Only listen for updates to known secrets

@kopf.on.update('secrets') will cause us to attempt to listen to
updates to every secret in the Kubernetes cluster in which we are
running.  This is negative because:

* kopf annotates every object it is watching to track last known
  state, which will be *every secret in the cluster* if with the
  current approach.  This is a somewhat obnoxious behaviour.

* if the operator is not running with elevated priviledges, this may
  not work correctly anyway, although the current deployment does
  provide the operator user with cluster-admin priviledges

Instead, we should only track the secrets that we've expressed
interest in, which is effectively what we're doing anyway, but this
will save us from annotating every secret in the cluster.

Change-Id: I540841ee8b053ae05ca7943aca3f1646b509cfd9
This commit is contained in:
Michael Kelly 2022-08-17 21:25:00 -07:00
parent 4f51fc7da3
commit d2b2393d52
No known key found for this signature in database
GPG Key ID: 77F7FE93040ECF3E

View File

@ -67,8 +67,20 @@ def startup(memo, logger, **kwargs):
memoize_secrets(memo, logger) memoize_secrets(memo, logger)
@kopf.on.update('secrets') def when_update_secret(name, namespace, memo, logger, **_):
def update_secret(name, namespace, logger, memo, new, **kwargs): logger.info(f"Checking update predicate for {namespace}/{name}")
for resources in memo.config_resources.values():
for resource in resources:
if (resource.namespace == namespace or
resource.resource_name == name):
return True
return False
@kopf.on.update('secrets', when=when_update_secret)
def update_secret(name, namespace, logger, memo, **kwargs):
# if this configmap isn't known, ignore # if this configmap isn't known, ignore
logger.info(f"Update secret {namespace}/{name}") logger.info(f"Update secret {namespace}/{name}")