Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 73cc32d500
Branches Tags
helm-externa...
/
pkg
/
controllers
/
externalsecret
/
informer_manager.go

informer_manager.go 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package externalsecret
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"fmt"
    22. 

  22. 	"sync"
    23. 

  23. 

  24. 	"github.com/go-logr/logr"
    25. 

  25. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26. 

  26. 	"k8s.io/apimachinery/pkg/fields"
    27. 

  27. 	"k8s.io/apimachinery/pkg/runtime/schema"
    28. 

  28. 	"k8s.io/apimachinery/pkg/types"
    29. 

  29. 	"k8s.io/client-go/util/workqueue"
    30. 

  30. 	ctrl "sigs.k8s.io/controller-runtime"
    31. 

  31. 	runtimecache "sigs.k8s.io/controller-runtime/pkg/cache"
    32. 

  32. 	"sigs.k8s.io/controller-runtime/pkg/client"
    33. 

  33. 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
    34. 

  34. 	"sigs.k8s.io/controller-runtime/pkg/source"
    35. 

  35. 

  36. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    37. 

  37. )
    38. 

  38. 

  39. // InformerManager manages the lifecycle of informers for generic target resources.
    40. 

  40. // It handles dynamic registration, tracking, and cleanup of informers.
    41. 

  41. type InformerManager interface {
    42. 

  42. 	// EnsureInformer ensures an informer exists for the given GVK and registers the ExternalSecret as using it.
    43. 

  43. 	// Returns true if a new informer was created, false if it already existed.
    44. 

  44. 	EnsureInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) (bool, error)
    45. 

  45. 

  46. 	// ReleaseInformer unregisters the ExternalSecret from using this GVK.
    47. 

  47. 	// If no more ExternalSecrets use this GVK, the informer is stopped and removed.
    48. 

  48. 	ReleaseInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) error
    49. 

  49. 

  50. 	// IsManaged returns true if the manager is currently managing an informer for the GVK.
    51. 

  51. 	IsManaged(gvk schema.GroupVersionKind) bool
    52. 

  52. 

  53. 	// GetInformer returns the informer for a GVK if it exists.
    54. 

  54. 	GetInformer(gvk schema.GroupVersionKind) (runtimecache.Informer, bool)
    55. 

  55. 

  56. 	// Source returns a source.TypedSource that can be used with WatchesRawSource
    57. 

  57. 	Source() source.TypedSource[reconcile.Request]
    58. 

  58. 

  59. 	// SetQueue binds the reconcile queue to the informer manager
    60. 

  60. 	SetQueue(queue workqueue.TypedRateLimitingInterface[ctrl.Request]) error
    61. 

  61. }
    62. 

  62. 

  63. // informerEntry tracks an informer and the ExternalSecrets using it.
    64. 

  64. type informerEntry struct {
    65. 

  65. 	informer runtimecache.Informer
    66. 

  66. 	// externalSecrets tracks the external secrets using a GVK. Once this list is empty, we
    67. 

  67. 	// stop the informer and deregister it to free up resources. It is a map instead of just a number to prevent
    68. 

  68. 	// duplicated reconcile ensures to increase the number on each reconcile.
    69. 

  69. 	externalSecrets map[types.NamespacedName]struct{}
    70. 

  70. }
    71. 

  71. 

  72. // DefaultInformerManager implements InformerManager using controller-runtime's cache.
    73. 

  73. type DefaultInformerManager struct {
    74. 

  74. 	cache          runtimecache.Cache
    75. 

  75. 	client         client.Client
    76. 

  76. 	log            logr.Logger
    77. 

  77. 	mu             sync.RWMutex
    78. 

  78. 	informers      map[string]*informerEntry // key: GVK string
    79. 

  79. 	queue          workqueue.TypedRateLimitingInterface[ctrl.Request]
    80. 

  80. 	managerContext context.Context
    81. 

  81. }
    82. 

  82. 

  83. // NewInformerManager creates a new InformerManager.
    84. 

  84. func NewInformerManager(ctx context.Context, cache runtimecache.Cache, client client.Client, log logr.Logger) InformerManager {
    85. 

  85. 	return &DefaultInformerManager{
    86. 

  86. 		managerContext: ctx,
    87. 

  87. 		cache:          cache,
    88. 

  88. 		client:         client,
    89. 

  89. 		log:            log,
    90. 

  90. 		informers:      make(map[string]*informerEntry),
    91. 

  91. 	}
    92. 

  92. }
    93. 

  93. 

  94. // EnsureInformer ensures an informer exists for the given GVK and registers the ExternalSecret.
    95. 

  95. func (m *DefaultInformerManager) EnsureInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) (bool, error) {
    96. 

  96. 	m.mu.Lock()
    97. 

  97. 	defer m.mu.Unlock()
    98. 

  98. 

  99. 	key := gvk.String()
    100. 

  100. 

  101. 	// check if we have this gvk in the list of informers already
    102. 

  102. 	if entry, exists := m.informers[key]; exists {
    103. 

  103. 		// register this ExternalSecret as using this informer (deduplicate);
    104. 

  104. 		entry.externalSecrets[es] = struct{}{}
    105. 

  105. 		m.log.Info("registered ExternalSecret with existing informer",
    106. 

  106. 			"gvk", key,
    107. 

  107. 			"externalSecret", es,
    108. 

  108. 			"totalUsers", len(entry.externalSecrets))
    109. 

  109. 		return false, nil
    110. 

  110. 	}
    111. 

  111. 

  112. 	if m.queue == nil {
    113. 

  113. 		return false, fmt.Errorf("queue not initialized, call SetQueue first")
    114. 

  114. 	}
    115. 

  115. 

  116. 	// Get or create informer for this GVK
    117. 

  117. 	informer, err := m.cache.GetInformerForKind(ctx, gvk)
    118. 

  118. 	if err != nil {
    119. 

  119. 		return false, fmt.Errorf("failed to get informer for %s: %w", key, err)
    120. 

  120. 	}
    121. 

  121. 

  122. 	// Add event handler to the informer that enqueues reconcile requests
    123. 

  123. 	_, err = informer.AddEventHandler(&enqueueHandler{
    124. 

  124. 		managerContext: m.managerContext,
    125. 

  125. 		gvk:            gvk,
    126. 

  126. 		client:         m.client,
    127. 

  127. 		queue:          m.queue,
    128. 

  128. 		log:            m.log,
    129. 

  129. 	})
    130. 

  130. 	if err != nil {
    131. 

  131. 		return false, fmt.Errorf("failed to add event handler for %s: %w", key, err)
    132. 

  132. 	}
    133. 

  133. 

  134. 	// Store the informer with this ExternalSecret as the first user
    135. 

  135. 	m.informers[key] = &informerEntry{
    136. 

  136. 		informer:        informer,
    137. 

  137. 		externalSecrets: map[types.NamespacedName]struct{}{es: {}},
    138. 

  138. 	}
    139. 

  139. 

  140. 	m.log.Info("registered informer for generic target",
    141. 

  141. 		"group", gvk.Group,
    142. 

  142. 		"version", gvk.Version,
    143. 

  143. 		"kind", gvk.Kind,
    144. 

  144. 		"externalSecret", es)
    145. 

  145. 

  146. 	return true, nil
    147. 

  147. }
    148. 

  148. 

  149. // enqueueHandler is an event handler that enqueues reconcile requests for ExternalSecrets
    150. 

  150. // that target the changed resource.
    151. 

  151. type enqueueHandler struct {
    152. 

  152. 	managerContext context.Context
    153. 

  153. 	gvk            schema.GroupVersionKind
    154. 

  154. 	client         client.Client
    155. 

  155. 	queue          workqueue.TypedRateLimitingInterface[ctrl.Request]
    156. 

  156. 	log            logr.Logger
    157. 

  157. }
    158. 

  158. 

  159. func (h *enqueueHandler) OnAdd(obj interface{}, _ bool) {
    160. 

  160. 	h.enqueue(obj)
    161. 

  161. }
    162. 

  162. 

  163. func (h *enqueueHandler) OnUpdate(_, newObj interface{}) {
    164. 

  164. 	h.enqueue(newObj)
    165. 

  165. }
    166. 

  166. 

  167. func (h *enqueueHandler) OnDelete(obj interface{}) {
    168. 

  168. 	h.enqueue(obj)
    169. 

  169. }
    170. 

  170. 

  171. func (h *enqueueHandler) enqueue(obj interface{}) {
    172. 

  172. 	// Extract metadata
    173. 

  173. 	meta, ok := obj.(metav1.Object)
    174. 

  174. 	if !ok {
    175. 

  175. 		h.log.Error(nil, "unexpected object type", "type", fmt.Sprintf("%T", obj))
    176. 

  176. 		return
    177. 

  177. 	}
    178. 

  178. 

  179. 	// Only process resources with the managed label
    180. 

  180. 	labels := meta.GetLabels()
    181. 

  181. 	if labels == nil {
    182. 

  182. 		return
    183. 

  183. 	}
    184. 

  184. 

  185. 	value, hasLabel := labels[esv1.LabelManaged]
    186. 

  186. 	if !hasLabel || value != esv1.LabelManagedValue {
    187. 

  187. 		return
    188. 

  188. 	}
    189. 

  189. 

  190. 	// Find ExternalSecrets that target this resource
    191. 

  191. 	externalSecretsList := &esv1.ExternalSecretList{}
    192. 

  192. 	indexValue := fmt.Sprintf("%s/%s/%s/%s", h.gvk.Group, h.gvk.Version, h.gvk.Kind, meta.GetName())
    193. 

  193. 	listOps := &client.ListOptions{
    194. 

  194. 		FieldSelector: fields.OneTermEqualSelector(indexESTargetResourceField, indexValue),
    195. 

  195. 		Namespace:     meta.GetNamespace(),
    196. 

  196. 	}
    197. 

  197. 

  198. 	if err := h.client.List(h.managerContext, externalSecretsList, listOps); err != nil {
    199. 

  199. 		h.log.Error(err, "failed to list ExternalSecrets for resource",
    200. 

  200. 			"gvk", h.gvk.String(),
    201. 

  201. 			"name", meta.GetName(),
    202. 

  202. 			"namespace", meta.GetNamespace())
    203. 

  203. 		return
    204. 

  204. 	}
    205. 

  205. 

  206. 	// Enqueue reconcile requests for each ExternalSecret
    207. 

  207. 	for i := range externalSecretsList.Items {
    208. 

  208. 		req := ctrl.Request{
    209. 

  209. 			NamespacedName: types.NamespacedName{
    210. 

  210. 				Name:      externalSecretsList.Items[i].GetName(),
    211. 

  211. 				Namespace: externalSecretsList.Items[i].GetNamespace(),
    212. 

  212. 			},
    213. 

  213. 		}
    214. 

  214. 		h.queue.Add(req)
    215. 

  215. 

  216. 		h.log.V(1).Info("enqueued reconcile request due to resource change",
    217. 

  217. 			"externalSecret", req.NamespacedName,
    218. 

  218. 			"targetGVK", h.gvk.String(),
    219. 

  219. 			"targetResource", meta.GetName())
    220. 

  220. 	}
    221. 

  221. }
    222. 

  222. 

  223. // ReleaseInformer unregisters the ExternalSecret from using this GVK.
    224. 

  224. func (m *DefaultInformerManager) ReleaseInformer(ctx context.Context, gvk schema.GroupVersionKind, es types.NamespacedName) error {
    225. 

  225. 	m.mu.Lock()
    226. 

  226. 	defer m.mu.Unlock()
    227. 

  227. 

  228. 	key := gvk.String()
    229. 

  229. 

  230. 	entry, exists := m.informers[key]
    231. 

  231. 	if !exists {
    232. 

  232. 		// Already removed or never existed; can happen if we had a bad start, failed to watch, or during other errors.
    233. 

  233. 		// In that case, there is nothing else to do really.
    234. 

  234. 		m.log.Info("informer not found for release",
    235. 

  235. 			"gvk", key,
    236. 

  236. 			"externalSecret", es)
    237. 

  237. 		return nil
    238. 

  238. 	}
    239. 

  239. 

  240. 	// remove the ES from the list of ESs using this GVK
    241. 

  241. 	delete(entry.externalSecrets, es)
    242. 

  242. 	m.log.Info("unregistered ExternalSecret from informer",
    243. 

  243. 		"gvk", key,
    244. 

  244. 		"externalSecret", es,
    245. 

  245. 		"remainingUsers", len(entry.externalSecrets))
    246. 

  246. 

  247. 	// if no more ExternalSecrets are using this informer, remove it
    248. 

  248. 	if len(entry.externalSecrets) == 0 {
    249. 

  249. 		partial := &metav1.PartialObjectMetadata{}
    250. 

  250. 		partial.SetGroupVersionKind(gvk)
    251. 

  251. 

  252. 		if err := m.cache.RemoveInformer(ctx, partial); err != nil {
    253. 

  253. 			m.log.Error(err, "failed to remove informer, will clean up tracking anyway",
    254. 

  254. 				"gvk", key)
    255. 

  255. 		}
    256. 

  256. 

  257. 		delete(m.informers, key)
    258. 

  258. 

  259. 		m.log.Info("removed informer for generic target (no more users)",
    260. 

  260. 			"group", gvk.Group,
    261. 

  261. 			"version", gvk.Version,
    262. 

  262. 			"kind", gvk.Kind)
    263. 

  263. 	}
    264. 

  264. 

  265. 	return nil
    266. 

  266. }
    267. 

  267. 

  268. // IsManaged returns true if the manager is currently managing an informer for the GVK.
    269. 

  269. func (m *DefaultInformerManager) IsManaged(gvk schema.GroupVersionKind) bool {
    270. 

  270. 	m.mu.RLock()
    271. 

  271. 	defer m.mu.RUnlock()
    272. 

  272. 

  273. 	_, exists := m.informers[gvk.String()]
    274. 

  274. 	return exists
    275. 

  275. }
    276. 

  276. 

  277. // GetInformer returns the informer for a GVK if it exists.
    278. 

  278. func (m *DefaultInformerManager) GetInformer(gvk schema.GroupVersionKind) (runtimecache.Informer, bool) {
    279. 

  279. 	m.mu.RLock()
    280. 

  280. 	defer m.mu.RUnlock()
    281. 

  281. 

  282. 	entry, exists := m.informers[gvk.String()]
    283. 

  283. 	if !exists {
    284. 

  284. 		return nil, false
    285. 

  285. 	}
    286. 

  286. 	return entry.informer, true
    287. 

  287. }
    288. 

  288. 

  289. // Source returns a source.TypedSource that binds the reconcile queue to this manager.
    290. 

  290. func (m *DefaultInformerManager) Source() source.TypedSource[reconcile.Request] {
    291. 

  291. 	return source.Func(func(_ context.Context, queue workqueue.TypedRateLimitingInterface[ctrl.Request]) error {
    292. 

  292. 		// This dynamically binds the given queue to the informer manager
    293. 

  293. 		// From this point on, the queue will receive events for all registered informers
    294. 

  294. 		return m.SetQueue(queue)
    295. 

  295. 	})
    296. 

  296. }
    297. 

  297. 

  298. // SetQueue binds the reconcile queue to the informer manager.
    299. 

  299. func (m *DefaultInformerManager) SetQueue(queue workqueue.TypedRateLimitingInterface[ctrl.Request]) error {
    300. 

  300. 	m.mu.Lock()
    301. 

  301. 	defer m.mu.Unlock()
    302. 

  302. 

  303. 	if m.queue != nil {
    304. 

  304. 		return fmt.Errorf("queue already set")
    305. 

  305. 	}
    306. 

  306. 

  307. 	m.queue = queue
    308. 

  308. 	m.log.Info("reconcile queue bound to informer manager")
    309. 

  309. 	return nil
    310. 

  310. }
    311.