Remove secret from default resourceCache (#1878)

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2025-03-29 02:45:06 +00:00 · 2021-05-04 22:10:01 -07:00 · 2021-05-04 22:10:01 -07:00 · e9952fbaf2
commit e9952fbaf2
parent 02f1faca0b
5 changed files with 23 additions and 23 deletions
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -148,8 +148,7 @@ func main() {
 		debug,
 		log.Log)

-	// Resource Mutating Webhook Watcher
-	webhookMonitor := webhookconfig.NewMonitor(rCache, log.Log.WithName("WebhookMonitor"))
+	webhookMonitor := webhookconfig.NewMonitor(kubeInformer.Core().V1().Secrets(), log.Log.WithName("WebhookMonitor"))

 	// KYVERNO CRD INFORMER
 	// watches CRD resources:
--- a/pkg/resourcecache/main.go
+++ b/pkg/resourcecache/main.go
@ -33,7 +33,7 @@ type resourceCache struct {
 	log logr.Logger
 }

-var KyvernoDefaultInformer = []string{"ConfigMap", "Secret", "Deployment", "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"}
+var KyvernoDefaultInformer = []string{"ConfigMap", "Deployment", "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"}

 // NewResourceCache - initializes the ResourceCache
 func NewResourceCache(dclient *dclient.Client, dInformer dynamicinformer.DynamicSharedInformerFactory, logger logr.Logger) (ResourceCache, error) {
--- a/pkg/tls/certRenewer.go
+++ b/pkg/tls/certRenewer.go
@ -65,7 +65,7 @@ func (c *CertRenewer) InitTLSPemPair(serverIP string) (*PemPair, error) {
 			logger.Info("using existing TLS key/certificate pair")
 			return tlsPair, nil
 		}
-	} else {
+	} else if err != nil {
 		logger.V(3).Info("unable to find TLS pair", "reason", err.Error())
 	}

--- a/pkg/tls/reader.go
+++ b/pkg/tls/reader.go
@ -13,6 +13,8 @@ import (
 	"k8s.io/client-go/rest"
 )

+var ErrorsNotFound = "root CA certificate not found"
+
 // ReadRootCASecret returns the RootCA from the pre-defined secret
 func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []byte, err error) {
 	certProps, err := GetTLSCertProps(restConfig)
@ -33,7 +35,7 @@ func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []

 	result = tlsca.Data[RootCAKey]
 	if len(result) == 0 {
-		return nil, errors.Errorf("root CA certificate not found in secret %s/%s", certProps.Namespace, tlsca.Name)
+		return nil, errors.Errorf("%s in secret %s/%s", ErrorsNotFound, certProps.Namespace, tlsca.Name)
 	}

 	return result, nil
--- a/pkg/webhookconfig/monitor.go
+++ b/pkg/webhookconfig/monitor.go
@ -4,15 +4,16 @@ import (
 	"fmt"
 	"os"
 	"reflect"
+	"strings"
 	"sync"
 	"time"

 	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/event"
-	"github.com/kyverno/kyverno/pkg/resourcecache"
 	"github.com/kyverno/kyverno/pkg/tls"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	v1 "k8s.io/api/core/v1"
+	informerv1 "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/tools/cache"
 )

@ -41,22 +42,14 @@ type Monitor struct {
 }

 //NewMonitor returns a new instance of webhook monitor
-func NewMonitor(resCache resourcecache.ResourceCache, log logr.Logger) *Monitor {
+func NewMonitor(nsInformer informerv1.SecretInformer, log logr.Logger) *Monitor {
 	monitor := &Monitor{
 		t:           time.Now(),
 		secretQueue: make(chan bool, 1),
 		log:         log,
 	}

-	var err error
-	secretCache, ok := resCache.GetGVRCache("Secret")
-	if !ok {
-		if secretCache, err = resCache.CreateGVKInformer("Secret"); err != nil {
-			log.Error(err, "unable to start Secret's informer")
-		}
-	}
-
-	secretCache.GetInformer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+	nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    monitor.addSecretFunc,
 		UpdateFunc: monitor.updateSecretFunc,
 	})
@ -80,7 +73,7 @@ func (t *Monitor) SetTime(tm time.Time) {
 }

 func (t *Monitor) addSecretFunc(obj interface{}) {
-	secret := obj.(*unstructured.Unstructured)
+	secret := obj.(*v1.Secret)
 	if secret.GetNamespace() != config.KyvernoNamespace {
 		return
 	}
@ -94,8 +87,8 @@ func (t *Monitor) addSecretFunc(obj interface{}) {
 }

 func (t *Monitor) updateSecretFunc(oldObj interface{}, newObj interface{}) {
-	old := oldObj.(*unstructured.Unstructured)
-	new := newObj.(*unstructured.Unstructured)
+	old := oldObj.(*v1.Secret)
+	new := newObj.(*v1.Secret)
 	if new.GetNamespace() != config.KyvernoNamespace {
 		return
 	}
@ -105,7 +98,7 @@ func (t *Monitor) updateSecretFunc(oldObj interface{}, newObj interface{}) {
 		return
 	}

-	if reflect.DeepEqual(old.UnstructuredContent()["data"], new.UnstructuredContent()["data"]) {
+	if reflect.DeepEqual(old.DeepCopy().Data, new.DeepCopy().Data) {
 		return
 	}

@ -182,7 +175,10 @@ func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen
 			valid, err := certRenewer.ValidCert()
 			if err != nil {
 				logger.Error(err, "failed to validate cert")
-				continue
+
+				if !strings.Contains(err.Error(), tls.ErrorsNotFound) {
+					continue
+				}
 			}

 			if valid {
@ -199,7 +195,10 @@ func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen
 			valid, err := certRenewer.ValidCert()
 			if err != nil {
 				logger.Error(err, "failed to validate cert")
-				continue
+
+				if !strings.Contains(err.Error(), tls.ErrorsNotFound) {
+					continue
+				}
 			}

 			if valid {