Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 413d1f9c07
Branches Tags
helm-externa...
/
pkg
/
controllers
/
externalsecret
/
informer_manager.go

informer_manager.go 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package externalsecret
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"sync"
    23. 

  23. 

  24. 	"github.com/go-logr/logr"
    25. 

  25. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26. 

  26. 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
    27. 

  27. 	"k8s.io/apimachinery/pkg/fields"
    28. 

  28. 	"k8s.io/apimachinery/pkg/runtime/schema"
    29. 

  29. 	"k8s.io/apimachinery/pkg/types"
    30. 

  30. 	"k8s.io/client-go/util/workqueue"
    31. 

  31. 	ctrl "sigs.k8s.io/controller-runtime"
    32. 

  32. 	runtimecache "sigs.k8s.io/controller-runtime/pkg/cache"
    33. 

  33. 	"sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
    35. 

  35. 	"sigs.k8s.io/controller-runtime/pkg/source"
    36. 

  36. 

  37. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    38. 

  38. )
    39. 

  39. 

  40. // InformerManager manages the lifecycle of informers for generic target resources.
    41. 

  41. // It handles dynamic registration, tracking, and cleanup of informers.
    42. 

  42. type InformerManager interface {
    43. 

  43. 	// EnsureInformer ensures an informer exists for the given GVK and registers the ExternalSecret as using it.
    44. 

  44. 	// Returns true if a new informer was created, false if it already existed.
    45. 

  45. 	EnsureInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) (bool, error)
    46. 

  46. 

  47. 	// ReleaseInformer unregisters the ExternalSecret from using this GVK.
    48. 

  48. 	// If no more ExternalSecrets use this GVK, the informer is stopped and removed.
    49. 

  49. 	ReleaseInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) error
    50. 

  50. 

  51. 	// IsManaged returns true if the manager is currently managing an informer for the GVK.
    52. 

  52. 	IsManaged(gvk schema.GroupVersionKind) bool
    53. 

  53. 

  54. 	// GetInformer returns the informer for a GVK if it exists.
    55. 

  55. 	GetInformer(gvk schema.GroupVersionKind) (runtimecache.Informer, bool)
    56. 

  56. 

  57. 	// Source returns a source.TypedSource that can be used with WatchesRawSource
    58. 

  58. 	Source() source.TypedSource[reconcile.Request]
    59. 

  59. 

  60. 	// SetQueue binds the reconcile queue to the informer manager
    61. 

  61. 	SetQueue(queue workqueue.TypedRateLimitingInterface[ctrl.Request]) error
    62. 

  62. }
    63. 

  63. 

  64. // informerEntry tracks an informer and the ExternalSecrets using it.
    65. 

  65. type informerEntry struct {
    66. 

  66. 	informer runtimecache.Informer
    67. 

  67. 	// externalSecrets tracks the external secrets using a GVK. Once this list is empty, we
    68. 

  68. 	// stop the informer and deregister it to free up resources. It is a map instead of just a number to prevent
    69. 

  69. 	// duplicated reconcile ensures to increase the number on each reconcile.
    70. 

  70. 	externalSecrets map[types.NamespacedName]struct{}
    71. 

  71. }
    72. 

  72. 

  73. // DefaultInformerManager implements InformerManager using controller-runtime's cache.
    74. 

  74. type DefaultInformerManager struct {
    75. 

  75. 	cache          runtimecache.Cache
    76. 

  76. 	client         client.Client
    77. 

  77. 	log            logr.Logger
    78. 

  78. 	mu             sync.RWMutex
    79. 

  79. 	informers      map[string]*informerEntry // key: GVK string
    80. 

  80. 	queue          workqueue.TypedRateLimitingInterface[ctrl.Request]
    81. 

  81. 	managerContext context.Context
    82. 

  82. }
    83. 

  83. 

  84. // NewInformerManager creates a new InformerManager.
    85. 

  85. func NewInformerManager(ctx context.Context, cache runtimecache.Cache, client client.Client, log logr.Logger) InformerManager {
    86. 

  86. 	return &DefaultInformerManager{
    87. 

  87. 		managerContext: ctx,
    88. 

  88. 		cache:          cache,
    89. 

  89. 		client:         client,
    90. 

  90. 		log:            log,
    91. 

  91. 		informers:      make(map[string]*informerEntry),
    92. 

  92. 	}
    93. 

  93. }
    94. 

  94. 

  95. // EnsureInformer ensures an informer exists for the given GVK and registers the ExternalSecret.
    96. 

  96. func (m *DefaultInformerManager) EnsureInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) (bool, error) {
    97. 

  97. 	m.mu.Lock()
    98. 

  98. 	defer m.mu.Unlock()
    99. 

  99. 

  100. 	key := gvk.String()
    101. 

  101. 

  102. 	// check if we have this gvk in the list of informers already
    103. 

  103. 	if entry, exists := m.informers[key]; exists {
    104. 

  104. 		// register this ExternalSecret as using this informer (deduplicate);
    105. 

  105. 		entry.externalSecrets[es] = struct{}{}
    106. 

  106. 		m.log.Info("registered ExternalSecret with existing informer",
    107. 

  107. 			"gvk", key,
    108. 

  108. 			"externalSecret", es,
    109. 

  109. 			"totalUsers", len(entry.externalSecrets))
    110. 

  110. 		return false, nil
    111. 

  111. 	}
    112. 

  112. 

  113. 	if m.queue == nil {
    114. 

  114. 		return false, fmt.Errorf("queue not initialized, call SetQueue first")
    115. 

  115. 	}
    116. 

  116. 

  117. 	obj := &unstructured.Unstructured{}
    118. 

  118. 	obj.SetGroupVersionKind(gvk)
    119. 

  119. 	informer, err := m.cache.GetInformer(ctx, obj)
    120. 

  120. 	if err != nil {
    121. 

  121. 		return false, fmt.Errorf("failed to get informer for %s: %w", key, err)
    122. 

  122. 	}
    123. 

  123. 

  124. 	// Add event handler to the informer that enqueues reconcile requests
    125. 

  125. 	_, err = informer.AddEventHandler(&enqueueHandler{
    126. 

  126. 		managerContext: m.managerContext,
    127. 

  127. 		gvk:            gvk,
    128. 

  128. 		client:         m.client,
    129. 

  129. 		queue:          m.queue,
    130. 

  130. 		log:            m.log,
    131. 

  131. 	})
    132. 

  132. 	if err != nil {
    133. 

  133. 		return false, fmt.Errorf("failed to add event handler for %s: %w", key, err)
    134. 

  134. 	}
    135. 

  135. 

  136. 	// Store the informer with this ExternalSecret as the first user
    137. 

  137. 	m.informers[key] = &informerEntry{
    138. 

  138. 		informer:        informer,
    139. 

  139. 		externalSecrets: map[types.NamespacedName]struct{}{es: {}},
    140. 

  140. 	}
    141. 

  141. 

  142. 	m.log.Info("registered informer for generic target",
    143. 

  143. 		"group", gvk.Group,
    144. 

  144. 		"version", gvk.Version,
    145. 

  145. 		"kind", gvk.Kind,
    146. 

  146. 		"externalSecret", es)
    147. 

  147. 

  148. 	return true, nil
    149. 

  149. }
    150. 

  150. 

  151. // enqueueHandler is an event handler that enqueues reconcile requests for ExternalSecrets
    152. 

  152. // that target the changed resource.
    153. 

  153. type enqueueHandler struct {
    154. 

  154. 	managerContext context.Context
    155. 

  155. 	gvk            schema.GroupVersionKind
    156. 

  156. 	client         client.Client
    157. 

  157. 	queue          workqueue.TypedRateLimitingInterface[ctrl.Request]
    158. 

  158. 	log            logr.Logger
    159. 

  159. }
    160. 

  160. 

  161. func (h *enqueueHandler) OnAdd(obj interface{}, _ bool) {
    162. 

  162. 	h.enqueue(obj)
    163. 

  163. }
    164. 

  164. 

  165. func (h *enqueueHandler) OnUpdate(_, newObj interface{}) {
    166. 

  166. 	h.enqueue(newObj)
    167. 

  167. }
    168. 

  168. 

  169. func (h *enqueueHandler) OnDelete(obj interface{}) {
    170. 

  170. 	h.enqueue(obj)
    171. 

  171. }
    172. 

  172. 

  173. func (h *enqueueHandler) enqueue(obj interface{}) {
    174. 

  174. 	// Extract metadata
    175. 

  175. 	meta, ok := obj.(metav1.Object)
    176. 

  176. 	if !ok {
    177. 

  177. 		h.log.Error(nil, "unexpected object type", "type", fmt.Sprintf("%T", obj))
    178. 

  178. 		return
    179. 

  179. 	}
    180. 

  180. 

  181. 	// Only process resources with the managed label
    182. 

  182. 	labels := meta.GetLabels()
    183. 

  183. 	if labels == nil {
    184. 

  184. 		return
    185. 

  185. 	}
    186. 

  186. 

  187. 	value, hasLabel := labels[esv1.LabelManaged]
    188. 

  188. 	if !hasLabel || value != esv1.LabelManagedValue {
    189. 

  189. 		return
    190. 

  190. 	}
    191. 

  191. 

  192. 	// Find ExternalSecrets that target this resource
    193. 

  193. 	externalSecretsList := &esv1.ExternalSecretList{}
    194. 

  194. 	indexValue := fmt.Sprintf("%s/%s/%s/%s", h.gvk.Group, h.gvk.Version, h.gvk.Kind, meta.GetName())
    195. 

  195. 	listOps := &client.ListOptions{
    196. 

  196. 		FieldSelector: fields.OneTermEqualSelector(indexESTargetResourceField, indexValue),
    197. 

  197. 		Namespace:     meta.GetNamespace(),
    198. 

  198. 	}
    199. 

  199. 

  200. 	if err := h.client.List(h.managerContext, externalSecretsList, listOps); err != nil {
    201. 

  201. 		h.log.Error(err, "failed to list ExternalSecrets for resource",
    202. 

  202. 			"gvk", h.gvk.String(),
    203. 

  203. 			"name", meta.GetName(),
    204. 

  204. 			"namespace", meta.GetNamespace())
    205. 

  205. 		return
    206. 

  206. 	}
    207. 

  207. 

  208. 	// Enqueue reconcile requests for each ExternalSecret
    209. 

  209. 	for i := range externalSecretsList.Items {
    210. 

  210. 		req := ctrl.Request{
    211. 

  211. 			NamespacedName: types.NamespacedName{
    212. 

  212. 				Name:      externalSecretsList.Items[i].GetName(),
    213. 

  213. 				Namespace: externalSecretsList.Items[i].GetNamespace(),
    214. 

  214. 			},
    215. 

  215. 		}
    216. 

  216. 		h.queue.Add(req)
    217. 

  217. 

  218. 		h.log.V(1).Info("enqueued reconcile request due to resource change",
    219. 

  219. 			"externalSecret", req.NamespacedName,
    220. 

  220. 			"targetGVK", h.gvk.String(),
    221. 

  221. 			"targetResource", meta.GetName())
    222. 

  222. 	}
    223. 

  223. }
    224. 

  224. 

  225. // ReleaseInformer unregisters the ExternalSecret from using this GVK.
    226. 

  226. func (m *DefaultInformerManager) ReleaseInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) error {
    227. 

  227. 	m.mu.Lock()
    228. 

  228. 	defer m.mu.Unlock()
    229. 

  229. 

  230. 	key := gvk.String()
    231. 

  231. 

  232. 	entry, exists := m.informers[key]
    233. 

  233. 	if !exists {
    234. 

  234. 		// Already removed or never existed; can happen if we had a bad start, failed to watch, or during other errors.
    235. 

  235. 		// In that case, there is nothing else to do really.
    236. 

  236. 		m.log.Info("informer not found for release",
    237. 

  237. 			"gvk", key,
    238. 

  238. 			"externalSecret", es)
    239. 

  239. 		return nil
    240. 

  240. 	}
    241. 

  241. 

  242. 	// remove the ES from the list of ESs using this GVK
    243. 

  243. 	delete(entry.externalSecrets, es)
    244. 

  244. 	m.log.Info("unregistered ExternalSecret from informer",
    245. 

  245. 		"gvk", key,
    246. 

  246. 		"externalSecret", es,
    247. 

  247. 		"remainingUsers", len(entry.externalSecrets))
    248. 

  248. 

  249. 	// if no more ExternalSecrets are using this informer, remove it
    250. 

  250. 	if len(entry.externalSecrets) == 0 {
    251. 

  251. 		obj := &unstructured.Unstructured{}
    252. 

  252. 		obj.SetGroupVersionKind(gvk)
    253. 

  253. 

  254. 		if err := m.cache.RemoveInformer(ctx, obj); err != nil {
    255. 

  255. 			m.log.Error(err, "failed to remove informer, will clean up tracking anyway",
    256. 

  256. 				"gvk", key)
    257. 

  257. 		}
    258. 

  258. 

  259. 		delete(m.informers, key)
    260. 

  260. 

  261. 		m.log.Info("removed informer for generic target (no more users)",
    262. 

  262. 			"group", gvk.Group,
    263. 

  263. 			"version", gvk.Version,
    264. 

  264. 			"kind", gvk.Kind)
    265. 

  265. 	}
    266. 

  266. 

  267. 	return nil
    268. 

  268. }
    269. 

  269. 

  270. // IsManaged returns true if the manager is currently managing an informer for the GVK.
    271. 

  271. func (m *DefaultInformerManager) IsManaged(gvk schema.GroupVersionKind) bool {
    272. 

  272. 	m.mu.RLock()
    273. 

  273. 	defer m.mu.RUnlock()
    274. 

  274. 

  275. 	_, exists := m.informers[gvk.String()]
    276. 

  276. 	return exists
    277. 

  277. }
    278. 

  278. 

  279. // GetInformer returns the informer for a GVK if it exists.
    280. 

  280. func (m *DefaultInformerManager) GetInformer(gvk schema.GroupVersionKind) (runtimecache.Informer, bool) {
    281. 

  281. 	m.mu.RLock()
    282. 

  282. 	defer m.mu.RUnlock()
    283. 

  283. 

  284. 	entry, exists := m.informers[gvk.String()]
    285. 

  285. 	if !exists {
    286. 

  286. 		return nil, false
    287. 

  287. 	}
    288. 

  288. 	return entry.informer, true
    289. 

  289. }
    290. 

  290. 

  291. // Source returns a source.TypedSource that binds the reconcile queue to this manager.
    292. 

  292. func (m *DefaultInformerManager) Source() source.TypedSource[reconcile.Request] {
    293. 

  293. 	return source.Func(func(_ context.Context, queue workqueue.TypedRateLimitingInterface[ctrl.Request]) error {
    294. 

  294. 		// This dynamically binds the given queue to the informer manager
    295. 

  295. 		// From this point on, the queue will receive events for all registered informers
    296. 

  296. 		return m.SetQueue(queue)
    297. 

  297. 	})
    298. 

  298. }
    299. 

  299. 

  300. // SetQueue binds the reconcile queue to the informer manager.
    301. 

  301. func (m *DefaultInformerManager) SetQueue(queue workqueue.TypedRateLimitingInterface[ctrl.Request]) error {
    302. 

  302. 	m.mu.Lock()
    303. 

  303. 	defer m.mu.Unlock()
    304. 

  304. 

  305. 	if m.queue != nil {
    306. 

  306. 		return fmt.Errorf("queue already set")
    307. 

  307. 	}
    308. 

  308. 

  309. 	m.queue = queue
    310. 

  310. 	m.log.Info("reconcile queue bound to informer manager")
    311. 

  311. 	return nil
    312. 

  312. }
    313.