TLSCertObserverController Syncs less often by adjusting its filters

- Only watches Secrets of type "kubernetes.io/tls"

Signed-off-by: Aram Price <pricear@vmware.com>

internal/controller/supervisorconfig/tls_cert_observer.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"strings"
 
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 
@@ -49,7 +50,7 @@ func NewTLSCertObserverController(
 		},
 		withInformer(
 			secretInformer,
-			pinnipedcontroller.MatchAnythingFilter(nil),
+			pinnipedcontroller.MatchAnySecretOfTypeFilter(v1.SecretTypeTLS),
 			controllerlib.InformerOption{},
 		),
 		withInformer(

internal/controller/supervisorconfig/tls_cert_observer_test.go

@@ -59,11 +59,11 @@ func TestTLSCertObserverControllerInformerFilters(t *testing.T) {
 
 			it.Before(func() {
 				subject = secretsInformerFilter
-				secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}}
+				secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}, Type: corev1.SecretTypeTLS}
-				otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}}
+				otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}, Type: "other type"}
 			})
 
-			when("any Secret changes", func() {
+			when("any Secret of type TLS changes", func() {
 				it("returns true to trigger the sync method", func() {
 					r.True(subject.Add(secret))
 					r.True(subject.Update(secret, otherSecret))
@@ -71,6 +71,14 @@ func TestTLSCertObserverControllerInformerFilters(t *testing.T) {
 					r.True(subject.Delete(secret))
 				})
 			})
+
+			when("any Secret that is not of type TLS changes", func() {
+				it("returns false to avoid triggering the sync method", func() {
+					r.False(subject.Add(otherSecret))
+					r.False(subject.Update(otherSecret, otherSecret))
+					r.False(subject.Delete(otherSecret))
+				})
+			})
 		})
 
 		when("watching FederationDomain objects", func() {

test/integration/e2e_test.go

@@ -20,6 +20,8 @@ import (
 	"testing"
 	"time"
 
+	v1 "k8s.io/api/core/v1"
+
 	"github.com/stretchr/testify/require"
 	rbacv1 "k8s.io/api/rbac/v1"
 
@@ -84,7 +86,7 @@ func TestE2EFullIntegration(t *testing.T) {
 	certSecret := library.CreateTestSecret(t,
 		env.SupervisorNamespace,
 		"oidc-provider-tls",
-		"kubernetes.io/tls",
+		v1.SecretTypeTLS,
 		map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
 	)
 

test/integration/supervisor_discovery_test.go

@@ -287,6 +287,7 @@ func createTLSCertificateSecret(ctx context.Context, t *testing.T, ns string, ho
 	tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(tlsCert)
 	require.NoError(t, err)
 	secret := corev1.Secret{
+		Type:     corev1.SecretTypeTLS,
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretName,

test/integration/supervisor_login_test.go

@@ -18,6 +18,8 @@ import (
 	"testing"
 	"time"
 
+	v1 "k8s.io/api/core/v1"
+
 	coreosoidc "github.com/coreos/go-oidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -95,7 +97,7 @@ func TestSupervisorLogin(t *testing.T) {
 	certSecret := library.CreateTestSecret(t,
 		env.SupervisorNamespace,
 		"oidc-provider-tls",
-		"kubernetes.io/tls",
+		v1.SecretTypeTLS,
 		map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
 	)
 

test/library/client.go

@@ -314,7 +314,7 @@ func RandHex(t *testing.T, numBytes int) string {
 	return hex.EncodeToString(buf)
 }
 
-func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType string, stringData map[string]string) *corev1.Secret {
+func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType corev1.SecretType, stringData map[string]string) *corev1.Secret {
 	t.Helper()
 	client := NewClientset(t)
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)