Add propagation improvements for webhook (running before reconciler)

Signed-off-by: Pierangelo Di Pilato <[email protected]>
knative · May 22, 2024 · 9b9892c · 9b9892c
1 parent 48de042
commit 9b9892c
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 15 deletions.
diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle.go b/pkg/apis/sources/v1/sinkbinding_lifecycle.go
@@ -24,6 +24,7 @@ import (
 
 	"go.uber.org/zap"
 	corev1listers "k8s.io/client-go/listers/core/v1"
+	kubeclient "knative.dev/pkg/client/injection/kube/client"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -196,13 +197,29 @@ func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) {
 			Value: ceOverrides,
 		})
 	}
-
-	pss, err := eventingtls.AddTrustBundleVolumes(GetTrustBundleConfigMapLister(ctx), sb, &ps.Spec.Template.Spec)
+	gvk := schema.GroupVersionKind{
+		Group:   SchemeGroupVersion.Group,
+		Version: SchemeGroupVersion.Version,
+		Kind:    "SinkBinding",
+	}
+	bundles, err := eventingtls.PropagateTrustBundles(ctx, kubeclient.Get(ctx), GetTrustBundleConfigMapLister(ctx), gvk, sb)
 	if err != nil {
-		logging.FromContext(ctx).Errorw("Failed to add trust bundle volumes %s/%s: %+v", zap.Error(err))
-		return
+		logging.FromContext(ctx).Errorw("Failed to propagate trust bundles", zap.Error(err))
+	} else if len(bundles) > 0 {
+		pss, err := eventingtls.AddTrustBundleVolumesFromConfigMaps(bundles, &ps.Spec.Template.Spec)
+		if err != nil {
+			logging.FromContext(ctx).Errorw("Failed to add trust bundle volumes %s/%s: %+v", zap.Error(err))
+			return
+		}
+		ps.Spec.Template.Spec = *pss
+	} else {
+		pss, err := eventingtls.AddTrustBundleVolumes(GetTrustBundleConfigMapLister(ctx), sb, &ps.Spec.Template.Spec)
+		if err != nil {
+			logging.FromContext(ctx).Errorw("Failed to add trust bundle volumes %s/%s: %+v", zap.Error(err))
+			return
+		}
+		ps.Spec.Template.Spec = *pss
 	}
-	ps.Spec.Template.Spec = *pss
 
 	if sb.Status.OIDCTokenSecretName != nil {
 		ps.Spec.Template.Spec.Volumes = append(ps.Spec.Template.Spec.Volumes, corev1.Volume{

diff --git a/pkg/eventingtls/trust_bundle.go b/pkg/eventingtls/trust_bundle.go
@@ -57,18 +57,20 @@ var (
 
 // PropagateTrustBundles propagates Trust bundles ConfigMaps from the system.Namespace() to the
 // obj namespace.
-func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustBundleConfigMapLister corev1listers.ConfigMapLister, gvk schema.GroupVersionKind, obj kmeta.Accessor) error {
+func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustBundleConfigMapLister corev1listers.ConfigMapLister, gvk schema.GroupVersionKind, obj kmeta.Accessor) ([]*corev1.ConfigMap, error) {
 
 	systemNamespaceBundles, err := trustBundleConfigMapLister.ConfigMaps(system.Namespace()).List(TrustBundleSelector)
 	if err != nil {
-		return fmt.Errorf("failed to list trust bundle ConfigMaps in %q: %w", system.Namespace(), err)
+		return nil, fmt.Errorf("failed to list trust bundle ConfigMaps in %q: %w", system.Namespace(), err)
 	}
 
 	userNamespaceBundles, err := trustBundleConfigMapLister.ConfigMaps(obj.GetNamespace()).List(TrustBundleSelector)
 	if err != nil {
-		return fmt.Errorf("failed to list trust bundles ConfigMaps in %q: %w", obj.GetNamespace(), err)
+		return nil, fmt.Errorf("failed to list trust bundles ConfigMaps in %q: %w", obj.GetNamespace(), err)
 	}
 
+	outputUserNamespaceBundles := make([]*corev1.ConfigMap, 0, len(systemNamespaceBundles))
+
 	type Pair struct {
 		sysCM  *corev1.ConfigMap
 		userCm *corev1.ConfigMap
@@ -114,7 +116,7 @@ func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustB
 				// Only delete the ConfigMap if the object owns it
 				if equality.Semantic.DeepDerivative(expectedOr, or) {
 					if err := deleteConfigMap(ctx, k8s, obj, p.userCm); err != nil {
-						return err
+						return nil, err
 					}
 				}
 			}
@@ -136,8 +138,9 @@ func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustB
 			// Update owner references
 			expected.OwnerReferences = withOwnerReferences(obj, gvk, []metav1.OwnerReference{})
 			if err := createConfigMap(ctx, k8s, expected); err != nil {
-				return err
+				return nil, err
 			}
+			outputUserNamespaceBundles = append(outputUserNamespaceBundles, expected)
 			continue
 		}
 
@@ -146,21 +149,28 @@ func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustB
 		// Update owner references
 		expected.OwnerReferences = withOwnerReferences(obj, gvk, p.userCm.OwnerReferences)
 
-		if !equality.Semantic.DeepDerivative(expected, p.userCm) {
+		if !equality.Semantic.DeepDerivative(expected.Data, p.userCm.Data) ||
+			!equality.Semantic.DeepDerivative(expected.BinaryData, p.userCm.BinaryData) ||
+			!equality.Semantic.DeepDerivative(expected.Labels, p.userCm.Labels) {
 			if err := updateConfigMap(ctx, k8s, expected); err != nil {
-				return err
+				return nil, err
 			}
 		}
+		outputUserNamespaceBundles = append(outputUserNamespaceBundles, expected)
 	}
-	return nil
+
+	return outputUserNamespaceBundles, nil
 }
 
 func AddTrustBundleVolumes(trustBundleLister corev1listers.ConfigMapLister, obj kmeta.Accessor, pt *corev1.PodSpec) (*corev1.PodSpec, error) {
 	cms, err := trustBundleLister.ConfigMaps(obj.GetNamespace()).List(TrustBundleSelector)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list trust bundles ConfigMaps in %q: %w", obj.GetNamespace(), err)
 	}
+	return AddTrustBundleVolumesFromConfigMaps(cms, pt)
+}
 
+func AddTrustBundleVolumesFromConfigMaps(cms []*corev1.ConfigMap, pt *corev1.PodSpec) (*corev1.PodSpec, error) {
 	pt = pt.DeepCopy()
 	sources := make([]corev1.VolumeProjection, 0, len(cms))
 	for _, cm := range cms {

diff --git a/pkg/reconciler/apiserversource/apiserversource.go b/pkg/reconciler/apiserversource/apiserversource.go
@@ -464,5 +464,6 @@ func (r *Reconciler) propagateTrustBundles(ctx context.Context, source *v1.ApiSe
 		Version: v1.SchemeGroupVersion.Version,
 		Kind:    "ApiServerSource",
 	}
-	return eventingtls.PropagateTrustBundles(ctx, r.kubeClientSet, r.trustBundleConfigMapLister, gvk, source)
+	_, err := eventingtls.PropagateTrustBundles(ctx, r.kubeClientSet, r.trustBundleConfigMapLister, gvk, source)
+	return err
 }
diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go
@@ -245,5 +245,6 @@ func (s *SinkBindingSubResourcesReconciler) propagateTrustBundles(ctx context.Co
 		Version: v1.SchemeGroupVersion.Version,
 		Kind:    "SinkBinding",
 	}
-	return eventingtls.PropagateTrustBundles(ctx, s.kubeclient, s.trustBundleConfigMapLister, gvk, sb)
+	_, err := eventingtls.PropagateTrustBundles(ctx, s.kubeclient, s.trustBundleConfigMapLister, gvk, sb)
+	return err
 }