feat: create separate cache for nodepublishsecretref in rotation

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Author: aramase

cmd/secrets-store-csi-driver/main.go

@@ -25,15 +25,14 @@ import (
 	"strings"
 	"time"
 
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/cache"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/metrics"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/rotation"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/version"
 
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	json "k8s.io/component-base/logs/json"
 	"k8s.io/klog/v2"
@@ -63,11 +62,10 @@ var (
 	enableProfile          = flag.Bool("enable-pprof", false, "enable pprof profiling")
 	profilePort            = flag.Int("pprof-port", 6065, "port for pprof profiling")
 
-	// enable filtered watch for secrets. The filtering is done on the csi driver label: secrets-store.csi.k8s.io/managed=true
-	// this label is set for all Kubernetes secrets created by the CSI driver. For Kubernetes secrets used to provide credentials
-	// for use with the CSI driver, set the label by running: kubectl label secret secrets-store-creds secrets-store.csi.k8s.io/managed=true
+	// enable filtered watch for NodePublishSecretRef secrets. The filtering is done on the csi driver label: secrets-store.csi.k8s.io/used=true
+	// For Kubernetes secrets used to provide credentials for use with the CSI driver, set the label by running: kubectl label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
 	// This feature flag will be enabled by default after n+2 releases giving time for users to label all their existing credential secrets.
-	filteredWatchSecret = flag.Bool("filtered-watch-secret", false, "enable filtered watch for secrets with label secrets-store.csi.k8s.io/managed=true")
+	filteredWatchSecret = flag.Bool("filtered-watch-secret", false, "enable filtered watch for NodePublishSecretRef secrets with label secrets-store.csi.k8s.io/used=true")
 
 	scheme = runtime.NewScheme()
 )
@@ -98,7 +96,7 @@ func main() {
 		}()
 	}
 	if *filteredWatchSecret {
-		klog.Infof("Filtered watch for secret based on secrets-store.csi.k8s.io/managed=true label enabled")
+		klog.Infof("Filtered watch for nodePublishSecretRef secret based on secrets-store.csi.k8s.io/used=true label enabled")
 	}
 
 	// initialize metrics exporter before creating measurements
@@ -115,15 +113,13 @@ func main() {
 	fieldSelectorByResource := map[schema.GroupResource]string{
 		{Group: "", Resource: "pods"}: fields.OneTermEqualSelector("spec.nodeName", *nodeID).String(),
 	}
-	// this enables filtered watch of secretproviderclasspodstatuses based on the internal node label
-	// internal.secrets-store.csi.k8s.io/node-name=<node name> added by csi driver
 	labelSelectorByResource := map[schema.GroupResource]string{
-		{Group: "", Resource: "secretproviderclasspodstatuses"}: fmt.Sprintf("%s=%s", v1alpha1.InternalNodeLabel, *nodeID),
-	}
-	// this enables filtered watch of secrets based on the label (secrets-store.csi.k8s.io/managed=true)
-	// added to the secrets created by the CSI driver
-	if *filteredWatchSecret {
-		labelSelectorByResource[schema.GroupResource{Group: "", Resource: "secrets"}] = fmt.Sprintf("%s=true", controllers.SecretManagedLabel)
+		// this enables filtered watch of secretproviderclasspodstatuses based on the internal node label
+		// internal.secrets-store.csi.k8s.io/node-name=<node name> added by csi driver
+		{Group: v1alpha1.GroupVersion.Group, Resource: "secretproviderclasspodstatuses"}: fmt.Sprintf("%s=%s", v1alpha1.InternalNodeLabel, *nodeID),
+		// this enables filtered watch of secrets based on the label (secrets-store.csi.k8s.io/managed=true)
+		// added to the secrets created by the CSI driver
+		{Group: "", Resource: "secrets"}: fmt.Sprintf("%s=true", controllers.SecretManagedLabel),
 	}
 
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{

controllers/secretproviderclasspodstatus_controller.go

@@ -55,6 +55,7 @@ import (
 
 const (
 	SecretManagedLabel         = "secrets-store.csi.k8s.io/managed"
+	SecretUsedLabel            = "secrets-store.csi.k8s.io/used"
 	secretCreationFailedReason = "FailedToCreateSecret"
 )
 
@@ -123,7 +124,7 @@ func (r *SecretProviderClassPodStatusReconciler) Patcher(ctx context.Context) er
 		spc := &v1alpha1.SecretProviderClass{}
 		namespace := spcPodStatuses[i].Namespace
 
-		if val, exists := spcMap[spcPodStatuses[i].Namespace+"/"+spcName]; exists {
+		if val, exists := spcMap[namespace+"/"+spcName]; exists {
 			spc = &val
 		} else {
 			if err := r.reader.Get(ctx, client.ObjectKey{Namespace: namespace, Name: spcName}, spc); err != nil {
@@ -165,7 +166,7 @@ func (r *SecretProviderClassPodStatusReconciler) Patcher(ctx context.Context) er
 		}
 
 		for _, secret := range spc.Spec.SecretObjects {
-			key := types.NamespacedName{Name: secret.SecretName, Namespace: spcPodStatuses[i].Namespace}
+			key := types.NamespacedName{Name: secret.SecretName, Namespace: namespace}
 			val, exists := secretOwnerMap[key]
 			if exists {
 				secretOwnerMap[key] = append(val, ownerRefs...)

pkg/k8s/store.go

@@ -40,6 +40,7 @@ import (
 type Informer struct {
 	Pod                          cache.SharedIndexInformer
 	Secret                       cache.SharedIndexInformer
+	NodePublishSecretRefSecret   cache.SharedIndexInformer
 	SecretProviderClass          cache.SharedIndexInformer
 	SecretProviderClassPodStatus cache.SharedIndexInformer
 }
@@ -48,6 +49,7 @@ type Informer struct {
 type Lister struct {
 	Pod                          PodLister
 	Secret                       SecretLister
+	NodePublishSecretRefSecret   SecretLister
 	SecretProviderClass          SecretProviderClassLister
 	SecretProviderClassPodStatus SecretProviderClassPodStatusLister
 }
@@ -57,6 +59,8 @@ type Store interface {
 	GetPod(name, namespace string) (*v1.Pod, error)
 	// GetSecret returns the secret matching name and namespace
 	GetSecret(name, namespace string) (*v1.Secret, error)
+	// GetNodePublishSecretRefSecret returns the NodePublishSecretRef secret matching name and namespace
+	GetNodePublishSecretRefSecret(name, namespace string) (*v1.Secret, error)
 	// GetSecretProviderClass returns the secret provider class matching name and namespace
 	GetSecretProviderClass(name, namespace string) (*v1alpha1.SecretProviderClass, error)
 	// GetSecretProviderClassPodStatus returns the secret provider class pod status matching key
@@ -81,9 +85,12 @@ func New(kubeClient kubernetes.Interface, crdClient secretsStoreClient.Interface
 	store.informers.Pod = newPodInformer(kubeClient, resyncPeriod, nodeName)
 	store.listers.Pod.Store = store.informers.Pod.GetStore()
 
-	store.informers.Secret = newSecretInformer(kubeClient, resyncPeriod, filteredWatchSecret)
+	store.informers.Secret = newSecretInformer(kubeClient, resyncPeriod)
 	store.listers.Secret.Store = store.informers.Secret.GetStore()
 
+	store.informers.NodePublishSecretRefSecret = newNodePublishSecretRefSecretInformer(kubeClient, resyncPeriod, filteredWatchSecret)
+	store.listers.NodePublishSecretRefSecret.Store = store.informers.NodePublishSecretRefSecret.GetStore()
+
 	store.informers.SecretProviderClass = newSPCInformer(crdClient, resyncPeriod)
 	store.listers.SecretProviderClass.Store = store.informers.SecretProviderClass.GetStore()
 
@@ -108,6 +115,11 @@ func (s k8sStore) GetSecret(name, namespace string) (*v1.Secret, error) {
 	return s.listers.Secret.GetWithKey(getStoreKey(name, namespace))
 }
 
+// GetNodePublishSecretRefSecret returns the NodePublishSecretRef secret matching name and namespace
+func (s k8sStore) GetNodePublishSecretRefSecret(name, namespace string) (*v1.Secret, error) {
+	return s.listers.NodePublishSecretRefSecret.GetWithKey(getStoreKey(name, namespace))
+}
+
 // GetSecretProviderClass returns the secret provider class matching name and namespace
 func (s k8sStore) GetSecretProviderClass(name, namespace string) (*v1alpha1.SecretProviderClass, error) {
 	return s.listers.SecretProviderClass.GetWithKey(getStoreKey(name, namespace))
@@ -135,10 +147,11 @@ func (s k8sStore) GetSecretProviderClassPodStatus(key string) (*v1alpha1.SecretP
 func (i *Informer) run(stopCh <-chan struct{}) error {
 	go i.Pod.Run(stopCh)
 	go i.Secret.Run(stopCh)
+	go i.NodePublishSecretRefSecret.Run(stopCh)
 	go i.SecretProviderClass.Run(stopCh)
 	go i.SecretProviderClassPodStatus.Run(stopCh)
 
-	synced := []cache.InformerSynced{i.Pod.HasSynced, i.Secret.HasSynced, i.SecretProviderClass.HasSynced, i.SecretProviderClassPodStatus.HasSynced}
+	synced := []cache.InformerSynced{i.Pod.HasSynced, i.Secret.HasSynced, i.NodePublishSecretRefSecret.HasSynced, i.SecretProviderClass.HasSynced, i.SecretProviderClassPodStatus.HasSynced}
 	if !cache.WaitForCacheSync(stopCh, synced...) {
 		return fmt.Errorf("failed to sync informer caches")
 	}
@@ -158,22 +171,28 @@ func newPodInformer(kubeClient kubernetes.Interface, resyncPeriod time.Duration,
 }
 
 // newSecretInformer returns a secret informer
-func newSecretInformer(kubeClient kubernetes.Interface, resyncPeriod time.Duration, filteredWatchSecret bool) cache.SharedIndexInformer {
+func newSecretInformer(kubeClient kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return coreInformers.NewFilteredSecretInformer(
+		kubeClient,
+		v1.NamespaceAll,
+		resyncPeriod,
+		cache.Indexers{},
+		managedFilterForSecret(),
+	)
+}
+
+// newNodePublishSecretRefSecretInformer returns a NodePublishSecretRef informer
+func newNodePublishSecretRefSecretInformer(kubeClient kubernetes.Interface, resyncPeriod time.Duration, filteredWatchSecret bool) cache.SharedIndexInformer {
+	var tweakListOptionsFunc internalinterfaces.TweakListOptionsFunc
 	if filteredWatchSecret {
-		return coreInformers.NewFilteredSecretInformer(
-			kubeClient,
-			v1.NamespaceAll,
-			resyncPeriod,
-			cache.Indexers{},
-			managedFilterForSecret(),
-		)
+		tweakListOptionsFunc = usedFilterForSecret()
 	}
 	return coreInformers.NewFilteredSecretInformer(
 		kubeClient,
 		v1.NamespaceAll,
 		resyncPeriod,
 		cache.Indexers{},
-		nil,
+		tweakListOptionsFunc,
 	)
 }
 
@@ -221,9 +240,18 @@ func getStoreKey(name, namespace string) string {
 	return fmt.Sprintf("%s/%s", namespace, name)
 }
 
-// managedFilterForSecret returns tweak options to filter using managed label.
+// managedFilterForSecret returns tweak options to filter using managed label (secrets-store.csi.k8s.io/managed=true).
+// this label is configured for all secrets created by the driver.
 func managedFilterForSecret() internalinterfaces.TweakListOptionsFunc {
 	return func(options *metav1.ListOptions) {
 		options.LabelSelector = fmt.Sprintf("%s=true", controllers.SecretManagedLabel)
 	}
 }
+
+// usedFilterForSecret returns tweak options to filter using used label (secrets-store.csi.k8s.io/used=true).
+// this label will need to be configured by user for NodePublishSecretRef secrets.
+func usedFilterForSecret() internalinterfaces.TweakListOptionsFunc {
+	return func(options *metav1.ListOptions) {
+		options.LabelSelector = fmt.Sprintf("%s=true", controllers.SecretUsedLabel)
+	}
+}

pkg/rotation/reconciler.go

@@ -245,7 +245,7 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 		secretNamespace := spcps.Namespace
 
 		// read secret from the informer cache
-		secret, err := r.store.GetSecret(secretName, secretNamespace)
+		secret, err := r.store.GetNodePublishSecretRefSecret(secretName, secretNamespace)
 		if err != nil {
 			errorReason = internalerrors.NodePublishSecretRefNotFound
 			r.generateEvent(pod, v1.EventTypeWarning, mountRotationFailedReason, fmt.Sprintf("failed to get node publish secret %s/%s, err: %+v", secretNamespace, secretName, err))