Only listen for updates to known secrets
@kopf.on.update('secrets') will cause us to attempt to listen to updates to every secret in the Kubernetes cluster in which we are running. This is negative because:

* kopf annotates every object it is watching to track last known state, which will be *every secret in the cluster* with the current approach. This is a somewhat obnoxious behaviour.
* if the operator is not running with elevated privileges, this may not work correctly anyway, although the current deployment does provide the operator user with cluster-admin privileges.

Instead, we should only track the secrets that we've expressed interest in, which is effectively what we're doing anyway, but this will save us from annotating every secret in the cluster.

Change-Id: I540841ee8b053ae05ca7943aca3f1646b509cfd9
This commit is contained in:
parent
4f51fc7da3
commit
d2b2393d52
@ -67,8 +67,20 @@ def startup(memo, logger, **kwargs):
|
|||||||
memoize_secrets(memo, logger)
|
memoize_secrets(memo, logger)
|
||||||
|
|
||||||
|
|
||||||
@kopf.on.update('secrets')
|
def when_update_secret(name, namespace, memo, logger, **_):
|
||||||
def update_secret(name, namespace, logger, memo, new, **kwargs):
|
logger.info(f"Checking update predicate for {namespace}/{name}")
|
||||||
|
|
||||||
|
for resources in memo.config_resources.values():
|
||||||
|
for resource in resources:
|
||||||
|
if (resource.namespace == namespace or
|
||||||
|
resource.resource_name == name):
|
||||||
|
return True
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
@kopf.on.update('secrets', when=when_update_secret)
|
||||||
|
def update_secret(name, namespace, logger, memo, **kwargs):
|
||||||
# if this configmap isn't known, ignore
|
# if this configmap isn't known, ignore
|
||||||
logger.info(f"Update secret {namespace}/{name}")
|
logger.info(f"Update secret {namespace}/{name}")
|
||||||
|
|
||||||
|
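Review bot: the predicate in `when_update_secret` is too permissive: `if (resource.namespace == namespace or resource.resource_name == name)` returns True for any secret that merely shares a namespace with a known secret, or merely shares a name with one in any other namespace, so `update_secret` still fires for unrelated secrets; the match should require both, i.e. `resource.namespace == namespace and resource.resource_name == name`. Two smaller points in the same hunk: the `new` parameter of the predicate is unused and can be dropped, and the retained comment `# if this configmap isn't known, ignore` now describes the predicate's job rather than the handler's and refers to a configmap in a secret handler, so it should be moved or reworded. Note also that `logger.info(f"Checking update predicate ...")` in the predicate will still log once per secret update cluster-wide, since kopf evaluates `when` for every watched object even though it no longer annotates the ones the predicate rejects; `logger.debug` would be the quieter choice.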