Filter what objects we cache from the API

controllers/rabbitmqcluster_controller.go

@@ -22,6 +22,7 @@ import (
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 
+	"github.com/rabbitmq/cluster-operator/v2/internal/metadata"
 	"github.com/rabbitmq/cluster-operator/v2/internal/resource"
 	"github.com/rabbitmq/cluster-operator/v2/internal/status"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -59,6 +60,7 @@ const (
 // RabbitmqClusterReconciler reconciles a RabbitmqCluster object
 type RabbitmqClusterReconciler struct {
 	client.Client
+	APIReader               client.Reader
 	Scheme                  *runtime.Scheme
 	Namespace               string
 	Recorder                record.EventRecorder
@@ -139,6 +141,17 @@ func (r *RabbitmqClusterReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, tlsErr
 	}
 
+	// if the secret already exists, ensure it has the labels necessary for being in the controller's cache
+	// otherwise, our attempt to create it will fail (CreateOrUpdate only checks for the existence of the resource in the cache)
+	defaultUserSecret := &corev1.Secret{}
+	err = r.APIReader.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: rabbitmqCluster.ChildResourceName("default-user")}, defaultUserSecret)
+	if err == nil {
+		if v, ok := defaultUserSecret.Labels["app.kubernetes.io/part-of"]; !ok || v != "rabbitmq" {
+			defaultUserSecret.Labels = metadata.GetLabels(rabbitmqCluster.Name, rabbitmqCluster.Labels)
+			r.Client.Update(ctx, defaultUserSecret)
+		}
+	}
+
 	sts, err := r.statefulSet(ctx, rabbitmqCluster)
 	// The StatefulSet may not have been created by this point, so ignore Not Found errors
 	if client.IgnoreNotFound(err) != nil {
@@ -262,9 +275,10 @@ func (r *RabbitmqClusterReconciler) logAndRecordOperationResult(logger logr.Logg
 	var operation string
 	if operationResult == controllerutil.OperationResultCreated {
 		operation = "create"
-	}
-	if operationResult == controllerutil.OperationResultUpdated {
+	} else if operationResult == controllerutil.OperationResultUpdated {
 		operation = "update"
+	} else {
+		operation = string(operationResult)
 	}
 
 	caser := cases.Title(language.English)
@@ -275,7 +289,11 @@ func (r *RabbitmqClusterReconciler) logAndRecordOperationResult(logger logr.Logg
 	}
 
 	if err != nil {
-		msg := fmt.Sprintf("failed to %s resource %s of Type %T", operation, resource.(metav1.Object).GetName(), resource.(metav1.Object))
+		var msg string
+		if operation != "unchanged" {
+			msg = fmt.Sprintf("failed to %s resource %s of Type %T: ", operation, resource.(metav1.Object).GetName(), resource.(metav1.Object))
+		}
+		msg = fmt.Sprintf("%s%s", msg, err)
 		logger.Error(err, msg)
 		r.Recorder.Event(rmq, corev1.EventTypeWarning, fmt.Sprintf("Failed%s", caser.String(operation)), msg)
 	}

controllers/reconcile_tls.go

@@ -39,9 +39,10 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 	secretName := rabbitmqCluster.Spec.TLS.SecretName
 	logger.V(1).Info("TLS enabled, looking for secret", "secret", secretName)
 
-	// check if secret exists
+	// check if secret exists - we need to use the APIReader because if the Secret doesn't have
+	// "app.kubernetes.io/part-of" label set to "rabbitmq", it's not cached by the controller
 	secret := &corev1.Secret{}
-	if err := r.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
+	if err := r.APIReader.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
 		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 			fmt.Sprintf("Failed to get TLS secret %s in namespace %s: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 		logger.Error(err, "Error setting up TLS")
@@ -65,7 +66,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 
 			// check if secret exists
 			secret = &corev1.Secret{}
-			if err := r.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
+			if err := r.APIReader.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
 				r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 					fmt.Sprintf("Failed to get CA certificate secret %v in namespace %v: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 				logger.Error(err, "Error setting up TLS")

controllers/suite_test.go

@@ -13,9 +13,10 @@ package controllers_test
 import (
 	"context"
 	"path/filepath"
-	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"testing"
 
+	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
 	"k8s.io/client-go/util/retry"
 
 	. "github.com/onsi/ginkgo/v2"
@@ -95,6 +96,7 @@ var _ = BeforeSuite(func() {
 	fakeExecutor = &fakePodExecutor{}
 	err = (&controllers.RabbitmqClusterReconciler{
 		Client:                  mgr.GetClient(),
+		APIReader:               mgr.GetAPIReader(),
 		Scheme:                  mgr.GetScheme(),
 		Recorder:                mgr.GetEventRecorderFor(controllerName),
 		Namespace:               "rabbitmq-system",

main.go

@@ -12,20 +12,28 @@ import (
 	"flag"
 	"fmt"
 	"os"
-	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"strconv"
 	"strings"
 	"time"
 
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
 	"github.com/rabbitmq/cluster-operator/v2/pkg/profiling"
 
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	rabbitmqv1beta1 "github.com/rabbitmq/cluster-operator/v2/api/v1beta1"
 	"github.com/rabbitmq/cluster-operator/v2/controllers"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/client-go/kubernetes"
 	defaultscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -130,6 +138,25 @@ func main() {
 		}
 	}
 
+	rmqLabel, err := labels.NewRequirement("app.kubernetes.io/part-of", selection.Equals, []string{"rabbitmq"})
+	if err != nil {
+		log.Error(err, "unable to create a label filter")
+		os.Exit(1)
+	}
+	rmqSelector := labels.NewSelector().Add(*rmqLabel)
+
+	options.Cache.ByObject = map[client.Object]cache.ByObject{
+		&rabbitmqv1beta1.RabbitmqCluster{}: {},
+		&appsv1.StatefulSet{}:              {Label: rmqSelector},
+		&corev1.Service{}:                  {Label: rmqSelector},
+		&corev1.ConfigMap{}:                {Label: rmqSelector},
+		&corev1.Secret{}:                   {Label: rmqSelector},
+		&corev1.ServiceAccount{}:           {Label: rmqSelector},
+		&corev1.Endpoints{}:                {Label: rmqSelector},
+		&rbacv1.Role{}:                     {Label: rmqSelector},
+		&rbacv1.RoleBinding{}:              {Label: rmqSelector},
+	}
+
 	if leaseDuration := getEnvInDuration("LEASE_DURATION"); leaseDuration != 0 {
 		log.Info("manager configured with lease duration", "seconds", int(leaseDuration.Seconds()))
 		options.LeaseDuration = &leaseDuration
@@ -167,6 +194,7 @@ func main() {
 
 	err = (&controllers.RabbitmqClusterReconciler{
 		Client:                  mgr.GetClient(),
+		APIReader:               mgr.GetAPIReader(),
 		Scheme:                  mgr.GetScheme(),
 		Recorder:                mgr.GetEventRecorderFor(controllerName),
 		Namespace:               operatorNamespace,