Add a label to secrets managed by OLM, and don't watch secrets that omit

ecordell · ecordell · commit 7811462e58af · 2021-07-09T12:54:52.000-04:00
the label.

This should greatly reduce the secret cache size.

Signed-off-by: Evan &lt;cordell.evan@gmail.com&gt;
diff --git a/pkg/controller/install/certresources.go b/pkg/controller/install/certresources.go
@@ -39,6 +39,9 @@ const (
 	Organization = "Red Hat, Inc."
 	// Kubernetes System namespace
 	KubeSystem = "kube-system"
+	// olm managed label
+	OLMManagedLabelKey   = "olm.managed"
+	OLMManagedLabelValue = "true"
 )
 
 type certResource interface {
@@ -292,6 +295,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 	secret.SetName(SecretName(service.GetName()))
 	secret.SetNamespace(i.owner.GetNamespace())
 	secret.SetAnnotations(map[string]string{OLMCAHashAnnotationKey: caHash})
+	secret.SetLabels(map[string]string{OLMManagedLabelKey: OLMManagedLabelValue})
 
 	existingSecret, err := i.strategyClient.GetOpLister().CoreV1().SecretLister().Secrets(i.owner.GetNamespace()).Get(secret.GetName())
 	if err == nil {
@@ -315,10 +319,17 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 	} else if k8serrors.IsNotFound(err) {
 		// Create the secret
 		ownerutil.AddNonBlockingOwner(secret, i.owner)
-		_, err = i.strategyClient.GetOpClient().CreateSecret(secret)
-		if err != nil {
-			log.Warnf("could not create secret %s", secret.GetName())
-			return nil, nil, err
+		if _, err := i.strategyClient.GetOpClient().CreateSecret(secret); err != nil {
+			if !k8serrors.IsAlreadyExists(err) {
+				log.Warnf("could not create secret %s: %v", secret.GetName(), err)
+				return nil, nil, err
+			}
+			// if the secret isn't in the cache but exists in the cluster, it's missing the labels for the cache filter
+			// and just needs to be updated
+			if _, err := i.strategyClient.GetOpClient().UpdateSecret(secret); err != nil {
+				log.Warnf("could not update secret %s: %v", secret.GetName(), err)
+				return nil, nil, err
+			}
 		}
 	} else {
 		return nil, nil, err
diff --git a/pkg/controller/install/certresources_test.go b/pkg/controller/install/certresources_test.go
@@ -12,7 +12,9 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/wrappers"
@@ -182,6 +184,7 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 						Name:        "test-service-cert",
 						Namespace:   namespace,
 						Annotations: map[string]string{OLMCAHashAnnotationKey: caHash},
+						Labels:      map[string]string{OLMManagedLabelKey: OLMManagedLabelValue},
 					},
 					Data: map[string][]byte{
 						"tls.crt":   certPEM,
@@ -405,6 +408,7 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 						Name:        "test-service-cert",
 						Namespace:   namespace,
 						Annotations: map[string]string{OLMCAHashAnnotationKey: caHash},
+						Labels:      map[string]string{OLMManagedLabelKey: OLMManagedLabelValue},
 					},
 					Data: map[string][]byte{
 						"tls.crt":   certPEM,
@@ -587,6 +591,241 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "labels an unlabelled secret if present",
+			mockExternal: func(mockOpClient *operatorclientmocks.MockClientInterface, fakeLister *operatorlisterfakes.FakeOperatorLister, namespace string, args args) {
+				mockOpClient.EXPECT().DeleteService(namespace, "test-service", &metav1.DeleteOptions{}).Return(nil)
+				service := corev1.Service{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "test-service",
+						OwnerReferences: []metav1.OwnerReference{
+							ownerutil.NonBlockingOwner(&v1alpha1.ClusterServiceVersion{}),
+						},
+					},
+					Spec: corev1.ServiceSpec{
+						Ports:    args.ports,
+						Selector: selector(t, "test=label").MatchLabels,
+					},
+				}
+				mockOpClient.EXPECT().CreateService(&service).Return(&service, nil)
+
+				hosts := []string{
+					fmt.Sprintf("%s.%s", service.GetName(), namespace),
+					fmt.Sprintf("%s.%s.svc", service.GetName(), namespace),
+				}
+				servingPair, err := certGenerator.Generate(args.rotateAt, Organization, args.ca, hosts)
+				require.NoError(t, err)
+
+				// Create Secret for serving cert
+				certPEM, privPEM, err := servingPair.ToPEM()
+				require.NoError(t, err)
+
+				secret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:        "test-service-cert",
+						Namespace:   namespace,
+						Annotations: map[string]string{OLMCAHashAnnotationKey: caHash},
+						Labels:      map[string]string{OLMManagedLabelKey: OLMManagedLabelValue},
+						OwnerReferences: []metav1.OwnerReference{
+							ownerutil.NonBlockingOwner(&v1alpha1.ClusterServiceVersion{}),
+						},
+					},
+					Data: map[string][]byte{
+						"tls.crt":   certPEM,
+						"tls.key":   privPEM,
+						OLMCAPEMKey: caPEM,
+					},
+					Type: corev1.SecretTypeTLS,
+				}
+				// secret already exists, but without label
+				mockOpClient.EXPECT().CreateSecret(secret).Return(nil, errors.NewAlreadyExists(schema.GroupResource{
+					Group:    "",
+					Resource: "secrets",
+				}, "test-service-cert"))
+
+				// update secret with label
+				mockOpClient.EXPECT().UpdateSecret(secret).Return(secret, nil)
+
+				secretRole := &rbacv1.Role{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      secret.GetName(),
+						Namespace: namespace,
+					},
+					Rules: []rbacv1.PolicyRule{
+						{
+							Verbs:         []string{"get"},
+							APIGroups:     []string{""},
+							Resources:     []string{"secrets"},
+							ResourceNames: []string{secret.GetName()},
+						},
+					},
+				}
+				mockOpClient.EXPECT().UpdateRole(secretRole).Return(secretRole, nil)
+
+				roleBinding := &rbacv1.RoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      secret.GetName(),
+						Namespace: namespace,
+					},
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      "test-sa",
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "Role",
+						Name:     secretRole.GetName(),
+					},
+				}
+				mockOpClient.EXPECT().UpdateRoleBinding(roleBinding).Return(roleBinding, nil)
+
+				authDelegatorClusterRoleBinding := &rbacv1.ClusterRoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: service.GetName() + "-system:auth-delegator",
+					},
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      "test-sa",
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "ClusterRole",
+						Name:     "system:auth-delegator",
+					},
+				}
+
+				mockOpClient.EXPECT().UpdateClusterRoleBinding(authDelegatorClusterRoleBinding).Return(authDelegatorClusterRoleBinding, nil)
+
+				authReaderRoleBinding := &rbacv1.RoleBinding{
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      args.depSpec.Template.Spec.ServiceAccountName,
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "Role",
+						Name:     "extension-apiserver-authentication-reader",
+					},
+				}
+				authReaderRoleBinding.SetName(service.GetName() + "-auth-reader")
+				authReaderRoleBinding.SetNamespace(KubeSystem)
+
+				mockOpClient.EXPECT().UpdateRoleBinding(authReaderRoleBinding).Return(authReaderRoleBinding, nil)
+			},
+			state: fakeState{
+				existingService: &corev1.Service{
+					ObjectMeta: metav1.ObjectMeta{
+						OwnerReferences: []metav1.OwnerReference{
+							ownerutil.NonBlockingOwner(&v1alpha1.ClusterServiceVersion{}),
+						},
+					},
+				},
+				// unlabelled secret won't be in cache
+				getSecretError: errors.NewNotFound(schema.GroupResource{
+					Group:    "",
+					Resource: "Secret",
+				}, "nope"),
+				existingRole: &rbacv1.Role{
+					ObjectMeta: metav1.ObjectMeta{},
+				},
+				existingRoleBinding: &rbacv1.RoleBinding{
+					ObjectMeta: metav1.ObjectMeta{},
+				},
+				existingClusterRoleBinding: &rbacv1.ClusterRoleBinding{
+					ObjectMeta: metav1.ObjectMeta{},
+				},
+			},
+			fields: fields{
+				owner:                  &v1alpha1.ClusterServiceVersion{},
+				previousStrategy:       nil,
+				templateAnnotations:    nil,
+				initializers:           nil,
+				apiServiceDescriptions: []certResource{},
+				webhookDescriptions:    []certResource{},
+			},
+			args: args{
+				deploymentName: "test",
+				ca:             ca,
+				rotateAt:       time.Now().Add(time.Hour),
+				ports:          []corev1.ServicePort{},
+				depSpec: appsv1.DeploymentSpec{
+					Selector: selector(t, "test=label"),
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							ServiceAccountName: "test-sa",
+						},
+						ObjectMeta: metav1.ObjectMeta{
+							Annotations: map[string]string{
+								"foo": "bar",
+							},
+						},
+					},
+				},
+			},
+			want: &appsv1.DeploymentSpec{
+				Selector: selector(t, "test=label"),
+				Template: corev1.PodTemplateSpec{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"foo":                  "bar",
+							OLMCAHashAnnotationKey: caHash},
+					},
+					Spec: corev1.PodSpec{
+						ServiceAccountName: "test-sa",
+						Volumes: []corev1.Volume{
+							{
+								Name: "apiservice-cert",
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName: "test-service-cert",
+										Items: []corev1.KeyToPath{
+											{
+												Key:  "tls.crt",
+												Path: "apiserver.crt",
+											},
+											{
+												Key:  "tls.key",
+												Path: "apiserver.key",
+											},
+										},
+									},
+								},
+							},
+							{
+								Name: "webhook-cert",
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName: "test-service-cert",
+										Items: []corev1.KeyToPath{
+											{
+												Key:  "tls.crt",
+												Path: "tls.crt",
+											},
+											{
+												Key:  "tls.key",
+												Path: "tls.key",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/controller/operators/olm/apiservices.go b/pkg/controller/operators/olm/apiservices.go
@@ -110,7 +110,7 @@ func (a *Operator) checkAPIServiceResources(csv *v1alpha1.ClusterServiceVersion,
 		secretName := install.SecretName(serviceName)
 		secret, err := a.lister.CoreV1().SecretLister().Secrets(csv.GetNamespace()).Get(secretName)
 		if err != nil {
-			logger.WithField("secret", secretName).Warnf("could not retrieve generated Secret")
+			logger.WithField("secret", secretName).Warnf("could not retrieve generated Secret: %v", err)
 			errs = append(errs, err)
 			continue
 		}
diff --git a/pkg/controller/operators/olm/operator.go b/pkg/controller/operators/olm/operator.go
@@ -303,7 +303,9 @@ func newOperatorWithConfig(ctx context.Context, config *operatorConfig) (*Operat
 		}
 
 		// Register Secret QueueInformer
-		secretInformer := k8sInformerFactory.Core().V1().Secrets()
+		secretInformer := informers.NewSharedInformerFactoryWithOptions(op.opClient.KubernetesInterface(), config.resyncPeriod(), informers.WithNamespace(namespace), informers.WithTweakListOptions(func(options *metav1.ListOptions) {
+			options.LabelSelector = labels.SelectorFromValidatedSet(map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue}).String()
+		})).Core().V1().Secrets()
 		op.lister.CoreV1().RegisterSecretLister(namespace, secretInformer.Lister())
 		secretQueueInformer, err := queueinformer.NewQueueInformer(
 			ctx,
diff --git a/pkg/controller/operators/olm/operator_test.go b/pkg/controller/operators/olm/operator_test.go
@@ -1460,9 +1460,9 @@ func TestTransitionCSV(t *testing.T) {
 					deployment("a1", namespace, "sa", addAnnotations(defaultTemplateAnnotations, map[string]string{
 						install.OLMCAHashAnnotationKey: validCAHash,
 					})),
-					withAnnotations(keyPairToTLSSecret("a1-service-cert", namespace, signedServingPair(time.Now().Add(24*time.Hour), validCA, []string{"a1-service.ns", "a1-service.ns.svc"})), map[string]string{
+					withLabels(withAnnotations(keyPairToTLSSecret("a1-service-cert", namespace, signedServingPair(time.Now().Add(24*time.Hour), validCA, []string{"a1-service.ns", "a1-service.ns.svc"})), map[string]string{
 						install.OLMCAHashAnnotationKey: validCAHash,
-					}),
+					}), map[string]string{install.OLMManagedLabelKey: install.OLMManagedLabelValue}),
 					service("a1-service", namespace, "a1", 80),
 					serviceAccount("sa", namespace),
 					role("a1-service-cert", namespace, []rbacv1.PolicyRule{

Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ func (a Operator) checkAPIServiceResources(csv v1alpha1.ClusterServiceVersion,`
`110`	`110`	`secretName := install.SecretName(serviceName)`
`111`	`111`	`secret, err := a.lister.CoreV1().SecretLister().Secrets(csv.GetNamespace()).Get(secretName)`
`112`	`112`	`if err != nil {`
`113`		`- logger.WithField("secret", secretName).Warnf("could not retrieve generated Secret")`
	`113`	`+ logger.WithField("secret", secretName).Warnf("could not retrieve generated Secret: %v", err)`
`114`	`114`	`errs = append(errs, err)`
`115`	`115`	`continue`
`116`	`116`	`}`