From d2b2393d522cfe62c5b123f71aca07a7cc38cf75 Mon Sep 17 00:00:00 2001 From: Michael Kelly Date: Wed, 17 Aug 2022 21:25:00 -0700 Subject: [PATCH] Only listen for updates to known secrets @kopf.on.update('secrets') will cause us to attempt to listen to updates to every secret in the Kubernetes cluster in which we are running. This is negative because: * kopf annotates every object it is watching to track last known state, which will be *every secret in the cluster* if with the current approach. This is a somewhat obnoxious behaviour. * if the operator is not running with elevated priviledges, this may not work correctly anyway, although the current deployment does provide the operator user with cluster-admin priviledges Instead, we should only track the secrets that we've expressed interest in, which is effectively what we're doing anyway, but this will save us from annotating every secret in the cluster. Change-Id: I540841ee8b053ae05ca7943aca3f1646b509cfd9
---
 zuul_operator/operator.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/zuul_operator/operator.py b/zuul_operator/operator.py
index f65d9eb..8fe874e 100644
--- a/zuul_operator/operator.py
+++ b/zuul_operator/operator.py
@@ -67,8 +67,20 @@ def startup(memo, logger, **kwargs):
 memoize_secrets(memo, logger)
-@kopf.on.update('secrets')
-def update_secret(name, namespace, logger, memo, new, **kwargs):
+def when_update_secret(name, namespace, memo, logger, **_):
+ logger.info(f"Checking update predicate for {namespace}/{name}")
+
+ for resources in memo.config_resources.values():
+ for resource in resources:
+ if (resource.namespace == namespace or
+ resource.resource_name == name):
+ return True
+
+ return False
+
+
+@kopf.on.update('secrets', when=when_update_secret)
+def update_secret(name, namespace, logger, memo, **kwargs):
 # if this configmap isn't known, ignore
 logger.info(f"Update secret {namespace}/{name}")