From e5c297daeb5c23790453e9f858b4696b52893ed2 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 14:38:49 +0900 Subject: [PATCH 01/11] Add label to secret --- pkg/generator/ingress_translator.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go index c1cc1c809..b96e85bdd 100644 --- a/pkg/generator/ingress_translator.go +++ b/pkg/generator/ingress_translator.go @@ -34,7 +34,9 @@ import ( "google.golang.org/protobuf/types/known/anypb" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + kubeclient "k8s.io/client-go/kubernetes" pkgconfig "knative.dev/net-kourier/pkg/config" envoy "knative.dev/net-kourier/pkg/envoy/api" "knative.dev/net-kourier/pkg/reconciler/ingress/config" @@ -62,6 +64,8 @@ type IngressTranslator struct { serviceGetter func(ns, name string) (*corev1.Service, error) namespaceGetter func(name string) (*corev1.Namespace, error) tracker tracker.Interface + + kubeClient kubeclient.Interface } func NewIngressTranslator( @@ -93,6 +97,15 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre return nil, fmt.Errorf("failed to fetch secret: %w", err) } + // Don't modify the informers copy + existing := secret.DeepCopy() + // existing.Labels = desired.Labels + + secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Update(ctx, existing, metav1.UpdateOptions{}) + if err != nil { + return nil, fmt.Errorf("failed to update secret: %w", err) + } + // Validate certificate here as these are defined by users. // We should not send Gateway without validation. _, err = tls.X509KeyPair( From 846e6feea890e090f1ec2327ef174ec2e38d5c32 Mon Sep 17 00:00:00 2001 
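Review bot: The `Secrets(ingressTLS.SecretNamespace).Update(ctx, existing, metav1.UpdateOptions{})` call added in translateIngress sends the whole Secret, key material included, back to the API server from an informer copy. It can also be rejected with a conflict when the cached resourceVersion is stale, and that error aborts the translation. Only a label needs to change, so a merge patch whose body sets just `metadata.labels` would be enough, e.g. `Secrets(ns).Patch(ctx, ingressTLS.SecretName, types.MergePatchType, labelPatch, metav1.PatchOptions{})`, where `labelPatch` is a name constructed for this note. The same full-object write is kept in patches 02 and 04 and returns in the `@@ -106,7 +115,7 @@` hunk of patch 09. translateIngress starts and ends outside the hunk.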
From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 14:46:42 +0900 Subject: [PATCH 02/11] update --- pkg/generator/ingress_translator.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go index b96e85bdd..741419292 100644 --- a/pkg/generator/ingress_translator.go +++ b/pkg/generator/ingress_translator.go @@ -39,6 +39,7 @@ import ( kubeclient "k8s.io/client-go/kubernetes" pkgconfig "knative.dev/net-kourier/pkg/config" envoy "knative.dev/net-kourier/pkg/envoy/api" + "knative.dev/net-kourier/pkg/reconciler/informerfiltering" "knative.dev/net-kourier/pkg/reconciler/ingress/config" "knative.dev/networking/pkg/apis/networking/v1alpha1" "knative.dev/networking/pkg/certificates" @@ -97,13 +98,15 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre return nil, fmt.Errorf("failed to fetch secret: %w", err) } - // Don't modify the informers copy - existing := secret.DeepCopy() - // existing.Labels = desired.Labels + if secret.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] == "" { + // Don't modify the informers copy + existing := secret.DeepCopy() + existing.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] = ingressTLS.SecretName + secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Update(ctx, existing, metav1.UpdateOptions{}) + if err != nil { + return nil, fmt.Errorf("failed to update secret: %w", err) + } - secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Update(ctx, existing, metav1.UpdateOptions{}) - if err != nil { - return nil, fmt.Errorf("failed to update secret: %w", err) } // Validate certificate here as these are defined by users. From 85205f1c61a8e54d25b5a22c3d64cebb126c22db Mon Sep 17 00:00:00 2001 
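Review bot: The assignment `existing.Labels[...] = ingressTLS.SecretName` uses a Secret name as a label value, but label values are limited to 63 characters and Secret names may be far longer. For such a name the Update is rejected, and the error returned here fails translation of that Ingress. Checking first, for example `if errs := validation.IsValidLabelValue(ingressTLS.SecretName); len(errs) > 0 { ... }` from `k8s.io/apimachinery/pkg/util/validation`, would turn that into an explicit, explainable error instead of an opaque API rejection. The same assignment is carried through the translateIngress hunks of patches 04 and 07. translateIngress starts and ends outside the hunk.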
From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 14:53:45 +0900 Subject: [PATCH 03/11] wip --- pkg/generator/ingress_translator_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/generator/ingress_translator_test.go b/pkg/generator/ingress_translator_test.go index 7b2eaae45..b2a208830 100644 --- a/pkg/generator/ingress_translator_test.go +++ b/pkg/generator/ingress_translator_test.go @@ -674,6 +674,7 @@ func TestIngressTranslator(t *testing.T) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, &pkgtest.FakeTracker{}, + kubeclient.Interface, ) got, err := translator.translateIngress(ctx, test.in, false) From 2dbb06d367be1fb43b762759d7b76c865804cab0 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 15:08:40 +0900 Subject: [PATCH 04/11] wip --- pkg/generator/ingress_translator.go | 16 ++++++++++------ pkg/generator/ingress_translator_test.go | 16 +++++++++++++++- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go index 741419292..249f065fc 100644 --- a/pkg/generator/ingress_translator.go +++ b/pkg/generator/ingress_translator.go @@ -34,9 +34,7 @@ import ( "google.golang.org/protobuf/types/known/anypb" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" - kubeclient "k8s.io/client-go/kubernetes" pkgconfig "knative.dev/net-kourier/pkg/config" envoy "knative.dev/net-kourier/pkg/envoy/api" "knative.dev/net-kourier/pkg/reconciler/informerfiltering" 
@@ -64,9 +62,10 @@ type IngressTranslator struct { endpointsGetter func(ns, name string) (*corev1.Endpoints, error) serviceGetter func(ns, name string) (*corev1.Service, error) namespaceGetter func(name string) (*corev1.Namespace, error) - tracker tracker.Interface - kubeClient kubeclient.Interface + secretUpdater func(ns string, secret *corev1.Secret) (*corev1.Secret, error) + + tracker tracker.Interface } func NewIngressTranslator( @@ -74,12 +73,14 @@ func NewIngressTranslator( endpointsGetter func(ns, name string) (*corev1.Endpoints, error), serviceGetter func(ns, name string) (*corev1.Service, error), namespaceGetter func(name string) (*corev1.Namespace, error), + secretUpdater func(ns string, secret *corev1.Secret) (*corev1.Secret, error), tracker tracker.Interface) IngressTranslator { return IngressTranslator{ secretGetter: secretGetter, endpointsGetter: endpointsGetter, serviceGetter: serviceGetter, namespaceGetter: namespaceGetter, + secretUpdater: secretUpdater, tracker: tracker, } } @@ -98,11 +99,14 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre return nil, fmt.Errorf("failed to fetch secret: %w", err) } - if secret.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] == "" { + if secret.Labels == nil || secret.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] == "" { // Don't modify the informers copy existing := secret.DeepCopy() + if existing.Labels == nil { + existing.Labels = make(map[string]string) + } existing.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] = ingressTLS.SecretName - secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Update(ctx, existing, metav1.UpdateOptions{}) + secret, err = translator.secretUpdater(ingressTLS.SecretNamespace, existing) if err != nil { return nil, fmt.Errorf("failed to update secret: %w", err) } 
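Review bot: In the new translateIngress condition the `secret.Labels == nil ||` test is redundant, because indexing a nil map in Go yields the zero value. `if secret.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] == "" {` behaves the same and reads more directly. The nil guard that matters is the one this hunk adds before the write to `existing.Labels`, and that one should stay. The redundant test is carried unchanged into patch 07.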
diff --git a/pkg/generator/ingress_translator_test.go b/pkg/generator/ingress_translator_test.go index b2a208830..e045ca087 100644 --- a/pkg/generator/ingress_translator_test.go +++ b/pkg/generator/ingress_translator_test.go @@ -673,8 +673,10 @@ func TestIngressTranslator(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, + func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { + return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + }, &pkgtest.FakeTracker{}, - kubeclient.Interface, ) got, err := translator.translateIngress(ctx, test.in, false) @@ -886,6 +888,9 @@ func TestIngressTranslatorWithHTTPOptionDisabled(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, + func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { + return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + }, &pkgtest.FakeTracker{}, ) @@ -1212,6 +1217,9 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, + func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { + return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + }, &pkgtest.FakeTracker{}, ) @@ -1313,6 +1321,9 @@ func TestIngressTranslatorHTTP01Challenge(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, + func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { + return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + }, &pkgtest.FakeTracker{}, ) 
@@ -1425,6 +1436,9 @@ func TestIngressTranslatorDomainMappingDisableHTTP2(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, + func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { + return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + }, &pkgtest.FakeTracker{}, ) From 5a636d8e1de2794ce38bd3e6efaec64ccf4b479d Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 15:12:19 +0900 Subject: [PATCH 05/11] Fix --- pkg/reconciler/ingress/controller.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/reconciler/ingress/controller.go b/pkg/reconciler/ingress/controller.go index 0a9d27aa6..f6ed923da 100644 --- a/pkg/reconciler/ingress/controller.go +++ b/pkg/reconciler/ingress/controller.go @@ -190,6 +190,9 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl func(name string) (*corev1.Namespace, error) { return namespaceInformer.Lister().Get(name) }, + func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { + return kubernetesClient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + }, impl.Tracker) r.ingressTranslator = &ingressTranslator @@ -223,6 +226,9 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl func(name string) (*corev1.Namespace, error) { return namespaceInformer.Lister().Get(name) }, + func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { + return kubernetesClient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) + }, impl.Tracker) for _, ingress := range ingressesToSync { From 8add1e76f0350a2a41d0657b18be50487edffa46 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 15:28:12 +0900 Subject: [PATCH 06/11] Add permission to update secret --- config/200-serviceaccount.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml index 0989a185d..5062a1bd3 100644 --- a/config/200-serviceaccount.yaml +++ b/config/200-serviceaccount.yaml @@ -37,8 +37,11 @@ rules: resources: ["events"] verbs: ["create", "update", "patch"] - apiGroups: [""] - resources: ["pods", "endpoints", "services", "secrets"] + resources: ["pods", "endpoints", "services"] verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "update"] - apiGroups: [""] resources: ["configmaps"] verbs: [ "get", "list", "watch" ] From 8d442d867c0b9ce7eff55731a9d2f9aafe5f88ab Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 15:36:05 +0900 Subject: [PATCH 07/11] Fix correct label key --- pkg/generator/ingress_translator.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go index 249f065fc..90d788dfb 100644 --- a/pkg/generator/ingress_translator.go +++ b/pkg/generator/ingress_translator.go @@ -37,8 +37,8 @@ import ( "k8s.io/apimachinery/pkg/types" pkgconfig "knative.dev/net-kourier/pkg/config" envoy "knative.dev/net-kourier/pkg/envoy/api" - "knative.dev/net-kourier/pkg/reconciler/informerfiltering" "knative.dev/net-kourier/pkg/reconciler/ingress/config" + "knative.dev/networking/pkg/apis/networking" "knative.dev/networking/pkg/apis/networking/v1alpha1" "knative.dev/networking/pkg/certificates" netconfig "knative.dev/networking/pkg/config" 
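Review bot: The new rule grants `update` on every `secrets` object this role covers, which lets the controller identity overwrite Secret data, not only add the label the code needs. RBAC cannot restrict a verb to label changes, so the grant should at least carry a comment stating why it exists, e.g. `# update: needed to add the certificate-UID label to TLS secrets referenced by an Ingress`. It is worth confirming whether this rule sits in a ClusterRole, since the `kind` is outside the hunk. Where the TLS secrets are known in advance, a namespaced Role or `resourceNames` would narrow the grant.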
@@ -99,13 +99,13 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre return nil, fmt.Errorf("failed to fetch secret: %w", err) } - if secret.Labels == nil || secret.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] == "" { + if secret.Labels == nil || secret.Labels[networking.CertificateUIDLabelKey] == "" { // Don't modify the informers copy existing := secret.DeepCopy() if existing.Labels == nil { existing.Labels = make(map[string]string) } - existing.Labels[informerfiltering.EnableSecretInformerFilteringByCertUIDEnv] = ingressTLS.SecretName + existing.Labels[networking.CertificateUIDLabelKey] = ingressTLS.SecretName secret, err = translator.secretUpdater(ingressTLS.SecretNamespace, existing) if err != nil { return nil, fmt.Errorf("failed to update secret: %w", err) From c27d40891d6f71b68df0a2284ebd381cea403517 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 15:41:50 +0900 Subject: [PATCH 08/11] Enable secret filtering by default --- cmd/kourier/main.go | 5 ++- config/300-controller.yaml | 2 - pkg/reconciler/informerfiltering/util.go | 47 ------------------------ 3 files changed, 3 insertions(+), 51 deletions(-) delete mode 100644 pkg/reconciler/informerfiltering/util.go diff --git a/cmd/kourier/main.go b/cmd/kourier/main.go index 560250756..2924b8d50 100644 --- a/cmd/kourier/main.go +++ b/cmd/kourier/main.go 
@@ -18,16 +18,17 @@ package main import ( "knative.dev/net-kourier/pkg/config" - "knative.dev/net-kourier/pkg/reconciler/informerfiltering" kourierIngressController "knative.dev/net-kourier/pkg/reconciler/ingress" + "knative.dev/networking/pkg/apis/networking" "knative.dev/pkg/signals" // This defines the shared main for injected controllers. + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/injection/sharedmain" ) func main() { - ctx := informerfiltering.GetContextWithFilteringLabelSelector(signals.NewContext()) + ctx := filteredFactory.WithSelectors(signals.NewContext(), networking.CertificateUIDLabelKey) ctx = sharedmain.WithHealthProbesDisabled(ctx) sharedmain.MainWithContext(ctx, config.ControllerName, kourierIngressController.NewController) } diff --git a/config/300-controller.yaml b/config/300-controller.yaml index 53dbd9d87..e9fad1142 100644 --- a/config/300-controller.yaml +++ b/config/300-controller.yaml @@ -57,8 +57,6 @@ spec: value: "knative.dev/samples" - name: KOURIER_GATEWAY_NAMESPACE value: "kourier-system" - - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID - value: "false" # KUBE_API_BURST and KUBE_API_QPS allows to configure maximum burst for throttle and maximum QPS to the server from the client. # Setting these values using env vars is possible since https://github.com/knative/pkg/pull/2755. # 200 is an arbitrary value, but it speeds up kourier startup duration, and the whole ingress reconciliation process as a whole. diff --git a/pkg/reconciler/informerfiltering/util.go b/pkg/reconciler/informerfiltering/util.go deleted file mode 100644 index 786e205d8..000000000 --- a/pkg/reconciler/informerfiltering/util.go +++ /dev/null 
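Review bot: In the main.go import block the new `filteredFactory` line is inserted between the comment `// This defines the shared main for injected controllers.` and the `sharedmain` import it describes, so the comment now labels the wrong package. Move the added import above the comment. The now unconditional `WithSelectors` call also deserves a comment of its own, such as `// Filtered informers only see Secrets that carry the certificate UID label; unlabelled Secrets are absent from the cache.`, because the environment toggle that used to document this behaviour is removed in the same patch.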
@@ -1,47 +0,0 @@ -/* -Copyright 2022 The Knative Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package informerfiltering - -import ( - "context" - "os" - "strconv" - - "knative.dev/networking/pkg/apis/networking" - filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" -) - -const EnableSecretInformerFilteringByCertUIDEnv = "ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID" - -// ShouldFilterByCertificateUID allows to choose whether to apply filtering on certificate related secrets -// when list by informers in this component. If not set or set to false no filtering is applied and instead informers -// will get any secret available in the cluster which may lead to mem issues in large clusters. -func ShouldFilterByCertificateUID() bool { - if enable := os.Getenv(EnableSecretInformerFilteringByCertUIDEnv); enable != "" { - b, _ := strconv.ParseBool(enable) - return b - } - return false -} - -// GetContextWithFilteringLabelSelector returns the passed context with the proper label key selector added to it. -func GetContextWithFilteringLabelSelector(ctx context.Context) context.Context { - if ShouldFilterByCertificateUID() { - return filteredFactory.WithSelectors(ctx, networking.CertificateUIDLabelKey) - } - return filteredFactory.WithSelectors(ctx, "") // Allow all -} From 5fda827824837ddb4c1c7cd7f5da9ad884faf1a4 Mon Sep 17 00:00:00 2001 
From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 16:20:09 +0900 Subject: [PATCH 09/11] Fix --- pkg/generator/ingress_translator.go | 21 +++++++++++++++------ pkg/generator/ingress_translator_test.go | 20 +++++--------------- pkg/reconciler/ingress/controller.go | 8 ++------ 3 files changed, 22 insertions(+), 27 deletions(-) diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go index 90d788dfb..e597916ac 100644 --- a/pkg/generator/ingress_translator.go +++ b/pkg/generator/ingress_translator.go @@ -34,7 +34,10 @@ import ( "google.golang.org/protobuf/types/known/anypb" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" + apierrs "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + kubeclient "k8s.io/client-go/kubernetes" pkgconfig "knative.dev/net-kourier/pkg/config" envoy "knative.dev/net-kourier/pkg/envoy/api" "knative.dev/net-kourier/pkg/reconciler/ingress/config" @@ -62,8 +65,7 @@ type IngressTranslator struct { endpointsGetter func(ns, name string) (*corev1.Endpoints, error) serviceGetter func(ns, name string) (*corev1.Service, error) namespaceGetter func(name string) (*corev1.Namespace, error) - - secretUpdater func(ns string, secret *corev1.Secret) (*corev1.Secret, error) + kubeClient kubeclient.Interface tracker tracker.Interface } 
@@ -73,14 +75,14 @@ func NewIngressTranslator( endpointsGetter func(ns, name string) (*corev1.Endpoints, error), serviceGetter func(ns, name string) (*corev1.Service, error), namespaceGetter func(name string) (*corev1.Namespace, error), - secretUpdater func(ns string, secret *corev1.Secret) (*corev1.Secret, error), + kubeClient kubeclient.Interface, tracker tracker.Interface) IngressTranslator { return IngressTranslator{ secretGetter: secretGetter, endpointsGetter: endpointsGetter, serviceGetter: serviceGetter, namespaceGetter: namespaceGetter, - secretUpdater: secretUpdater, + kubeClient: kubeClient, tracker: tracker, } } @@ -95,7 +97,14 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre } secret, err := translator.secretGetter(ingressTLS.SecretNamespace, ingressTLS.SecretName) - if err != nil { + if apierrs.IsNotFound(err) { + // As secret does not have a CertificateUIDLabel for the first time, informer cannot get the secret. + // Try to use k8s client to get the secret. It may have some cost but it happens only once when a new secret is specified. + secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Get(ctx, ingressTLS.SecretName, metav1.GetOptions{}) + if err != nil { + return nil, fmt.Errorf("failed to get secret: %w", err) + } + } else if err != nil { return nil, fmt.Errorf("failed to fetch secret: %w", err) } @@ -106,7 +115,7 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre existing.Labels = make(map[string]string) } existing.Labels[networking.CertificateUIDLabelKey] = ingressTLS.SecretName - secret, err = translator.secretUpdater(ingressTLS.SecretNamespace, existing) + secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Update(ctx, existing, metav1.UpdateOptions{}) if err != nil { return nil, fmt.Errorf("failed to update secret: %w", err) } 
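Review bot: The `apierrs.IsNotFound(err)` branch in translateIngress issues an uncached API Get on every lister miss, so a Secret that does not exist at all takes this path on each reconcile, contrary to the comment's "only once". The comment should cover both cases, e.g. `// A lister miss means the secret is either unlabelled or absent; the live Get tells them apart.` With this fallback the label filter no longer bounds which Secrets the controller reads and then relabels, since whatever namespace and name the Ingress carries is fetched. Whether `SecretNamespace` is constrained upstream is not visible in this hunk and should be confirmed. translateIngress starts and ends outside the hunk.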
diff --git a/pkg/generator/ingress_translator_test.go b/pkg/generator/ingress_translator_test.go index e045ca087..59c90dbc8 100644 --- a/pkg/generator/ingress_translator_test.go +++ b/pkg/generator/ingress_translator_test.go @@ -673,9 +673,7 @@ func TestIngressTranslator(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, - func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { - return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) - }, + kubeclient, &pkgtest.FakeTracker{}, ) @@ -888,9 +886,7 @@ func TestIngressTranslatorWithHTTPOptionDisabled(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, - func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { - return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) - }, + kubeclient, &pkgtest.FakeTracker{}, ) @@ -1217,9 +1213,7 @@ func TestIngressTranslatorWithUpstreamTLS(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, - func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { - return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) - }, + kubeclient, &pkgtest.FakeTracker{}, ) @@ -1321,9 +1315,7 @@ func TestIngressTranslatorHTTP01Challenge(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, - func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { - return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) - }, + kubeclient, &pkgtest.FakeTracker{}, ) 
@@ -1436,9 +1428,7 @@ func TestIngressTranslatorDomainMappingDisableHTTP2(t *testing.T) { func(name string) (*corev1.Namespace, error) { return kubeclient.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{}) }, - func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { - return kubeclient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) - }, + kubeclient, &pkgtest.FakeTracker{}, ) diff --git a/pkg/reconciler/ingress/controller.go b/pkg/reconciler/ingress/controller.go index f6ed923da..6c74d4760 100644 --- a/pkg/reconciler/ingress/controller.go +++ b/pkg/reconciler/ingress/controller.go @@ -190,9 +190,7 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl func(name string) (*corev1.Namespace, error) { return namespaceInformer.Lister().Get(name) }, - func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { - return kubernetesClient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) - }, + kubernetesClient, impl.Tracker) r.ingressTranslator = &ingressTranslator @@ -226,9 +224,7 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl func(name string) (*corev1.Namespace, error) { return namespaceInformer.Lister().Get(name) }, - func(ns string, secret *corev1.Secret) (*corev1.Secret, error) { - return kubernetesClient.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{}) - }, + kubernetesClient, impl.Tracker) for _, ingress := range ingressesToSync { From 63b0516b5f9b340e1f767e422cc7e7e473167826 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 16:33:24 +0900 Subject: [PATCH 10/11] drop blank line --- pkg/generator/ingress_translator.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go index e597916ac..2ce0141b5 100644 --- a/pkg/generator/ingress_translator.go +++ b/pkg/generator/ingress_translator.go 
@@ -66,8 +66,7 @@ type IngressTranslator struct { serviceGetter func(ns, name string) (*corev1.Service, error) namespaceGetter func(name string) (*corev1.Namespace, error) kubeClient kubeclient.Interface - - tracker tracker.Interface + tracker tracker.Interface } func NewIngressTranslator( From b98dd66853ec2aa362a0c24c427b77e624e257e5 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Wed, 2 Aug 2023 17:36:35 +0900 Subject: [PATCH 11/11] Fix lint --- pkg/generator/ingress_translator.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/generator/ingress_translator.go b/pkg/generator/ingress_translator.go index 2ce0141b5..e5c48a46c 100644 --- a/pkg/generator/ingress_translator.go +++ b/pkg/generator/ingress_translator.go @@ -34,7 +34,6 @@ import ( "google.golang.org/protobuf/types/known/anypb" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" - apierrs "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" kubeclient "k8s.io/client-go/kubernetes" @@ -96,7 +95,7 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre } secret, err := translator.secretGetter(ingressTLS.SecretNamespace, ingressTLS.SecretName) - if apierrs.IsNotFound(err) { + if apierrors.IsNotFound(err) { // As secret does not have a CertificateUIDLabel for the first time, informer cannot get the secret. // Try to use k8s client to get the secret. It may have some cost but it happens only once when a new secret is specified. secret, err = translator.kubeClient.CoreV1().Secrets(ingressTLS.SecretNamespace).Get(ctx, ingressTLS.SecretName, metav1.GetOptions{})