

added list options to podrefresh logic (#270)
Because the functions that search for workloads mounting the certificate
secret were searching across all namespaces, they were changed to check only
the namespace of the Certificate that triggered the reconcile.

A bug from searching all namespaces is when there are two certificates
with the same name in different namespaces, and there are two workloads,
again, one in each namespace with a certificate of the same name. When
one of the Certificates get renewed, both workloads will be restarted
even though one is in a different namespace from the certificate being
renewed.

Signed-off-by: Henry Li <[email protected]>
bitscuit authored Jul 22, 2022
1 parent 09616a8 commit a0ecc4a
Showing 1 changed file with 20 additions and 11 deletions.
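--- a/controllers/cert-manager/podrefresh_controller.go
+++ b/controllers/cert-manager/podrefresh_controller.go
@@ -82,7 +82,7 @@ func (r *PodRefreshReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 }
 
 if cert.Status.NotBefore != nil && cert.Status.NotAfter != nil {
-if err := r.restart(cert.Spec.SecretName, cert.Name, cert.Status.NotBefore.Format("2006-1-2.1504")); err != nil {
+if err := r.restart(cert.Spec.SecretName, cert.Name, cert.Namespace, cert.Status.NotBefore.Format("2006-1-2.1504")); err != nil {
 reqLogger.Error(err, "Failed to fresh pod")
 return ctrl.Result{}, err
 }
@@ -95,13 +95,13 @@ func (r *PodRefreshReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 // pod refresh is enabled. It will edit the deployments, statefulsets, and daemonsets
 // that use the secret being updated, which will trigger the pod to be restarted.
-func (r *PodRefreshReconciler) restart(secret, cert string, lastUpdated string) error {
+func (r *PodRefreshReconciler) restart(secret, cert, namespace string, lastUpdated string) error {
 timeNow := time.Now().Format("2006-1-2.1504")
 deployments := &appsv1.DeploymentList{}
 if err := r.Client.List(context.TODO(), deployments); err != nil {
 return fmt.Errorf("error getting deployments: %v", err)
 }
-deploymentsToUpdate, err := r.getDeploymentsNeedUpdate(secret, lastUpdated)
+deploymentsToUpdate, err := r.getDeploymentsNeedUpdate(secret, namespace, lastUpdated)
 if err != nil {
 return err
 }
@@ -110,15 +110,15 @@ func (r *PodRefreshReconciler) restart(secret, cert string, lastUpdated string)
 return err
 }
 
-statefulsetsToUpdate, err := r.getStsNeedUpdate(secret, lastUpdated)
+statefulsetsToUpdate, err := r.getStsNeedUpdate(secret, namespace, lastUpdated)
 if err != nil {
 return err
 }
 if err := r.updateStsAnnotations(statefulsetsToUpdate, cert, secret, timeNow); err != nil {
 return err
 }
 
-daemonsetsToUpdate, err := r.getDaemonSetNeedUpdate(secret, lastUpdated)
+daemonsetsToUpdate, err := r.getDaemonSetNeedUpdate(secret, namespace, lastUpdated)
 if err != nil {
 return err
 }
@@ -129,10 +129,13 @@ func (r *PodRefreshReconciler) restart(secret, cert string, lastUpdated string)
 return nil
 }
 
-func (r *PodRefreshReconciler) getDeploymentsNeedUpdate(secret, lastUpdated string) ([]appsv1.Deployment, error) {
+func (r *PodRefreshReconciler) getDeploymentsNeedUpdate(secret, namespace, lastUpdated string) ([]appsv1.Deployment, error) {
 deploymentsToUpdate := make([]appsv1.Deployment, 0)
 deployments := &appsv1.DeploymentList{}
-if err := r.Client.List(context.TODO(), deployments); err != nil {
+listOpts := &client.ListOptions{
+Namespace: namespace,
+}
+if err := r.Client.List(context.TODO(), deployments, listOpts); err != nil {
 return deploymentsToUpdate, fmt.Errorf("error getting deployments: %v", err)
 }
 NEXT_DEPLOYMENT:
@@ -176,10 +179,13 @@ NEXT_DEPLOYMENT:
 return deploymentsToUpdate, nil
 }
 
-func (r *PodRefreshReconciler) getStsNeedUpdate(secret, lastUpdated string) ([]appsv1.StatefulSet, error) {
+func (r *PodRefreshReconciler) getStsNeedUpdate(secret, namespace, lastUpdated string) ([]appsv1.StatefulSet, error) {
 statefulsetsToUpdate := make([]appsv1.StatefulSet, 0)
 statefulsets := &appsv1.StatefulSetList{}
-err := r.Client.List(context.TODO(), statefulsets)
+listOpts := &client.ListOptions{
+Namespace: namespace,
+}
+err := r.Client.List(context.TODO(), statefulsets, listOpts)
 if err != nil {
 return statefulsetsToUpdate, fmt.Errorf("error getting statefulsets: %v", err)
 }
@@ -224,10 +230,13 @@ NEXT_STATEFULSET:
 return statefulsetsToUpdate, nil
 }
 
-func (r *PodRefreshReconciler) getDaemonSetNeedUpdate(secret, lastUpdated string) ([]appsv1.DaemonSet, error) {
+func (r *PodRefreshReconciler) getDaemonSetNeedUpdate(secret, namespace, lastUpdated string) ([]appsv1.DaemonSet, error) {
 daemonsetsToUpdate := make([]appsv1.DaemonSet, 0)
 daemonsets := &appsv1.DaemonSetList{}
-if err := r.Client.List(context.TODO(), daemonsets); err != nil {
+listOpts := &client.ListOptions{
+Namespace: namespace,
+}
+if err := r.Client.List(context.TODO(), daemonsets, listOpts); err != nil {
 return daemonsetsToUpdate, fmt.Errorf("error getting daemonsets: %v", err)
 }
 NEXT_DAEMONSET: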
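Review bot: `restart` still issues an unscoped `r.Client.List(context.TODO(), deployments)` right after `timeNow` is computed, and the `deployments` it fills is not used anywhere in the visible lines — each helper now does its own namespace-scoped list. That leftover call is the one remaining cluster-wide read on this path, so it likely still forces the controller's RBAC to grant cluster-scope `list` on deployments, which the namespace scoping in this commit was meant to make unnecessary. Unless the result is consumed further down in `restart` (its body continues outside the hunk), drop the `deployments := &appsv1.DeploymentList{}` declaration together with its `List` call and error branch; if it must stay, pass the same `&client.ListOptions{Namespace: namespace}` so it cannot observe other tenants' workloads. As a smaller point, threading the `ctx` from `Reconcile` through `restart` and the three helpers instead of `context.TODO()` would let API calls honour cancellation, and the new signature reads cleaner as `restart(secret, cert, namespace, lastUpdated string)`.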
