fix: Perform watches on a per-object basis instead of globally on the kind

Author: codablock

api/v1alpha1/texttemplate_types.go

@@ -20,6 +20,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+const (
+	TextTemplateFinalizer = "finalizers.templates.kluctl.io"
+)
+
 // TextTemplateSpec defines the desired state of TextTemplate
 type TextTemplateSpec struct {
 	// Suspend can be used to suspend the reconciliation of this object.

controllers/base_template_reconciler.go

@@ -7,78 +7,45 @@ import (
 	"github.com/ohler55/ojg/jp"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sync"
 )
 
 type BaseTemplateReconciler struct {
 	client.Client
 
+	RawWatchContext context.Context
+
 	Manager      manager.Manager
 	Scheme       *runtime.Scheme
 	FieldManager string
 
-	controller   controller.Controller
-	watchedKinds map[schema.GroupVersionKind]bool
-	mutex        sync.Mutex
+	controller controller.Controller
+
+	watchesUtil watchesUtil
+
+	mutex sync.Mutex
 }
 
-func (r *BaseTemplateReconciler) getClientForObjects(serviceAccountName string, objNamespace string) (client.Client, error) {
+func (r *BaseTemplateReconciler) getClientForObjects(serviceAccountName string, objNamespace string) (client.WithWatch, string, error) {
 	restConfig := rest.CopyConfig(r.Manager.GetConfig())
 
 	name := "default"
 	if serviceAccountName != "" {
 		name = serviceAccountName
 	}
-	if name == "" {
-		return nil, fmt.Errorf("empty serviceAccountName not allowed")
-	}
 	username := fmt.Sprintf("system:serviceaccount:%s:%s", objNamespace, name)
 	restConfig.Impersonate = rest.ImpersonationConfig{UserName: username}
 
-	c, err := client.New(restConfig, client.Options{Mapper: r.RESTMapper()})
-	if err != nil {
-		return nil, err
-	}
-	return c, nil
-}
-
-func (r *BaseTemplateReconciler) addWatchForKind(ctx context.Context, gvk schema.GroupVersionKind, key string, eventHandler handler.TypedEventHandler[client.Object]) error {
-	logger := log.FromContext(ctx)
-
-	r.mutex.Lock()
-	defer r.mutex.Unlock()
-
-	if r.watchedKinds == nil {
-		r.watchedKinds = map[schema.GroupVersionKind]bool{}
-	}
-
-	keyGvk := gvk
-	keyGvk.Kind += "+" + key
-	if x, ok := r.watchedKinds[keyGvk]; ok && x {
-		return nil
-	}
-
-	logger.V(1).Info("Starting watch for new kind and key", "gvk", gvk, "key", key)
-
-	var dummy unstructured.Unstructured
-	dummy.SetGroupVersionKind(gvk)
-
-	err := r.controller.Watch(source.Kind[client.Object](r.Manager.GetCache(), &dummy, eventHandler))
+	c, err := client.NewWithWatch(restConfig, client.Options{Mapper: r.RESTMapper()})
 	if err != nil {
-		return err
+		return nil, "", err
 	}
-
-	r.watchedKinds[keyGvk] = true
-	return nil
+	return c, name, nil
 }
 
 func (r *BaseTemplateReconciler) buildBaseVars(templateObj runtime.Object, objVarName string) (map[string]any, error) {

controllers/objecttemplate_controller.go

@@ -28,24 +28,19 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/yaml"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sort"
 	"strings"
 	"sync"
 )
 
-const forMatrixObjectKey = "spec.matrix.object.ref"
-
 // ObjectTemplateReconciler reconciles a ObjectTemplate object
 type ObjectTemplateReconciler struct {
 	BaseTemplateReconciler
@@ -95,20 +90,6 @@ func (r *ObjectTemplateReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{}, nil
 	}
 
-	for _, me := range rt.Spec.Matrix {
-		if me.Object != nil {
-			gvk, err2 := me.Object.Ref.GroupVersionKind()
-			if err2 != nil {
-				err = err2
-				return
-			}
-			err = r.addWatchForKind(ctx, gvk, forMatrixObjectKey, r.buildWatchEventHandler(forMatrixObjectKey))
-			if err != nil {
-				return
-			}
-		}
-	}
-
 	patch := client.MergeFrom(rt.DeepCopy())
 	err = r.doReconcile(ctx, &rt)
 	if err != nil {
@@ -203,11 +184,25 @@ func (r *ObjectTemplateReconciler) doReconcile(ctx context.Context, rt *template
 	var wg sync.WaitGroup
 	var mutex sync.Mutex
 
-	objClient, err := r.getClientForObjects(rt.Spec.ServiceAccountName, rt.GetNamespace())
+	objClient, saName, err := r.getClientForObjects(rt.Spec.ServiceAccountName, rt.GetNamespace())
 	if err != nil {
 		return err
 	}
 
+	wt := r.watchesUtil.getWatchesForTemplate(client.ObjectKeyFromObject(rt))
+	wt.setClient(objClient, saName)
+	newObjects := map[templatesv1alpha1.ObjectRef]bool{}
+	for _, me := range rt.Spec.Matrix {
+		if me.Object != nil {
+			newObjects[me.Object.Ref] = true
+			err = wt.addWatchForObject(ctx, me.Object.Ref)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	wt.removeDeletedWatches(newObjects)
+
 	matrixEntries, err := r.buildMatrixEntries(ctx, rt, objClient)
 	if err != nil {
 		return err
@@ -429,21 +424,6 @@ func (r *ObjectTemplateReconciler) renderTemplates(j2 *jinja2.Jinja2, rt *templa
 func (r *ObjectTemplateReconciler) SetupWithManager(mgr ctrl.Manager, concurrent int) error {
 	r.Manager = mgr
 
-	// Index the ObjectTemplate by the objects they are for.
-	if err := mgr.GetCache().IndexField(context.TODO(), &templatesv1alpha1.ObjectTemplate{}, forMatrixObjectKey,
-		func(object client.Object) []string {
-			o := object.(*templatesv1alpha1.ObjectTemplate)
-			var ret []string
-			for _, me := range o.Spec.Matrix {
-				if me.Object != nil {
-					ret = append(ret, BuildRefIndexValue(me.Object.Ref, o.GetNamespace()))
-				}
-			}
-			return ret
-		}); err != nil {
-		return fmt.Errorf("failed setting index fields: %w", err)
-	}
-
 	c, err := ctrl.NewControllerManagedBy(mgr).
 		For(&templatesv1alpha1.ObjectTemplate{}, builder.WithPredicates(
 			predicate.Or(predicate.GenerationChangedPredicate{}),
@@ -457,33 +437,16 @@ func (r *ObjectTemplateReconciler) SetupWithManager(mgr ctrl.Manager, concurrent
 	}
 	r.controller = c
 
-	return nil
-}
-
-func (r *ObjectTemplateReconciler) buildWatchEventHandler(indexField string) handler.EventHandler {
-	return handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, object client.Object) []reconcile.Request {
-		var list templatesv1alpha1.ObjectTemplateList
+	err = r.watchesUtil.init(r.RawWatchContext, r.controller)
+	if err != nil {
+		return err
+	}
 
-		err := r.List(context.Background(), &list, client.MatchingFields{
-			indexField: BuildObjectIndexValue(object),
-		})
-		if err != nil {
-			return nil
-		}
-		var reqs []reconcile.Request
-		for _, x := range list.Items {
-			reqs = append(reqs, reconcile.Request{
-				NamespacedName: types.NamespacedName{
-					Namespace: x.GetNamespace(),
-					Name:      x.GetName(),
-				},
-			})
-		}
-		return reqs
-	})
+	return nil
 }
 
 func (r *ObjectTemplateReconciler) finalize(ctx context.Context, obj *templatesv1alpha1.ObjectTemplate) (ctrl.Result, error) {
+	r.watchesUtil.removeWatchesForTemplate(client.ObjectKeyFromObject(obj))
 	r.doFinalize(ctx, obj)
 
 	// Remove our finalizer from the list and update it
@@ -503,7 +466,7 @@ func (r *ObjectTemplateReconciler) doFinalize(ctx context.Context, obj *template
 		return
 	}
 
-	objClient, err := r.getClientForObjects(obj.Spec.ServiceAccountName, obj.GetNamespace())
+	objClient, _, err := r.getClientForObjects(obj.Spec.ServiceAccountName, obj.GetNamespace())
 	if err != nil {
 		log.Error(err, "Failed to create objClient for deletion")
 		return

controllers/objecttemplate_controller_test.go

@@ -129,7 +129,7 @@ var _ = Describe("ObjectTemplate controller", func() {
 			t2 := getObjectTemplate(key)
 			c := getReadyCondition(t2.GetConditions())
 			Expect(c.Status).To(Equal(metav1.ConditionFalse))
-			Expect(c.Message).To(ContainSubstring("secrets \"m1\" is forbidden"))
+			Expect(c.Message).To(ContainSubstring("Secret \"m1\" is forbidden"))
 		})
 		It("Should succeed when RBAC is created", func() {
 			createRoleWithBinding("default", ns, []string{"secrets"})
@@ -149,7 +149,7 @@ var _ = Describe("ObjectTemplate controller", func() {
 			t2 := getObjectTemplate(key)
 			c := getReadyCondition(t2.GetConditions())
 			Expect(c.Status).To(Equal(metav1.ConditionFalse))
-			Expect(c.Message).To(ContainSubstring("secrets \"m1\" is forbidden"))
+			Expect(c.Message).To(ContainSubstring("Secret \"m1\" is forbidden"))
 		})
 		It("Should succeed after the SA is being created", func() {
 			createServiceAccount("non-existent", ns)

controllers/suite_test.go

@@ -93,9 +93,10 @@ var _ = BeforeSuite(func() {
 
 	err = (&ObjectTemplateReconciler{
 		BaseTemplateReconciler: BaseTemplateReconciler{
-			Client:       k8sManager.GetClient(),
-			Scheme:       k8sManager.GetScheme(),
-			FieldManager: "template-controller",
+			Client:          k8sManager.GetClient(),
+			RawWatchContext: ctx,
+			Scheme:          k8sManager.GetScheme(),
+			FieldManager:    "template-controller",
 		},
 	}).SetupWithManager(k8sManager, 1)
 	Expect(err).ToNot(HaveOccurred())