLabels,
discoveryURLOverride: discoveryURLOverride,
dynamicCertProvider: dynamicCertProvider,
podCommandExecutor: podCommandExecutor,
@ -112,7 +115,7 @@ func (c *execerController) Sync(ctx controllerlib.Context) error {
strategyResultUpdateErr := issuerconfig.UpdateStrategy(
ctx.Context,
c.credentialIssuerLocationConfig.Name,
nil,
c.credentialIssuerLabels,
c.pinnipedAPIClient,
strategyError(c.clock, err),
)
@ -125,7 +128,7 @@ func (c *execerController) Sync(ctx controllerlib.Context) error {
strategyResultUpdateErr := issuerconfig.UpdateStrategy(
ctx.Context,
c.credentialIssuerLocationConfig.Name,
nil,
c.credentialIssuerLabels,
c.pinnipedAPIClient,
strategyError(c.clock, err),
)
@ -140,7 +143,7 @@ func (c *execerController) Sync(ctx controllerlib.Context) error {
strategyResultUpdateErr := issuerconfig.UpdateStrategy(
ctx.Context,
c.credentialIssuerLocationConfig.Name,
nil,
c.credentialIssuerLabels,
c.pinnipedAPIClient,
configv1alpha1.CredentialIssuerStrategy{
Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
@ -157,7 +160,7 @@ func (c *execerController) Sync(ctx controllerlib.Context) error {
return issuerconfig.UpdateStrategy(
ctx.Context,
c.credentialIssuerLocationConfig.Name,
nil,
c.credentialIssuerLabels,
c.pinnipedAPIClient,
configv1alpha1.CredentialIssuerStrategy{
Type: configv1alpha1.KubeClusterSigningCertificateStrategyType,
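Review bot: The same five-argument `issuerconfig.UpdateStrategy(ctx.Context, c.credentialIssuerLocationConfig.Name, c.credentialIssuerLabels, c.pinnipedAPIClient, …)` call now appears four times in Sync, and this commit exists because one plumbed argument was previously missed; a small method on execerController would make the next change (the planned move into the middleware layer) a one-line edit instead of four. The NewExecerController doc comment, whose tail `// credentialIssuerLocationConfig, with any errors that it encounters.` is visible, also does not mention the new `credentialIssuerLabels` parameter and should. Sync starts before and ends after the hunks.
```go
// updateStrategy writes strategy to the configured CredentialIssuer, applying the
// configured labels so every call site in Sync stays consistent.
func (c *execerController) updateStrategy(ctx controllerlib.Context, strategy configv1alpha1.CredentialIssuerStrategy) error {
	return issuerconfig.UpdateStrategy(ctx.Context, c.credentialIssuerLocationConfig.Name, c.credentialIssuerLabels, c.pinnipedAPIClient, strategy)
}

// … unchanged: Sync body; each call site becomes, e.g. …
strategyResultUpdateErr := c.updateStrategy(ctx, strategyError(c.clock, err))
```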


@ -49,6 +49,7 @@ func TestExecerControllerOptions(t *testing.T) {
&CredentialIssuerLocationConfig{
Name: "ignored by this test",
},
nil, // credentialIssuerLabels, not needed for this test
nil, // discoveryURLOverride, not needed for this test
nil, // dynamicCertProvider, not needed for this test
nil, // podCommandExecutor, not needed for this test
@ -152,6 +153,7 @@ func TestManagerControllerSync(t *testing.T) {
var kubeInformerFactory kubeinformers.SharedInformerFactory
var kubeClientset *kubernetesfake.Clientset
var fakeExecutor *fakePodExecutor
var credentialIssuerLabels map[string]string
var discoveryURLOverride *string
var dynamicCertProvider dynamiccert.Provider
var fakeCertPEM, fakeKeyPEM string
@ -166,6 +168,7 @@ func TestManagerControllerSync(t *testing.T) {
&CredentialIssuerLocationConfig{
Name: credentialIssuerResourceName,
},
credentialIssuerLabels,
discoveryURLOverride,
dynamicCertProvider,
fakeExecutor,
@ -516,16 +519,18 @@ func TestManagerControllerSync(t *testing.T) {
it.Before(func() {
server := "https://overridden-server-url.example.com"
discoveryURLOverride = &server
credentialIssuerLabels = map[string]string{"foo": "bar"}
startInformersAndController()
})
it("also creates the the CredentialIssuer with the appropriate status field", func() {
it("also creates the the CredentialIssuer with the appropriate status field and labels", func() {
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
expectedCreateCredentialIssuer := &configv1alpha1.CredentialIssuer{
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName,
Labels: map[string]string{"foo": "bar"},
},
}
@ -533,6 +538,7 @@ func TestManagerControllerSync(t *testing.T) {
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Name: credentialIssuerResourceName,
Labels: map[string]string{"foo": "bar"},
},
Status: configv1alpha1.CredentialIssuerStatus{
Strategies: []configv1alpha1.CredentialIssuerStrategy{
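Review bot: The label expectation is bolted onto the discovery-URL-override case (`credentialIssuerLabels = map[string]string{"foo": "bar"}` is set in that case's `it.Before`), so a regression in label handling would be reported as a failure of the overridden-server-URL test, and a reader looking for label coverage will not find it by name. Give the labels their own `when` block, or set them in the outer Before so every create/update expectation in TestManagerControllerSync asserts `Labels`. The renamed test also keeps the doubled article; `it("also creates the CredentialIssuer with the appropriate status field and labels", …)` reads correctly. TestManagerControllerSync starts before the hunks and continues after them.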


@ -204,6 +204,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
kubecertagent.NewAnnotaterController(
agentPodConfig,
credentialIssuerLocationConfig,
c.Labels,
clock.RealClock{},
client.Kubernetes,
client.PinnipedConcierge,
@ -216,6 +217,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
WithController(
kubecertagent.NewExecerController(
credentialIssuerLocationConfig,
c.Labels,
c.DiscoveryURLOverride,
c.DynamicSigningCertProvider,
kubecertagent.NewPodCommandExecutor(client.JSONConfig, client.Kubernetes),
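Review bot: The same `c.Labels` map is handed to both controllers here, and the commit message says the middleware layer is expected to take over label handling later, so every consumer aliases one operator-supplied map; if any of them ever writes to it, for example merging its own labels before an update, the others will observe the mutation. Either document on `Config.Labels` that it is read-only after startup, or give each controller its own copy (a small copy loop into a fresh map, since `maps.Clone` needs Go 1.21). Label keys and values are also presumably not validated until the API server rejects an UpdateStrategy call inside Sync; if config loading does not already run apimachinery's `validation.ValidateLabels` on them, failing fast at startup would surface a typo in the operator config instead of a repeating sync error. PrepareControllers starts before the hunks and continues after them.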