From 2f518b8b7cc9076751ff0402cccf4549cb0d3cad Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Fri, 18 Dec 2020 15:10:17 -0800
Subject: [PATCH] TLSCertObserverController Syncs less often by adjusting its filters
- Only watches Secrets of type "kubernetes.io/tls"
Signed-off-by: Aram Price
---
 .../supervisorconfig/tls_cert_observer.go | 3 ++-
 .../supervisorconfig/tls_cert_observer_test.go | 14 +++++++++++---
 test/integration/e2e_test.go | 4 +++-
 test/integration/supervisor_discovery_test.go | 1 +
 test/integration/supervisor_login_test.go | 4 +++-
 test/library/client.go | 2 +-
 6 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/internal/controller/supervisorconfig/tls_cert_observer.go b/internal/controller/supervisorconfig/tls_cert_observer.go
index 37018b2e..59635dbc 100644
--- a/internal/controller/supervisorconfig/tls_cert_observer.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer.go
@@ -9,6 +9,7 @@ import (
 "net/url"
 "strings"
+ v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/labels"
 corev1informers "k8s.io/client-go/informers/core/v1"
@@ -49,7 +50,7 @@ func NewTLSCertObserverController(
 },
 withInformer(
 secretInformer,
- pinnipedcontroller.MatchAnythingFilter(nil),
+ pinnipedcontroller.MatchAnySecretOfTypeFilter(v1.SecretTypeTLS),
 controllerlib.InformerOption{},
 ),
 withInformer(
diff --git a/internal/controller/supervisorconfig/tls_cert_observer_test.go b/internal/controller/supervisorconfig/tls_cert_observer_test.go
index 07c5e547..d90f796e 100644
--- a/internal/controller/supervisorconfig/tls_cert_observer_test.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer_test.go
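Review bot: The import added in the `import (` block aliases `k8s.io/api/core/v1` as `v1`, while the test file for this package and `test/library/client.go` in the same commit call that package `corev1`; two aliases for one package make it harder to search for every place a Secret type is checked. I would write `corev1 "k8s.io/api/core/v1"` here and `corev1.SecretTypeTLS` at the call site. The import hunks in `test/integration/e2e_test.go` and `test/integration/supervisor_login_test.go` have the same alias, and there the new line also appears to sit in a group of its own above the third-party imports instead of next to the other `k8s.io` packages.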
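Review bot: Nothing visible in this hunk stops a FederationDomain from still pointing at a Secret that is not of type `kubernetes.io/tls`, and with the first `withInformer` call now filtering on `v1.SecretTypeTLS`, a change to such a Secret no longer triggers a sync. The Sync method is outside the hunk, so this is inferred: if it still loads the named Secret without checking its type, a certificate kept in an Opaque Secret would be served, but a later rotation or replacement of it would not be picked up until an unrelated event causes a sync. The `Type: corev1.SecretTypeTLS` line this commit adds to createTLSCertificateSecret in supervisor_discovery_test.go suggests untyped Secrets were accepted before. I would have Sync skip and log a referenced Secret of the wrong type, and at minimum put a comment above the filter such as `// Only Secrets of type kubernetes.io/tls trigger a sync; TLS certificates must be stored in Secrets of that type.`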
@@ -59,11 +59,11 @@ func TestTLSCertObserverControllerInformerFilters(t *testing.T) {
 it.Before(func() {
 subject = secretsInformerFilter
- secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}}
- otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}}
+ secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}, Type: corev1.SecretTypeTLS}
+ otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}, Type: "other type"}
 })
- when("any Secret changes", func() {
+ when("any Secret of type TLS changes", func() {
 it("returns true to trigger the sync method", func() {
 r.True(subject.Add(secret))
 r.True(subject.Update(secret, otherSecret))
@@ -71,6 +71,14 @@ func TestTLSCertObserverControllerInformerFilters(t *testing.T) {
 r.True(subject.Delete(secret))
 })
 })
+
+ when("any Secret that is not of type TLS changes", func() {
+ it("returns false to avoid triggering the sync method", func() {
+ r.False(subject.Add(otherSecret))
+ r.False(subject.Update(otherSecret, otherSecret))
+ r.False(subject.Delete(otherSecret))
+ })
+ })
 })
 when("watching FederationDomain objects", func() {
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index b702b973..7ef16147 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -20,6 +20,8 @@ import (
 "testing"
 "time"
+ v1 "k8s.io/api/core/v1"
+
 "github.com/stretchr/testify/require"
 rbacv1 "k8s.io/api/rbac/v1"
@@ -84,7 +86,7 @@ func TestE2EFullIntegration(t *testing.T) {
 certSecret := library.CreateTestSecret(t,
 env.SupervisorNamespace,
 "oidc-provider-tls",
- "kubernetes.io/tls",
+ v1.SecretTypeTLS,
 map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
 )
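Review bot: The new negative case in the second hunk of tls_cert_observer_test.go only exercises the made-up type `"other type"`, so it does not pin the inputs most likely to occur in a cluster: a Secret with no Type set, or one of type `corev1.SecretTypeOpaque`. Assuming the filter compares the Secret's Type field exactly (its body is not part of this patch), I would add `r.False(subject.Add(&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}}))` and the same with `Type: corev1.SecretTypeOpaque`. That documents in the test that an untyped Secret holding certificate data is deliberately ignored.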
diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go
index ddf2bd6a..bf3c663f 100644
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -287,6 +287,7 @@ func createTLSCertificateSecret(ctx context.Context, t *testing.T, ns string, ho
 tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(tlsCert)
 require.NoError(t, err)
 secret := corev1.Secret{
+ Type: corev1.SecretTypeTLS,
 TypeMeta: metav1.TypeMeta{},
 ObjectMeta: metav1.ObjectMeta{
 Name: secretName,
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 2ccc6862..798618e5 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -18,6 +18,8 @@ import (
 "testing"
 "time"
+ v1 "k8s.io/api/core/v1"
+
 coreosoidc "github.com/coreos/go-oidc"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
@@ -95,7 +97,7 @@ func TestSupervisorLogin(t *testing.T) {
 certSecret := library.CreateTestSecret(t,
 env.SupervisorNamespace,
 "oidc-provider-tls",
- "kubernetes.io/tls",
+ v1.SecretTypeTLS,
 map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
 )
diff --git a/test/library/client.go b/test/library/client.go
index 7f8f3ea1..f7035dca 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -314,7 +314,7 @@ func RandHex(t *testing.T, numBytes int) string {
 return hex.EncodeToString(buf)
 }
-func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType string, stringData map[string]string) *corev1.Secret {
+func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType corev1.SecretType, stringData map[string]string) *corev1.Secret {
 t.Helper()
 client := NewClientset(t)
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)